[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-139-g262b701
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-139-g262b701 |
|
Date: |
Wed, 09 Feb 2011 22:30:29 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=262b70150677f2eeabbd05a54fb087821170b94e
The branch, master has been updated
via 262b70150677f2eeabbd05a54fb087821170b94e (commit)
via 599ee2a717b238d7367075139bd4a13ce22383c5 (commit)
via e2780fb07b38af49807b725421f9aec97f3f8b99 (commit)
via 499ffc306da6ce7b275bdccb9fde2aa2d83c506f (commit)
via 3681fb4b1fab0776eabeaeed5163a3636db3a76c (commit)
via 410239fc93c6834492bb45b1468eb4c2b254b76f (commit)
via 7e5fef07ca773e8fc2399c52dce0d4e51c4916ba (commit)
via 2fba21b61c33945e50f59051c076296d844f279f (commit)
via f87fa64fd8f00b980a7d9bdbd2b96b7c75fef1e9 (commit)
from 9da8ab29e21bb5cef164ff8c2aa7f1d7b90aecba (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 262b70150677f2eeabbd05a54fb087821170b94e
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed Feb 9 23:30:22 2011 +0100
set the psk callback only if username/key were not supplied at command line.
commit 599ee2a717b238d7367075139bd4a13ce22383c5
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed Feb 9 23:19:19 2011 +0100
In TLS 1.2 under DSS use the hash algorithm required by DSS.
commit e2780fb07b38af49807b725421f9aec97f3f8b99
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed Feb 9 23:17:48 2011 +0100
Added new test openpgp-auth2.c that tests openpgp under TLS1.2
and DSS as well.
commit 499ffc306da6ce7b275bdccb9fde2aa2d83c506f
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed Feb 9 23:09:27 2011 +0100
Modernized the test applications that now use the
gnutls_priority_set_direct().
commit 3681fb4b1fab0776eabeaeed5163a3636db3a76c
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed Feb 9 23:00:50 2011 +0100
deprecated gnutls_*_set_priority().
commit 410239fc93c6834492bb45b1468eb4c2b254b76f
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed Feb 9 22:24:53 2011 +0100
The extensions code is now using the gnutls_buffer_st.
commit 7e5fef07ca773e8fc2399c52dce0d4e51c4916ba
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed Feb 9 22:23:33 2011 +0100
Added sha224 to the list of MACs.
commit 2fba21b61c33945e50f59051c076296d844f279f
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed Feb 9 20:53:02 2011 +0100
The PSK and SRP key exchange algorithms are not included in the preset
priority strings.
commit f87fa64fd8f00b980a7d9bdbd2b96b7c75fef1e9
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed Feb 9 20:48:04 2011 +0100
Callback function is being called in both PSK-DHE and PSK.
Using the callback function will not overwrite the credentials,
which were wrongly being overwritten using the retrieved username/key.
The credentials structure is now accessed for reading only, as it
should have been.
-----------------------------------------------------------------------
Summary of changes:
lib/auth_cert.c | 37 ++++--
lib/auth_dh_common.c | 13 ++-
lib/auth_dh_common.h | 1 +
lib/auth_dhe_psk.c | 35 +++---
lib/auth_psk.c | 126 ++++++++++---------
lib/auth_psk.h | 6 +-
lib/ext_cert_type.c | 38 +++---
lib/ext_max_record.c | 36 ++----
lib/ext_safe_renegotiation.c | 43 +++----
lib/ext_server_name.c | 30 ++---
lib/ext_session_ticket.c | 11 +-
lib/ext_signature.c | 39 ++++---
lib/ext_signature.h | 4 +-
lib/ext_srp.c | 46 ++++----
lib/gnutls_algorithms.c | 1 +
lib/gnutls_extensions.c | 84 +++++--------
lib/gnutls_extensions.h | 11 ++-
lib/gnutls_handshake.c | 194 ++++++++++++-----------------
lib/gnutls_int.h | 26 ++++
lib/gnutls_pk.c | 6 +-
lib/gnutls_priority.c | 15 ---
lib/gnutls_sig.c | 59 ++++++++--
lib/gnutls_state.c | 2 +
lib/includes/gnutls/compat.h | 18 +++
lib/includes/gnutls/gnutls.h.in | 43 -------
lib/nettle/pk.c | 1 +
lib/x509/x509_int.h | 1 +
src/cli.c | 3 +-
tests/Makefile.am | 2 +-
tests/anonself.c | 8 +-
tests/dhepskself.c | 8 +-
tests/mini-eagain.c | 7 +-
tests/mini.c | 7 +-
tests/openpgp-auth.c | 40 +-----
tests/{openpgp-auth.c => openpgp-auth2.c} | 45 ++-----
tests/pskself.c | 8 +-
tests/resume.c | 8 +-
37 files changed, 489 insertions(+), 573 deletions(-)
copy tests/{openpgp-auth.c => openpgp-auth2.c} (86%)
diff --git a/lib/auth_cert.c b/lib/auth_cert.c
index dea7aae..60bb989 100644
--- a/lib/auth_cert.c
+++ b/lib/auth_cert.c
@@ -1674,9 +1674,7 @@ _gnutls_proc_cert_client_cert_vrfy (gnutls_session_t
session,
return 0;
}
-
#define CERTTYPE_SIZE 3
-#define SIGN_ALGO_SIZE (2 + MAX_SIGNATURE_ALGORITHMS * 2)
int
_gnutls_gen_cert_server_cert_req (gnutls_session_t session, gnutls_buffer_st *
data)
{
@@ -1708,7 +1706,7 @@ _gnutls_gen_cert_server_cert_req (gnutls_session_t
session, gnutls_buffer_st * d
if (_gnutls_version_has_selectable_sighash (ver))
/* Need two bytes to announce the number of supported hash
functions (see below). */
- size += SIGN_ALGO_SIZE;
+ size += MAX_SIGN_ALGO_SIZE;
tmp_data[0] = CERTTYPE_SIZE - 1;
tmp_data[1] = RSA_SIGN;
@@ -1720,10 +1718,10 @@ _gnutls_gen_cert_server_cert_req (gnutls_session_t
session, gnutls_buffer_st * d
if (_gnutls_version_has_selectable_sighash (ver))
{
- uint8_t p[SIGN_ALGO_SIZE];
+ uint8_t p[MAX_SIGN_ALGO_SIZE];
ret =
- _gnutls_sign_algorithm_write_params (session, p, SIGN_ALGO_SIZE);
+ _gnutls_sign_algorithm_write_params (session, p, MAX_SIGN_ALGO_SIZE);
if (ret < 0)
{
gnutls_assert ();
@@ -1731,7 +1729,7 @@ _gnutls_gen_cert_server_cert_req (gnutls_session_t
session, gnutls_buffer_st * d
}
/* recalculate size */
- size -= SIGN_ALGO_SIZE + ret;
+ size -= MAX_SIGN_ALGO_SIZE + ret;
ret = _gnutls_buffer_append_data( data, p, ret);
if (ret < 0)
@@ -2040,7 +2038,7 @@ _gnutls_server_select_cert (gnutls_session_t session,
gnutls_pk_algorithm_t requested_algo)
{
unsigned i;
- int idx;
+ int idx, ret;
gnutls_certificate_credentials_t cred;
cred = (gnutls_certificate_credentials_t)
@@ -2055,17 +2053,30 @@ _gnutls_server_select_cert (gnutls_session_t session,
* use it and leave.
*/
if (cred->server_get_cert_callback != NULL)
- return call_get_cert_callback (session, NULL, 0, NULL, 0);
+ {
+ ret = call_get_cert_callback (session, NULL, 0, NULL, 0);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ return ret;
+ }
/* Otherwise... */
idx = -1; /* default is use no certificate */
+ _gnutls_handshake_log("HSK[%p]: Requested PK algorithm: %s (%d) -- ctype: %s
(%d)\n", session,
+ gnutls_pk_get_name(requested_algo), requested_algo,
+ gnutls_certificate_type_get_name(session->security_parameters.cert_type),
session->security_parameters.cert_type);
+
for (i = 0; i < cred->ncerts; i++)
{
/* find one compatible certificate
*/
+ _gnutls_handshake_log("HSK[%p]: certificate[%d] PK algorithm: %s (%d) -
ctype: %s (%d) - sig: %s (%d)\n", session, i,
+ gnutls_pk_get_name(cred->cert_list[i][0].subject_pk_algorithm),
cred->cert_list[i][0].subject_pk_algorithm,
+ gnutls_certificate_type_get_name(cred->cert_list[i][0].cert_type),
cred->cert_list[i][0].cert_type,
+ gnutls_sign_get_name(cred->cert_list[i][0].sign_algo),
cred->cert_list[i][0].sign_algo);
if (requested_algo == GNUTLS_PK_ANY ||
requested_algo == cred->cert_list[i][0].subject_pk_algorithm)
{
@@ -2077,9 +2088,6 @@ _gnutls_server_select_cert (gnutls_session_t session,
&& (cred->cert_list[i][0].cert_type == GNUTLS_CRT_OPENPGP
|| /* FIXME: make this a check for certificate
type capabilities */
- !_gnutls_version_has_selectable_sighash
- (gnutls_protocol_get_version (session))
- ||
_gnutls_session_sign_algo_requested
(session, cred->cert_list[i][0].sign_algo) == 0))
{
@@ -2101,8 +2109,11 @@ _gnutls_server_select_cert (gnutls_session_t session,
cred->pkey[idx], 0);
}
else
- /* Certificate does not support REQUESTED_ALGO. */
- return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
+ {
+ gnutls_assert();
+ /* Certificate does not support REQUESTED_ALGO. */
+ return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
+ }
return 0;
}
diff --git a/lib/auth_dh_common.c b/lib/auth_dh_common.c
index f0198b2..5bf7e92 100644
--- a/lib/auth_dh_common.c
+++ b/lib/auth_dh_common.c
@@ -105,7 +105,7 @@ _gnutls_proc_dh_common_client_kx (gnutls_session_t session,
return ret;
}
- ret = _gnutls_set_psk_session_key (session, &tmp_dh_key);
+ ret = _gnutls_set_psk_session_key (session, NULL, &tmp_dh_key);
_gnutls_free_datum (&tmp_dh_key);
}
@@ -120,8 +120,13 @@ _gnutls_proc_dh_common_client_kx (gnutls_session_t session,
return 0;
}
+int _gnutls_gen_dh_common_client_kx (gnutls_session_t session,
gnutls_buffer_st* data)
+{
+ return _gnutls_gen_dh_common_client_kx_int(session, data, NULL);
+}
+
int
-_gnutls_gen_dh_common_client_kx (gnutls_session_t session, gnutls_buffer_st*
data)
+_gnutls_gen_dh_common_client_kx_int (gnutls_session_t session,
gnutls_buffer_st* data, gnutls_datum_t* pskkey)
{
bigint_t x = NULL, X = NULL;
int ret;
@@ -170,6 +175,7 @@ _gnutls_gen_dh_common_client_kx (gnutls_session_t session,
gnutls_buffer_st* dat
else /* In DHE_PSK the key is set differently */
{
gnutls_datum_t tmp_dh_key;
+
ret = _gnutls_mpi_dprint (session->key->KEY, &tmp_dh_key);
if (ret < 0)
{
@@ -177,9 +183,8 @@ _gnutls_gen_dh_common_client_kx (gnutls_session_t session,
gnutls_buffer_st* dat
goto error;
}
- ret = _gnutls_set_psk_session_key (session, &tmp_dh_key);
+ ret = _gnutls_set_psk_session_key (session, pskkey, &tmp_dh_key);
_gnutls_free_datum (&tmp_dh_key);
-
}
_gnutls_mpi_release (&session->key->KEY);
diff --git a/lib/auth_dh_common.h b/lib/auth_dh_common.h
index ccfe5c0..9c528f1 100644
--- a/lib/auth_dh_common.h
+++ b/lib/auth_dh_common.h
@@ -38,6 +38,7 @@ typedef struct
} dh_info_st;
void _gnutls_free_dh_info (dh_info_st * dh);
+int _gnutls_gen_dh_common_client_kx_int (gnutls_session_t, gnutls_buffer_st*,
gnutls_datum_t *pskkey);
int _gnutls_gen_dh_common_client_kx (gnutls_session_t, gnutls_buffer_st*);
int _gnutls_proc_dh_common_client_kx (gnutls_session_t session,
opaque * data, size_t _data_size,
diff --git a/lib/auth_dhe_psk.c b/lib/auth_dhe_psk.c
index 7899182..6d698c4 100644
--- a/lib/auth_dhe_psk.c
+++ b/lib/auth_dhe_psk.c
@@ -65,38 +65,43 @@ const mod_auth_st dhe_psk_auth_struct = {
static int
gen_psk_client_kx (gnutls_session_t session, gnutls_buffer_st* data)
{
- int ret;
+ int ret, free;
gnutls_psk_client_credentials_t cred;
+ gnutls_datum_t username, key;
cred = (gnutls_psk_client_credentials_t)
_gnutls_get_cred (session->key, GNUTLS_CRD_PSK, NULL);
if (cred == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
- }
+ return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);
- if (cred->username.data == NULL || cred->key.data == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
- }
-
- ret = _gnutls_buffer_append_data_prefix(data, 16, cred->username.data,
cred->username.size);
+ ret = _gnutls_find_psk_key( session, cred, &username, &key, &free);
if (ret < 0)
return gnutls_assert_val(ret);
+ ret = _gnutls_buffer_append_data_prefix(data, 16, username.data,
username.size);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ goto cleanup;
+ }
/* The PSK key is set in there */
- ret = _gnutls_gen_dh_common_client_kx (session, data);
+ ret = _gnutls_gen_dh_common_client_kx_int (session, data, &key);
if (ret < 0)
{
gnutls_assert ();
- return ret;
+ goto cleanup;
}
- return data->length;
+ ret = data->length;
+
+cleanup:
+ if (free)
+ _gnutls_free_datum(&username);
+ _gnutls_free_datum(&key);
+
+ return ret;
}
diff --git a/lib/auth_psk.c b/lib/auth_psk.c
index c272bba..17d9403 100644
--- a/lib/auth_psk.c
+++ b/lib/auth_psk.c
@@ -65,30 +65,14 @@ const mod_auth_st psk_auth_struct = {
*/
int
_gnutls_set_psk_session_key (gnutls_session_t session,
- gnutls_datum_t * dh_secret)
+ gnutls_datum_t * ppsk /* key */,
+ gnutls_datum_t * dh_secret)
{
gnutls_datum_t pwd_psk = { NULL, 0 };
- gnutls_datum_t *ppsk;
size_t dh_secret_size;
int ret;
- if (session->security_parameters.entity == GNUTLS_CLIENT)
- {
- gnutls_psk_client_credentials_t cred;
-
- cred = (gnutls_psk_client_credentials_t)
- _gnutls_get_cred (session->key, GNUTLS_CRD_PSK, NULL);
-
- if (cred == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
- }
-
- ppsk = &cred->key;
-
- }
- else
+ if (session->security_parameters.entity == GNUTLS_SERVER)
{ /* SERVER side */
psk_auth_info_t info;
@@ -142,6 +126,41 @@ error:
return ret;
}
+/* returns the username and they key for the PSK session.
+ * Free is non zero if they have to be freed.
+ */
+int _gnutls_find_psk_key( gnutls_session_t session,
gnutls_psk_client_credentials_t cred,
+ gnutls_datum_t * username, gnutls_datum* key, int* free)
+{
+char* user_p;
+int ret;
+
+ *free = 0;
+
+ if (cred->username.data != NULL && cred->key.data != NULL)
+ {
+ username->data = cred->username.data;
+ username->size = cred->username.size;
+ key->data = cred->key.data;
+ key->size = cred->key.size;
+ }
+ else if (cred->get_function != NULL)
+ {
+ ret = cred->get_function (session, &user_p, key);
+ if (ret)
+ return gnutls_assert_val(ret);
+
+ username->data = user_p;
+ username->size = strlen(user_p);
+
+ *free = 1;
+ }
+ else
+ return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);
+
+ return 0;
+}
+
/* Generates the PSK client key exchange
*
@@ -156,7 +175,9 @@ error:
int
_gnutls_gen_psk_client_kx (gnutls_session_t session, gnutls_buffer_st* data)
{
- int ret;
+ int ret, free;
+ gnutls_datum_t username;
+ gnutls_datum_t key;
gnutls_psk_client_credentials_t cred;
cred = (gnutls_psk_client_credentials_t)
@@ -168,50 +189,31 @@ _gnutls_gen_psk_client_kx (gnutls_session_t session,
gnutls_buffer_st* data)
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
}
- if (cred->username.data == NULL && cred->key.data == NULL &&
- cred->get_function != NULL)
- {
- char *username;
- gnutls_datum_t key;
-
- ret = cred->get_function (session, &username, &key);
- if (ret)
- {
- gnutls_assert ();
- return ret;
- }
-
- ret = _gnutls_set_datum (&cred->username, username, strlen (username));
- gnutls_free (username);
- if (ret < 0)
- {
- gnutls_assert ();
- _gnutls_free_datum (&key);
- return ret;
- }
+ ret = _gnutls_find_psk_key( session, cred, &username, &key, &free);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
- ret = _gnutls_set_datum (&cred->key, key.data, key.size);
- _gnutls_free_datum (&key);
- if (ret < 0)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
- }
- else if (cred->username.data == NULL || cred->key.data == NULL)
+ ret = _gnutls_set_psk_session_key (session, &key, NULL);
+ if (ret < 0)
{
- gnutls_assert ();
- return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
+ gnutls_assert();
+ goto cleanup;
}
-
- ret = _gnutls_set_psk_session_key (session, NULL);
+
+ ret = _gnutls_buffer_append_data_prefix(data, 16, username.data,
username.size);
if (ret < 0)
{
- gnutls_assert ();
- return ret;
+ gnutls_assert();
}
- return _gnutls_buffer_append_data_prefix(data, 16, cred->username.data,
cred->username.size);
+cleanup:
+ if (free)
+ {
+ gnutls_free(username.data);
+ gnutls_free(key.data);
+ }
+
+ return ret;
}
@@ -265,7 +267,7 @@ _gnutls_proc_psk_client_kx (gnutls_session_t session,
opaque * data,
memcpy (info->username, username.data, username.size);
info->username[username.size] = 0;
- ret = _gnutls_set_psk_session_key (session, NULL);
+ ret = _gnutls_set_psk_session_key (session, NULL, NULL);
if (ret < 0)
{
gnutls_assert ();
@@ -328,10 +330,10 @@ _gnutls_proc_psk_server_kx (gnutls_session_t session,
opaque * data,
ssize_t data_size = _data_size;
int ret;
gnutls_datum_t hint;
- gnutls_psk_server_credentials_t cred;
+ gnutls_psk_client_credentials_t cred;
psk_auth_info_t info;
- cred = (gnutls_psk_server_credentials_t)
+ cred = (gnutls_psk_client_credentials_t)
_gnutls_get_cred (session->key, GNUTLS_CRD_PSK, NULL);
if (cred == NULL)
@@ -368,7 +370,7 @@ _gnutls_proc_psk_server_kx (gnutls_session_t session,
opaque * data,
memcpy (info->hint, hint.data, hint.size);
info->hint[hint.size] = 0;
- ret = _gnutls_set_psk_session_key (session, NULL);
+ ret = _gnutls_set_psk_session_key (session, &cred->key, NULL);
if (ret < 0)
{
gnutls_assert ();
@@ -381,4 +383,4 @@ error:
return ret;
}
-#endif /* ENABLE_SRP */
+#endif /* ENABLE_PSK */
diff --git a/lib/auth_psk.h b/lib/auth_psk.h
index c79da6b..40e88f1 100644
--- a/lib/auth_psk.h
+++ b/lib/auth_psk.h
@@ -68,7 +68,11 @@ typedef struct psk_auth_info_st
typedef struct psk_auth_info_st psk_auth_info_st;
int
-_gnutls_set_psk_session_key (gnutls_session_t session, gnutls_datum_t * psk2);
+_gnutls_set_psk_session_key (gnutls_session_t session, gnutls_datum_t* key,
gnutls_datum_t * psk2);
+
+int _gnutls_find_psk_key( gnutls_session_t session,
gnutls_psk_client_credentials_t cred,
+ gnutls_datum_t * username, gnutls_datum* key, int* free);
+
#else
#define _gnutls_set_psk_session_key(x,y) GNUTLS_E_INTERNAL_ERROR
#endif /* ENABLE_PSK */
diff --git a/lib/ext_cert_type.c b/lib/ext_cert_type.c
index ca5f7a0..5a03878 100644
--- a/lib/ext_cert_type.c
+++ b/lib/ext_cert_type.c
@@ -43,7 +43,7 @@ static int _gnutls_cert_type_recv_params (gnutls_session_t
session,
const opaque * data,
size_t data_size);
static int _gnutls_cert_type_send_params (gnutls_session_t session,
- opaque * data, size_t);
+ gnutls_buffer_st * extdata);
extension_entry_st ext_mod_cert_type = {
.name = "CERT TYPE",
@@ -153,8 +153,6 @@ _gnutls_cert_type_recv_params (gnutls_session_t session,
_gnutls_session_cert_type_set (session, new_type);
}
-
-
}
return 0;
@@ -163,11 +161,12 @@ _gnutls_cert_type_recv_params (gnutls_session_t session,
/* returns data_size or a negative number on failure
*/
static int
-_gnutls_cert_type_send_params (gnutls_session_t session, opaque * data,
- size_t data_size)
+_gnutls_cert_type_send_params (gnutls_session_t session, gnutls_buffer_st*
extdata)
{
unsigned len, i;
-
+ int ret;
+ uint8_t p;
+
/* this function sends the client extension data (dnsname) */
if (session->security_parameters.entity == GNUTLS_CLIENT)
{
@@ -187,21 +186,21 @@ _gnutls_cert_type_send_params (gnutls_session_t session,
opaque * data,
return 0;
}
- if (data_size < len + 1)
- {
- gnutls_assert ();
- return GNUTLS_E_SHORT_MEMORY_BUFFER;
- }
-
/* this is a vector!
*/
- data[0] = (uint8_t) len;
+ p = (uint8_t) len;
+ ret = _gnutls_buffer_append_data(extdata, &p, 1);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
for (i = 0; i < len; i++)
{
- data[i + 1] =
+ p =
_gnutls_cert_type2num (session->internals.priorities.
cert_type.priority[i]);
+ ret = _gnutls_buffer_append_data(extdata, &p, 1);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
}
return len + 1;
}
@@ -212,14 +211,13 @@ _gnutls_cert_type_send_params (gnutls_session_t session,
opaque * data,
if (session->security_parameters.cert_type != DEFAULT_CERT_TYPE)
{
len = 1;
- if (data_size < len)
- {
- gnutls_assert ();
- return GNUTLS_E_SHORT_MEMORY_BUFFER;
- }
- data[0] =
+ p =
_gnutls_cert_type2num (session->security_parameters.cert_type);
+ ret = _gnutls_buffer_append_data(extdata, &p, 1);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
return len;
}
diff --git a/lib/ext_max_record.c b/lib/ext_max_record.c
index 35931d8..195d37a 100644
--- a/lib/ext_max_record.c
+++ b/lib/ext_max_record.c
@@ -35,7 +35,7 @@ static int _gnutls_max_record_recv_params (gnutls_session_t
session,
const opaque * data,
size_t data_size);
static int _gnutls_max_record_send_params (gnutls_session_t session,
- opaque * data, size_t);
+ gnutls_buffer_st* extdata);
static int _gnutls_max_record_unpack (gnutls_buffer_st * ps,
extension_priv_data_t * _priv);
@@ -141,10 +141,9 @@ _gnutls_max_record_recv_params (gnutls_session_t session,
/* returns data_size or a negative number on failure
*/
static int
-_gnutls_max_record_send_params (gnutls_session_t session, opaque * data,
- size_t data_size)
+_gnutls_max_record_send_params (gnutls_session_t session, gnutls_buffer_st*
extdata)
{
- uint16_t len;
+ uint8_t p;
int ret;
/* this function sends the client extension data (dnsname) */
@@ -162,15 +161,12 @@ _gnutls_max_record_send_params (gnutls_session_t session,
opaque * data,
if (epriv.num != DEFAULT_MAX_RECORD_SIZE)
{
- len = 1;
- if (data_size < len)
- {
- gnutls_assert ();
- return GNUTLS_E_SHORT_MEMORY_BUFFER;
- }
+ p = (uint8_t) _gnutls_mre_record2num (epriv.num);
+ ret = _gnutls_buffer_append_data( extdata, &p, 1);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
- data[0] = (uint8_t) _gnutls_mre_record2num (epriv.num);
- return len;
+ return 1;
}
}
@@ -180,21 +176,17 @@ _gnutls_max_record_send_params (gnutls_session_t session,
opaque * data,
if (session->security_parameters.max_record_recv_size !=
DEFAULT_MAX_RECORD_SIZE)
{
- len = 1;
- if (data_size < len)
- {
- gnutls_assert ();
- return GNUTLS_E_SHORT_MEMORY_BUFFER;
- }
-
- data[0] =
+ p =
(uint8_t)
_gnutls_mre_record2num
(session->security_parameters.max_record_recv_size);
- return len;
- }
+ ret = _gnutls_buffer_append_data( extdata, &p, 1);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ return 1;
+ }
}
return 0;
diff --git a/lib/ext_safe_renegotiation.c b/lib/ext_safe_renegotiation.c
index c34d450..a44c1de 100644
--- a/lib/ext_safe_renegotiation.c
+++ b/lib/ext_safe_renegotiation.c
@@ -29,8 +29,7 @@
static int _gnutls_sr_recv_params (gnutls_session_t state,
const opaque * data, size_t data_size);
-static int _gnutls_sr_send_params (gnutls_session_t state,
- opaque * data, size_t);
+static int _gnutls_sr_send_params (gnutls_session_t state, gnutls_buffer_st*);
static void _gnutls_sr_deinit_data (extension_priv_data_t priv);
extension_entry_st ext_mod_sr = {
@@ -362,18 +361,17 @@ _gnutls_sr_recv_params (gnutls_session_t session,
}
static int
-_gnutls_sr_send_params (gnutls_session_t session,
- opaque * data, size_t _data_size)
+_gnutls_sr_send_params (gnutls_session_t session, gnutls_buffer_st* extdata)
{
/* The format of this extension is a one-byte length of verify data followed
* by the verify data itself. Note that the length byte does not include
* itself; IOW, empty verify data is represented as a length of 0. That means
* the minimum extension is one byte: 0x00.
*/
- ssize_t data_size = _data_size;
sr_ext_st *priv;
- int ret, set = 0;
+ int ret, set = 0, len;
extension_priv_data_t epriv;
+ size_t init_length = extdata->length;
if (session->internals.priorities.sr == SR_DISABLED)
{
@@ -406,36 +404,35 @@ _gnutls_sr_send_params (gnutls_session_t session,
else
priv = epriv.ptr;
- data[0] = 0;
-
/* Always offer the extension if we're a client */
if (priv->connection_using_safe_renegotiation ||
session->security_parameters.entity == GNUTLS_CLIENT)
{
- DECR_LEN (data_size, 1);
- data[0] = priv->client_verify_data_len;
-
- DECR_LEN (data_size, priv->client_verify_data_len);
+ len = priv->client_verify_data_len;
+ if (session->security_parameters.entity == GNUTLS_SERVER)
+ len += priv->server_verify_data_len;
+
+ ret = _gnutls_buffer_append_prefix(extdata, 8, len);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
- if (priv->client_verify_data_len > 0)
- memcpy (&data[1], priv->client_verify_data,
- priv->client_verify_data_len);
+ ret = _gnutls_buffer_append_data(extdata, priv->client_verify_data,
+ priv->client_verify_data_len);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
if (session->security_parameters.entity == GNUTLS_SERVER)
{
- data[0] += priv->server_verify_data_len;
-
- DECR_LEN (data_size, priv->server_verify_data_len);
-
- if (priv->server_verify_data_len > 0)
- memcpy (&data[1 + priv->client_verify_data_len],
- priv->server_verify_data, priv->server_verify_data_len);
+ ret = _gnutls_buffer_append_data(extdata, priv->server_verify_data,
+ priv->server_verify_data_len);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
}
}
else
return 0;
- return 1 + data[0]; /* don't forget the length byte */
+ return extdata->length - init_length;
}
static void
diff --git a/lib/ext_server_name.c b/lib/ext_server_name.c
index 1dccb70..c223fd8 100644
--- a/lib/ext_server_name.c
+++ b/lib/ext_server_name.c
@@ -33,7 +33,7 @@ static int _gnutls_server_name_recv_params (gnutls_session_t
session,
const opaque * data,
size_t data_size);
static int _gnutls_server_name_send_params (gnutls_session_t session,
- opaque * data, size_t);
+ gnutls_buffer_st* extdata);
static int _gnutls_server_name_unpack (gnutls_buffer_st * ps,
extension_priv_data_t * _priv);
@@ -174,12 +174,10 @@ _gnutls_server_name_recv_params (gnutls_session_t session,
*/
static int
_gnutls_server_name_send_params (gnutls_session_t session,
- opaque * data, size_t _data_size)
+ gnutls_buffer_st* extdata)
{
uint16_t len;
- opaque *p;
unsigned i;
- ssize_t data_size = _data_size;
int total_size = 0, ret;
server_name_ext_st *priv;
extension_priv_data_t epriv;
@@ -214,13 +212,12 @@ _gnutls_server_name_send_params (gnutls_session_t session,
total_size += 1 + 2 + len;
}
- p = data;
-
/* UINT16: write total size of all names
*/
- DECR_LENGTH_RET (data_size, 2, GNUTLS_E_SHORT_MEMORY_BUFFER);
- _gnutls_write_uint16 (total_size - 2, p);
- p += 2;
+ ret = _gnutls_buffer_append_prefix(extdata, 16, total_size - 2);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
for (i = 0; i < priv->server_names_size; i++)
{
@@ -235,17 +232,14 @@ _gnutls_server_name_send_params (gnutls_session_t session,
* UINT16: size of the first name
* LEN: the actual server name.
*/
- DECR_LENGTH_RET (data_size, len + 3,
- GNUTLS_E_SHORT_MEMORY_BUFFER);
+ ret = _gnutls_buffer_append_prefix(extdata, 8, 0);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
- *p = 0; /* NAME_DNS type */
- p++;
+ ret = _gnutls_buffer_append_data_prefix(extdata, 16,
priv->server_names[i].name, len);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
- _gnutls_write_uint16 (len, p);
- p += 2;
-
- memcpy (p, priv->server_names[i].name, len);
- p += len;
break;
default:
gnutls_assert ();
diff --git a/lib/ext_session_ticket.c b/lib/ext_session_ticket.c
index 3c77868..25a01a0 100644
--- a/lib/ext_session_ticket.c
+++ b/lib/ext_session_ticket.c
@@ -48,7 +48,7 @@
static int session_ticket_recv_params (gnutls_session_t session,
const opaque * data, size_t data_size);
static int session_ticket_send_params (gnutls_session_t session,
- opaque * data, size_t data_size);
+ gnutls_buffer_st* extdata);
static int session_ticket_unpack (gnutls_buffer_st * ps,
extension_priv_data_t * _priv);
static int session_ticket_pack (extension_priv_data_t _priv,
@@ -361,9 +361,8 @@ session_ticket_recv_params (gnutls_session_t session,
*/
static int
session_ticket_send_params (gnutls_session_t session,
- opaque * data, size_t _data_size)
+ gnutls_buffer_st * extdata)
{
- ssize_t data_size = _data_size;
session_ticket_ext_st *priv = NULL;
extension_priv_data_t epriv;
int ret;
@@ -403,9 +402,9 @@ session_ticket_send_params (gnutls_session_t session,
if (priv->session_ticket_len > 0)
{
- DECR_LENGTH_RET (data_size, priv->session_ticket_len,
- GNUTLS_E_SHORT_MEMORY_BUFFER);
- memcpy (data, priv->session_ticket, priv->session_ticket_len);
+ ret = _gnutls_buffer_append_data( extdata, priv->session_ticket,
priv->session_ticket_len);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
return priv->session_ticket_len;
}
diff --git a/lib/ext_signature.c b/lib/ext_signature.c
index af6328b..3517829 100644
--- a/lib/ext_signature.c
+++ b/lib/ext_signature.c
@@ -39,7 +39,7 @@ static int _gnutls_signature_algorithm_recv_params
(gnutls_session_t session,
const opaque * data,
size_t data_size);
static int _gnutls_signature_algorithm_send_params (gnutls_session_t session,
- opaque * data, size_t);
+ gnutls_buffer_st *
extdata);
static void signature_algorithms_deinit_data (extension_priv_data_t priv);
static int signature_algorithms_pack (extension_priv_data_t epriv,
gnutls_buffer_st * ps);
@@ -87,7 +87,7 @@ _gnutls_sign_algorithm_write_params (gnutls_session_t
session, opaque * data,
p += 2;
- for (i = j = 0; i < session->internals.priorities.sign_algo.algorithms; i +=
2, j++)
+ for (i = j = 0; j < session->internals.priorities.sign_algo.algorithms; i +=
2, j++)
{
aid =
_gnutls_sign_to_tls_aid (session->internals.priorities.
@@ -96,7 +96,7 @@ _gnutls_sign_algorithm_write_params (gnutls_session_t
session, opaque * data,
if (aid == NULL)
continue;
- _gnutls_debug_log ("EXT[SIGA]: sent signature algo (%d.%d) %s\n",
aid->hash_algorithm,
+ _gnutls_debug_log ("EXT[%p]: sent signature algo (%d.%d) %s\n",
session, aid->hash_algorithm,
aid->sign_algorithm,
gnutls_sign_get_name(session->internals.priorities.sign_algo.priority[j]));
*p = aid->hash_algorithm;
p++;
@@ -106,7 +106,6 @@ _gnutls_sign_algorithm_write_params (gnutls_session_t
session, opaque * data,
}
_gnutls_write_uint16 (len, len_p);
-
return len + 2;
}
@@ -138,7 +137,7 @@ _gnutls_sign_algorithm_parse_data (gnutls_session_t session,
sig = _gnutls_tls_aid_to_sign (&aid);
- _gnutls_debug_log ("EXT[SIGA]: rcvd signature algo (%d.%d) %s\n",
aid.hash_algorithm,
+ _gnutls_debug_log ("EXT[%p]: rcvd signature algo (%d.%d) %s\n",
session, aid.hash_algorithm,
aid.sign_algorithm, gnutls_sign_get_name(sig));
if (sig != GNUTLS_SIGN_UNKNOWN)
@@ -211,9 +210,10 @@ _gnutls_signature_algorithm_recv_params (gnutls_session_t
session,
*/
static int
_gnutls_signature_algorithm_send_params (gnutls_session_t session,
- opaque * data, size_t data_size)
+ gnutls_buffer_st* extdata)
{
int ret;
+ size_t init_length = extdata->length;
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
/* this function sends the client extension data */
@@ -222,14 +222,18 @@ _gnutls_signature_algorithm_send_params (gnutls_session_t
session,
{
if (session->internals.priorities.sign_algo.algorithms > 0)
{
+ uint8_t p[MAX_SIGN_ALGO_SIZE];
+
ret =
- _gnutls_sign_algorithm_write_params (session, data, data_size);
+ _gnutls_sign_algorithm_write_params (session, p, sizeof(p));
if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
- return ret;
+ return gnutls_assert_val(ret);
+
+ ret = _gnutls_buffer_append_data(extdata, p, ret);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ return extdata->length - init_length;
}
}
@@ -243,8 +247,7 @@ _gnutls_signature_algorithm_send_params (gnutls_session_t
session,
*/
gnutls_sign_algorithm_t
_gnutls_session_get_sign_algo (gnutls_session_t session,
- gnutls_pk_algorithm_t pk,
- gnutls_digest_algorithm_t * hash)
+ gnutls_pk_algorithm_t pk)
{
unsigned i;
int ret;
@@ -262,15 +265,13 @@ _gnutls_session_get_sign_algo (gnutls_session_t session,
|| priv->sign_algorithms_size == 0)
/* none set, allow all */
{
- *hash = GNUTLS_DIG_SHA1;
- return _gnutls_x509_pk_to_sign (pk, *hash);
+ return _gnutls_x509_pk_to_sign (pk, GNUTLS_DIG_SHA1);
}
for (i = 0; i < priv->sign_algorithms_size; i++)
{
if (_gnutls_sign_get_pk_algorithm (priv->sign_algorithms[i]) == pk)
{
- *hash = _gnutls_sign_get_hash_algorithm (priv->sign_algorithms[i]);
return priv->sign_algorithms[i];
}
}
@@ -322,6 +323,10 @@ _gnutls_session_sign_algo_requested (gnutls_session_t
session,
for (i = 0; i < priv->sign_algorithms_size; i++)
{
+ _gnutls_handshake_log("HSK[%p]: allowed sign algorithm: %s (%d)-- want
%s (%d)\n", session,
+ gnutls_sign_get_name(priv->sign_algorithms[i]),
priv->sign_algorithms[i],
+ gnutls_sign_get_name(sig), sig);
+
if (priv->sign_algorithms[i] == sig)
{
return 0; /* ok */
diff --git a/lib/ext_signature.h b/lib/ext_signature.h
index 9d507ed..b56c772 100644
--- a/lib/ext_signature.h
+++ b/lib/ext_signature.h
@@ -37,9 +37,7 @@ int _gnutls_session_sign_algo_requested (gnutls_session_t
session,
gnutls_sign_algorithm_t _gnutls_session_get_sign_algo (gnutls_session_t
session,
gnutls_pk_algorithm_t
- pk,
-
gnutls_digest_algorithm_t
- * hash);
+ pk);
int _gnutls_sign_algorithm_parse_data (gnutls_session_t session,
const opaque * data, size_t data_size);
int _gnutls_sign_algorithm_write_params (gnutls_session_t session,
diff --git a/lib/ext_srp.c b/lib/ext_srp.c
index e77be77..e97d997 100644
--- a/lib/ext_srp.c
+++ b/lib/ext_srp.c
@@ -42,8 +42,7 @@ static int _gnutls_srp_pack (extension_priv_data_t epriv,
static void _gnutls_srp_deinit_data (extension_priv_data_t epriv);
static int _gnutls_srp_recv_params (gnutls_session_t state,
const opaque * data, size_t data_size);
-static int _gnutls_srp_send_params (gnutls_session_t state, opaque * data,
- size_t);
+static int _gnutls_srp_send_params (gnutls_session_t state, gnutls_buffer_st *
extdata);
extension_entry_st ext_mod_srp = {
.name = "SRP",
@@ -106,12 +105,14 @@ _gnutls_srp_recv_params (gnutls_session_t session, const
opaque * data,
* data is allocated locally
*/
static int
-_gnutls_srp_send_params (gnutls_session_t session, opaque * data,
- size_t data_size)
+_gnutls_srp_send_params (gnutls_session_t session,
+ gnutls_buffer_st * extdata)
{
unsigned len;
+ int ret;
extension_priv_data_t epriv;
srp_ext_st *priv;
+ char *username = NULL, *password = NULL;
if (_gnutls_kx_priority (session, GNUTLS_KX_SRP) < 0 &&
_gnutls_kx_priority (session, GNUTLS_KX_SRP_DSS) < 0 &&
@@ -135,21 +136,16 @@ _gnutls_srp_send_params (gnutls_session_t session, opaque
* data,
{ /* send username */
len = MIN (strlen (cred->username), 255);
- if (data_size < len + 1)
- {
- gnutls_assert ();
- return GNUTLS_E_SHORT_MEMORY_BUFFER;
- }
+ ret = _gnutls_buffer_append_data_prefix(extdata, 8, cred->username,
len);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
- data[0] = (uint8_t) len;
- memcpy (&data[1], cred->username, len);
return len + 1;
}
else if (cred->get_function != NULL)
{
/* Try the callback
*/
- char *username = NULL, *password = NULL;
if (cred->get_function (session, &username, &password) < 0
|| username == NULL || password == NULL)
@@ -160,19 +156,12 @@ _gnutls_srp_send_params (gnutls_session_t session, opaque
* data,
len = MIN (strlen (username), 255);
- if (data_size < len + 1)
- {
- gnutls_free (username);
- gnutls_free (password);
- gnutls_assert ();
- return GNUTLS_E_SHORT_MEMORY_BUFFER;
- }
-
priv = gnutls_malloc (sizeof (*priv));
if (priv == NULL)
{
gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
+ ret = GNUTLS_E_MEMORY_ERROR;
+ goto cleanup;
}
priv->username = username;
@@ -181,12 +170,23 @@ _gnutls_srp_send_params (gnutls_session_t session, opaque
* data,
epriv.ptr = priv;
_gnutls_ext_set_session_data (session, GNUTLS_EXTENSION_SRP, epriv);
- data[0] = (uint8_t) len;
- memcpy (&data[1], username, len);
+ ret = _gnutls_buffer_append_data_prefix(extdata, 8, username, len);
+ if (ret < 0)
+ {
+ ret = gnutls_assert_val(ret);
+ goto cleanup;
+ }
+
return len + 1;
}
}
return 0;
+
+cleanup:
+ gnutls_free (username);
+ gnutls_free (password);
+
+ return ret;
}
static void
diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c
index 1d7d973..e388c1d 100644
--- a/lib/gnutls_algorithms.c
+++ b/lib/gnutls_algorithms.c
@@ -261,6 +261,7 @@ static const gnutls_hash_entry hash_algorithms[] = {
{"SHA256", HASH_OID_SHA256, GNUTLS_MAC_SHA256, 32},
{"SHA384", HASH_OID_SHA384, GNUTLS_MAC_SHA384, 48},
{"SHA512", HASH_OID_SHA512, GNUTLS_MAC_SHA512, 64},
+ {"SHA224", HASH_OID_SHA224, GNUTLS_MAC_SHA224, 28},
{"AEAD", NULL, GNUTLS_MAC_AEAD, 0},
{"MD2", HASH_OID_MD2, GNUTLS_MAC_MD2, 0}, /* not used as MAC */
{"RIPEMD160", HASH_OID_RMD160, GNUTLS_MAC_RMD160, 20},
diff --git a/lib/gnutls_extensions.c b/lib/gnutls_extensions.c
index 6449a39..4510651 100644
--- a/lib/gnutls_extensions.c
+++ b/lib/gnutls_extensions.c
@@ -236,32 +236,16 @@ _gnutls_extension_list_add (gnutls_session_t session,
uint16_t type)
}
int
-_gnutls_gen_extensions (gnutls_session_t session, opaque * data,
- size_t data_size, gnutls_ext_parse_type_t parse_type)
+_gnutls_gen_extensions (gnutls_session_t session, gnutls_buffer_st * extdata,
+ gnutls_ext_parse_type_t parse_type)
{
int size;
- uint16_t pos = 0;
- opaque *sdata;
- size_t sdata_size;
- size_t i;
+ int pos, size_pos, ret;
+ size_t i, init_size = extdata->length;
- if (data_size < 2)
- {
- gnutls_assert ();
- return GNUTLS_E_INTERNAL_ERROR;
- }
+ pos = extdata->length; /* we will store length later on */
+ _gnutls_buffer_append_prefix( extdata, 16, 0);
- /* allocate enough data for each extension.
- */
- sdata_size = data_size;
- sdata = gnutls_malloc (sdata_size);
- if (sdata == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
- pos += 2;
for (i = 0; i < extfunc_size; i++)
{
extension_entry_st *p = &extfunc[i];
@@ -272,30 +256,27 @@ _gnutls_gen_extensions (gnutls_session_t session, opaque
* data,
if (parse_type != GNUTLS_EXT_ANY && p->parse_type != parse_type)
continue;
- size = p->send_func (session, sdata, sdata_size);
+ ret = _gnutls_buffer_append_prefix( extdata, 16, p->type);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ size_pos = extdata->length;
+ ret = _gnutls_buffer_append_prefix (extdata, 16, 0);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ size = p->send_func (session, extdata);
+ /* returning GNUTLS_E_INT_RET_0 means to send an empty
+ * extension of this type.
+ */
if (size > 0 || size == GNUTLS_E_INT_RET_0)
{
if (size == GNUTLS_E_INT_RET_0)
size = 0;
-
- if (data_size < pos + (size_t) size + 4)
- {
- gnutls_assert ();
- gnutls_free (sdata);
- return GNUTLS_E_INTERNAL_ERROR;
- }
-
- /* write extension type */
- _gnutls_write_uint16 (p->type, &data[pos]);
- pos += 2;
-
- /* write size */
- _gnutls_write_uint16 (size, &data[pos]);
- pos += 2;
-
- memcpy (&data[pos], sdata, size);
- pos += size;
-
+
+ /* write the real size */
+ _gnutls_write_uint16(size, &extdata->data[size_pos]);
+
/* add this extension to the extension list
*/
_gnutls_extension_list_add (session, p->type);
@@ -306,24 +287,19 @@ _gnutls_gen_extensions (gnutls_session_t session, opaque
* data,
else if (size < 0)
{
gnutls_assert ();
- gnutls_free (sdata);
return size;
}
+ else if (size == 0)
+ extdata->length -= 4; /* reset type and size */
}
- size = pos;
- pos -= 2; /* remove the size of the size header! */
-
- _gnutls_write_uint16 (pos, data);
+ /* remove any initial data, and the size of the header */
+ size = extdata->length - init_size - 2;
+
+ if ( size > 0)
+ _gnutls_write_uint16(size, &extdata->data[pos]);
- if (size == 2)
- { /* empty */
- size = 0;
- }
-
- gnutls_free (sdata);
return size;
-
}
int
diff --git a/lib/gnutls_extensions.h b/lib/gnutls_extensions.h
index a381b82..9906f5b 100644
--- a/lib/gnutls_extensions.h
+++ b/lib/gnutls_extensions.h
@@ -26,11 +26,18 @@
#ifndef GNUTLS_EXTENSIONS_H
#define GNUTLS_EXTENSIONS_H
+#include <gnutls_str.h>
+
+typedef int (*gnutls_ext_recv_func) (gnutls_session_t session,
+ const unsigned char *data, size_t len);
+typedef int (*gnutls_ext_send_func) (gnutls_session_t session,
+ gnutls_buffer_st *extdata);
+
int _gnutls_parse_extensions (gnutls_session_t session,
gnutls_ext_parse_type_t parse_type,
const opaque * data, int data_size);
-int _gnutls_gen_extensions (gnutls_session_t session, opaque * data,
- size_t data_size, gnutls_ext_parse_type_t);
+int _gnutls_gen_extensions (gnutls_session_t session, gnutls_buffer_st *
extdata,
+ gnutls_ext_parse_type_t);
int _gnutls_ext_init (void);
void _gnutls_ext_deinit (void);
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index de899c2..84fb9e1 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -1874,14 +1874,14 @@ _gnutls_read_server_hello (gnutls_session_t session,
*/
static int
_gnutls_copy_ciphersuites (gnutls_session_t session,
- opaque * ret_data, size_t ret_data_size,
+ gnutls_buffer_st * cdata,
int add_scsv)
{
int ret, i;
cipher_suite_st *cipher_suites;
uint16_t cipher_num;
- int datalen, pos;
uint16_t loop_max;
+ size_t init_length = cdata->length;
ret = _gnutls_supported_ciphersuites_sorted (session, &cipher_suites);
if (ret < 0)
@@ -1919,44 +1919,52 @@ _gnutls_copy_ciphersuites (gnutls_session_t session,
cipher_num *= sizeof (uint16_t); /* in order to get bytes */
- datalen = pos = 0;
-
- datalen += sizeof (uint16_t) + cipher_num;
-
- if ((size_t) datalen > ret_data_size)
+ ret = _gnutls_buffer_append_prefix(cdata, 16, cipher_num);
+ if (ret < 0)
{
- gnutls_assert ();
- return GNUTLS_E_INTERNAL_ERROR;
+ gnutls_assert();
+ goto cleanup;
}
- _gnutls_write_uint16 (cipher_num, ret_data);
- pos += 2;
loop_max = add_scsv ? cipher_num - 2 : cipher_num;
-
for (i = 0; i < (loop_max / 2); i++)
{
- memcpy (&ret_data[pos], cipher_suites[i].suite, 2);
- pos += 2;
+ ret = _gnutls_buffer_append_data( cdata, cipher_suites[i].suite, 2);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ goto cleanup;
+ }
}
if (add_scsv)
{
+ uint8_t p[2];
/* Safe renegotiation signalling CS value is { 0x00, 0xff } */
- ret_data[pos++] = 0x00;
- ret_data[pos++] = 0xff;
+ p[0] = 0x00;
+ p[1] = 0xff;
+ ret = _gnutls_buffer_append_data( cdata, p, 2);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ goto cleanup;
+ }
+
ret = _gnutls_ext_sr_send_cs (session);
if (ret < 0)
{
gnutls_assert ();
- gnutls_free (cipher_suites);
- return ret;
+ goto cleanup;
}
}
+ ret = cdata->length - init_length;
+
+cleanup:
gnutls_free (cipher_suites);
- return datalen;
+ return ret;
}
@@ -1965,11 +1973,11 @@ _gnutls_copy_ciphersuites (gnutls_session_t session,
*/
static int
_gnutls_copy_comp_methods (gnutls_session_t session,
- opaque * ret_data, size_t ret_data_size)
+ gnutls_buffer_st * cdata)
{
int ret, i;
uint8_t *compression_methods, comp_num;
- int datalen, pos;
+ size_t init_length = cdata->length;
ret = _gnutls_supported_compression_methods (session, &compression_methods);
if (ret < 0)
@@ -1980,25 +1988,30 @@ _gnutls_copy_comp_methods (gnutls_session_t session,
comp_num = ret;
- datalen = pos = 0;
- datalen += comp_num + 1;
-
- if ((size_t) datalen > ret_data_size)
+ /* put the number of compression methods */
+ ret = _gnutls_buffer_append_prefix(cdata, 8, comp_num);
+ if (ret < 0)
{
- gnutls_assert ();
- return GNUTLS_E_INTERNAL_ERROR;
+ gnutls_assert();
+ goto cleanup;
}
- ret_data[pos++] = comp_num; /* put the number of compression methods */
-
for (i = 0; i < comp_num; i++)
{
- ret_data[pos++] = compression_methods[i];
+ ret = _gnutls_buffer_append_data(cdata, &compression_methods[i], 1);
+ if (ret < 0)
+ {
+ gnutls_assert();
+ goto cleanup;
+ }
}
+ ret = cdata->length - init_length;
+
+cleanup:
gnutls_free (compression_methods);
- return datalen;
+ return ret;
}
/* This should be sufficient by now. It should hold all the extensions
@@ -2013,16 +2026,17 @@ _gnutls_send_client_hello (gnutls_session_t session,
int again)
{
mbuffer_st *bufel = NULL;
opaque *data = NULL;
- int extdatalen;
int pos = 0, type;
int datalen = 0, ret = 0;
opaque rnd[GNUTLS_RANDOM_SIZE];
gnutls_protocol_t hver;
- opaque *extdata = NULL;
+ gnutls_buffer_st extdata;
int rehandshake = 0;
uint8_t session_id_len =
session->internals.resumed_security_parameters.session_id_size;
+ _gnutls_buffer_init(&extdata);
+
/* note that rehandshake is different than resuming
*/
if (session->security_parameters.session_id_size)
@@ -2043,14 +2057,6 @@ _gnutls_send_client_hello (gnutls_session_t session, int
again)
return GNUTLS_E_MEMORY_ERROR;
}
data = _mbuffer_get_udata_ptr (bufel);
- extdatalen = MAX_EXT_DATA_LENGTH;
-
- extdata = gnutls_malloc (extdatalen);
- if (extdata == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
/* if we are resuming a session then we set the
* version number to the previously established.
@@ -2072,7 +2078,6 @@ _gnutls_send_client_hello (gnutls_session_t session, int
again)
{
gnutls_assert ();
gnutls_free (bufel);
- gnutls_free (extdata);
return GNUTLS_E_INTERNAL_ERROR;
}
@@ -2132,55 +2137,26 @@ _gnutls_send_client_hello (gnutls_session_t session,
int again)
gnutls_protocol_get_version (session) == GNUTLS_SSL3)
{
ret =
- _gnutls_copy_ciphersuites (session, extdata, extdatalen, TRUE);
+ _gnutls_copy_ciphersuites (session, &extdata, TRUE);
_gnutls_extension_list_add (session,
GNUTLS_EXTENSION_SAFE_RENEGOTIATION);
}
else
- ret = _gnutls_copy_ciphersuites (session, extdata, extdatalen, FALSE);
+ ret = _gnutls_copy_ciphersuites (session, &extdata, FALSE);
- if (ret > 0)
- {
- ret = _mbuffer_append_data (bufel, extdata, ret);
- if (ret < 0)
- {
- gnutls_assert ();
- gnutls_free (extdata);
- return ret;
- }
- }
- else
+ if (ret < 0)
{
- if (extdatalen == 0)
- extdatalen = GNUTLS_E_INTERNAL_ERROR;
- gnutls_free (bufel);
- gnutls_free (extdata);
- gnutls_assert ();
- return ret;
+ gnutls_assert();
+ goto cleanup;
}
-
/* Copy the compression methods.
*/
- ret = _gnutls_copy_comp_methods (session, extdata, extdatalen);
- if (ret > 0)
- {
- ret = _mbuffer_append_data (bufel, extdata, ret);
- if (ret < 0)
- {
- gnutls_assert ();
- gnutls_free (extdata);
- return ret;
- }
- }
- else
+ ret = _gnutls_copy_comp_methods (session, &extdata);
+ if (ret < 0)
{
- if (extdatalen == 0)
- extdatalen = GNUTLS_E_INTERNAL_ERROR;
- gnutls_free (bufel);
- gnutls_free (extdata);
- gnutls_assert ();
- return ret;
+ gnutls_assert();
+ goto cleanup;
}
/* Generate and copy TLS extensions.
@@ -2195,32 +2171,29 @@ _gnutls_send_client_hello (gnutls_session_t session,
int again)
type = GNUTLS_EXT_NONE;
}
- ret = _gnutls_gen_extensions (session, extdata, extdatalen, type);
-
- if (ret > 0)
+ ret = _gnutls_gen_extensions (session, &extdata, type);
+ if (ret < 0)
{
- ret = _mbuffer_append_data (bufel, extdata, ret);
- if (ret < 0)
- {
- gnutls_assert ();
- gnutls_free (extdata);
- return ret;
- }
+ gnutls_assert();
+ goto cleanup;
}
- else if (ret < 0)
+
+ ret = _mbuffer_append_data (bufel, extdata.data, extdata.length);
+ if (ret < 0)
{
gnutls_assert ();
- gnutls_free (bufel);
- gnutls_free (extdata);
- return ret;
+ goto cleanup;
}
}
- gnutls_free (extdata);
+ _gnutls_buffer_clear(&extdata);
- ret =
+ return
_gnutls_send_handshake (session, bufel, GNUTLS_HANDSHAKE_CLIENT_HELLO);
+cleanup:
+ gnutls_free (bufel);
+ _gnutls_buffer_clear(&extdata);
return ret;
}
@@ -2229,8 +2202,7 @@ _gnutls_send_server_hello (gnutls_session_t session, int
again)
{
mbuffer_st *bufel = NULL;
opaque *data = NULL;
- opaque *extdata = NULL;
- int extdatalen;
+ gnutls_buffer_st extdata;
int pos = 0;
int datalen, ret = 0;
uint8_t comp;
@@ -2239,30 +2211,21 @@ _gnutls_send_server_hello (gnutls_session_t session,
int again)
datalen = 0;
+ _gnutls_buffer_init(&extdata);
+
if (again == 0)
{
-
- extdata = gnutls_malloc (MAX_EXT_DATA_LENGTH);
- if (extdata == NULL)
- {
- gnutls_assert ();
- return GNUTLS_E_MEMORY_ERROR;
- }
-
datalen = 2 + session_id_len + 1 + GNUTLS_RANDOM_SIZE + 3;
ret =
- _gnutls_gen_extensions (session, extdata, MAX_EXT_DATA_LENGTH,
- GNUTLS_EXT_ANY);
-
+ _gnutls_gen_extensions (session, &extdata, GNUTLS_EXT_ANY);
if (ret < 0)
{
gnutls_assert ();
goto fail;
}
- extdatalen = ret;
bufel =
- _gnutls_handshake_alloc (datalen + extdatalen, datalen + extdatalen);
+ _gnutls_handshake_alloc (datalen + extdata.length, datalen +
extdata.length);
if (bufel == NULL)
{
gnutls_assert ();
@@ -2303,11 +2266,10 @@ _gnutls_send_server_hello (gnutls_session_t session,
int again)
data[pos++] = comp;
- if (extdatalen > 0)
+ if (extdata.length > 0)
{
- datalen += extdatalen;
-
- memcpy (&data[pos], extdata, extdatalen);
+ datalen += extdata.length;
+ memcpy (&data[pos], extdata.data, extdata.length);
}
}
@@ -2315,7 +2277,7 @@ _gnutls_send_server_hello (gnutls_session_t session, int
again)
_gnutls_send_handshake (session, bufel, GNUTLS_HANDSHAKE_SERVER_HELLO);
fail:
- gnutls_free (extdata);
+ _gnutls_buffer_clear(&extdata);
return ret;
}
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index b01dc5c..ed35489 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -98,10 +98,35 @@ typedef struct
#define GNUTLS_MASTER_SIZE 48
#define GNUTLS_RANDOM_SIZE 32
+/* TLS Extensions */
/* we can receive up to MAX_EXT_TYPES extensions.
*/
#define MAX_EXT_TYPES 32
+ /**
+ * gnutls_ext_parse_type_t:
+ * @GNUTLS_EXT_NONE: Never parsed
+ * @GNUTLS_EXT_ANY: Any extension type.
+ * @GNUTLS_EXT_APPLICATION: Application extension.
+ * @GNUTLS_EXT_TLS: TLS-internal extension.
+ * @GNUTLS_EXT_MANDATORY: Extension parsed even if resuming (or extensions
are disabled).
+ *
+ * Enumeration of different TLS extension types. This flag
+ * indicates for an extension whether it is useful to application
+ * level or TLS level only. This is (only) used to parse the
+ * application level extensions before the "client_hello" callback
+ * is called.
+ */
+ typedef enum
+ {
+ GNUTLS_EXT_ANY = 0,
+ GNUTLS_EXT_APPLICATION = 1,
+ GNUTLS_EXT_TLS = 2,
+ GNUTLS_EXT_MANDATORY = 3,
+ GNUTLS_EXT_NONE = 4
+ } gnutls_ext_parse_type_t;
+
+
/* The initial size of the receive
* buffer size. This will grow if larger
* packets are received.
@@ -322,6 +347,7 @@ typedef struct
*/
#define MAX_SIGNATURE_ALGORITHMS 16
+#define MAX_SIGN_ALGO_SIZE (2 + MAX_SIGNATURE_ALGORITHMS * 2)
#define MAX_VERIFY_DATA_SIZE 36 /* in SSL 3.0, 12 in TLS 1.0 */
diff --git a/lib/gnutls_pk.c b/lib/gnutls_pk.c
index 90e9daf..9fa0326 100644
--- a/lib/gnutls_pk.c
+++ b/lib/gnutls_pk.c
@@ -421,7 +421,7 @@ _gnutls_dsa_sign (gnutls_datum_t * signature,
k = hash->size;
if (k < 20)
- { /* SHA1 or better only */
+ { /* SHA1 or better only */
gnutls_assert ();
return GNUTLS_E_PK_SIGN_FAILED;
}
@@ -501,8 +501,8 @@ _gnutls_dsa_verify (const gnutls_datum_t * vdata,
pk_params.params[i] = params[i];
pk_params.params_nr = params_len;
- if (vdata->size > 20)
- { /* SHA1 or better only */
+ if (vdata->size < 20)
+ { /* SHA1 or better only */
gnutls_assert ();
return GNUTLS_E_PK_SIG_VERIFY_FAILED;
}
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index bd39f01..c2a6956 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -219,11 +219,6 @@ static const int kx_priority_performance[] = {
GNUTLS_KX_RSA,
GNUTLS_KX_DHE_RSA,
GNUTLS_KX_DHE_DSS,
- GNUTLS_KX_PSK,
- GNUTLS_KX_DHE_PSK,
- GNUTLS_KX_SRP_RSA,
- GNUTLS_KX_SRP_DSS,
- GNUTLS_KX_SRP,
/* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add!
* GNUTLS_KX_RSA_EXPORT: Deprecated, don't add!
*/
@@ -234,11 +229,6 @@ static const int kx_priority_export[] = {
GNUTLS_KX_RSA,
GNUTLS_KX_DHE_RSA,
GNUTLS_KX_DHE_DSS,
- GNUTLS_KX_PSK,
- GNUTLS_KX_DHE_PSK,
- GNUTLS_KX_SRP_RSA,
- GNUTLS_KX_SRP_DSS,
- GNUTLS_KX_SRP,
GNUTLS_KX_RSA_EXPORT,
0
};
@@ -249,12 +239,7 @@ static const int kx_priority_secure[] = {
*/
GNUTLS_KX_DHE_RSA,
GNUTLS_KX_DHE_DSS,
- GNUTLS_KX_DHE_PSK,
- GNUTLS_KX_SRP_RSA,
- GNUTLS_KX_SRP_DSS,
GNUTLS_KX_RSA,
- GNUTLS_KX_PSK,
- GNUTLS_KX_SRP,
/* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add!
* GNUTLS_KX_RSA_EXPORT: Deprecated, don't add!
*/
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 17ebf40..a4c3f20 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -121,7 +121,40 @@ _gnutls_rsa_encode_sig (gnutls_mac_algorithm_t algo,
return 0;
}
+static int
+get_hash_algo(gnutls_session_t session, gnutls_cert* cert,
+ gnutls_sign_algorithm_t sign_algo,
+ gnutls_digest_algorithm_t *hash_algo)
+{
+int ret;
+gnutls_protocol_t ver = gnutls_protocol_get_version (session);
+
+ if (cert->subject_pk_algorithm == GNUTLS_PK_DSA)
+ { /* override */
+ *hash_algo = _gnutls_dsa_q_to_hash (cert->params[1]);
+
+ if (!_gnutls_version_has_selectable_sighash (ver) && *hash_algo !=
GNUTLS_DIG_SHA1)
+ {
+ /* In TLS < 1.2 one cannot use anything but SHA1
+ */
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ ret = _gnutls_session_sign_algo_requested(session,
_gnutls_x509_pk_to_sign (GNUTLS_PK_DSA, *hash_algo));
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ }
+ else
+ {
+ if (sign_algo == GNUTLS_SIGN_UNKNOWN)
+ *hash_algo = GNUTLS_DIG_SHA1;
+ else
+ *hash_algo = _gnutls_sign_get_hash_algorithm (sign_algo);
+ }
+ return 0;
+}
/* Generates a signature of all the random data and the parameters.
* Used in DHE_* ciphersuites.
@@ -140,14 +173,20 @@ _gnutls_handshake_sign_data (gnutls_session_t session,
gnutls_cert * cert,
gnutls_digest_algorithm_t hash_algo;
*sign_algo =
- _gnutls_session_get_sign_algo (session, cert->subject_pk_algorithm,
- &hash_algo);
+ _gnutls_session_get_sign_algo (session, cert->subject_pk_algorithm);
if (*sign_algo == GNUTLS_SIGN_UNKNOWN)
{
gnutls_assert ();
return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
}
+ ret = get_hash_algo(session, cert, *sign_algo, &hash_algo);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ _gnutls_handshake_log("HSK[%p]: hash from highest priority sigalgorithm: %s
(%d)\n",
+ session, gnutls_mac_get_name(hash_algo), hash_algo);
+
ret = _gnutls_hash_init (&td_sha, hash_algo);
if (ret < 0)
{
@@ -164,7 +203,7 @@ _gnutls_handshake_sign_data (gnutls_session_t session,
gnutls_cert * cert,
switch (cert->subject_pk_algorithm)
{
case GNUTLS_PK_RSA:
- if (!_gnutls_version_has_selectable_prf (ver))
+ if (!_gnutls_version_has_selectable_sighash (ver))
{
digest_hd_st td_md5;
@@ -219,6 +258,7 @@ _gnutls_handshake_sign_data (gnutls_session_t session,
gnutls_cert * cert,
_gnutls_hash_deinit (&td_sha, NULL);
return GNUTLS_E_INTERNAL_ERROR;
}
+
ret = _gnutls_tls_sign (session, cert, pkey, &dconcat, signature);
if (ret < 0)
{
@@ -392,7 +432,7 @@ _gnutls_handshake_verify_data (gnutls_session_t session,
gnutls_cert * cert,
digest_hd_st td_sha;
opaque concat[MAX_SIG_SIZE];
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
- gnutls_digest_algorithm_t hash_algo = GNUTLS_DIG_SHA1;
+ gnutls_digest_algorithm_t hash_algo;
ret = _gnutls_session_sign_algo_enabled (session, algo);
if (ret < 0)
@@ -401,7 +441,7 @@ _gnutls_handshake_verify_data (gnutls_session_t session,
gnutls_cert * cert,
return ret;
}
- if (!_gnutls_version_has_selectable_prf (ver))
+ if (!_gnutls_version_has_selectable_sighash (ver))
{
ret = _gnutls_hash_init (&td_md5, GNUTLS_MAC_MD5);
if (ret < 0)
@@ -417,14 +457,15 @@ _gnutls_handshake_verify_data (gnutls_session_t session,
gnutls_cert * cert,
_gnutls_hash (&td_md5, params->data, params->size);
}
- if (algo != GNUTLS_SIGN_UNKNOWN)
- hash_algo = _gnutls_sign_get_hash_algorithm (algo);
+ ret = get_hash_algo(session, cert, algo, &hash_algo);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
ret = _gnutls_hash_init (&td_sha, hash_algo);
if (ret < 0)
{
gnutls_assert ();
- if (!_gnutls_version_has_selectable_prf (ver))
+ if (!_gnutls_version_has_selectable_sighash (ver))
_gnutls_hash_deinit (&td_md5, NULL);
return ret;
}
@@ -435,7 +476,7 @@ _gnutls_handshake_verify_data (gnutls_session_t session,
gnutls_cert * cert,
GNUTLS_RANDOM_SIZE);
_gnutls_hash (&td_sha, params->data, params->size);
- if (!_gnutls_version_has_selectable_prf (ver))
+ if (!_gnutls_version_has_selectable_sighash (ver))
{
_gnutls_hash_deinit (&td_md5, concat);
_gnutls_hash_deinit (&td_sha, &concat[16]);
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index 7f463f7..2f90f01 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -59,6 +59,8 @@ void
_gnutls_session_cert_type_set (gnutls_session_t session,
gnutls_certificate_type_t ct)
{
+ _gnutls_handshake_log("HSK[%p]: Selected certificate type %s (%d)\n",
session,
+ gnutls_certificate_type_get_name(ct), ct);
session->security_parameters.cert_type = ct;
}
diff --git a/lib/includes/gnutls/compat.h b/lib/includes/gnutls/compat.h
index fed5795..bc8431d 100644
--- a/lib/includes/gnutls/compat.h
+++ b/lib/includes/gnutls/compat.h
@@ -266,4 +266,22 @@ gnutls_sign_callback_get (gnutls_session_t session, void
**userdata)
unsigned int flags)
_GNUTLS_GCC_ATTR_DEPRECATED;
+ /* functions to set priority of cipher suites
+ */
+ int gnutls_cipher_set_priority (gnutls_session_t session, const int *list)
+ _GNUTLS_GCC_ATTR_DEPRECATED;
+ int gnutls_mac_set_priority (gnutls_session_t session, const int *list)
+ _GNUTLS_GCC_ATTR_DEPRECATED;
+ int gnutls_compression_set_priority (gnutls_session_t session,
+ const int *list)
+ _GNUTLS_GCC_ATTR_DEPRECATED;
+ int gnutls_kx_set_priority (gnutls_session_t session, const int *list)
+ _GNUTLS_GCC_ATTR_DEPRECATED;
+ int gnutls_protocol_set_priority (gnutls_session_t session,
+ const int *list)
+ _GNUTLS_GCC_ATTR_DEPRECATED;
+ int gnutls_certificate_type_set_priority (gnutls_session_t session,
+ const int *list)
+ _GNUTLS_GCC_ATTR_DEPRECATED;
+
#endif /* _GNUTLS_COMPAT_H */
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 385d238..0a3ec6c 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -797,37 +797,6 @@ extern "C"
size_t seed_size, const char *seed,
size_t outsize, char *out);
-/* TLS Extensions */
-
- typedef int (*gnutls_ext_recv_func) (gnutls_session_t session,
- const unsigned char *data, size_t len);
- typedef int (*gnutls_ext_send_func) (gnutls_session_t session,
- unsigned char *data, size_t len);
-
- /**
- * gnutls_ext_parse_type_t:
- * @GNUTLS_EXT_NONE: Never parsed
- * @GNUTLS_EXT_ANY: Any extension type.
- * @GNUTLS_EXT_APPLICATION: Application extension.
- * @GNUTLS_EXT_TLS: TLS-internal extension.
- * @GNUTLS_EXT_MANDATORY: Extension parsed even if resuming (or extensions
are disabled).
- *
- * Enumeration of different TLS extension types. This flag
- * indicates for an extension whether it is useful to application
- * level or TLS level only. This is (only) used to parse the
- * application level extensions before the "client_hello" callback
- * is called.
- */
- typedef enum
- {
- GNUTLS_EXT_ANY = 0,
- GNUTLS_EXT_APPLICATION = 1,
- GNUTLS_EXT_TLS = 2,
- GNUTLS_EXT_MANDATORY = 3,
- GNUTLS_EXT_NONE = 4
- } gnutls_ext_parse_type_t;
-
-
/**
* gnutls_server_name_type_t:
* @GNUTLS_NAME_DNS: Domain Name System name type.
@@ -871,18 +840,6 @@ extern "C"
int gnutls_session_ticket_enable_server (gnutls_session_t session,
const gnutls_datum_t * key);
- /* functions to set priority of cipher suites
- */
- int gnutls_cipher_set_priority (gnutls_session_t session, const int *list);
- int gnutls_mac_set_priority (gnutls_session_t session, const int *list);
- int gnutls_compression_set_priority (gnutls_session_t session,
- const int *list);
- int gnutls_kx_set_priority (gnutls_session_t session, const int *list);
- int gnutls_protocol_set_priority (gnutls_session_t session,
- const int *list);
- int gnutls_certificate_type_set_priority (gnutls_session_t session,
- const int *list);
-
/* if you just want some defaults, use the following.
*/
int gnutls_priority_init (gnutls_priority_t * priority_cache,
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 001b9b2..6d37078 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -288,6 +288,7 @@ _wrap_nettle_pk_sign (gnutls_pk_algorithm_t algo,
if (vdata->size != _gnutls_hash_get_algo_len (hash))
{
gnutls_assert ();
+ _gnutls_debug_log("Asked to sign %d bytes with hash %s\n",
vdata->size, gnutls_mac_get_name(hash));
ret = GNUTLS_E_PK_SIGN_FAILED;
goto dsa_fail;
}
diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h
index d5842bc..11805d5 100644
--- a/lib/x509/x509_int.h
+++ b/lib/x509/x509_int.h
@@ -46,6 +46,7 @@
#define HASH_OID_MD5 "1.2.840.113549.2.5"
#define HASH_OID_MD2 "1.2.840.113549.2.2"
#define HASH_OID_RMD160 "1.3.36.3.2.1"
+#define HASH_OID_SHA224 "2.16.840.1.101.3.4.2.4"
#define HASH_OID_SHA256 "2.16.840.1.101.3.4.2.1"
#define HASH_OID_SHA384 "2.16.840.1.101.3.4.2.2"
#define HASH_OID_SHA512 "2.16.840.1.101.3.4.2.3"
diff --git a/src/cli.c b/src/cli.c
index 9ef43f9..1576b73 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -1292,7 +1292,8 @@ init_global_tls_stuff (void)
gnutls_strerror (ret));
}
}
- gnutls_psk_set_client_credentials_function (psk_cred, psk_callback);
+ else
+ gnutls_psk_set_client_credentials_function (psk_cred, psk_callback);
#endif
#ifdef ENABLE_ANON
diff --git a/tests/Makefile.am b/tests/Makefile.am
index b8adcfd..09c4052 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -68,7 +68,7 @@ openssl_LDADD = $(LDADD) ../libextra/libgnutls-openssl.la
endif
if ENABLE_OPENPGP
-ctests += openpgp-auth openpgp-keyring pgps2kgnu
+ctests += openpgp-auth openpgp-auth2 openpgp-keyring pgps2kgnu
openpgp_keyring_LDADD = $(LDADD) ../libextra/libgnutls-extra.la
endif
diff --git a/tests/anonself.c b/tests/anonself.c
index f110e18..134b88b 100644
--- a/tests/anonself.c
+++ b/tests/anonself.c
@@ -62,7 +62,6 @@ client (void)
char buffer[MAX_BUF + 1];
gnutls_anon_client_credentials_t anoncred;
/* Need to enable anonymous KX specifically. */
- const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };
gnutls_global_init ();
@@ -77,8 +76,7 @@ client (void)
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
- gnutls_set_default_priority (session);
- gnutls_kx_set_priority (session, kx_prio);
+ gnutls_priority_set_direct (session,
"NONE:+VERS-TLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL);
/* put the anonymous credentials to the current session
*/
@@ -164,15 +162,13 @@ static gnutls_session_t
initialize_tls_session (void)
{
gnutls_session_t session;
- const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };
gnutls_init (&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
- gnutls_set_default_priority (session);
- gnutls_kx_set_priority (session, kx_prio);
+ gnutls_priority_set_direct (session,
"NONE:+VERS-TLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);
diff --git a/tests/dhepskself.c b/tests/dhepskself.c
index 00bf679..9319624 100644
--- a/tests/dhepskself.c
+++ b/tests/dhepskself.c
@@ -66,8 +66,8 @@ client (void)
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
-// if (debug)
-// gnutls_global_set_log_level (99);
+ if (debug)
+ gnutls_global_set_log_level (5);
gnutls_psk_allocate_client_credentials (&pskcred);
gnutls_psk_set_client_credentials (pskcred, "test", &key,
@@ -78,7 +78,7 @@ client (void)
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
- gnutls_set_default_priority (session);
+ gnutls_priority_set_direct (session, "NORMAL:+DHE-PSK", NULL);
/* put the anonymous credentials to the current session
*/
@@ -162,7 +162,7 @@ initialize_tls_session (void)
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
- gnutls_set_default_priority (session);
+ gnutls_priority_set_direct(session, "NORMAL:+DHE-PSK", NULL);
gnutls_credentials_set (session, GNUTLS_CRD_PSK, server_pskcred);
diff --git a/tests/mini-eagain.c b/tests/mini-eagain.c
index 92c912a..9bb7e2c 100644
--- a/tests/mini-eagain.c
+++ b/tests/mini-eagain.c
@@ -161,7 +161,6 @@ doit (void)
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
/* Need to enable anonymous KX specifically. */
- const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };
char buffer[MAX_BUF + 1];
ssize_t ns;
int ret, transferred = 0, msglen;
@@ -178,8 +177,7 @@ doit (void)
gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM);
gnutls_anon_set_server_dh_params (s_anoncred, dh_params);
gnutls_init (&server, GNUTLS_SERVER);
- gnutls_set_default_priority (server);
- gnutls_kx_set_priority (server, kx_prio);
+ gnutls_priority_set_direct (server,
"NONE:+VERS-TLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL);
gnutls_credentials_set (server, GNUTLS_CRD_ANON, s_anoncred);
gnutls_dh_set_prime_bits (server, 1024);
gnutls_transport_set_push_function (server, server_push);
@@ -188,8 +186,7 @@ doit (void)
/* Init client */
gnutls_anon_allocate_client_credentials (&c_anoncred);
gnutls_init (&client, GNUTLS_CLIENT);
- gnutls_set_default_priority (client);
- gnutls_kx_set_priority (client, kx_prio);
+ gnutls_priority_set_direct (client,
"NONE:+VERS-TLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL);
gnutls_credentials_set (client, GNUTLS_CRD_ANON, c_anoncred);
gnutls_transport_set_push_function (client, client_push);
gnutls_transport_set_pull_function (client, client_pull);
diff --git a/tests/mini.c b/tests/mini.c
index 30678ec..21f7687 100644
--- a/tests/mini.c
+++ b/tests/mini.c
@@ -153,7 +153,6 @@ doit (void)
gnutls_session_t client;
int n, cret = GNUTLS_E_AGAIN;
/* Need to enable anonymous KX specifically. */
- const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };
char buffer[MAX_BUF + 1];
ssize_t ns;
int ret;
@@ -170,8 +169,7 @@ doit (void)
gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM);
gnutls_anon_set_server_dh_params (s_anoncred, dh_params);
gnutls_init (&server, GNUTLS_SERVER);
- gnutls_set_default_priority (server);
- gnutls_kx_set_priority (server, kx_prio);
+ gnutls_priority_set_direct (server,
"NONE:+VERS-TLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL);
gnutls_credentials_set (server, GNUTLS_CRD_ANON, s_anoncred);
gnutls_dh_set_prime_bits (server, 1024);
gnutls_transport_set_push_function (server, server_push);
@@ -180,8 +178,7 @@ doit (void)
/* Init client */
gnutls_anon_allocate_client_credentials (&c_anoncred);
gnutls_init (&client, GNUTLS_CLIENT);
- gnutls_set_default_priority (client);
- gnutls_kx_set_priority (client, kx_prio);
+ gnutls_priority_set_direct (client,
"NONE:+VERS-TLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL);
gnutls_credentials_set (client, GNUTLS_CRD_ANON, c_anoncred);
gnutls_transport_set_push_function (client, client_push);
gnutls_transport_set_pull_function (client, client_pull);
diff --git a/tests/openpgp-auth.c b/tests/openpgp-auth.c
index 77a1bfd..eed99c1 100644
--- a/tests/openpgp-auth.c
+++ b/tests/openpgp-auth.c
@@ -50,26 +50,6 @@ static const char *key_id = NULL
static const char rsa_params_file[] = "../guile/tests/rsa-parameters.pem";
-static const int protocols[] = { GNUTLS_TLS1_0, 0 };
-static const int cert_types[] = { GNUTLS_CRT_OPENPGP, 0 };
-
-static const int ciphers[] = {
- GNUTLS_CIPHER_NULL, GNUTLS_CIPHER_ARCFOUR,
- GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_AES_256_CBC,
- 0
-};
-
-static const int kx[] = {
- GNUTLS_KX_RSA, GNUTLS_KX_RSA_EXPORT,
- GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS,
- 0
-};
-
-static const int macs[] = {
- GNUTLS_MAC_SHA1, GNUTLS_MAC_RMD160, GNUTLS_MAC_MD5,
- 0
-};
-
static void
log_message (int level, const char *message)
{
@@ -133,7 +113,7 @@ doit ()
if (err != 0)
fail ("client session %d\n", err);
- gnutls_set_default_priority (session);
+ gnutls_priority_set_direct (session,
"NONE:+VERS-TLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+DHE-DSS:+CTYPE-OPENPGP",
NULL);
gnutls_transport_set_ptr (session,
(gnutls_transport_ptr_t) (intptr_t)
sockets[0]);
@@ -154,16 +134,11 @@ doit ()
if (err != 0)
fail ("client credential_set %d\n", err);
- gnutls_protocol_set_priority (session, protocols);
- gnutls_certificate_type_set_priority (session, cert_types);
- gnutls_cipher_set_priority (session, ciphers);
- gnutls_kx_set_priority (session, kx);
- gnutls_mac_set_priority (session, macs);
gnutls_dh_set_prime_bits (session, 1024);
err = gnutls_handshake (session);
if (err != 0)
- fail ("client handshake %d\n", err);
+ fail ("client handshake %s (%d) \n", gnutls_strerror(err), err);
else if (debug)
printf ("client handshake successful\n");
@@ -201,7 +176,7 @@ doit ()
if (err != 0)
fail ("server session %d\n", err);
- gnutls_set_default_priority (session);
+ gnutls_priority_set_direct (session,
"NONE:+VERS-TLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+DHE-DSS:+CTYPE-OPENPGP",
NULL);
gnutls_transport_set_ptr (session,
(gnutls_transport_ptr_t) (intptr_t)
sockets[1]);
@@ -250,16 +225,11 @@ doit ()
if (err != 0)
fail ("server credential_set %d\n", err);
- gnutls_protocol_set_priority (session, protocols);
- gnutls_certificate_type_set_priority (session, cert_types);
- gnutls_cipher_set_priority (session, ciphers);
- gnutls_kx_set_priority (session, kx);
- gnutls_mac_set_priority (session, macs);
gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUIRE);
err = gnutls_handshake (session);
if (err != 0)
- fail ("server handshake %d\n", err);
+ fail ("server handshake %s (%d) \n", gnutls_strerror(err), err);
received = gnutls_record_recv (session, greetings, sizeof (greetings));
if (received != sizeof (message)
@@ -269,7 +239,7 @@ doit ()
err = gnutls_bye (session, GNUTLS_SHUT_RDWR);
if (err != 0)
- fail ("server bye %d\n", err);
+ fail ("server bye %s (%d) \n", gnutls_strerror(err), err);
if (debug)
printf ("server done\n");
diff --git a/tests/openpgp-auth.c b/tests/openpgp-auth2.c
similarity index 86%
copy from tests/openpgp-auth.c
copy to tests/openpgp-auth2.c
index 77a1bfd..95c1712 100644
--- a/tests/openpgp-auth.c
+++ b/tests/openpgp-auth2.c
@@ -38,6 +38,11 @@
#include <errno.h>
#include <stdio.h>
+/* This is the same test as openpgp-auth but tests
+ * openpgp under the latest TLS protocol (TLSv1.2). In
+ * addition it tests DSS signatures under that.
+ */
+
static const char message[] = "Hello, brave GNU world!";
/* The OpenPGP key pair for use and the key ID in those keys. */
@@ -50,26 +55,6 @@ static const char *key_id = NULL
static const char rsa_params_file[] = "../guile/tests/rsa-parameters.pem";
-static const int protocols[] = { GNUTLS_TLS1_0, 0 };
-static const int cert_types[] = { GNUTLS_CRT_OPENPGP, 0 };
-
-static const int ciphers[] = {
- GNUTLS_CIPHER_NULL, GNUTLS_CIPHER_ARCFOUR,
- GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_AES_256_CBC,
- 0
-};
-
-static const int kx[] = {
- GNUTLS_KX_RSA, GNUTLS_KX_RSA_EXPORT,
- GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS,
- 0
-};
-
-static const int macs[] = {
- GNUTLS_MAC_SHA1, GNUTLS_MAC_RMD160, GNUTLS_MAC_MD5,
- 0
-};
-
static void
log_message (int level, const char *message)
{
@@ -133,7 +118,7 @@ doit ()
if (err != 0)
fail ("client session %d\n", err);
- gnutls_set_default_priority (session);
+ gnutls_priority_set_direct (session,
"NONE:+VERS-TLS1.2:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+DHE-DSS:+CTYPE-OPENPGP",
NULL);
gnutls_transport_set_ptr (session,
(gnutls_transport_ptr_t) (intptr_t)
sockets[0]);
@@ -154,16 +139,11 @@ doit ()
if (err != 0)
fail ("client credential_set %d\n", err);
- gnutls_protocol_set_priority (session, protocols);
- gnutls_certificate_type_set_priority (session, cert_types);
- gnutls_cipher_set_priority (session, ciphers);
- gnutls_kx_set_priority (session, kx);
- gnutls_mac_set_priority (session, macs);
gnutls_dh_set_prime_bits (session, 1024);
err = gnutls_handshake (session);
if (err != 0)
- fail ("client handshake %d\n", err);
+ fail ("client handshake %s (%d) \n", gnutls_strerror(err), err);
else if (debug)
printf ("client handshake successful\n");
@@ -201,7 +181,7 @@ doit ()
if (err != 0)
fail ("server session %d\n", err);
- gnutls_set_default_priority (session);
+ gnutls_priority_set_direct (session,
"NONE:+VERS-TLS1.2:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+DHE-DSS:+CTYPE-OPENPGP",
NULL);
gnutls_transport_set_ptr (session,
(gnutls_transport_ptr_t) (intptr_t)
sockets[1]);
@@ -250,16 +230,11 @@ doit ()
if (err != 0)
fail ("server credential_set %d\n", err);
- gnutls_protocol_set_priority (session, protocols);
- gnutls_certificate_type_set_priority (session, cert_types);
- gnutls_cipher_set_priority (session, ciphers);
- gnutls_kx_set_priority (session, kx);
- gnutls_mac_set_priority (session, macs);
gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUIRE);
err = gnutls_handshake (session);
if (err != 0)
- fail ("server handshake %d\n", err);
+ fail ("server handshake %s (%d) \n", gnutls_strerror(err), err);
received = gnutls_record_recv (session, greetings, sizeof (greetings));
if (received != sizeof (message)
@@ -269,7 +244,7 @@ doit ()
err = gnutls_bye (session, GNUTLS_SHUT_RDWR);
if (err != 0)
- fail ("server bye %d\n", err);
+ fail ("server bye %s (%d) \n", gnutls_strerror(err), err);
if (debug)
printf ("server done\n");
diff --git a/tests/pskself.c b/tests/pskself.c
index 36377c2..09001ff 100644
--- a/tests/pskself.c
+++ b/tests/pskself.c
@@ -55,7 +55,6 @@ client (void)
char buffer[MAX_BUF + 1];
gnutls_psk_client_credentials_t pskcred;
/* Need to enable anonymous KX specifically. */
- const int kx_prio[] = { GNUTLS_KX_PSK, 0 };
const gnutls_datum_t key = { (char *) "DEADBEEF", 8 };
gnutls_global_init ();
@@ -69,8 +68,7 @@ client (void)
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
- gnutls_set_default_priority (session);
- gnutls_kx_set_priority (session, kx_prio);
+ gnutls_priority_set_direct (session, "NORMAL:+PSK", NULL);
/* put the anonymous credentials to the current session
*/
@@ -150,15 +148,13 @@ static gnutls_session_t
initialize_tls_session (void)
{
gnutls_session_t session;
- const int kx_prio[] = { GNUTLS_KX_PSK, 0 };
gnutls_init (&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
- gnutls_set_default_priority (session);
- gnutls_kx_set_priority (session, kx_prio);
+ gnutls_priority_set_direct (session, "NORMAL:+PSK", NULL);
gnutls_credentials_set (session, GNUTLS_CRD_PSK, server_pskcred);
diff --git a/tests/resume.c b/tests/resume.c
index 835d432..f016c9a 100644
--- a/tests/resume.c
+++ b/tests/resume.c
@@ -91,7 +91,6 @@ client (struct params_res *params)
char buffer[MAX_BUF + 1];
gnutls_anon_client_credentials_t anoncred;
/* Need to enable anonymous KX specifically. */
- const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };
/* variables used in session resuming
*/
@@ -118,8 +117,7 @@ client (struct params_res *params)
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
- gnutls_set_default_priority (session);
- gnutls_kx_set_priority (session, kx_prio);
+ gnutls_priority_set_direct (session,
"NONE:+VERS-TLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL);
/* put the anonymous credentials to the current session
*/
@@ -243,15 +241,13 @@ static gnutls_session_t
initialize_tls_session (struct params_res *params)
{
gnutls_session_t session;
- const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };
gnutls_init (&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
- gnutls_set_default_priority (session);
- gnutls_kx_set_priority (session, kx_prio);
+ gnutls_priority_set_direct (session,
"NONE:+VERS-TLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-139-g262b701,
Nikos Mavrogiannopoulos <=