[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-211-g4faf7ee
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-211-g4faf7ee |
|
Date: |
Sun, 20 Feb 2011 16:01:51 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=4faf7eeb97f7c8bc56cf67b3d927183a9c36e35f
The branch, master has been updated
via 4faf7eeb97f7c8bc56cf67b3d927183a9c36e35f (commit)
via 547cb520766388f2a534da59a2195b1a109f9e5d (commit)
via b3cbd91f4583b0c4ada8dc9ba09dceab882e1b62 (commit)
via 9b385d3e93c6897744417a56da18086daedace56 (commit)
via c3508e2eef3379fcb0259faf05946157004082c4 (commit)
via fc0fc2908cd58326e38f69120ae8a06fd569025a (commit)
via fe04d60ee064bfd6ba550f1f6d6f9c1301d02c10 (commit)
via fa082d45c877727e1e7e2297228f7e6ee0b7f8b6 (commit)
via 2e23f36145196c332def2e68c8f5cfb009950726 (commit)
via 3acdfac30e451bf8737f6c4774cbf212b6149c3b (commit)
from 089391da55d232908b9cdbba7f27b0ccfea26cca (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 4faf7eeb97f7c8bc56cf67b3d927183a9c36e35f
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Feb 20 17:01:43 2011 +0100
skip replays in handshake packets.
commit 547cb520766388f2a534da59a2195b1a109f9e5d
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Feb 20 14:22:30 2011 +0100
Forbid SSL v.2 client hello in DTLS.
commit b3cbd91f4583b0c4ada8dc9ba09dceab882e1b62
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Feb 20 14:12:07 2011 +0100
removed unneeded variables.
commit 9b385d3e93c6897744417a56da18086daedace56
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Feb 20 14:06:39 2011 +0100
Cleanups in combination of DTLS and TLS buffers.
commit c3508e2eef3379fcb0259faf05946157004082c4
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Feb 20 12:23:16 2011 +0100
gnutls_x509_log replaced with gnutls_audit_log.
commit fc0fc2908cd58326e38f69120ae8a06fd569025a
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Feb 20 12:11:54 2011 +0100
Return a more precise mtu unit to applications.
commit fe04d60ee064bfd6ba550f1f6d6f9c1301d02c10
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Feb 20 12:11:52 2011 +0100
restart handshake on signals.
commit fa082d45c877727e1e7e2297228f7e6ee0b7f8b6
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Feb 20 11:10:14 2011 +0100
reference counting in epochs is being done using functions.
commit 2e23f36145196c332def2e68c8f5cfb009950726
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Feb 20 10:55:29 2011 +0100
Added gnutls_dtls_g/set_mtu() to allow setting and getting the DTLS mtu
from application.
commit 3acdfac30e451bf8737f6c4774cbf212b6149c3b
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Feb 20 10:38:33 2011 +0100
Combined DTLS buffers and normal TLS buffers.
-----------------------------------------------------------------------
Summary of changes:
lib/auth_dhe.c | 2 +-
lib/auth_rsa.c | 4 +-
lib/auth_rsa_export.c | 4 +-
lib/auth_srp.c | 2 +-
lib/gnutls_algorithms.c | 2 +-
lib/gnutls_algorithms.h | 2 +
lib/gnutls_buffers.c | 75 +++++++++++++------
lib/gnutls_buffers.h | 6 ++
lib/gnutls_cipher.c | 13 +++-
lib/gnutls_compress.c | 4 +-
lib/gnutls_constate.h | 30 ++++++++
lib/gnutls_dh_primes.c | 2 +-
lib/gnutls_dtls.c | 172 +++++++++++++++++++-------------------------
lib/gnutls_dtls.h | 7 --
lib/gnutls_errors.h | 12 ++--
lib/gnutls_handshake.c | 96 +++++++++++++++----------
lib/gnutls_int.h | 53 ++++++--------
lib/gnutls_mbuffers.c | 5 +-
lib/gnutls_num.c | 28 +++++---
lib/gnutls_record.c | 12 ++--
lib/gnutls_sig.c | 6 +-
lib/gnutls_state.c | 59 ++++++++++++++--
lib/gnutls_state.h | 2 +
lib/includes/gnutls/dtls.h | 3 +
lib/libgnutls.map | 2 +
lib/opencdk/main.h | 2 +-
lib/openpgp/pgp.c | 2 +-
lib/openpgp/pgpverify.c | 4 +-
lib/openpgp/privkey.c | 4 +-
lib/x509/common.c | 4 +-
lib/x509/dn.c | 6 +-
lib/x509/pkcs12.c | 12 ++--
lib/x509/pkcs7.c | 2 +-
lib/x509/privkey_pkcs8.c | 10 ++--
lib/x509/verify.c | 2 +-
lib/x509/x509_write.c | 2 +-
lib/x509_b64.c | 2 +-
src/udp-serv.c | 7 ++-
38 files changed, 393 insertions(+), 269 deletions(-)
diff --git a/lib/auth_dhe.c b/lib/auth_dhe.c
index fafef62..0180fee 100644
--- a/lib/auth_dhe.c
+++ b/lib/auth_dhe.c
@@ -253,7 +253,7 @@ proc_dhe_server_kx (gnutls_session_t session, opaque * data,
sign_algo = _gnutls_tls_aid_to_sign (&aid);
if (sign_algo == GNUTLS_SIGN_UNKNOWN)
{
- _gnutls_x509_log("unknown signature %d.%d\n", aid.sign_algorithm,
aid.hash_algorithm);
+ _gnutls_debug_log("unknown signature %d.%d\n", aid.sign_algorithm,
aid.hash_algorithm);
gnutls_assert ();
return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM;
}
diff --git a/lib/auth_rsa.c b/lib/auth_rsa.c
index 0ac5bae..a98b8ab 100644
--- a/lib/auth_rsa.c
+++ b/lib/auth_rsa.c
@@ -188,7 +188,7 @@ proc_rsa_client_kx (gnutls_session_t session, opaque * data,
* attack against pkcs-1 formating).
*/
gnutls_assert ();
- _gnutls_x509_log ("auth_rsa: Possible PKCS #1 format attack\n");
+ _gnutls_audit_log ("auth_rsa: Possible PKCS #1 format attack\n");
randomize_key = 1;
}
else
@@ -206,7 +206,7 @@ proc_rsa_client_kx (gnutls_session_t session, opaque * data,
* Ondej Pokorny and Tomas Rosa.
*/
gnutls_assert ();
- _gnutls_x509_log
+ _gnutls_audit_log
("auth_rsa: Possible PKCS #1 version check format attack\n");
}
}
diff --git a/lib/auth_rsa_export.c b/lib/auth_rsa_export.c
index 26a0449..1d109d3 100644
--- a/lib/auth_rsa_export.c
+++ b/lib/auth_rsa_export.c
@@ -174,7 +174,7 @@ proc_rsa_export_client_kx (gnutls_session_t session, opaque
* data,
* attack against pkcs-1 formating).
*/
gnutls_assert ();
- _gnutls_x509_log ("auth_rsa: Possible PKCS #1 format attack\n");
+ _gnutls_audit_log ("auth_rsa: Possible PKCS #1 format attack\n");
randomize_key = 1;
}
else
@@ -192,7 +192,7 @@ proc_rsa_export_client_kx (gnutls_session_t session, opaque
* data,
* Ondej Pokorny and Tomas Rosa.
*/
gnutls_assert ();
- _gnutls_x509_log
+ _gnutls_audit_log
("auth_rsa: Possible PKCS #1 version check format attack\n");
}
}
diff --git a/lib/auth_srp.c b/lib/auth_srp.c
index 5a46a7b..f5da4de 100644
--- a/lib/auth_srp.c
+++ b/lib/auth_srp.c
@@ -814,7 +814,7 @@ _gnutls_proc_srp_server_kx (gnutls_session_t session,
opaque * data,
*/
if ((ret = check_g_n (data_g, _n_g, data_n, _n_n)) < 0)
{
- _gnutls_x509_log ("Checking the SRP group parameters.\n");
+ _gnutls_audit_log ("SRP group parameters are not in the white list.
Checking validity.\n");
if ((ret = group_check_g_n (session, G, N)) < 0)
{
gnutls_assert ();
diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c
index 84fb118..f636f6a 100644
--- a/lib/gnutls_algorithms.c
+++ b/lib/gnutls_algorithms.c
@@ -2114,7 +2114,7 @@ _gnutls_x509_oid2sign_algorithm (const char *oid)
if (ret == 0)
{
- _gnutls_x509_log ("Unknown SIGN OID: '%s'\n", oid);
+ _gnutls_debug_log ("Unknown SIGN OID: '%s'\n", oid);
return GNUTLS_SIGN_UNKNOWN;
}
return ret;
diff --git a/lib/gnutls_algorithms.h b/lib/gnutls_algorithms.h
index 07cfd34..38e70bc 100644
--- a/lib/gnutls_algorithms.h
+++ b/lib/gnutls_algorithms.h
@@ -77,6 +77,8 @@ int _gnutls_cipher_algo_is_aead (gnutls_cipher_algorithm_t
algorithm);
int _gnutls_cipher_is_ok (gnutls_cipher_algorithm_t algorithm);
int _gnutls_cipher_get_iv_size (gnutls_cipher_algorithm_t algorithm);
int _gnutls_cipher_get_export_flag (gnutls_cipher_algorithm_t algorithm);
+/* at least for now iv_size == tag_size */
+#define _gnutls_cipher_get_tag_size _gnutls_cipher_get_iv_size
/* Functions for key exchange. */
int _gnutls_kx_needs_dh_params (gnutls_kx_algorithm_t algorithm);
diff --git a/lib/gnutls_buffers.c b/lib/gnutls_buffers.c
index 41b0244..0cd367f 100644
--- a/lib/gnutls_buffers.c
+++ b/lib/gnutls_buffers.c
@@ -57,7 +57,7 @@
#include <gnutls_state.h>
#include <gnutls_dtls.h>
#include <system.h>
-
+#include <gnutls_constate.h> /* gnutls_epoch_get */
#include <errno.h>
#ifndef EAGAIN
@@ -818,6 +818,7 @@ _gnutls_handshake_io_write_flush (gnutls_session_t session)
&session->internals.handshake_send_buffer;
gnutls_datum_t msg;
int ret;
+ uint16_t epoch;
ssize_t total = 0;
mbuffer_st *cur;
@@ -827,23 +828,27 @@ _gnutls_handshake_io_write_flush (gnutls_session_t
session)
if (IS_DTLS(session))
return _gnutls_dtls_transmit(session);
-
for (cur = _mbuffer_get_first (send_buffer, &msg);
cur != NULL; cur = _mbuffer_get_first (send_buffer, &msg))
{
+ epoch = cur->epoch;
+
ret = _gnutls_send_int (session, cur->type,
cur->htype,
- EPOCH_WRITE_CURRENT,
+ epoch,
msg.data, msg.size, 0);
if (ret >= 0)
{
- _mbuffer_remove_bytes (send_buffer, ret);
+ total += ret;
+
+ ret = _mbuffer_remove_bytes (send_buffer, ret);
+ if (ret == 1)
+ _gnutls_epoch_refcount_dec(session, epoch);
_gnutls_write_log ("HWRITE: wrote %d bytes, %d bytes left.\n",
ret, (int) send_buffer->byte_length);
- total += ret;
}
else
{
@@ -870,13 +875,17 @@ _gnutls_handshake_io_cache_int (gnutls_session_t session,
mbuffer_st * bufel)
{
mbuffer_head_st * send_buffer;
-
+
if (IS_DTLS(session))
- return _gnutls_dtls_handshake_enqueue(session, bufel, htype,
session->internals.dtls.hsk_write_seq-1);
+ {
+ bufel->sequence = session->internals.dtls.hsk_write_seq-1;
+ }
send_buffer =
&session->internals.handshake_send_buffer;
+ bufel->epoch = (uint16_t)_gnutls_epoch_refcount_inc(session,
EPOCH_WRITE_CURRENT);
+
bufel->htype = htype;
if (bufel->htype == GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC)
bufel->type = GNUTLS_CHANGE_CIPHER_SPEC;
@@ -886,8 +895,34 @@ _gnutls_handshake_io_cache_int (gnutls_session_t session,
_mbuffer_enqueue (send_buffer, bufel);
_gnutls_write_log
- ("HWRITE: enqueued %d. Total %d bytes.\n",
- (int) bufel->msg.size, (int) send_buffer->byte_length);
+ ("HWRITE: enqueued [%s] %d. Total %d bytes.\n",
+ _gnutls_handshake2str (bufel->htype), (int) bufel->msg.size, (int)
send_buffer->byte_length);
+
+ return 0;
+}
+
+/* Skips a handshake packet
+ */
+int
+_gnutls_handshake_io_recv_skip (gnutls_session_t session,
+ content_type_t type,
+ gnutls_handshake_description_t htype,
+ size_t ptr_size)
+{
+ opaque * ptr;
+ int ret;
+
+ if (ptr_size == 0) return 0;
+
+ ptr = gnutls_malloc(ptr_size);
+ if (ptr == NULL)
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+
+ ret = _gnutls_handshake_io_recv_int(session, type, htype, ptr, ptr_size);
+ gnutls_free(ptr);
+
+ if (ret < 0)
+ return gnutls_assert_val(ret);
return 0;
}
@@ -899,7 +934,7 @@ ssize_t
_gnutls_handshake_io_recv_int (gnutls_session_t session,
content_type_t type,
gnutls_handshake_description_t htype,
- void *iptr, size_t sizeOfPtr)
+ void *iptr, size_t ptr_size)
{
size_t left;
ssize_t i;
@@ -907,9 +942,9 @@ _gnutls_handshake_io_recv_int (gnutls_session_t session,
size_t dsize;
ptr = iptr;
- left = sizeOfPtr;
+ left = ptr_size;
- if (sizeOfPtr == 0 || iptr == NULL)
+ if (ptr_size == 0 || iptr == NULL)
{
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
@@ -920,31 +955,28 @@ _gnutls_handshake_io_recv_int (gnutls_session_t session,
size_t tmp;
/* if we have already received some data */
- if (sizeOfPtr <= session->internals.handshake_recv_buffer.length)
+ if (ptr_size <= session->internals.handshake_recv_buffer.length)
{
/* if requested less data then return it.
*/
gnutls_assert ();
- tmp = sizeOfPtr;
+ tmp = ptr_size;
_gnutls_buffer_pop_data (&session->internals.handshake_recv_buffer,
iptr, &tmp);
return tmp;
}
gnutls_assert ();
- tmp = sizeOfPtr;
+ tmp = ptr_size;
_gnutls_buffer_pop_data (&session->internals.handshake_recv_buffer,
iptr, &tmp);
left -= tmp;
-
- htype = session->internals.handshake_recv_buffer_htype;
- type = session->internals.handshake_recv_buffer_type;
}
while (left > 0)
{
- dsize = sizeOfPtr - left;
+ dsize = ptr_size - left;
i = _gnutls_recv_int (session, type, htype, &ptr[dsize], left);
if (i < 0)
{
@@ -955,9 +987,6 @@ _gnutls_handshake_io_recv_int (gnutls_session_t session,
_gnutls_buffer_append_data (&session->internals.
handshake_recv_buffer, iptr, dsize);
-
- session->internals.handshake_recv_buffer_htype = htype;
- session->internals.handshake_recv_buffer_type = type;
}
return i;
@@ -974,7 +1003,7 @@ _gnutls_handshake_io_recv_int (gnutls_session_t session,
session->internals.handshake_recv_buffer.length = 0;
- return sizeOfPtr - left;
+ return ptr_size - left;
}
/* Buffer for handshake packets. Keeps the packets in order
diff --git a/lib/gnutls_buffers.h b/lib/gnutls_buffers.h
index 37371ba..6e1b901 100644
--- a/lib/gnutls_buffers.h
+++ b/lib/gnutls_buffers.h
@@ -59,6 +59,12 @@ ssize_t _gnutls_handshake_io_recv_int (gnutls_session_t,
content_type_t,
int _gnutls_handshake_io_cache_int (gnutls_session_t,
gnutls_handshake_description_t,
mbuffer_st * bufel);
+int
+_gnutls_handshake_io_recv_skip (gnutls_session_t session,
+ content_type_t type,
+ gnutls_handshake_description_t htype,
+ size_t ptr_size);
+
ssize_t _gnutls_io_write_flush (gnutls_session_t session);
int
_gnutls_io_check_recv (gnutls_session_t session, void* data, size_t data_size,
unsigned int ms);
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index 0f569c3..5952813 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -187,7 +187,7 @@ _gnutls_decrypt (gnutls_session_t session, opaque *
ciphertext,
return ret;
}
- if (gtxt.size > MAX_RECORD_RECV_SIZE)
+ if (gtxt.size > MAX_RECORD_RECV_SIZE(session))
{
_gnutls_free_datum (>xt);
/* This shouldn't have happen and
@@ -197,7 +197,7 @@ _gnutls_decrypt (gnutls_session_t session, opaque *
ciphertext,
}
/* This check is not really needed */
- if (max_data_size < MAX_RECORD_RECV_SIZE)
+ if (max_data_size < MAX_RECORD_RECV_SIZE(session))
{
_gnutls_free_datum (>xt);
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
@@ -326,7 +326,14 @@ _gnutls_compressed2ciphertext (gnutls_session_t session,
int ver = gnutls_protocol_get_version (session);
int explicit_iv = _gnutls_version_has_explicit_iv
(session->security_parameters.version);
int auth_cipher = _gnutls_auth_cipher_is_aead(¶ms->write.cipher_state);
- int random_pad = (session->internals.priorities.no_padding == 0) ? 1 : 0;
+ int random_pad;
+
+ /* We don't use long padding if requested or if we are in DTLS.
+ */
+ if (session->internals.priorities.no_padding == 0 && (!IS_DTLS(session)))
+ random_pad = 1;
+ else
+ random_pad = 0;
_gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
session, gnutls_cipher_get_name(params->cipher_algorithm),
gnutls_mac_get_name(params->mac_algorithm),
diff --git a/lib/gnutls_compress.c b/lib/gnutls_compress.c
index 2520832..b0f67ce 100644
--- a/lib/gnutls_compress.c
+++ b/lib/gnutls_compress.c
@@ -48,7 +48,7 @@ _gnutls_m_plaintext2compressed (gnutls_session_t session,
size =
_gnutls_compress (params->write.compression_state,
plaintext->data, plaintext->size, &data,
- MAX_RECORD_SEND_SIZE + EXTRA_COMP_SIZE);
+ MAX_RECORD_SEND_SIZE(session) + EXTRA_COMP_SIZE);
if (size < 0)
{
gnutls_assert ();
@@ -72,7 +72,7 @@ _gnutls_m_compressed2plaintext (gnutls_session_t session,
size =
_gnutls_decompress (params->read.compression_state,
compressed->data, compressed->size, &data,
- MAX_RECORD_RECV_SIZE);
+ MAX_RECORD_RECV_SIZE(session));
if (size < 0)
{
gnutls_assert ();
diff --git a/lib/gnutls_constate.h b/lib/gnutls_constate.h
index aa1cad8..65b609d 100644
--- a/lib/gnutls_constate.h
+++ b/lib/gnutls_constate.h
@@ -47,4 +47,34 @@ void _gnutls_epoch_gc (gnutls_session_t session);
void _gnutls_epoch_free (gnutls_session_t session,
record_parameters_st * state);
+static inline int _gnutls_epoch_refcount_inc(gnutls_session_t session, int
epoch)
+{
+ record_parameters_st * params;
+ int ret;
+
+ ret = _gnutls_epoch_get( session, epoch, ¶ms);
+ if (ret < 0)
+ return ret;
+
+ params->usage_cnt++;
+
+ return params->epoch;
+}
+
+static inline int _gnutls_epoch_refcount_dec(gnutls_session_t session,
uint16_t epoch)
+{
+ record_parameters_st * params;
+ int ret;
+
+ ret = _gnutls_epoch_get( session, epoch, ¶ms);
+ if (ret < 0)
+ return ret;
+
+ params->usage_cnt--;
+ if (params->usage_cnt < 0)
+ return GNUTLS_E_INTERNAL_ERROR;
+
+ return 0;
+}
+
#endif
diff --git a/lib/gnutls_dh_primes.c b/lib/gnutls_dh_primes.c
index c85d9db..091388e 100644
--- a/lib/gnutls_dh_primes.c
+++ b/lib/gnutls_dh_primes.c
@@ -280,7 +280,7 @@ gnutls_dh_params_import_pkcs3 (gnutls_dh_params_t params,
{
/* couldn't decode DER */
- _gnutls_x509_log ("DHParams: Decoding error %d\n", result);
+ _gnutls_debug_log ("DHParams: Decoding error %d\n", result);
gnutls_assert ();
asn1_delete_structure (&c2);
return _gnutls_asn2err (result);
diff --git a/lib/gnutls_dtls.c b/lib/gnutls_dtls.c
index fdb8479..1f3d9bd 100644
--- a/lib/gnutls_dtls.c
+++ b/lib/gnutls_dtls.c
@@ -33,90 +33,53 @@
#include <gnutls_mbuffers.h>
#include <gnutls_buffers.h>
#include <gnutls_constate.h>
+#include <gnutls_state.h>
#include <gnutls/dtls.h>
-/* This function is called once a handshake message is ready to be
- * queued in the next outgoing flight. The actual transmission occurs
- * in _gnutls_dtls_transmit.
- *
- * This function is called from the handshake layer.
- */
-int
-_gnutls_dtls_handshake_enqueue (gnutls_session_t session,
- mbuffer_st* bufel,
- gnutls_handshake_description_t type,
- uint16_t sequence)
-{
- dtls_hsk_retransmit_buffer *msg;
- record_parameters_st * params;
- int ret;
-
- ret = _gnutls_epoch_get( session, EPOCH_WRITE_CURRENT, ¶ms);
- if (ret < 0)
- return gnutls_assert_val(ret);
-
- msg = gnutls_malloc (sizeof(dtls_hsk_retransmit_buffer));
- if (msg == NULL)
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-
- msg->bufel = bufel;
-
- msg->next = NULL;
-
- msg->epoch = params->epoch;
- msg->type = type;
- msg->sequence = sequence;
-
- params->usage_cnt++;
-
- _gnutls_dtls_log ("DTLS[%p]: Enqueued Packet[%u] %s(%d) with length: %u on
epoch %d\n",
- session, (uint)sequence, _gnutls_handshake2str (type),
- type, msg->bufel->msg.size, msg->epoch);
-
- *(session->internals.dtls.retransmit_end) = msg;
- session->internals.dtls.retransmit_end = &msg->next;
-
- return 0;
-}
/* This function fragments and transmits a previously buffered
* outgoing message. */
static inline int
transmit_message (gnutls_session_t session,
- dtls_hsk_retransmit_buffer *msg)
+ mbuffer_st *bufel)
{
opaque *data, *mtu_data;
int ret = 0;
unsigned int offset, frag_len, data_size;
- const uint mtu = session->internals.dtls.hsk_mtu;
+ const uint mtu = session->internals.dtls.mtu;
- if (msg->type == GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC)
+ if (bufel->type == GNUTLS_CHANGE_CIPHER_SPEC)
{
- ret = _gnutls_send_int (session, GNUTLS_CHANGE_CIPHER_SPEC, -1,
- msg->epoch,
- _mbuffer_get_uhead_ptr(msg->bufel),
- _mbuffer_get_uhead_size(msg->bufel), 0);
- goto leave_epoch;
+ _gnutls_dtls_log ("DTLS[%p]: Sending Packet[%u] fragment %s(%d) with "
+ "length: %u, offset: %u, fragment length: %u\n",
+ session, bufel->sequence,
+ _gnutls_handshake2str (bufel->htype),
+ bufel->htype, data_size, offset, frag_len);
+
+ return _gnutls_send_int (session, bufel->type, -1,
+ bufel->epoch,
+ _mbuffer_get_uhead_ptr(bufel),
+ _mbuffer_get_uhead_size(bufel), 0);
}
mtu_data = gnutls_malloc(mtu + DTLS_HANDSHAKE_HEADER_SIZE);
if (mtu_data == NULL)
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
- data = _mbuffer_get_udata_ptr( msg->bufel);
- data_size = _mbuffer_get_udata_size(msg->bufel);
+ data = _mbuffer_get_udata_ptr( bufel);
+ data_size = _mbuffer_get_udata_size(bufel);
/* Write fixed headers
*/
/* Handshake type */
- mtu_data[0] = (uint8_t) msg->type;
+ mtu_data[0] = (uint8_t) bufel->htype;
/* Total length */
_gnutls_write_uint24 (data_size, &mtu_data[1]);
/* Handshake sequence */
- _gnutls_write_uint16 (msg->sequence, &mtu_data[4]);
+ _gnutls_write_uint16 (bufel->sequence, &mtu_data[4]);
/* Chop up and send handshake message into mtu-size pieces. */
for (offset=0; offset <= data_size; offset += mtu)
@@ -133,46 +96,44 @@ transmit_message (gnutls_session_t session,
/* Fragment length */
_gnutls_write_uint24 (frag_len, &mtu_data[9]);
-
memcpy (&mtu_data[12], data+offset, frag_len);
_gnutls_dtls_log ("DTLS[%p]: Sending Packet[%u] fragment %s(%d) with "
"length: %u, offset: %u, fragment length: %u\n",
- session, msg->sequence,
- _gnutls_handshake2str (msg->type),
- msg->type, data_size, offset, frag_len);
+ session, bufel->sequence,
+ _gnutls_handshake2str (bufel->htype),
+ bufel->htype, data_size, offset, frag_len);
/* FIXME: We should collaborate with the record layer to pack as
* many records possible into a single datagram. We should also
* tell the record layer which epoch to use for encryption.
*/
- ret = _gnutls_send_int (session, GNUTLS_HANDSHAKE, msg->type, msg->epoch,
- mtu_data, DTLS_HANDSHAKE_HEADER_SIZE + frag_len, 0);
+ ret = _gnutls_send_int (session, bufel->type, bufel->htype,
+ bufel->epoch, mtu_data, DTLS_HANDSHAKE_HEADER_SIZE + frag_len, 0);
if (ret < 0)
break;
}
gnutls_free (mtu_data);
-leave_epoch:
return ret;
}
static int drop_usage_count(gnutls_session_t session)
{
- dtls_hsk_retransmit_buffer *msg;
- record_parameters_st * params;
int ret;
+ mbuffer_head_st *const send_buffer =
+ &session->internals.handshake_send_buffer;
+ mbuffer_st *cur;
- for (msg = session->internals.dtls.retransmit; msg != NULL; msg = msg->next)
+ for (cur = send_buffer->head;
+ cur != NULL; cur = cur->next)
{
- ret = _gnutls_epoch_get( session, msg->epoch, ¶ms);
+ ret = _gnutls_epoch_refcount_dec(session, cur->epoch);
if (ret < 0)
return gnutls_assert_val(ret);
- params->usage_cnt--;
- if (params->usage_cnt < 0)
- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
}
+
return 0;
}
@@ -188,7 +149,9 @@ _gnutls_dtls_transmit (gnutls_session_t session)
int ret;
/* PREPARING -> SENDING state transition */
- dtls_hsk_retransmit_buffer *msg;
+ mbuffer_head_st *const send_buffer =
+ &session->internals.handshake_send_buffer;
+ mbuffer_st *cur;
unsigned int total_timeout = 0;
gnutls_handshake_description_t last_type = 0;
@@ -196,10 +159,11 @@ int ret;
{
_gnutls_dtls_log ("DTLS[%p]: Start of flight transmission.\n", session);
- for (msg = session->internals.dtls.retransmit; msg != NULL; msg =
msg->next)
+ for (cur = send_buffer->head;
+ cur != NULL; cur = cur->next)
{
- transmit_message (session, msg);
- last_type = msg->type;
+ transmit_message (session, cur);
+ last_type = cur->htype;
}
ret = _gnutls_io_write_flush (session);
@@ -207,8 +171,9 @@ int ret;
return gnutls_assert_val(ret);
/* last message in handshake -> no ack */
- if (session->security_parameters.entity == GNUTLS_SERVER &&
- last_type == GNUTLS_HANDSHAKE_FINISHED)
+ if (last_type == GNUTLS_HANDSHAKE_FINISHED &&
+ ((session->security_parameters.entity == GNUTLS_SERVER &&
session->internals.resumed == RESUME_FALSE) ||
+ (session->security_parameters.entity == GNUTLS_CLIENT &&
session->internals.resumed == RESUME_TRUE)))
{
opaque c;
ret = _gnutls_io_check_recv(session, &c, 1,
session->internals.dtls.retrans_timeout);
@@ -244,33 +209,12 @@ int ret;
cleanup:
drop_usage_count(session);
- _gnutls_dtls_clear_outgoing_buffer (session);
+ _mbuffer_clear(send_buffer);
/* SENDING -> WAITING state transition */
return ret;
}
-/* This function clears the outgoing flight buffer. */
-void
-_gnutls_dtls_clear_outgoing_buffer (gnutls_session_t session)
-{
- dtls_hsk_retransmit_buffer *msg, *next;
-
- _gnutls_dtls_log ("DTLS[%p]: Clearing outgoing buffer.\n", session);
-
- for (msg = session->internals.dtls.retransmit; msg != NULL;)
- {
- next = msg->next;
-
- _mbuffer_xfree(&msg->bufel);
- gnutls_free (msg);
-
- msg = next;
- }
-
- session->internals.dtls.retransmit_end = &session->internals.dtls.retransmit;
- session->internals.dtls.retransmit = NULL;
-}
/**
* gnutls_dtls_set_timeouts:
@@ -294,3 +238,37 @@ void gnutls_dtls_set_timeouts (gnutls_session_t session,
unsigned int retrans_ti
session->internals.dtls.retrans_timeout = retrans_timeout;
session->internals.dtls.total_timeout = total_timeout;
}
+
+/**
+ * gnutls_dtls_set_mtu:
+ * @session: is a #gnutls_session_t structure.
+ * @mtu: The maximum transfer unit of the interface
+ *
+ * This function will set the maximum transfer unit of the interface
+ * that DTLS packets are expected to leave from.
+ *
+ **/
+void gnutls_dtls_set_mtu (gnutls_session_t session, unsigned int mtu)
+{
+ session->internals.dtls.mtu = mtu;
+}
+
+/**
+ * gnutls_dtls_get_mtu:
+ * @session: is a #gnutls_session_t structure.
+ *
+ * This function will return the actual maximum transfer unit for
+ * application data. I.e. DTLS headers are subtracted from the
+ * actual MTU.
+ *
+ **/
+unsigned int gnutls_dtls_get_mtu (gnutls_session_t session)
+{
+int ret;
+
+ ret = _gnutls_record_overhead_rt(session);
+ if (ret >= 0)
+ return session->internals.dtls.mtu - ret;
+ else
+ return session->internals.dtls.mtu - RECORD_HEADER_SIZE(session);
+}
diff --git a/lib/gnutls_dtls.h b/lib/gnutls_dtls.h
index 80958dd..d3a4870 100644
--- a/lib/gnutls_dtls.h
+++ b/lib/gnutls_dtls.h
@@ -27,13 +27,6 @@
#include "gnutls_int.h"
-int
-_gnutls_dtls_handshake_enqueue (gnutls_session_t session,
- mbuffer_st* bufel,
- gnutls_handshake_description_t type,
- uint16_t sequence);
-
int _gnutls_dtls_transmit(gnutls_session_t session);
-void _gnutls_dtls_clear_outgoing_buffer(gnutls_session_t session);
#endif
diff --git a/lib/gnutls_errors.h b/lib/gnutls_errors.h
index 1af2517..2138555 100644
--- a/lib/gnutls_errors.h
+++ b/lib/gnutls_errors.h
@@ -50,7 +50,7 @@ _gnutls_log (int, const char *fmt, ...)
;
#endif
- void _gnutls_mpi_log (const char *prefix, bigint_t a);
+void _gnutls_mpi_log (const char *prefix, bigint_t a);
#ifdef C99_MACROS
#define LEVEL(l, ...) do { if (_gnutls_log_level >= l || _gnutls_log_level >
9) \
@@ -68,7 +68,7 @@ _gnutls_log (int, const char *fmt, ...)
#define _gnutls_dtls_log(...) LEVEL(6, __VA_ARGS__)
#define _gnutls_read_log(...) LEVEL_EQ(7, __VA_ARGS__)
#define _gnutls_write_log(...) LEVEL_EQ(7, __VA_ARGS__)
-#define _gnutls_x509_log(...) LEVEL(1, __VA_ARGS__)
+#define _gnutls_audit_log(...) LEVEL(1, __VA_ARGS__)
#else
#define _gnutls_debug_log _gnutls_null_log
#define _gnutls_handshake_log _gnutls_null_log
@@ -79,9 +79,9 @@ _gnutls_log (int, const char *fmt, ...)
#define _gnutls_dtls_log _gnutls_null_log
#define _gnutls_read_log _gnutls_null_log
#define _gnutls_write_log _gnutls_null_log
-#define _gnutls_x509_log _gnutls_null_log
+#define _gnutls_audit_log _gnutls_null_log
- void _gnutls_null_log (void *, ...);
+void _gnutls_null_log (void *, ...);
#endif /* C99_MACROS */
@@ -89,11 +89,11 @@ _gnutls_log (int, const char *fmt, ...)
otherwise. Making this a macro has been tried, but it interacts
badly with the do..while in the expansion. Welcome to the dark
side. */
- static inline
+static inline
#ifdef __GNUC__
__attribute__ ((always_inline))
#endif
- int gnutls_assert_val_int (int val, const char *file, int line)
+int gnutls_assert_val_int (int val, const char *file, int line)
{
_gnutls_debug_log ("ASSERT: %s:%d\n", file, line);
return val;
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 454232b..2d0aec7 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -1226,10 +1226,10 @@ _gnutls_send_handshake (gnutls_session_t session,
mbuffer_st * bufel,
{
_gnutls_handshake_hash_buffers_clear (session);
if ((ret = _gnutls_handshake_hash_init (session)) < 0)
- {
- gnutls_assert ();
- return ret;
- }
+ {
+ gnutls_assert ();
+ return ret;
+ }
}
/* Here we keep the handshake messages in order to hash them...
@@ -1279,6 +1279,11 @@ _gnutls_send_handshake (gnutls_session_t session,
mbuffer_st * bufel,
return ret;
}
+#define _gnutls_handshake_header_buffer_clear( session)
session->internals.handshake_header_buffer.header_size = 0; \
+ session->internals.handshake_header_buffer.sequence = -1; \
+ session->internals.handshake_header_buffer.frag_offset = 0; \
+ session->internals.handshake_header_buffer.frag_length = 0
+
/* This function will read the handshake header and return it to the caller.
If the
* received handshake packet is not the one expected then it buffers the
header, and
* returns UNEXPECTED_HANDSHAKE_PACKET.
@@ -1381,6 +1386,14 @@ _gnutls_recv_handshake_header (gnutls_session_t session,
length32 = _gnutls_read_uint24 (&dataptr[1]);
handshake_header_size = HANDSHAKE_HEADER_SIZE(session);
+ if (IS_DTLS(session))
+ {
+ session->internals.handshake_header_buffer.sequence =
_gnutls_read_uint16 (&dataptr[4]);
+ session->internals.handshake_header_buffer.frag_offset =
_gnutls_read_uint24 (&dataptr[6]);
+ session->internals.handshake_header_buffer.frag_length =
_gnutls_read_uint24 (&dataptr[9]);
+ }
+
+
_gnutls_handshake_log ("HSK[%p]: %s was received [%ld bytes]\n",
session, _gnutls_handshake2str (dataptr[0]),
(long int) (length32 +
HANDSHAKE_HEADER_SIZE(session)));
@@ -1398,7 +1411,10 @@ _gnutls_recv_handshake_header (gnutls_session_t session,
session, _gnutls_handshake2str (*recv_type),
(long int) (length32 + handshake_header_size));
- if (*recv_type != GNUTLS_HANDSHAKE_CLIENT_HELLO)
+ /* The IS_DTLS() check is redundant since the record layer will
+ * prevent us from reaching here.
+ */
+ if (IS_DTLS(session) || *recv_type != GNUTLS_HANDSHAKE_CLIENT_HELLO)
{ /* it should be one or nothing */
gnutls_assert ();
return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
@@ -1411,11 +1427,26 @@ _gnutls_recv_handshake_header (gnutls_session_t session,
session->internals.handshake_header_buffer.packet_length = length32;
session->internals.handshake_header_buffer.recv_type = *recv_type;
- if (_gnutls_is_dtls (session)
- && type == GNUTLS_HANDSHAKE_SERVER_HELLO
- && *recv_type == GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST)
- return length32;
- else if (*recv_type != type)
+ if (IS_DTLS(session))
+ {
+ if ((int)session->internals.handshake_header_buffer.sequence <=
session->internals.dtls.hsk_read_seq)
+ {
+ _gnutls_audit_log("Dropping replayed handshake packet with sequence
%d\n", session->internals.handshake_header_buffer.sequence);
+ ret = _gnutls_handshake_io_recv_skip(session, GNUTLS_HANDSHAKE,
*recv_type, length32);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ _gnutls_handshake_header_buffer_clear (session);
+ return GNUTLS_E_AGAIN;
+ }
+ session->internals.dtls.hsk_read_seq =
session->internals.handshake_header_buffer.sequence;
+
+ if (type == GNUTLS_HANDSHAKE_SERVER_HELLO
+ && *recv_type == GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST)
+ return length32;
+ }
+
+ if (*recv_type != type)
{
_gnutls_handshake_log ("HSK[%p]: %s was received, expected %s\n",
session, _gnutls_handshake2str (*recv_type),
@@ -1427,10 +1458,6 @@ _gnutls_recv_handshake_header (gnutls_session_t session,
return length32;
}
-#define _gnutls_handshake_header_buffer_clear( session)
session->internals.handshake_header_buffer.header_size = 0
-
-
-
/* This function will hash the handshake headers and the
* handshake data.
*/
@@ -1501,7 +1528,6 @@ _gnutls_recv_handshake (gnutls_session_t session, uint8_t
** data,
ret = _gnutls_recv_handshake_header (session, type, &recv_type);
if (ret < 0)
{
-
if (ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
&& optional == OPTIONAL_PACKET)
{
@@ -1553,7 +1579,6 @@ _gnutls_recv_handshake (gnutls_session_t session, uint8_t
** data,
if (data != NULL && length32 > 0)
*data = dataptr;
-
ret = _gnutls_handshake_hash_add_recvd (session, recv_type,
session->
internals.handshake_header_buffer.
@@ -2115,9 +2140,9 @@ _gnutls_send_client_hello (gnutls_session_t session, int
again)
if (again == 0)
{
if(_gnutls_is_dtls(session))
- {
- cookie_len = session->internals.dtls.cookie_len + 1;
- }
+ {
+ cookie_len = session->internals.dtls.cookie_len + 1;
+ }
else
{
cookie_len = 0;
@@ -2185,15 +2210,15 @@ _gnutls_send_client_hello (gnutls_session_t session,
int again)
/* Generate random data
*/
if (!_gnutls_is_dtls (session)
- || session->internals.dtls.hsk_hello_verify_requests == 0)
- {
- _gnutls_tls_create_random (rnd);
- _gnutls_set_client_random (session, rnd);
+ || session->internals.dtls.hsk_hello_verify_requests == 0)
+ {
+ _gnutls_tls_create_random (rnd);
+ _gnutls_set_client_random (session, rnd);
- memcpy (&data[pos], rnd, GNUTLS_RANDOM_SIZE);
- }
+ memcpy (&data[pos], rnd, GNUTLS_RANDOM_SIZE);
+ }
else
- memcpy (&data[pos], session->security_parameters.client_random,
GNUTLS_RANDOM_SIZE);
+ memcpy (&data[pos], session->security_parameters.client_random,
GNUTLS_RANDOM_SIZE);
pos += GNUTLS_RANDOM_SIZE;
@@ -2212,11 +2237,11 @@ _gnutls_send_client_hello (gnutls_session_t session,
int again)
/* Copy the DTLS cookie
*/
if (_gnutls_is_dtls(session))
- {
- data[pos++] = session->internals.dtls.cookie_len;
- memcpy(&data[pos], &session->internals.dtls.cookie,
session->internals.dtls.cookie_len);
- pos += session->internals.dtls.cookie_len;
- }
+ {
+ data[pos++] = session->internals.dtls.cookie_len;
+ memcpy(&data[pos], &session->internals.dtls.cookie,
session->internals.dtls.cookie_len);
+ pos += session->internals.dtls.cookie_len;
+ }
/* Copy the ciphersuites.
*
@@ -3007,13 +3032,6 @@ send_change_cipher_spec (gnutls_session_t session, int
again)
return gnutls_assert_val(ret);
}
- if (!IS_DTLS(session)) /* remove once combined */
- {
- ret = _gnutls_handshake_io_write_flush (session);
- if (ret < 0)
- return gnutls_assert_val(ret);
- }
-
_gnutls_handshake_log ("REC[%p]: Sent ChangeCipherSpec\n", session);
}
@@ -3515,7 +3533,7 @@ _gnutls_remove_unwanted_ciphersuites (gnutls_session_t
session,
if (ret < 0)
{
gnutls_assert ();
- _gnutls_x509_log ("Could not find an appropriate certificate: %s\n",
+ _gnutls_debug_log ("Could not find an appropriate certificate: %s\n",
gnutls_strerror (ret));
cert_cred = NULL;
}
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index d3da01d..47978e6 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -154,12 +154,13 @@ typedef enum transport_t
#define RECORD_HEADER_SIZE(session) (IS_DTLS(session) ?
DTLS_RECORD_HEADER_SIZE : TLS_RECORD_HEADER_SIZE)
#define MAX_RECORD_HEADER_SIZE DTLS_RECORD_HEADER_SIZE
-#define MAX_RECORD_SEND_SIZE
(size_t)session->security_parameters.max_record_send_size
-#define MAX_RECORD_RECV_SIZE
(size_t)session->security_parameters.max_record_recv_size
+#define MAX_RECORD_SEND_SIZE(session)
(IS_DTLS(session)?((size_t)session->internals.dtls.mtu-DTLS_RECORD_HEADER_SIZE):(size_t)session->security_parameters.max_record_send_size)
+#define MAX_RECORD_RECV_SIZE(session)
((size_t)session->security_parameters.max_record_recv_size)
#define MAX_PAD_SIZE 255
#define EXTRA_COMP_SIZE 2048
-#define MAX_RECORD_OVERHEAD
(MAX_CIPHER_BLOCK_SIZE/*iv*/+MAX_PAD_SIZE+EXTRA_COMP_SIZE)
-#define MAX_RECV_SIZE(session)
(MAX_RECORD_OVERHEAD+MAX_RECORD_RECV_SIZE+RECORD_HEADER_SIZE(session))
+#define MAX_RECORD_OVERHEAD
(MAX_CIPHER_BLOCK_SIZE/*iv*/+MAX_PAD_SIZE+EXTRA_COMP_SIZE+MAX_HASH_SIZE/*MAC*/)
+#define MAX_RECORD_OVERHEAD_RT(session)
(2*MAX_CIPHER_BLOCK_SIZE/*iv+pad*/+MAX_HASH_SIZE)
+#define MAX_RECV_SIZE(session)
(MAX_RECORD_OVERHEAD+MAX_RECORD_RECV_SIZE(session)+RECORD_HEADER_SIZE(session))
#define TLS_HANDSHAKE_HEADER_SIZE 4
#define DTLS_HANDSHAKE_HEADER_SIZE (TLS_HANDSHAKE_HEADER_SIZE+8)
@@ -265,8 +266,15 @@ typedef struct mbuffer_st
unsigned int user_mark; /* only used during fill in */
size_t maximum_size;
- gnutls_handshake_description_t htype;
+ /* record layer content type */
content_type_t type;
+
+ /* Record layer epoch of message */
+ uint16_t epoch;
+
+ /* Handshake layer type and sequence of message */
+ gnutls_handshake_description_t htype;
+ uint16_t sequence;
} mbuffer_st;
typedef struct mbuffer_head_st
@@ -278,25 +286,6 @@ typedef struct mbuffer_head_st
size_t byte_length;
} mbuffer_head_st;
-/* This is a linked list used to buffer the next flight of outgoing
- handshake messages. Messages are queued whole; they are fragmented
- dynamically on transmit. */
-typedef struct dtls_hsk_retransmit_buffer
-{
- struct dtls_hsk_retransmit_buffer *next;
-
- /* The actual handshake message */
- mbuffer_st* bufel;
-
- /* Record layer epoch of message */
- uint16_t epoch;
-
- /* Handshake layer type and sequence of message */
- gnutls_handshake_description_t type;
- uint16_t sequence;
-} dtls_hsk_retransmit_buffer;
-
-
typedef enum
{
HANDSHAKE_MAC_TYPE_10 = 1, /* TLS 1.0 style */
@@ -562,16 +551,12 @@ typedef struct
/* For DTLS handshake fragmentation and reassembly. */
uint16_t hsk_write_seq;
- uint16_t hsk_read_seq;
- uint16_t hsk_mtu;
+ int hsk_read_seq;
+ uint16_t mtu;
unsigned int retrans_timeout;
unsigned int total_timeout;
- /* Head of the next outgoing flight. */
- dtls_hsk_retransmit_buffer *retransmit;
- dtls_hsk_retransmit_buffer **retransmit_end;
-
unsigned int hsk_hello_verify_requests;
} dtls_st;
@@ -584,6 +569,11 @@ typedef struct
/* this holds the length of the handshake packet */
size_t packet_length;
gnutls_handshake_description_t recv_type;
+
+ /* DTLS fields */
+ uint16_t sequence;
+ size_t frag_offset;
+ size_t frag_length;
} handshake_header_buffer_st;
typedef union
@@ -654,8 +644,6 @@ typedef struct
* protocol only. freed using _gnutls_handshake_io_buffer_clear();
*/
mbuffer_head_st handshake_send_buffer;
- content_type_t handshake_recv_buffer_type;
- gnutls_handshake_description_t handshake_recv_buffer_htype;
gnutls_buffer_st handshake_recv_buffer;
/* this buffer holds a record packet -mostly used for
@@ -816,6 +804,7 @@ typedef struct
*/
uint16_t srp_prime_bits;
+ /* A handshake process has been completed */
int initial_negotiation_completed:1;
struct
diff --git a/lib/gnutls_mbuffers.c b/lib/gnutls_mbuffers.c
index a12f640..b964771 100644
--- a/lib/gnutls_mbuffers.c
+++ b/lib/gnutls_mbuffers.c
@@ -176,7 +176,8 @@ remove_front (mbuffer_head_st * buf)
*
* Useful for uses that treat the buffer as a simple array of bytes.
*
- * Returns 0 on success or an error code otherwise.
+ * If more than one mbuffer_st have been removed it
+ * returns 1, 0 otherwise and an error code on error.
*
* Cost: O(n)
* n: Number of segments needed to remove the specified amount of data.
@@ -186,6 +187,7 @@ _mbuffer_remove_bytes (mbuffer_head_st * buf, size_t bytes)
{
size_t left = bytes;
mbuffer_st *bufel, *next;
+ int ret = 0;
if (bytes > buf->byte_length)
{
@@ -201,6 +203,7 @@ _mbuffer_remove_bytes (mbuffer_head_st * buf, size_t bytes)
{
left -= (bufel->msg.size - bufel->mark);
remove_front (buf);
+ ret = 1;
}
else
{
diff --git a/lib/gnutls_num.c b/lib/gnutls_num.c
index 2528447..2e5c049 100644
--- a/lib/gnutls_num.c
+++ b/lib/gnutls_num.c
@@ -69,15 +69,25 @@ _gnutls_uint64pp (uint64 * x)
int
_gnutls_uint48pp (uint64 * x)
{
- int ret;
-
- ret = _gnutls_uint64pp(x);
- if (ret != 0)
- return ret;
-
- if (x->i[6] != 0)
- return -1;
-
+ register int i, y = 0;
+
+ for (i = 5; i >= 0; i--)
+ {
+ y = 0;
+ if (x->i[i] == 0xff)
+ {
+ x->i[i] = 0;
+ y = 1;
+ }
+ else
+ x->i[i]++;
+
+ if (y == 0)
+ break;
+ }
+ if (y != 0)
+ return -1; /* over 48 bits */
+
return 0;
}
diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c
index d1ba96a..950579a 100644
--- a/lib/gnutls_record.c
+++ b/lib/gnutls_record.c
@@ -431,8 +431,8 @@ _gnutls_send_int (gnutls_session_t session, content_type_t
type,
(int) _gnutls_uint64touint32 (&record_state->sequence_number),
_gnutls_packet2str (type), type, (int) sizeofdata);
- if (sizeofdata > MAX_RECORD_SEND_SIZE)
- data2send_size = MAX_RECORD_SEND_SIZE;
+ if (sizeofdata > MAX_RECORD_SEND_SIZE(session))
+ data2send_size = MAX_RECORD_SEND_SIZE(session);
else
data2send_size = sizeofdata;
@@ -601,7 +601,7 @@ record_check_headers (gnutls_session_t session,
*/
if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO && type == GNUTLS_HANDSHAKE
- && headers[0] > 127)
+ && headers[0] > 127 && !(IS_DTLS(session)))
{
/* if msb set and expecting handshake message
@@ -626,7 +626,7 @@ record_check_headers (gnutls_session_t session,
session, *length);
}
- else if(_gnutls_is_dtls(session))
+ else if(IS_DTLS(session))
{
/* dtls version 1.0 */
*recv_type = headers[0];
@@ -849,9 +849,9 @@ get_temp_recv_buffer (gnutls_session_t session,
gnutls_datum_t * tmp)
if (gnutls_compression_get (session) != GNUTLS_COMP_NULL ||
session->internals.priorities.allow_large_records != 0)
- max_record_size = MAX_RECORD_RECV_SIZE + EXTRA_COMP_SIZE;
+ max_record_size = MAX_RECORD_RECV_SIZE(session) + EXTRA_COMP_SIZE;
else
- max_record_size = MAX_RECORD_RECV_SIZE;
+ max_record_size = MAX_RECORD_RECV_SIZE(session);
/* We allocate MAX_RECORD_RECV_SIZE length
* because we cannot predict the output data by the record
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 7aa02a3..fe42ebc 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -643,7 +643,7 @@ _gnutls_handshake_sign_cert_vrfy12 (gnutls_session_t
session,
if (ret < 0)
{
gnutls_assert ();
- _gnutls_x509_log
+ _gnutls_debug_log
("Server did not allow either '%s' or '%s' for signing\n",
gnutls_mac_get_name (hash_algo),
gnutls_mac_get_name (session->internals.handshake_mac_handle.
@@ -652,7 +652,7 @@ _gnutls_handshake_sign_cert_vrfy12 (gnutls_session_t
session,
}
}
- _gnutls_x509_log ("sign handshake cert vrfy: picked %s with %s\n",
+ _gnutls_debug_log ("sign handshake cert vrfy: picked %s with %s\n",
gnutls_sign_algorithm_get_name (sign_algo),
gnutls_mac_get_name (hash_algo));
@@ -850,7 +850,7 @@ encode_ber_digest_info (gnutls_digest_algorithm_t hash,
if (algo == NULL)
{
gnutls_assert ();
- _gnutls_x509_log ("Hash algorithm: %d\n", hash);
+ _gnutls_debug_log ("Hash algorithm: %d has no OID\n", hash);
return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
}
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index ab2350e..2ba28af 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -258,6 +258,9 @@ _gnutls_handshake_internal_state_init (gnutls_session_t
session)
session->internals.last_handshake_out = -1;
session->internals.resumable = RESUME_TRUE;
+
+ session->internals.dtls.hsk_read_seq = -1;
+ session->internals.dtls.hsk_write_seq = 0;
}
void
@@ -402,14 +405,11 @@ gnutls_init_dtls (gnutls_session_t * session,
/* Flags do nothing, so just copy them into the struct for now. */
(*session)->internals.dtls.flags = flags;
- (*session)->internals.dtls.hsk_mtu = DTLS_DEFAULT_MTU;
+ (*session)->internals.dtls.mtu = DTLS_DEFAULT_MTU;
(*session)->internals.transport = GNUTLS_DGRAM;
- /* Initialize pointer used to enqueue messages for retransmit. */
- (*session)->internals.dtls.retransmit_end =
&(*session)->internals.dtls.retransmit;
-
- (*session)->internals.dtls.retrans_timeout = 1000;
- (*session)->internals.dtls.total_timeout = 4000;
+ (*session)->internals.dtls.retrans_timeout = 300;
+ (*session)->internals.dtls.total_timeout = 6000;
return 0;
}
@@ -1343,3 +1343,50 @@ gnutls_session_channel_binding (gnutls_session_t session,
return 0;
}
+
+/* returns overhead imposed by the record layer (encryption/compression)
+ * etc. It does include the record layer headers.
+ *
+ * It may return a negative value on error.
+ */
+int _gnutls_record_overhead_rt(gnutls_session_t session)
+{
+record_parameters_st *params;
+int total = 0, ret, iv_size;
+
+ if (session->internals.initial_negotiation_completed == 0)
+ return 0;
+
+ ret = _gnutls_epoch_get (session, EPOCH_WRITE_CURRENT, ¶ms);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ /* requires padding */
+ iv_size = _gnutls_cipher_get_iv_size(params->cipher_algorithm);
+ total += iv_size;
+
+ if (_gnutls_cipher_is_block (params->cipher_algorithm) == CIPHER_BLOCK)
+ {
+ if (!IS_DTLS(session))
+ total += MAX_PAD_SIZE;
+ else
+ total += iv_size; /* iv_size == block_size */
+ }
+
+ if (params->mac_algorithm == GNUTLS_MAC_AEAD)
+ total += _gnutls_cipher_get_tag_size(params->cipher_algorithm);
+ else
+ {
+ ret = _gnutls_hmac_get_algo_len(params->mac_algorithm);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ total+=ret;
+ }
+
+ if (params->compression_algorithm != GNUTLS_COMP_NULL)
+ total += EXTRA_COMP_SIZE;
+
+ total += RECORD_HEADER_SIZE(session);
+
+ return total;
+}
diff --git a/lib/gnutls_state.h b/lib/gnutls_state.h
index 995b4a7..0035bb5 100644
--- a/lib/gnutls_state.h
+++ b/lib/gnutls_state.h
@@ -34,6 +34,8 @@ void
_gnutls_record_set_default_version (gnutls_session_t session,
unsigned char major, unsigned char minor);
+int _gnutls_record_overhead_rt(gnutls_session_t session);
+
#include <gnutls_auth.h>
#define CHECK_AUTH(auth, ret) if (gnutls_auth_get_type(session) != auth) { \
diff --git a/lib/includes/gnutls/dtls.h b/lib/includes/gnutls/dtls.h
index db391d9..27b0b4c 100644
--- a/lib/includes/gnutls/dtls.h
+++ b/lib/includes/gnutls/dtls.h
@@ -43,6 +43,9 @@ int gnutls_init_dtls (gnutls_session_t * session,
void gnutls_dtls_set_timeouts (gnutls_session_t session, unsigned int
retrans_timeout,
unsigned int total_timeout);
+unsigned int gnutls_dtls_get_mtu (gnutls_session_t session);
+void gnutls_dtls_set_mtu (gnutls_session_t session, unsigned int mtu);
+
#ifdef __cplusplus
}
#endif
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 5576c5a..90ba4b5 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -701,6 +701,8 @@ GNUTLS_3_0_0 {
gnutls_cipher_add_auth;
gnutls_dtls_set_timeouts;
gnutls_transport_set_pull_timeout_function;
+ gnutls_dtls_get_mtu;
+ gnutls_dtls_set_mtu;
} GNUTLS_2_12;
GNUTLS_PRIVATE {
diff --git a/lib/opencdk/main.h b/lib/opencdk/main.h
index 271b9d7..b11a3c4 100644
--- a/lib/opencdk/main.h
+++ b/lib/opencdk/main.h
@@ -28,7 +28,7 @@
#include "types.h"
#define _cdk_log_debug _gnutls_hard_log
-#define _cdk_log_info _gnutls_x509_log
+#define _cdk_log_info _gnutls_debug_log
#define _cdk_get_log_level() _gnutls_log_level
#define cdk_malloc gnutls_malloc
diff --git a/lib/openpgp/pgp.c b/lib/openpgp/pgp.c
index 01f7a70..ada1fe1 100644
--- a/lib/openpgp/pgp.c
+++ b/lib/openpgp/pgp.c
@@ -1597,7 +1597,7 @@ gnutls_openpgp_crt_set_preferred_key_id
(gnutls_openpgp_crt_t key,
ret = gnutls_openpgp_crt_get_subkey_idx (key, keyid);
if (ret < 0)
{
- _gnutls_x509_log ("the requested subkey does not exist\n");
+ _gnutls_debug_log ("the requested subkey does not exist\n");
gnutls_assert ();
return ret;
}
diff --git a/lib/openpgp/pgpverify.c b/lib/openpgp/pgpverify.c
index 3a5771b..7e27b7c 100644
--- a/lib/openpgp/pgpverify.c
+++ b/lib/openpgp/pgpverify.c
@@ -82,12 +82,12 @@ gnutls_openpgp_crt_verify_ring (gnutls_openpgp_crt_t key,
}
else if (rc != CDK_Success)
{
- _gnutls_x509_log ("cdk_pk_check_sigs: error %d\n", rc);
+ _gnutls_debug_log ("cdk_pk_check_sigs: error %d\n", rc);
rc = _gnutls_map_cdk_rc (rc);
gnutls_assert ();
return rc;
}
- _gnutls_x509_log ("status: %x\n", status);
+ _gnutls_debug_log ("status: %x\n", status);
if (status & CDK_KEY_INVALID)
*verify |= GNUTLS_CERT_INVALID;
diff --git a/lib/openpgp/privkey.c b/lib/openpgp/privkey.c
index 2ebcb99..6f2a396 100644
--- a/lib/openpgp/privkey.c
+++ b/lib/openpgp/privkey.c
@@ -268,7 +268,7 @@ _gnutls_openpgp_get_algo (int cdk_algo)
algo = GNUTLS_PK_DSA;
else
{
- _gnutls_x509_log ("Unknown OpenPGP algorithm %d\n", cdk_algo);
+ _gnutls_debug_log ("Unknown OpenPGP algorithm %d\n", cdk_algo);
algo = GNUTLS_PK_UNKNOWN;
}
@@ -1214,7 +1214,7 @@ gnutls_openpgp_privkey_set_preferred_key_id
(gnutls_openpgp_privkey_t key,
ret = gnutls_openpgp_privkey_get_subkey_idx (key, keyid);
if (ret < 0)
{
- _gnutls_x509_log ("the requested subkey does not exist\n");
+ _gnutls_debug_log ("the requested subkey does not exist\n");
gnutls_assert ();
return ret;
}
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 5119cbe..21774df 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -258,7 +258,7 @@ _gnutls_x509_oid_data2string (const char *oid, void *value,
asn1_err)) != ASN1_SUCCESS)
{
gnutls_assert ();
- _gnutls_x509_log ("asn1_der_decoding: %s:%s\n", str, asn1_err);
+ _gnutls_debug_log ("asn1_der_decoding: %s:%s\n", str, asn1_err);
asn1_delete_structure (&tmpasn);
return _gnutls_asn2err (result);
}
@@ -1333,7 +1333,7 @@ _gnutls_x509_get_pk_algorithm (ASN1_TYPE src, const char
*src_name,
algo = _gnutls_x509_oid2pk_algorithm (oid);
if (algo == GNUTLS_PK_UNKNOWN)
{
- _gnutls_x509_log
+ _gnutls_debug_log
("%s: unknown public key algorithm: %s\n", __func__, oid);
}
diff --git a/lib/x509/dn.c b/lib/x509/dn.c
index 9757258..c7b2020 100644
--- a/lib/x509/dn.c
+++ b/lib/x509/dn.c
@@ -279,7 +279,7 @@ _gnutls_x509_parse_dn (ASN1_TYPE asn1_struct,
if (result < 0)
{
gnutls_assert ();
- _gnutls_x509_log
+ _gnutls_debug_log
("Found OID: '%s' with value '%s'\n",
oid, _gnutls_bin2hex (value2, len, escaped, sizeof_escaped,
NULL));
@@ -660,7 +660,7 @@ _gnutls_x509_encode_and_write_attribute (const char
*given_oid,
if (val_name == NULL)
{
gnutls_assert ();
- _gnutls_x509_log ("Cannot find OID: %s\n", given_oid);
+ _gnutls_debug_log ("Cannot find OID: %s\n", given_oid);
return GNUTLS_E_X509_UNSUPPORTED_OID;
}
@@ -1001,7 +1001,7 @@ gnutls_x509_dn_import (gnutls_x509_dn_t dn, const
gnutls_datum_t * data)
if (result != ASN1_SUCCESS)
{
/* couldn't decode DER */
- _gnutls_x509_log ("ASN.1 Decoding error: %s\n", err);
+ _gnutls_debug_log ("ASN.1 Decoding error: %s\n", err);
gnutls_assert ();
return _gnutls_asn2err (result);
}
diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
index 32a8f46..f278612 100644
--- a/lib/x509/pkcs12.c
+++ b/lib/x509/pkcs12.c
@@ -65,7 +65,7 @@ _decode_pkcs12_auth_safe (ASN1_TYPE pkcs12, ASN1_TYPE *
authen_safe,
if (strcmp (oid, DATA_OID) != 0)
{
gnutls_assert ();
- _gnutls_x509_log ("Unknown PKCS12 Content OID '%s'\n", oid);
+ _gnutls_debug_log ("Unknown PKCS12 Content OID '%s'\n", oid);
return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE;
}
@@ -96,7 +96,7 @@ _decode_pkcs12_auth_safe (ASN1_TYPE pkcs12, ASN1_TYPE *
authen_safe,
if (result != ASN1_SUCCESS)
{
gnutls_assert ();
- _gnutls_x509_log ("DER error: %s\n", error_str);
+ _gnutls_debug_log ("DER error: %s\n", error_str);
result = _gnutls_asn2err (result);
goto cleanup;
}
@@ -236,7 +236,7 @@ gnutls_pkcs12_import (gnutls_pkcs12_t pkcs12,
if (result != ASN1_SUCCESS)
{
result = _gnutls_asn2err (result);
- _gnutls_x509_log ("DER error: %s\n", error_str);
+ _gnutls_debug_log ("DER error: %s\n", error_str);
gnutls_assert ();
goto cleanup;
}
@@ -486,7 +486,7 @@ _pkcs12_decode_safe_contents (const gnutls_datum_t *
content,
{
_gnutls_free_datum (&attr_val);
gnutls_assert ();
- _gnutls_x509_log
+ _gnutls_debug_log
("Error decoding PKCS12 Bag Attribute OID '%s'\n", oid);
continue;
}
@@ -504,7 +504,7 @@ _pkcs12_decode_safe_contents (const gnutls_datum_t *
content,
{
_gnutls_free_datum (&attr_val);
gnutls_assert ();
- _gnutls_x509_log
+ _gnutls_debug_log
("Error decoding PKCS12 Bag Attribute OID '%s'\n", oid);
continue;
}
@@ -514,7 +514,7 @@ _pkcs12_decode_safe_contents (const gnutls_datum_t *
content,
else
{
_gnutls_free_datum (&attr_val);
- _gnutls_x509_log
+ _gnutls_debug_log
("Unknown PKCS12 Bag Attribute OID '%s'\n", oid);
}
}
diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
index 2e5b52a..d8b85ee 100644
--- a/lib/x509/pkcs7.c
+++ b/lib/x509/pkcs7.c
@@ -63,7 +63,7 @@ _decode_pkcs7_signed_data (ASN1_TYPE pkcs7, ASN1_TYPE * sdata,
if (strcmp (oid, SIGNED_DATA_OID) != 0)
{
gnutls_assert ();
- _gnutls_x509_log ("Unknown PKCS7 Content OID '%s'\n", oid);
+ _gnutls_debug_log ("Unknown PKCS7 Content OID '%s'\n", oid);
return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE;
}
diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c
index a065205..09e858e 100644
--- a/lib/x509/privkey_pkcs8.c
+++ b/lib/x509/privkey_pkcs8.c
@@ -120,7 +120,7 @@ check_schema (const char *oid)
if (strcmp (oid, PKCS12_PBE_RC2_40_SHA1_OID) == 0)
return PKCS12_RC2_40_SHA1;
- _gnutls_x509_log ("PKCS encryption schema OID '%s' is unsupported.\n", oid);
+ _gnutls_debug_log ("PKCS encryption schema OID '%s' is unsupported.\n", oid);
return GNUTLS_E_UNKNOWN_CIPHER_TYPE;
}
@@ -438,7 +438,7 @@ _gnutls_pkcs_flags_to_schema (unsigned int flags)
else
{
gnutls_assert ();
- _gnutls_x509_log
+ _gnutls_debug_log
("Selecting default encryption PKCS12_3DES_SHA1 (flags: %u).\n",
flags);
schema = PKCS12_3DES_SHA1;
@@ -1106,7 +1106,7 @@ decode_private_key_info (const gnutls_datum_t * der,
else
{
gnutls_assert ();
- _gnutls_x509_log
+ _gnutls_debug_log
("PKCS #8 private key OID '%s' is unsupported.\n", oid);
result = GNUTLS_E_UNKNOWN_PK_ALGORITHM;
goto error;
@@ -1273,7 +1273,7 @@ read_pbkdf2_params (ASN1_TYPE pbes2_asn,
if (strcmp (oid, PBKDF2_OID) != 0)
{
gnutls_assert ();
- _gnutls_x509_log
+ _gnutls_debug_log
("PKCS #8 key derivation OID '%s' is unsupported.\n", oid);
return _gnutls_asn2err (result);
}
@@ -1473,7 +1473,7 @@ oid2cipher (const char *oid, gnutls_cipher_algorithm_t *
algo)
return 0;
}
- _gnutls_x509_log ("PKCS #8 encryption OID '%s' is unsupported.\n", oid);
+ _gnutls_debug_log ("PKCS #8 encryption OID '%s' is unsupported.\n", oid);
return GNUTLS_E_UNKNOWN_CIPHER_TYPE;
}
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index f2f05fa..a33be90 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -711,7 +711,7 @@ decode_ber_digest_info (const gnutls_datum_t * info,
if (*hash == GNUTLS_MAC_UNKNOWN)
{
- _gnutls_x509_log ("verify.c: HASH OID: %s\n", str);
+ _gnutls_debug_log ("verify.c: HASH OID: %s\n", str);
gnutls_assert ();
asn1_delete_structure (&dinfo);
diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c
index a0b830e..5d31a83 100644
--- a/lib/x509/x509_write.c
+++ b/lib/x509/x509_write.c
@@ -907,7 +907,7 @@ disable_optional_stuff (gnutls_x509_crt_t cert)
if (cert->use_extensions == 0)
{
- _gnutls_x509_log ("Disabling X.509 extensions.\n");
+ _gnutls_debug_log ("Disabling X.509 extensions.\n");
asn1_write_value (cert->cert, "tbsCertificate.extensions", NULL, 0);
}
diff --git a/lib/x509_b64.c b/lib/x509_b64.c
index de3c099..272c00d 100644
--- a/lib/x509_b64.c
+++ b/lib/x509_b64.c
@@ -469,7 +469,7 @@ _gnutls_fbase64_decode (const char *header, const opaque *
data,
if (kdata == NULL)
{
gnutls_assert ();
- _gnutls_x509_log ("Could not find '%s'\n", ENDSTR);
+ _gnutls_debug_log ("Could not find '%s'\n", ENDSTR);
return GNUTLS_E_BASE64_DECODING_ERROR;
}
data_size -= strlen (ENDSTR);
diff --git a/src/udp-serv.c b/src/udp-serv.c
index 332917e..2843483 100644
--- a/src/udp-serv.c
+++ b/src/udp-serv.c
@@ -63,7 +63,12 @@ int udp_server(const char* name, int port)
gnutls_transport_set_pull_function (session, pull_func);
gnutls_transport_set_pull_timeout_function (session,
pull_timeout_func);
- ret = gnutls_handshake(session);
+ do
+ {
+ ret = gnutls_handshake(session);
+ }
+ while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+
if (ret < 0)
{
fprintf(stderr, "Error in handshake(): %s\n",
gnutls_strerror(ret));
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-211-g4faf7ee,
Nikos Mavrogiannopoulos <=