diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2000-12-05 00:29:17 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2000-12-05 00:29:17 +0000 |
commit | 0f516a7a1b8f0de2c4a3c50401abfebaa8f92bf3 (patch) | |
tree | 2d153d5cd9c40e2b8bde80e4b5f2eaefb726885f | |
parent | 2461571cab81ece160ab134718ea4bc074cb5d12 (diff) | |
download | gnutls-0f516a7a1b8f0de2c4a3c50401abfebaa8f92bf3.tar.gz |
Priorities were moved to the state (were global)
-rw-r--r-- | lib/gnutls.c | 15 | ||||
-rw-r--r-- | lib/gnutls.h | 21 | ||||
-rw-r--r-- | lib/gnutls_algorithms.c | 167 | ||||
-rw-r--r-- | lib/gnutls_algorithms.h | 15 | ||||
-rw-r--r-- | lib/gnutls_cipher.c | 4 | ||||
-rw-r--r-- | lib/gnutls_handshake.c | 167 | ||||
-rw-r--r-- | lib/gnutls_handshake.h | 1 | ||||
-rw-r--r-- | lib/gnutls_hash_int.c | 6 | ||||
-rw-r--r-- | lib/gnutls_hash_int.h | 2 | ||||
-rw-r--r-- | lib/gnutls_int.h | 42 | ||||
-rw-r--r-- | lib/gnutls_kx.c | 14 | ||||
-rw-r--r-- | lib/gnutls_priority.c | 26 |
12 files changed, 286 insertions, 194 deletions
diff --git a/lib/gnutls.c b/lib/gnutls.c index d370b59df4..087fbb5263 100644 --- a/lib/gnutls.c +++ b/lib/gnutls.c @@ -96,6 +96,15 @@ int gnutls_init(GNUTLS_STATE * state, ConnectionEnd con_end) (*state)->gnutls_internals.certificate_requested = 0; (*state)->gnutls_internals.certificate_verify_needed = 0; + (*state)->gnutls_internals.MACAlgorithmPriority.algorithm_priority=NULL; + (*state)->gnutls_internals.MACAlgorithmPriority.algorithms=0; + + (*state)->gnutls_internals.KXAlgorithmPriority.algorithm_priority=NULL; + (*state)->gnutls_internals.KXAlgorithmPriority.algorithms=0; + + (*state)->gnutls_internals.BulkCipherAlgorithmPriority.algorithm_priority=NULL; + (*state)->gnutls_internals.BulkCipherAlgorithmPriority.algorithms=0; + return 0; } @@ -128,6 +137,12 @@ int gnutls_deinit(GNUTLS_STATE * state) mpi_release((*state)->gnutls_internals.client_g); mpi_release((*state)->gnutls_internals.dh_secret); + /* free priorities */ + gnutls_free((*state)->gnutls_internals.MACAlgorithmPriority.algorithm_priority); + gnutls_free((*state)->gnutls_internals.KXAlgorithmPriority.algorithm_priority); + gnutls_free((*state)->gnutls_internals.BulkCipherAlgorithmPriority.algorithm_priority); + + gnutls_free(*state); return 0; } diff --git a/lib/gnutls.h b/lib/gnutls.h index cf712f8822..1594344903 100644 --- a/lib/gnutls.h +++ b/lib/gnutls.h @@ -57,20 +57,21 @@ void gnutls_perror( int error); #define gnutls_recv( x, y, z, w) gnutls_recv_int( x, y, GNUTLS_APPLICATION_DATA, z, w) /* functions to set priority of cipher suites */ -void gnutls_set_cipher_priority( int num, ...); -void gnutls_set_kx_priority( int num, ...); -void gnutls_set_mac_priority( int num, ...); +void gnutls_set_cipher_priority( GNUTLS_STATE state, int num, ...); +void gnutls_set_kx_priority( GNUTLS_STATE state, int num, ...); +void gnutls_set_mac_priority( GNUTLS_STATE state, int num, ...); /* set our version - local is 0x00 for TLS 1.0 and SSL3 */ void gnutls_set_current_version(GNUTLS_STATE state, GNUTLS_Version version); -#define GNUTLS_E_MAC_FAILED -1 -#define GNUTLS_E_UNKNOWN_CIPHER -2 -#define GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM -3 -#define GNUTLS_E_UNKNOWN_MAC_ALGORITHM -4 -#define GNUTLS_E_UNKNOWN_ERROR -5 -#define GNUTLS_E_UNKNOWN_CIPHER_TYPE -6 -#define GNUTLS_E_LARGE_PACKET -7 +/* these are deprecated must be replaced by gnutls_errors.h */ +#define GNUTLS_E_MAC_FAILED -1 +#define GNUTLS_E_UNKNOWN_CIPHER -2 +#define GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM -3 +#define GNUTLS_E_UNKNOWN_MAC_ALGORITHM -4 +#define GNUTLS_E_UNKNOWN_ERROR -5 +#define GNUTLS_E_UNKNOWN_CIPHER_TYPE -6 +#define GNUTLS_E_LARGE_PACKET -7 #define GNUTLS_E_UNSUPPORTED_VERSION_PACKET -8 #define GNUTLS_E_UNEXPECTED_PACKET_LENGTH -9 #define GNUTLS_E_INVALID_SESSION -10 diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c index 7345628666..fbc64e7b9c 100644 --- a/lib/gnutls_algorithms.c +++ b/lib/gnutls_algorithms.c @@ -47,8 +47,8 @@ static gnutls_version_entry sup_versions[] = { GNUTLS_VERSION_LOOP( if( (p->id->local == version.local)&&(p->id->major == version.major)&&(p->id->minor == version.minor) ) { a; break; } ) -#define GNUTLS_CIPHER_ENTRY(name, blksize, keysize, block, iv, priority) \ - { #name, name, blksize, keysize, block, iv, priority } +#define GNUTLS_CIPHER_ENTRY(name, blksize, keysize, block, iv) \ + { #name, name, blksize, keysize, block, iv } struct gnutls_cipher_entry { char *name; @@ -57,21 +57,19 @@ struct gnutls_cipher_entry { size_t keysize; size_t block; size_t iv; - int priority; }; typedef struct gnutls_cipher_entry gnutls_cipher_entry; static gnutls_cipher_entry algorithms[] = { - GNUTLS_CIPHER_ENTRY(GNUTLS_3DES, 8, 24, 1, 8, -1), - GNUTLS_CIPHER_ENTRY(GNUTLS_RIJNDAEL, 16, 16, 1, 16, -1), + GNUTLS_CIPHER_ENTRY(GNUTLS_3DES, 8, 24, 1, 8), + GNUTLS_CIPHER_ENTRY(GNUTLS_RIJNDAEL, 16, 16, 1, 16), #ifdef USE_MCRYPT - GNUTLS_CIPHER_ENTRY(GNUTLS_DES, 8, 8, 1, 8, -1), - GNUTLS_CIPHER_ENTRY(GNUTLS_ARCFOUR, 1, 16, 0, 0, -1), + GNUTLS_CIPHER_ENTRY(GNUTLS_DES, 8, 8, 1, 8), + GNUTLS_CIPHER_ENTRY(GNUTLS_ARCFOUR, 1, 16, 0, 0,), #else - GNUTLS_CIPHER_ENTRY(GNUTLS_DES, 8, 8, 1, 8, -2), - GNUTLS_CIPHER_ENTRY(GNUTLS_ARCFOUR, 1, 16, 0, 0, -2), + GNUTLS_CIPHER_ENTRY(GNUTLS_ARCFOUR, 1, 16, 0, 0), #endif - GNUTLS_CIPHER_ENTRY(GNUTLS_NULL, 1, 0, 0, 0, -1), + GNUTLS_CIPHER_ENTRY(GNUTLS_NULL, 1, 0, 0, 0), {0} }; @@ -83,21 +81,20 @@ static gnutls_cipher_entry algorithms[] = { GNUTLS_LOOP( if(p->id == algorithm) { a; break; } ) -#define GNUTLS_HASH_ENTRY(name, hashsize, priority) \ - { #name, name, hashsize, priority } +#define GNUTLS_HASH_ENTRY(name, hashsize) \ + { #name, name, hashsize } struct gnutls_hash_entry { char *name; MACAlgorithm id; size_t digestsize; - int priority; }; typedef struct gnutls_hash_entry gnutls_hash_entry; static gnutls_hash_entry hash_algorithms[] = { - GNUTLS_HASH_ENTRY(GNUTLS_MAC_SHA, 20, -1), - GNUTLS_HASH_ENTRY(GNUTLS_MAC_MD5, 16, -1), - GNUTLS_HASH_ENTRY(GNUTLS_MAC_NULL, 0, -1), + GNUTLS_HASH_ENTRY(GNUTLS_MAC_SHA, 20), + GNUTLS_HASH_ENTRY(GNUTLS_MAC_MD5, 16), + GNUTLS_HASH_ENTRY(GNUTLS_MAC_NULL, 0), {0} }; @@ -111,8 +108,8 @@ static gnutls_hash_entry hash_algorithms[] = { -#define GNUTLS_KX_ALGO_ENTRY(name, server_cert, server_kx, client_cert, RSA_premaster, DH_public_value, priority) \ - { #name, name, server_cert, server_kx, client_cert, RSA_premaster, DH_public_value, priority } +#define GNUTLS_KX_ALGO_ENTRY(name, server_cert, server_kx, client_cert, RSA_premaster, DH_public_value) \ + { #name, name, server_cert, server_kx, client_cert, RSA_premaster, DH_public_value } struct gnutls_kx_algo_entry { char *name; @@ -122,17 +119,16 @@ struct gnutls_kx_algo_entry { int client_cert; int RSA_premaster; int DH_public_value; - int priority; }; typedef struct gnutls_kx_algo_entry gnutls_kx_algo_entry; static gnutls_kx_algo_entry kx_algorithms[] = { - GNUTLS_KX_ALGO_ENTRY(GNUTLS_KX_ANON_DH, 0, 1, 0, 0, 1, -1), - GNUTLS_KX_ALGO_ENTRY(GNUTLS_KX_RSA, 1, 0, 1, 1, 0, -2), - GNUTLS_KX_ALGO_ENTRY(GNUTLS_KX_DHE_DSS, 1, 1, 1, 0, 0, -1), - GNUTLS_KX_ALGO_ENTRY(GNUTLS_KX_DHE_RSA, 1, 1, 1, 0, 0, -1), - GNUTLS_KX_ALGO_ENTRY(GNUTLS_KX_DH_DSS, 1, 0, 1, 0, 0, -2), - GNUTLS_KX_ALGO_ENTRY(GNUTLS_KX_DH_RSA, 1, 0, 1, 0, 0, -2), + GNUTLS_KX_ALGO_ENTRY(GNUTLS_KX_ANON_DH, 0, 1, 0, 0, 1), + GNUTLS_KX_ALGO_ENTRY(GNUTLS_KX_RSA, 1, 0, 1, 1, 0), + GNUTLS_KX_ALGO_ENTRY(GNUTLS_KX_DHE_DSS, 1, 1, 1, 0, 0), + GNUTLS_KX_ALGO_ENTRY(GNUTLS_KX_DHE_RSA, 1, 1, 1, 0, 0), + GNUTLS_KX_ALGO_ENTRY(GNUTLS_KX_DH_DSS, 1, 0, 1, 0, 0), + GNUTLS_KX_ALGO_ENTRY(GNUTLS_KX_DH_RSA, 1, 0, 1, 0, 0), {0} }; @@ -235,17 +231,13 @@ int _gnutls_mac_get_digest_size(MACAlgorithm algorithm) } -void _gnutls_mac_set_priority(MACAlgorithm algorithm, int prio) +int _gnutls_mac_priority(GNUTLS_STATE state, MACAlgorithm algorithm) /* actually returns the priority */ { - GNUTLS_HASH_ALG_LOOP( if (p->priority >= -1) p->priority=prio); -} - -int _gnutls_mac_priority(MACAlgorithm algorithm) /* actually returns the priority */ -{ - size_t ret = 0; - GNUTLS_HASH_ALG_LOOP(ret = p->priority); - return ret; - + int i, num = state->gnutls_internals.MACAlgorithmPriority.algorithms; + for (i=0;i<num;i++) { + if (state->gnutls_internals.MACAlgorithmPriority.algorithm_priority[i]==algorithm) return i; + } + return -1; } @@ -311,18 +303,14 @@ int _gnutls_cipher_get_block_size(BulkCipherAlgorithm algorithm) } -void _gnutls_cipher_set_priority(BulkCipherAlgorithm algorithm, int prio) -{ - GNUTLS_ALG_LOOP(if (p->priority >= -1) p->priority=prio); -} - /* returns the priority */ -int _gnutls_cipher_priority(BulkCipherAlgorithm algorithm) +int _gnutls_cipher_priority(GNUTLS_STATE state, BulkCipherAlgorithm algorithm) { - size_t ret = 0; - GNUTLS_ALG_LOOP(ret = p->priority); - return ret; - + int i, num = state->gnutls_internals.BulkCipherAlgorithmPriority.algorithms; + for (i=0;i<num;i++) { + if (state->gnutls_internals.BulkCipherAlgorithmPriority.algorithm_priority[i]==algorithm) return i; + } + return -1; } @@ -412,23 +400,13 @@ int _gnutls_kx_server_certificate(KXAlgorithm algorithm) } -void _gnutls_kx_set_priority(KXAlgorithm algorithm, int prio) -{ - GNUTLS_KX_ALG_LOOP(if (p->priority >= -1) p->priority=prio); -} - -void _gnutls_prio() -{ - GNUTLS_KX_LOOP(fprintf(stderr, "prio: %s/%d\n",p->name, p->priority)); -} - - -int _gnutls_kx_priority(KXAlgorithm algorithm) +int _gnutls_kx_priority(GNUTLS_STATE state, KXAlgorithm algorithm) { - size_t ret = 0; - GNUTLS_KX_ALG_LOOP(ret = p->priority); - return ret; - + int i, num = state->gnutls_internals.KXAlgorithmPriority.algorithms; + for (i=0;i<num;i++) { + if (state->gnutls_internals.KXAlgorithmPriority.algorithm_priority[i]==algorithm) return i; + } + return -1; } int _gnutls_kx_server_key_exchange(KXAlgorithm algorithm) @@ -615,13 +593,33 @@ int _gnutls_cipher_suite_count() return counter; } +static void bsort(GNUTLS_STATE state, void *_base, size_t nmemb, size_t size, int (*compar)(GNUTLS_STATE, const void *, const void *)) { +int i,j; +int full=nmemb*size; +char* base=_base; +char* tmp=gnutls_malloc(size); + + for (i=0;i<full;i+=size) { + for (j=0;j<full;j+=size) { + if (compar(state, &base[i], &base[j]) < 0) { + memcpy(tmp, &base[i], size); + memcpy(&base[i], &base[j], size); + memcpy(&base[j], tmp, size); + } + } + } + free(tmp); + +} + + /* a compare function for hash(mac) algorithms (using priorities). For use with qsort */ -static int _gnutls_compare_mac_algo(const void* i_A1, const void* i_A2) +static int _gnutls_compare_mac_algo(GNUTLS_STATE state, const void* i_A1, const void* i_A2) { MACAlgorithm A1 = _gnutls_cipher_suite_get_mac_algo( *(GNUTLS_CipherSuite*)i_A1); MACAlgorithm A2 = _gnutls_cipher_suite_get_mac_algo( *(GNUTLS_CipherSuite*)i_A2); - int p1 = _gnutls_mac_priority(A1); - int p2 = _gnutls_mac_priority(A2); + int p1 = _gnutls_mac_priority(state, A1); + int p2 = _gnutls_mac_priority(state, A2); if (p1 > p2) { return -1; @@ -637,12 +635,12 @@ static int _gnutls_compare_mac_algo(const void* i_A1, const void* i_A2) /* a compare function for block algorithms (using priorities). For use with qsort */ -static int _gnutls_compare_cipher_algo(const void* i_A1, const void* i_A2) +static int _gnutls_compare_cipher_algo(GNUTLS_STATE state, const void* i_A1, const void* i_A2) { BulkCipherAlgorithm A1 = _gnutls_cipher_suite_get_cipher_algo( *(GNUTLS_CipherSuite*)i_A1); BulkCipherAlgorithm A2 = _gnutls_cipher_suite_get_cipher_algo( *(GNUTLS_CipherSuite*)i_A2); - int p1 = _gnutls_cipher_priority(A1); - int p2 = _gnutls_cipher_priority(A2); + int p1 = _gnutls_cipher_priority(state, A1); + int p2 = _gnutls_cipher_priority(state, A2); if (p1 > p2) { return -1; /* we actually want descending order */ @@ -658,12 +656,12 @@ static int _gnutls_compare_cipher_algo(const void* i_A1, const void* i_A2) /* a compare function for KX algorithms (using priorities). For use with qsort */ -static int _gnutls_compare_kx_algo(const void* i_A1, const void* i_A2) +static int _gnutls_compare_kx_algo(GNUTLS_STATE state, const void* i_A1, const void* i_A2) { KXAlgorithm A1 = _gnutls_cipher_suite_get_kx_algo(*(GNUTLS_CipherSuite*)i_A1); KXAlgorithm A2 = _gnutls_cipher_suite_get_kx_algo(*(GNUTLS_CipherSuite*)i_A2); - int p1 = _gnutls_kx_priority(A1); - int p2 = _gnutls_kx_priority(A2); + int p1 = _gnutls_kx_priority(state, A1); + int p2 = _gnutls_kx_priority(state, A2); if (p1 > p2) { return -1; @@ -677,7 +675,7 @@ static int _gnutls_compare_kx_algo(const void* i_A1, const void* i_A2) } } -int _gnutls_supported_ciphersuites(GNUTLS_CipherSuite ** ciphers) +int _gnutls_supported_ciphersuites(GNUTLS_STATE state, GNUTLS_CipherSuite ** ciphers) { int i, ret_count, j=0; @@ -701,19 +699,19 @@ int _gnutls_supported_ciphersuites(GNUTLS_CipherSuite ** ciphers) } /* First sort using MAC priority (lowest) */ - qsort(tmp_ciphers, count, sizeof(GNUTLS_CipherSuite), _gnutls_compare_mac_algo); + bsort(state, tmp_ciphers, count, sizeof(GNUTLS_CipherSuite), _gnutls_compare_mac_algo); /* then sort using block algorithm's priorities */ - qsort(tmp_ciphers, count, sizeof(GNUTLS_CipherSuite), _gnutls_compare_cipher_algo); + bsort(state, tmp_ciphers, count, sizeof(GNUTLS_CipherSuite), _gnutls_compare_cipher_algo); /* Last try KX algorithms priority */ - qsort(tmp_ciphers, count, sizeof(GNUTLS_CipherSuite), _gnutls_compare_kx_algo); + bsort(state, tmp_ciphers, count, sizeof(GNUTLS_CipherSuite), _gnutls_compare_kx_algo); for (i = 0; i < count; i++) { - if (_gnutls_kx_priority( _gnutls_cipher_suite_get_kx_algo(tmp_ciphers[i])) < 0) continue; - if (_gnutls_mac_priority( _gnutls_cipher_suite_get_mac_algo(tmp_ciphers[i])) < 0) continue; - if (_gnutls_cipher_priority( _gnutls_cipher_suite_get_cipher_algo(tmp_ciphers[i])) < 0) continue; + if (_gnutls_kx_priority( state, _gnutls_cipher_suite_get_kx_algo(tmp_ciphers[i])) < 0) continue; + if (_gnutls_mac_priority( state, _gnutls_cipher_suite_get_mac_algo(tmp_ciphers[i])) < 0) continue; + if (_gnutls_cipher_priority( state, _gnutls_cipher_suite_get_cipher_algo(tmp_ciphers[i])) < 0) continue; (*ciphers)[j].CipherSuite[0] = tmp_ciphers[i].CipherSuite[0]; (*ciphers)[j].CipherSuite[1] = tmp_ciphers[i].CipherSuite[1]; @@ -735,3 +733,18 @@ int _gnutls_supported_ciphersuites(GNUTLS_CipherSuite ** ciphers) gnutls_free(tmp_ciphers); return ret_count; } + +/* For compression - FIXME!!! */ +#define SUPPORTED_COMPRESSION_METHODS 1 +int _gnutls_supported_compression_methods(GNUTLS_STATE state, CompressionMethod ** comp) +{ + + *comp = + gnutls_malloc(SUPPORTED_COMPRESSION_METHODS * + sizeof(CompressionMethod)); + +/* NULL Compression */ + (*comp)[0] = COMPRESSION_NULL; + + return SUPPORTED_COMPRESSION_METHODS; +} diff --git a/lib/gnutls_algorithms.h b/lib/gnutls_algorithms.h index 2b3a19b78d..376d0eb648 100644 --- a/lib/gnutls_algorithms.h +++ b/lib/gnutls_algorithms.h @@ -5,12 +5,14 @@ int _gnutls_version_is_supported(GNUTLS_STATE state, const GNUTLS_Version versio int _gnutls_mac_get_digest_size(MACAlgorithm algorithm); char* _gnutls_mac_get_name(MACAlgorithm algorithm); int _gnutls_mac_is_ok(MACAlgorithm algorithm); -int _gnutls_mac_priority(MACAlgorithm algorithm); +int _gnutls_mac_priority(GNUTLS_STATE state, MACAlgorithm algorithm); int _gnutls_mac_count(); /* functions for cipher suites */ int _gnutls_cipher_suite_is_ok(GNUTLS_CipherSuite algorithm); -int _gnutls_supported_ciphersuites(GNUTLS_CipherSuite **ciphers); +int _gnutls_supported_ciphersuites(GNUTLS_STATE state, GNUTLS_CipherSuite **ciphers); +int _gnutls_supported_compression_methods(GNUTLS_STATE state, CompressionMethod **comp); + int _gnutls_cipher_suite_count(); char* _gnutls_cipher_suite_get_name(GNUTLS_CipherSuite algorithm); BulkCipherAlgorithm _gnutls_cipher_suite_get_cipher_algo(const GNUTLS_CipherSuite algorithm); @@ -19,7 +21,7 @@ MACAlgorithm _gnutls_cipher_suite_get_mac_algo(const GNUTLS_CipherSuite algorith GNUTLS_CipherSuite _gnutls_cipher_suite_get_suite_name(GNUTLS_CipherSuite algorithm); /* functions for ciphers */ -int _gnutls_cipher_priority(BulkCipherAlgorithm algorithm); +int _gnutls_cipher_priority(GNUTLS_STATE state, BulkCipherAlgorithm algorithm); int _gnutls_cipher_get_block_size(BulkCipherAlgorithm algorithm); int _gnutls_cipher_is_block(BulkCipherAlgorithm algorithm); int _gnutls_cipher_count(); @@ -29,7 +31,7 @@ int _gnutls_cipher_get_iv_size(BulkCipherAlgorithm algorithm); char *_gnutls_cipher_get_name(BulkCipherAlgorithm algorithm); /* functions for key exchange */ -int _gnutls_kx_priority(KXAlgorithm algorithm); +int _gnutls_kx_priority(GNUTLS_STATE state, KXAlgorithm algorithm); int _gnutls_kx_server_certificate(KXAlgorithm algorithm); int _gnutls_kx_server_key_exchange(KXAlgorithm algorithm); int _gnutls_kx_client_certificate(KXAlgorithm algorithm); @@ -38,8 +40,3 @@ int _gnutls_kx_DH_public_value(KXAlgorithm algorithm); char *_gnutls_kx_get_name(KXAlgorithm algorithm); int _gnutls_kx_is_ok(KXAlgorithm algorithm); int _gnutls_kx_count(); - -/* functions to set priority */ -void _gnutls_kx_set_priority(KXAlgorithm algorithm, int prio); -void _gnutls_mac_set_priority(MACAlgorithm algorithm, int prio); -void _gnutls_cipher_set_priority(BulkCipherAlgorithm algorithm, int prio); diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c index 56449335a8..1a5bcd0992 100644 --- a/lib/gnutls_cipher.c +++ b/lib/gnutls_cipher.c @@ -126,7 +126,7 @@ int _gnutls_set_cipher(GNUTLS_STATE state, BulkCipherAlgorithm algo) { if (_gnutls_cipher_is_ok(algo) == 0) { - if (_gnutls_cipher_priority(algo) < 0) { + if (_gnutls_cipher_priority(state, algo) < 0) { gnutls_assert(); return GNUTLS_E_UNWANTED_ALGORITHM; } @@ -183,7 +183,7 @@ int _gnutls_set_mac(GNUTLS_STATE state, MACAlgorithm algo) gnutls_assert(); return GNUTLS_E_UNKNOWN_MAC_ALGORITHM; } - if (_gnutls_mac_priority(algo) < 0) { + if (_gnutls_mac_priority(state, algo) < 0) { gnutls_assert(); return GNUTLS_E_UNWANTED_ALGORITHM; } diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index 1ec032fa42..215fba392b 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -62,23 +62,33 @@ int _gnutls_send_finished(int cd, GNUTLS_STATE state) memmove(&concat[16], state->gnutls_internals.client_md_sha1, 20); - data = - gnutls_PRF( state->security_parameters.master_secret, - 48, CLIENT_MSG, strlen(CLIENT_MSG), concat, - 36, 12); + if (_gnutls_version_ssl3(state->connection_state.version) == 0) { + data = concat; + } else { + data = + gnutls_PRF( state->security_parameters.master_secret, + 48, CLIENT_MSG, strlen(CLIENT_MSG), concat, + 36, 12); + } } else { /* server */ memmove(concat, state->gnutls_internals.server_md_md5, 16); memmove(&concat[16], state->gnutls_internals.server_md_sha1, 20); - data = - gnutls_PRF( state->security_parameters.master_secret, - 48, SERVER_MSG, strlen(SERVER_MSG), concat, - 36, 12); + if (_gnutls_version_ssl3(state->connection_state.version) == 0) { + data = concat; + } else { + data = + gnutls_PRF( state->security_parameters.master_secret, + 48, SERVER_MSG, strlen(SERVER_MSG), concat, + 36, 12); + } } ret = _gnutls_send_handshake(cd, state, data, 12, GNUTLS_FINISHED); - gnutls_free(data); + if (_gnutls_version_ssl3(state->connection_state.version) != 0) { + gnutls_free(data); + } return ret; } @@ -110,19 +120,27 @@ int _gnutls_recv_finished(int cd, GNUTLS_STATE state) memmove(&concat[16], state->gnutls_internals.server_md_sha1, 20); - data = - gnutls_PRF( state->security_parameters.master_secret, - 48, SERVER_MSG, strlen(SERVER_MSG), concat, - 36, 12); + if (_gnutls_version_ssl3(state->connection_state.version) == 0) { + data = concat; + } else { + data = + gnutls_PRF( state->security_parameters.master_secret, + 48, SERVER_MSG, strlen(SERVER_MSG), concat, + 36, 12); + } } else { /* server */ memmove(concat, state->gnutls_internals.client_md_md5, 16); memmove(&concat[16], state->gnutls_internals.client_md_sha1, 20); - data = - gnutls_PRF( state->security_parameters.master_secret, - 48, CLIENT_MSG, strlen(CLIENT_MSG), concat, - 36, 12); + if (_gnutls_version_ssl3(state->connection_state.version) == 0) { + data = concat; + } else { + data = + gnutls_PRF( state->security_parameters.master_secret, + 48, CLIENT_MSG, strlen(CLIENT_MSG), concat, + 36, 12); + } } if (memcmp(vrfy, data, 12) != 0) { @@ -138,12 +156,12 @@ int _gnutls_recv_finished(int cd, GNUTLS_STATE state) /* This selects the best supported ciphersuite from the ones provided */ -int SelectSuite(opaque ret[2], char *data, int datalen) +int SelectSuite(GNUTLS_STATE state, opaque ret[2], char *data, int datalen) { int x, i, j; GNUTLS_CipherSuite *ciphers; - x = _gnutls_supported_ciphersuites(&ciphers); + x = _gnutls_supported_ciphersuites(state, &ciphers); #ifdef HARD_DEBUG fprintf(stderr, "Requested cipher suites: \n"); for (j=0;j<datalen;j+=2) fprintf(stderr, "\t%s\n", _gnutls_cipher_suite_get_name( *((GNUTLS_CipherSuite*)&data[j]) )); @@ -175,12 +193,12 @@ int SelectSuite(opaque ret[2], char *data, int datalen) } /* This selects the best supported compression method from the ones provided */ -int SelectCompMethod(CompressionMethod * ret, char *data, int datalen) +int SelectCompMethod(GNUTLS_STATE state, CompressionMethod * ret, char *data, int datalen) { int x, i, j; CompressionMethod *ciphers; - x = _gnutls_supported_compression_methods(&ciphers); + x = _gnutls_supported_compression_methods(state, &ciphers); memset(ret, '\0', sizeof(CompressionMethod)); fprintf(stderr, "datalen: %d\n",datalen); for (j = 0; j < datalen; j++) { @@ -202,22 +220,6 @@ fprintf(stderr, "datalen: %d\n",datalen); } - - -#define SUPPORTED_COMPRESSION_METHODS 1 -int _gnutls_supported_compression_methods(CompressionMethod ** comp) -{ - - *comp = - gnutls_malloc(SUPPORTED_COMPRESSION_METHODS * - sizeof(CompressionMethod)); - -/* NULL Compression */ - (*comp)[0] = COMPRESSION_NULL; - - return SUPPORTED_COMPRESSION_METHODS; -} - int _gnutls_send_handshake(int cd, GNUTLS_STATE state, void *i_data, uint32 i_datasize, HandshakeType type) { @@ -488,7 +490,7 @@ int _gnutls_send_hello(int cd, GNUTLS_STATE state, opaque * SessionID, } pos += session_id_len; - x = _gnutls_supported_ciphersuites(&cipher_suites); + x = _gnutls_supported_ciphersuites(state, &cipher_suites); x *= sizeof(uint16); /* in order to get bytes */ #ifdef WORDS_BIGENDIAN memmove(&data[pos], &x, sizeof(uint16)); @@ -509,7 +511,7 @@ int _gnutls_send_hello(int cd, GNUTLS_STATE state, opaque * SessionID, } z = _gnutls_supported_compression_methods - (&compression_methods); + (state, &compression_methods); memmove(&data[pos++], &z, 1); /* put the number of compression methods */ datalen += z; @@ -640,7 +642,7 @@ int _gnutls_recv_hello(int cd, GNUTLS_STATE state, char *data, int datalen, pos += 2; z = 1; - x = _gnutls_supported_ciphersuites(&cipher_suites); + x = _gnutls_supported_ciphersuites(state, &cipher_suites); for (i = 0; i < x; i++) { if (memcmp (&cipher_suites[i], cipher_suite.CipherSuite, @@ -654,12 +656,15 @@ int _gnutls_recv_hello(int cd, GNUTLS_STATE state, char *data, int datalen, memmove(state->gnutls_internals. current_cipher_suite.CipherSuite, cipher_suite.CipherSuite, 2); - +#ifdef HARD_DEBUG + fprintf(stderr, "Selected cipher suite: "); + fprintf(stderr, "%s\n", _gnutls_cipher_suite_get_name(state->gnutls_internals.current_cipher_suite ) ); +#endif z = 1; memmove(&compression_method, &data[pos++], 1); z = _gnutls_supported_compression_methods - (&compression_methods); + (state, &compression_methods); for (i = 0; i < z; i++) { if (memcmp (&compression_methods[i], &compression_method, @@ -715,7 +720,7 @@ int _gnutls_recv_hello(int cd, GNUTLS_STATE state, char *data, int datalen, #ifndef WORDS_BIGENDIAN sizeOfSuites = byteswap16(sizeOfSuites); #endif - ret = SelectSuite(state->gnutls_internals. + ret = SelectSuite(state, state->gnutls_internals. current_cipher_suite.CipherSuite, &data[pos], sizeOfSuites); @@ -724,7 +729,7 @@ int _gnutls_recv_hello(int cd, GNUTLS_STATE state, char *data, int datalen, pos += sizeOfSuites; memmove(&z, &data[pos++], 1); /* z is the number of compression methods */ - ret = SelectCompMethod(&state-> + ret = SelectCompMethod(state, &state-> gnutls_internals.compression_method, &data[pos], z); pos+=z; @@ -801,11 +806,18 @@ int gnutls_handshake(int cd, GNUTLS_STATE state) /* These are in order to hash the messages transmitted and received. * (needed by the protocol) */ - state->gnutls_internals.client_td_md5 = gnutls_hash_init(GNUTLS_MAC_MD5); - state->gnutls_internals.client_td_sha1 = gnutls_hash_init(GNUTLS_MAC_SHA); - state->gnutls_internals.server_td_md5 = gnutls_hash_init(GNUTLS_MAC_MD5); - state->gnutls_internals.server_td_sha1 = gnutls_hash_init(GNUTLS_MAC_SHA); - + if (_gnutls_version_ssl3(state->connection_state.version) == 0) { +/* FIXME!!! we need to keep the messages and hash them - later! */ +// state->gnutls_internals.client_td_md5 = gnutls_hash_init_ssl3(GNUTLS_MAC_MD5); +// state->gnutls_internals.client_td_sha1 = gnutls_hash_init_ssl3(GNUTLS_MAC_SHA); +// state->gnutls_internals.server_td_md5 = gnutls_hash_init_ssl3(GNUTLS_MAC_MD5); +// state->gnutls_internals.server_td_sha1 = gnutls_hash_init_ssl3(GNUTLS_MAC_SHA); + } else { + state->gnutls_internals.client_td_md5 = gnutls_hash_init(GNUTLS_MAC_MD5); + state->gnutls_internals.client_td_sha1 = gnutls_hash_init(GNUTLS_MAC_SHA); + state->gnutls_internals.server_td_md5 = gnutls_hash_init(GNUTLS_MAC_MD5); + state->gnutls_internals.server_td_sha1 = gnutls_hash_init(GNUTLS_MAC_SHA); + } if (state->security_parameters.entity == GNUTLS_CLIENT) { HASH(client_hash); HASH(server_hash); @@ -905,12 +917,17 @@ int gnutls_handshake(int cd, GNUTLS_STATE state) ERR("send ChangeCipherSpec", ret); return ret; } - - + if (_gnutls_version_ssl3(state->connection_state.version) == 0) { + state->gnutls_internals.client_md_md5 = + gnutls_hash_deinit_ssl3(state->gnutls_internals.client_td_md5); + state->gnutls_internals.client_md_sha1 = + gnutls_hash_deinit_ssl3(state->gnutls_internals.client_td_sha1); + } else { state->gnutls_internals.client_md_md5 = gnutls_hash_deinit(state->gnutls_internals.client_td_md5); state->gnutls_internals.client_md_sha1 = gnutls_hash_deinit(state->gnutls_internals.client_td_sha1); + } /* Initialize the connection state (start encryption) */ ret = _gnutls_connection_state_init(state); @@ -937,11 +954,17 @@ int gnutls_handshake(int cd, GNUTLS_STATE state) return ret; } - state->gnutls_internals.server_md_md5 = - gnutls_hash_deinit(state->gnutls_internals.server_td_md5); - state->gnutls_internals.server_md_sha1 = - gnutls_hash_deinit(state->gnutls_internals.server_td_sha1); - + if (_gnutls_version_ssl3(state->connection_state.version) == 0) { + state->gnutls_internals.server_md_md5 = + gnutls_hash_deinit_ssl3(state->gnutls_internals.server_td_md5); + state->gnutls_internals.server_md_sha1 = + gnutls_hash_deinit_ssl3(state->gnutls_internals.server_td_sha1); + } else { + state->gnutls_internals.server_md_md5 = + gnutls_hash_deinit(state->gnutls_internals.server_td_md5); + state->gnutls_internals.server_md_sha1 = + gnutls_hash_deinit(state->gnutls_internals.server_td_sha1); + } NOT_HASH(client_hash); NOT_HASH(server_hash); ret = _gnutls_recv_finished(cd, state); @@ -1031,11 +1054,17 @@ int gnutls_handshake(int cd, GNUTLS_STATE state) ret = _gnutls_connection_state_init(state); if (ret<0) return ret; - state->gnutls_internals.client_md_md5 = - gnutls_hash_deinit(state->gnutls_internals.client_td_md5); - state->gnutls_internals.client_md_sha1 = - gnutls_hash_deinit(state->gnutls_internals.client_td_sha1); - + if (_gnutls_version_ssl3(state->connection_state.version) == 0) { + state->gnutls_internals.client_md_md5 = + gnutls_hash_deinit_ssl3(state->gnutls_internals.client_td_md5); + state->gnutls_internals.client_md_sha1 = + gnutls_hash_deinit_ssl3(state->gnutls_internals.client_td_sha1); + } else { + state->gnutls_internals.client_md_md5 = + gnutls_hash_deinit(state->gnutls_internals.client_td_md5); + state->gnutls_internals.client_md_sha1 = + gnutls_hash_deinit(state->gnutls_internals.client_td_sha1); + } NOT_HASH(client_hash); HASH(server_hash); ret = _gnutls_recv_finished(cd, state); @@ -1052,11 +1081,17 @@ int gnutls_handshake(int cd, GNUTLS_STATE state) return ret; } - state->gnutls_internals.server_md_md5 = - gnutls_hash_deinit(state->gnutls_internals.server_td_md5); - state->gnutls_internals.server_md_sha1 = - gnutls_hash_deinit(state->gnutls_internals.server_td_sha1); - + if (_gnutls_version_ssl3(state->connection_state.version) == 0) { + state->gnutls_internals.server_md_md5 = + gnutls_hash_deinit_ssl3(state->gnutls_internals.server_td_md5); + state->gnutls_internals.server_md_sha1 = + gnutls_hash_deinit_ssl3(state->gnutls_internals.server_td_sha1); + } else { + state->gnutls_internals.server_md_md5 = + gnutls_hash_deinit(state->gnutls_internals.server_td_md5); + state->gnutls_internals.server_md_sha1 = + gnutls_hash_deinit(state->gnutls_internals.server_td_sha1); + } NOT_HASH(client_hash); NOT_HASH(server_hash); ret = _gnutls_send_finished(cd, state); diff --git a/lib/gnutls_handshake.h b/lib/gnutls_handshake.h index 93d8851828..727decf4c5 100644 --- a/lib/gnutls_handshake.h +++ b/lib/gnutls_handshake.h @@ -1,4 +1,3 @@ -int _gnutls_supported_compression_methods(CompressionMethod **comp); int _gnutls_send_handshake(int cd, GNUTLS_STATE state, void* i_data, uint32 i_datasize, HandshakeType type); int _gnutls_send_hello_request(int cd, GNUTLS_STATE state); int _gnutls_send_hello(int cd, GNUTLS_STATE state, opaque* SessionID, uint8 SessionIDLen); diff --git a/lib/gnutls_hash_int.c b/lib/gnutls_hash_int.c index 186299d025..9b10c010c0 100644 --- a/lib/gnutls_hash_int.c +++ b/lib/gnutls_hash_int.c @@ -305,7 +305,7 @@ void *gnutls_hash_deinit_ssl3(GNUTLS_MAC_HANDLE handle) return ret; } -void *ssl3_sha(int i, char *secret, int secret_len, char *random, +static void *ssl3_sha(int i, char *secret, int secret_len, char *random, int random_len) { int j; @@ -323,7 +323,7 @@ void *ssl3_sha(int i, char *secret, int secret_len, char *random, gnutls_hash(td, random, random_len); return gnutls_hash_deinit(td); } -void *ssl3_md5(int i, char *secret, int secret_len, char *random, +static void *ssl3_md5(int i, char *secret, int secret_len, char *random, int random_len) { int j; @@ -343,7 +343,7 @@ void *ssl3_md5(int i, char *secret, int secret_len, char *random, } -void *ssl3_generate_random(void *secret, int secret_len, void *random, +void *gnutls_ssl3_generate_random(void *secret, int secret_len, void *random, int random_len, int bytes) { int size = 0, i = 0; diff --git a/lib/gnutls_hash_int.h b/lib/gnutls_hash_int.h index 5e622897ef..27f7589a45 100644 --- a/lib/gnutls_hash_int.h +++ b/lib/gnutls_hash_int.h @@ -40,4 +40,6 @@ int gnutls_hash_get_algo_len(MACAlgorithm algorithm); int gnutls_hash(GNUTLS_MAC_HANDLE handle, void* text, int textlen); void* gnutls_hash_deinit(GNUTLS_MAC_HANDLE handle); +void *gnutls_ssl3_generate_random(void *secret, int secret_len, void *random, int random_len, int bytes); + #endif /* GNUTLS_HASH_INT_H */ diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index ced36d5f6c..f42c4ebe4f 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -160,15 +160,29 @@ typedef struct { uint8 CipherSuite[2]; } GNUTLS_CipherSuite; +typedef struct { + int* algorithm_priority; + int algorithms; +} BulkCipherAlgorithm_Priority; + +typedef struct { + int* algorithm_priority; + int algorithms; +} MACAlgorithm_Priority; + +typedef struct { + int* algorithm_priority; + int algorithms; +} KXAlgorithm_Priority; typedef struct { char* buffer; uint32 bufferSize; char* buffer_handshake; uint32 bufferSize_handshake; - ResumableSession resumable; - ValidSession valid_connection; - AlertDescription last_alert; + ResumableSession resumable; /* TRUE or FALSE */ + ValidSession valid_connection; /* true or FALSE */ + AlertDescription last_alert; /* last alert received */ GNUTLS_CipherSuite current_cipher_suite; CompressionMethod compression_method; /* for the handshake protocol */ @@ -180,16 +194,20 @@ typedef struct { GNUTLS_MAC_HANDLE server_td_sha1; void* server_md_md5; void* server_md_sha1; - int server_hash; - int client_hash; + int server_hash; + int client_hash; /* For DH KX */ - MPI KEY; - MPI client_Y; - MPI client_g; - MPI client_p; - MPI dh_secret; - int certificate_requested; - int certificate_verify_needed; + MPI KEY; + MPI client_Y; + MPI client_g; + MPI client_p; + MPI dh_secret; + int certificate_requested; /* non zero if client certificate was requested */ + int certificate_verify_needed; /* non zero if we should expect for certificate verify */ + BulkCipherAlgorithm_Priority BulkCipherAlgorithmPriority; + MACAlgorithm_Priority MACAlgorithmPriority; + KXAlgorithm_Priority KXAlgorithmPriority; + } GNUTLS_INTERNALS; typedef struct { diff --git a/lib/gnutls_kx.c b/lib/gnutls_kx.c index b3dbd45e28..1f16e973b5 100644 --- a/lib/gnutls_kx.c +++ b/lib/gnutls_kx.c @@ -206,10 +206,16 @@ int _gnutls_send_client_kx_message(int cd, GNUTLS_STATE state) ret = GNUTLS_E_UNKNOWN_KX_ALGORITHM; } + if (_gnutls_version_ssl3(state->connection_state.version) == 0) { + master = + gnutls_ssl3_generate_random( premaster, premaster_size, + random, 64, 48); + } else { master = gnutls_PRF( premaster, premaster_size, MASTER_SECRET, strlen(MASTER_SECRET), random, 64, 48); + } secure_free(premaster); #ifdef HARD_DEBUG fprintf(stderr, "MASTER SECRET: %s\n", _gnutls_bin2hex(master, 48)); @@ -448,10 +454,16 @@ int _gnutls_recv_client_kx_message(int cd, GNUTLS_STATE state) } } + if (_gnutls_version_ssl3(state->connection_state.version) == 0) { + master = + gnutls_ssl3_generate_random( premaster, premaster_size, + random, 64, 48); secure_free(premaster); + } else { master = gnutls_PRF( premaster, premaster_size, MASTER_SECRET, strlen(MASTER_SECRET), - random, 64, 48); secure_free(premaster); + random, 64, 48); secure_free(premaster); + } #ifdef HARD_DEBUG fprintf(stderr, "master secret: %s\n", _gnutls_bin2hex(master, 48)); #endif diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c index f5f6706aef..82eddfc5bb 100644 --- a/lib/gnutls_priority.c +++ b/lib/gnutls_priority.c @@ -24,55 +24,55 @@ /* the prototypes for these are in gnutls.h */ -void gnutls_set_cipher_priority( int num, ...) { +void gnutls_set_cipher_priority( GNUTLS_STATE state, int num, ...) { va_list ap; int i; BulkCipherAlgorithm* _ap; - int rnum = num+1; va_start( ap, num); _ap = ap; + state->gnutls_internals.BulkCipherAlgorithmPriority.algorithm_priority = gnutls_malloc(sizeof(int*)*num); + state->gnutls_internals.BulkCipherAlgorithmPriority.algorithms = num; for (i=0;i<num;i++) { - _gnutls_cipher_set_priority( _ap[i], rnum); - rnum--; + state->gnutls_internals.BulkCipherAlgorithmPriority.algorithm_priority[i] = _ap[i]; } va_end(ap); } -void gnutls_set_kx_priority( int num, ...) { +void gnutls_set_kx_priority( GNUTLS_STATE state, int num, ...) { va_list ap; int i; KXAlgorithm *_ap; - int rnum = num+1; va_start( ap, num); _ap = ap; - + + state->gnutls_internals.KXAlgorithmPriority.algorithm_priority = gnutls_malloc(sizeof(int*)*num); + state->gnutls_internals.KXAlgorithmPriority.algorithms = num; for (i=0;i<num;i++) { - _gnutls_kx_set_priority( _ap[i], rnum); - rnum--; + state->gnutls_internals.KXAlgorithmPriority.algorithm_priority[i] = _ap[i]; } va_end(ap); } -void gnutls_set_mac_priority( int num, ...) { +void gnutls_set_mac_priority( GNUTLS_STATE state, int num, ...) { va_list ap; int i; MACAlgorithm *_ap; - int rnum = num+1; va_start( ap, num); _ap = ap; + state->gnutls_internals.MACAlgorithmPriority.algorithm_priority = gnutls_malloc(sizeof(int*)*num); + state->gnutls_internals.MACAlgorithmPriority.algorithms = num; for (i=0;i<num;i++) { - _gnutls_mac_set_priority( _ap[i], rnum); - rnum--; + state->gnutls_internals.MACAlgorithmPriority.algorithm_priority[i] = _ap[i]; } va_end(ap); }
\ No newline at end of file |