author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2000-11-02 05:08:09 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2000-11-02 05:08:09 +0000 |
commit | ea3cc782a574d29e8cf20ea7fa814a5672ba1e17 (patch) | |
tree | 17eab6dfc159507fa493dd88e1c4c975b52f56ee | |
parent | 7a44b3ef158797335f7fc06596bcaeb73897c001 (diff) | |
download | gnutls-ea3cc782a574d29e8cf20ea7fa814a5672ba1e17.tar.gz |
more fixes and bugs introduced
-rw-r--r-- | doc/TODO | 5 | ||||
-rw-r--r-- | lib/gnutls.c | 3 | ||||
-rw-r--r-- | lib/gnutls_cipher.c | 19 | ||||
-rw-r--r-- | lib/gnutls_errors.c | 1 | ||||
-rw-r--r-- | lib/gnutls_errors.h | 1 | ||||
-rw-r--r-- | lib/gnutls_handshake.c | 47 | ||||
-rw-r--r-- | lib/gnutls_int.h | 2 | ||||
-rw-r--r-- | lib/gnutls_kx.c | 11 |
8 files changed, 75 insertions, 14 deletions
@@ -1,3 +1,4 @@ +* x509 Certificate API * Add support for v2.0 init packet -* Add a transparent support for TLS versions (so we can add SSL 3.0) -* Certificate API +* Add a transparent support for multiple versions (so we can add SSL 3.0) +* Resume old sessions diff --git a/lib/gnutls.c b/lib/gnutls.c index 36b0520765..7c97f36ca8 100644 --- a/lib/gnutls.c +++ b/lib/gnutls.c @@ -89,6 +89,9 @@ int gnutls_init(GNUTLS_STATE * state, ConnectionEnd con_end) (*state)->gnutls_internals.client_p = NULL; (*state)->gnutls_internals.client_g = NULL; (*state)->gnutls_internals.dh_secret = NULL; + + (*state)->gnutls_internals.certificate_requested = 0; + (*state)->gnutls_internals.certificate_verify_needed = 0; return 0; } diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c index 10b4d142ad..456dcc5e7c 100644 --- a/lib/gnutls_cipher.c +++ b/lib/gnutls_cipher.c @@ -359,9 +359,9 @@ int _gnutls_TLSCompressed2TLSCiphertext(GNUTLS_STATE state, _gnutls_make_mul(length, _gnutls_cipher_get_block_size (state->security_parameters.bulk_cipher_algorithm)); - pad = + pad = (uint8) length - compressed->length - - state->connection_state.mac_secret_size - 1; + state->connection_state.mac_secret_size; /* set pad bytes pad */ padding = gnutls_malloc(pad); @@ -374,10 +374,6 @@ int _gnutls_TLSCompressed2TLSCiphertext(GNUTLS_STATE state, memmove(&data [state->connection_state.mac_secret_size + compressed->length], padding, pad); - memmove(&data - [pad + - state->connection_state.mac_secret_size + - compressed->length], &pad, 1); gnutls_free(padding); @@ -422,7 +418,7 @@ int _gnutls_TLSCiphertext2TLSCompressed(GNUTLS_STATE state, uint64 seq_num; uint16 length; GNUTLS_MAC_HANDLE td; - + int blocksize = _gnutls_cipher_get_block_size(state->security_parameters.cipher_type); content = gnutls_malloc(ciphertext->length); memmove(content, ciphertext->fragment, ciphertext->length); 
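Review bot: The `(uint8)` cast in the new `pad =` line of `_gnutls_TLSCompressed2TLSCiphertext` applies to `length` alone, because a cast binds tighter than subtraction. If `pad` is itself a `uint8` the stored value happens to be the same, but its declaration is outside the hunk; if it is wider, a `length` above 255 yields a wrong or negative pad, which then sizes `gnutls_malloc(pad)`. Writing `pad = (uint8) (length - compressed->length - state->connection_state.mac_secret_size);` makes the intent explicit. The function body starts and ends outside the hunk.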
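Review bot: `blocksize` is looked up with `state->security_parameters.cipher_type`, while the encrypt path in this same file calls `_gnutls_cipher_get_block_size` with `security_parameters.bulk_cipher_algorithm`. `cipher_type` looks like the stream/block selector used by the later `case CIPHER_BLOCK:`, so this lookup probably returns the wrong size. If it returns 0 for a value it does not know, the `ciphertext->length % blocksize` check added in the next hunk divides by zero on peer-supplied input. Suggest `int blocksize = _gnutls_cipher_get_block_size(state->security_parameters.bulk_cipher_algorithm);`, evaluated only in the block-cipher branch.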
@@ -463,6 +459,12 @@ int _gnutls_TLSCiphertext2TLSCompressed(GNUTLS_STATE state, ciphertext->version.minor; break; case CIPHER_BLOCK: + +fprintf(stderr, "LEN: %d-%d\n", ciphertext->length, blocksize); + if ( ciphertext->length < blocksize || ciphertext->length % blocksize != 0) { + gnutls_assert(); + return GNUTLS_E_DECRYPTION_FAILED; + } gnutls_cipher_decrypt(state-> connection_state.read_cipher_state, content, ciphertext->length); @@ -470,8 +472,7 @@ int _gnutls_TLSCiphertext2TLSCompressed(GNUTLS_STATE state, pad = content[ciphertext->length - 1]; /* pad */ length = ciphertext->length - - state->connection_state.mac_secret_size - pad - - 1; + state->connection_state.mac_secret_size - pad; if (pad > ciphertext->length - state->connection_state.mac_secret_size) { gnutls_assert(); diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c index 7ceec431ab..99ce837d82 100644 --- a/lib/gnutls_errors.c +++ b/lib/gnutls_errors.c @@ -57,6 +57,7 @@ static gnutls_error_entry error_algorithms[] = { GNUTLS_ERROR_ENTRY( GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET, 1), GNUTLS_ERROR_ENTRY( GNUTLS_E_UNKNOWN_KX_ALGORITHM, 1), GNUTLS_ERROR_ENTRY( GNUTLS_E_MPI_SCAN_FAILED, 1), + GNUTLS_ERROR_ENTRY( GNUTLS_E_DECRYPTION_FAILED, 1), GNUTLS_ERROR_ENTRY( GNUTLS_E_UNIMPLEMENTED_FEATURE, 1), {0} }; diff --git a/lib/gnutls_errors.h b/lib/gnutls_errors.h index eac021ee6a..808da9a72d 100644 --- a/lib/gnutls_errors.h +++ b/lib/gnutls_errors.h @@ -23,6 +23,7 @@ #define GNUTLS_E_UNKNOWN_CIPHER_SUITE -21 #define GNUTLS_E_UNWANTED_ALGORITHM -22 #define GNUTLS_E_MPI_SCAN_FAILED -23 +#define GNUTLS_E_DECRYPTION_FAILED -24 #define GNUTLS_E_UNIMPLEMENTED_FEATURE -50 diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index 6d6f31e263..a04bbc3580 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c 
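Review bot: The new early `return GNUTLS_E_DECRYPTION_FAILED;` in the `CIPHER_BLOCK` case leaves `content` allocated; it was obtained with `gnutls_malloc(ciphertext->length)` at the top of the function, so every record with a bad length leaks one buffer. Add `gnutls_free(content);` before the return. The `fprintf(stderr, "LEN: %d-%d\n", ...)` above the check is unconditional, whereas the other debug prints in this commit sit under `#ifdef HARD_DEBUG`; this one should too. The function continues outside the hunk, so other exits may need the same cleanup.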
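Review bot: Dropping the trailing `- 1` from the `length =` computation makes the last plaintext byte count as the whole padding including itself, whereas RFC 2246 defines `padding_length` as excluding that byte. A record from a conforming peer would then come out one byte too long, and its MAC would presumably not verify. The sending side was changed the same way in this commit, so the library agrees with itself but likely not with other implementations. Suggest keeping `state->connection_state.mac_secret_size - pad - 1;` and restoring the length byte on the sending side, or adding a comment that explains the deviation.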
@@ -351,6 +351,7 @@ int _gnutls_recv_handshake(int cd, GNUTLS_STATE state, uint8 **data, if (length32 > 0 && data!=NULL) memmove( *data, &dataptr[4], length32); + /* here we do the hashing work needed at finished messages */ if (state->gnutls_internals.client_hash == HASH_TRUE) { gnutls_hash(state->gnutls_internals.client_td_md5, dataptr, length32 + 4); @@ -388,6 +389,19 @@ int _gnutls_recv_handshake(int cd, GNUTLS_STATE state, uint8 **data, case GNUTLS_CLIENT_KEY_EXCHANGE: ret = length32; break; + case GNUTLS_CERTIFICATE_REQUEST: +#ifdef HARD_DEBUG + fprintf(stderr, "Requested Client Certificate!\n"); +#endif + /* FIXME: just ignore that message for the time being + * we have to parse it and the store the needed information + */ + state->gnutls_internals.certificate_requested = 1; + ret = length32; + break; + default: + gnutls_assert(); + ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; } gnutls_free(dataptr); return ret; @@ -399,6 +413,29 @@ int _gnutls_send_hello_request(int cd, GNUTLS_STATE state) GNUTLS_HELLO_REQUEST); } +int _gnutls_send_client_certificate(int cd, GNUTLS_STATE state) +{ + char data[1]; + int ret; + + if (state->gnutls_internals.certificate_requested==0) return 0; + + /* we do not have that functionality yet */ + state->gnutls_internals.certificate_verify_needed = 0; +#ifdef HARD_DEBUG + fprintf(stderr, "Sending Client Certificate\n"); +#endif + +/* Here since we do not support certificates yet we + * do not have that functionality. + */ + data[0] = 0; + ret = _gnutls_send_handshake(cd, state, &data, 1, + GNUTLS_CERTIFICATE); + + return ret; +} + int _gnutls_send_hello(int cd, GNUTLS_STATE state, opaque * SessionID, uint8 SessionIDLen) 
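Review bot: The new `GNUTLS_CERTIFICATE_REQUEST` case sets `certificate_requested` for whichever side receives the message; nothing visible in the hunk limits it to a client. Since the flag later makes `_gnutls_send_client_certificate` emit a message, consider returning `GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET` when the state belongs to a server. The `default:` arm also lacks a closing `break;`, which is harmless as the last label but inconsistent with the cases above it. The enclosing `_gnutls_recv_handshake` starts outside the hunk.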
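Review bot: `_gnutls_send_client_certificate` sends a one-byte body, but a TLS Certificate message carries its certificate list behind a three-byte length, so an empty list is `00 00 00`; a strict peer may reject the single zero byte as malformed. It also passes `&data`, which has type `char (*)[1]`, where the other callers in this commit pass a byte pointer. Suggest `uint8 data[3] = { 0, 0, 0 };` and `ret = _gnutls_send_handshake(cd, state, data, 3, GNUTLS_CERTIFICATE);`. A short comment above the function, saying that it returns 0 without sending anything when no certificate was requested, would help callers.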
@@ -820,6 +857,16 @@ int gnutls_handshake(int cd, GNUTLS_STATE state) } /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */ + HASH(client_hash); + HASH(server_hash); + ret = _gnutls_send_client_certificate(cd, state); + NOT_HASH(client_hash); + NOT_HASH(server_hash); + if (ret < 0) { + ERR("send client certificate", ret); + return ret; + } + HASH(client_hash); HASH(server_hash); diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index ea46943a44..fddb479a46 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -189,6 +189,8 @@ typedef struct { MPI client_g; MPI client_p; MPI dh_secret; + int certificate_requested; + int certificate_verify_needed; } GNUTLS_INTERNALS; typedef struct { diff --git a/lib/gnutls_kx.c b/lib/gnutls_kx.c index 247efa250d..0f7de47b76 100644 --- a/lib/gnutls_kx.c +++ b/lib/gnutls_kx.c @@ -210,20 +210,25 @@ int _gnutls_send_client_kx_message(int cd, GNUTLS_STATE state) /* This is the function for the client to send the certificate * verify message - * FIXME: this function does almost nothing except sending shit to + * FIXME: this function does almost nothing except sending garbage to * peer. */ int _gnutls_send_client_certificate_verify(int cd, GNUTLS_STATE state) { uint8 *data; int ret = 0; + + /* if certificate verify is not needed just exit */ + if (state->gnutls_internals.certificate_verify_needed==0) return 0; + #ifdef HARD_DEBUG fprintf(stderr, "Sending client certificate verify message\n"); #endif + switch (_gnutls_cipher_suite_get_kx_algo (state->gnutls_internals.current_cipher_suite)) { case GNUTLS_KX_DHE_DSS: - data=gnutls_malloc(20); + data=gnutls_calloc(1, 20); ret = _gnutls_send_handshake(cd, state, data, 20, @@ -231,7 +236,7 @@ int _gnutls_send_client_certificate_verify(int cd, GNUTLS_STATE state) gnutls_free(data); break; case GNUTLS_KX_DHE_RSA: - data=gnutls_malloc(20+16); + data=gnutls_calloc(1, 20+16); ret = _gnutls_send_handshake(cd, state, data, 20+16, |
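Review bot: The result of `gnutls_calloc(1, 20)` in `_gnutls_send_client_certificate_verify` is passed straight to `_gnutls_send_handshake` without a NULL check, and the same holds for `gnutls_calloc(1, 20+16)` in the `GNUTLS_KX_DHE_RSA` hunk below. Moving from `gnutls_malloc` to `gnutls_calloc` does stop uninitialised heap bytes from going to the peer, but an allocation failure would still hand a null pointer to the send path. Add `if (data == NULL) { gnutls_assert(); return <out-of-memory error code>; }` after each allocation; the page does not show which error constant the project uses for this. The switch continues past the end of both hunks.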