[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH] Replace explicit version checks with feature checks
From: |
Jonathan Bastien-Filiatrault |
Subject: |
[PATCH] Replace explicit version checks with feature checks |
Date: |
Tue, 18 Aug 2009 22:55:30 -0400 |
User-agent: |
Mozilla-Thunderbird 2.0.0.19 (X11/20090103) |
The following changes since commit 47cd212fda611873b72bf70df48b7de3563a3276:
Jonathan Bastien-Filiatrault (1):
Remove hardcoded version checks in auth_cert.c.
are available in the git repository at:
git://x2a.org/gnutls.git version-checks
Alternatively, you may find the patch attached.
diff --git a/lib/auth_cert.c b/lib/auth_cert.c
index c0e7547..a5244c8 100644
--- a/lib/auth_cert.c
+++ b/lib/auth_cert.c
@@ -1352,7 +1352,7 @@ _gnutls_proc_cert_cert_req (gnutls_session_t session,
opaque * data,
return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
}
- if (ver == GNUTLS_TLS1_2)
+ if (_gnutls_version_has_selectable_sighash(ver))
{
/* read supported hashes */
int hash_num;
@@ -1526,7 +1526,7 @@ _gnutls_gen_cert_server_cert_req (gnutls_session_t
session, opaque ** data)
session->internals.ignore_rdn_sequence == 0)
size += cred->x509_rdn_sequence.size;
- if (ver == GNUTLS_TLS1_2)
+ if (_gnutls_version_has_selectable_sighash(ver))
/* Need at least one byte to announce the number of supported hash
functions (see below). */
size += 1;
@@ -1546,7 +1546,7 @@ _gnutls_gen_cert_server_cert_req (gnutls_session_t
session, opaque ** data)
pdata[2] = DSA_SIGN; /* only these for now */
pdata += CERTTYPE_SIZE;
- if (ver == GNUTLS_TLS1_2)
+ if (_gnutls_version_has_selectable_sighash(ver))
{
/* Supported hashes (nothing for now -- FIXME). */
*pdata = 0;
diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c
index 6be0849..08054c4 100644
--- a/lib/gnutls_algorithms.c
+++ b/lib/gnutls_algorithms.c
@@ -1178,6 +1178,67 @@ _gnutls_version_is_supported (gnutls_session_t session,
return 1;
}
+
+/* This function determines if the version specified has a
+ cipher-suite selected PRF hash function instead of the old
+ hardcoded MD5+SHA1. */
+int
+_gnutls_version_has_selectable_prf (gnutls_protocol_t version)
+{
+ return version == GNUTLS_TLS1_2;
+}
+
+/* This function determines if the version specified has selectable
+ signature/hash functions for certificate authentification. */
+int
+_gnutls_version_has_selectable_sighash (gnutls_protocol_t version)
+{
+ return version == GNUTLS_TLS1_2;
+}
+
+/* This function determines if the version specified has support for
+ TLS extensions. */
+int
+_gnutls_version_has_extensions (gnutls_protocol_t version)
+{
+ switch(version) {
+ case GNUTLS_TLS1_0:
+ case GNUTLS_TLS1_1:
+ case GNUTLS_TLS1_2:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
+/* This function determines if the version specified has explicit IVs
+ (for CBC attack prevention). */
+int
+_gnutls_version_has_explicit_iv (gnutls_protocol_t version)
+{
+ switch(version) {
+ case GNUTLS_TLS1_1:
+ case GNUTLS_TLS1_2:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
+/* This function determines if the version specified can have
+ non-minimal padding. */
+int _gnutls_version_has_variable_padding (gnutls_protocol_t version)
+{
+ switch(version) {
+ case GNUTLS_TLS1_0:
+ case GNUTLS_TLS1_1:
+ case GNUTLS_TLS1_2:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
/* Type to KX mappings */
gnutls_kx_algorithm_t
_gnutls_map_kx_get_kx (gnutls_credentials_type_t type, int server)
diff --git a/lib/gnutls_algorithms.h b/lib/gnutls_algorithms.h
index 2c55f24..0e2f2b7 100644
--- a/lib/gnutls_algorithms.h
+++ b/lib/gnutls_algorithms.h
@@ -38,6 +38,13 @@ int _gnutls_version_get_major (gnutls_protocol_t ver);
int _gnutls_version_get_minor (gnutls_protocol_t ver);
gnutls_protocol_t _gnutls_version_get (int major, int minor);
+/* Functions for feature checks */
+int _gnutls_version_has_selectable_prf (gnutls_protocol_t version);
+int _gnutls_version_has_selectable_sighash (gnutls_protocol_t version);
+int _gnutls_version_has_extensions (gnutls_protocol_t version);
+int _gnutls_version_has_explicit_iv (gnutls_protocol_t version);
+int _gnutls_version_has_variable_padding (gnutls_protocol_t version);
+
/* Functions for MACs. */
int _gnutls_mac_is_ok (gnutls_mac_algorithm_t algorithm);
gnutls_mac_algorithm_t _gnutls_x509_oid2mac_algorithm (const char *oid);
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index 8defc2b..565a000 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -275,7 +275,7 @@ calc_enc_length (gnutls_session_t session, int data_size,
*pad = (uint8_t) (blocksize - (length % blocksize)) + rnd;
length += *pad;
- if (session->security_parameters.version >= GNUTLS_TLS1_1)
+ if
(_gnutls_version_has_explicit_iv(session->security_parameters.version))
length += blocksize; /* for the IV */
break;
@@ -344,7 +344,7 @@ _gnutls_compressed2ciphertext (gnutls_session_t session,
write_sequence_number), 8);
_gnutls_hmac (&td, &type, 1);
- if (ver >= GNUTLS_TLS1)
+ if (_gnutls_version_has_variable_padding(ver))
{ /* TLS 1.0 or higher */
_gnutls_hmac (&td, &major, 1);
_gnutls_hmac (&td, &minor, 1);
@@ -376,7 +376,7 @@ _gnutls_compressed2ciphertext (gnutls_session_t session,
data_ptr = cipher_data;
if (block_algo == CIPHER_BLOCK &&
- session->security_parameters.version >= GNUTLS_TLS1_1)
+ _gnutls_version_has_explicit_iv(session->security_parameters.version))
{
/* copy the random IV.
*/
@@ -497,7 +497,7 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
/* ignore the IV in TLS 1.1.
*/
- if (session->security_parameters.version >= GNUTLS_TLS1_1)
+ if
(_gnutls_version_has_explicit_iv(session->security_parameters.version))
{
ciphertext.size -= blocksize;
ciphertext.data += blocksize;
@@ -527,7 +527,7 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
/* Check the pading bytes (TLS 1.x)
*/
- if (ver >= GNUTLS_TLS1 && pad_failed == 0)
+ if (_gnutls_version_has_variable_padding(ver) && pad_failed == 0)
for (i = 2; i < pad; i++)
{
if (ciphertext.data[ciphertext.size - i] !=
@@ -554,7 +554,7 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
read_sequence_number), 8);
_gnutls_hmac (&td, &type, 1);
- if (ver >= GNUTLS_TLS1)
+ if (_gnutls_version_has_variable_padding(ver))
{ /* TLS 1.x */
_gnutls_hmac (&td, &major, 1);
_gnutls_hmac (&td, &minor, 1);
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 5ccd317..c2d986a 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -205,7 +205,7 @@ _gnutls_finished (gnutls_session_t session, int type, void
*ret)
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
int rc;
- if (ver < GNUTLS_TLS1_2)
+ if (!_gnutls_version_has_selectable_prf(ver))
{
rc =
_gnutls_hash_copy (&td_md5,
@@ -226,7 +226,7 @@ _gnutls_finished (gnutls_session_t session, int type, void
*ret)
return rc;
}
- if (ver < GNUTLS_TLS1_2)
+ if (!_gnutls_version_has_selectable_prf(ver))
{
_gnutls_hash_deinit (&td_md5, concat);
_gnutls_hash_deinit (&td_sha, &concat[16]);
@@ -438,7 +438,7 @@ _gnutls_read_client_hello (gnutls_session_t session, opaque
* data,
/* Parse the extensions (if any)
*/
- if (neg_version >= GNUTLS_TLS1)
+ if (_gnutls_version_has_extensions(neg_version))
{
ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION,
&data[pos], len);
@@ -457,7 +457,7 @@ _gnutls_read_client_hello (gnutls_session_t session, opaque
* data,
return ret;
}
- if (neg_version >= GNUTLS_TLS1)
+ if (_gnutls_version_has_extensions(neg_version))
{
ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS,
&data[pos], len);
@@ -1563,7 +1563,7 @@ _gnutls_read_server_hello (gnutls_session_t session,
/* Parse extensions.
*/
- if (version >= GNUTLS_TLS1)
+ if (_gnutls_version_has_extensions(version))
{
ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY,
&data[pos], len);
@@ -1863,7 +1863,7 @@ _gnutls_send_client_hello (gnutls_session_t session, int
again)
/* Generate and copy TLS extensions.
*/
- if (hver >= GNUTLS_TLS1)
+ if (_gnutls_version_has_extensions(hver))
{
extdatalen =
_gnutls_gen_extensions (session, extdata, sizeof (extdata));
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 81f5aa3..3da0060 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -153,7 +153,7 @@ _gnutls_tls_sign_params (gnutls_session_t session,
gnutls_cert * cert,
switch (cert->subject_pk_algorithm)
{
case GNUTLS_PK_RSA:
- if (ver < GNUTLS_TLS1_2)
+ if (!_gnutls_version_has_selectable_prf(ver))
{
digest_hd_st td_md5;
@@ -444,7 +444,7 @@ _gnutls_verify_sig_params (gnutls_session_t session,
gnutls_cert * cert,
opaque concat[36];
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
- if (ver < GNUTLS_TLS1_2)
+ if (!_gnutls_version_has_selectable_prf(ver))
{
ret = _gnutls_hash_init (&td_md5, GNUTLS_MAC_MD5);
if (ret < 0)
@@ -464,7 +464,7 @@ _gnutls_verify_sig_params (gnutls_session_t session,
gnutls_cert * cert,
if (ret < 0)
{
gnutls_assert ();
- if (ver < GNUTLS_TLS1_2)
+ if (!_gnutls_version_has_selectable_prf(ver))
_gnutls_hash_deinit (&td_md5, NULL);
return ret;
}
@@ -475,7 +475,7 @@ _gnutls_verify_sig_params (gnutls_session_t session,
gnutls_cert * cert,
GNUTLS_RANDOM_SIZE);
_gnutls_hash (&td_sha, params->data, params->size);
- if (ver < GNUTLS_TLS1_2)
+ if (!_gnutls_version_has_selectable_prf(ver))
{
_gnutls_hash_deinit (&td_md5, concat);
_gnutls_hash_deinit (&td_sha, &concat[16]);
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index d9abd55..2e2e874 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -899,7 +899,7 @@ _gnutls_PRF (gnutls_session_t session,
memcpy (s_seed, label, label_size);
memcpy (&s_seed[label_size], seed, seed_size);
- if (ver >= GNUTLS_TLS1_2)
+ if (_gnutls_version_has_selectable_prf(ver))
{
result =
_gnutls_P_hash (GNUTLS_MAC_SHA1, secret, secret_size,
- [PATCH] Replace explicit version checks with feature checks,
Jonathan Bastien-Filiatrault <=
- Re: [PATCH] Replace explicit version checks with feature checks, Simon Josefsson, 2009/08/19
- Re: [PATCH] Replace explicit version checks with feature checks, Jonathan Bastien-Filiatrault, 2009/08/19
- Re: [PATCH] Replace explicit version checks with feature checks, Simon Josefsson, 2009/08/19
- Re: [PATCH] Replace explicit version checks with feature checks, Jonathan Bastien-Filiatrault, 2009/08/20
- Re: [PATCH] Replace explicit version checks with feature checks, Simon Josefsson, 2009/08/21
- Re: [PATCH] Replace explicit version checks with feature checks, Jonathan Bastien-Filiatrault, 2009/08/22
- Re: [PATCH] Replace explicit version checks with feature checks, Simon Josefsson, 2009/08/31
- Re: [PATCH] Replace explicit version checks with feature checks, Jonathan Bastien-Filiatrault, 2009/08/31