diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2002-01-17 18:56:49 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2002-01-17 18:56:49 +0000 |
commit | 4d7a5a6520f7cdd2d903e13e9a4aade28009a269 (patch) | |
tree | c93953f1022734da5eeafaa1b179d5df64927217 | |
parent | c806339008d3737c87aada2fa785bb600a76054b (diff) | |
download | gnutls-4d7a5a6520f7cdd2d903e13e9a4aade28009a269.tar.gz |
Renamed gnutls_x509pki_s/get_dh_bits() to gnutls_dh_s/get_dhe_bits().
Renamed gnutls_anon_server/client_get_dh_bits() to gnutls_dh_get_dha_bits().
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | doc/tex/ex3.tex | 4 | ||||
-rw-r--r-- | lib/auth_dhe_rsa.c | 4 | ||||
-rw-r--r-- | lib/gnutls_algorithms.c | 19 | ||||
-rw-r--r-- | lib/gnutls_cert.c | 34 | ||||
-rw-r--r-- | lib/gnutls_handshake.c | 3 | ||||
-rw-r--r-- | lib/gnutls_int.h | 27 | ||||
-rw-r--r-- | lib/gnutls_ui.c | 38 | ||||
-rw-r--r-- | lib/gnutls_ui.h | 15 | ||||
-rw-r--r-- | src/common.h | 2 | ||||
-rw-r--r-- | src/serv.c | 4 |
11 files changed, 81 insertions, 71 deletions
@@ -6,6 +6,8 @@ Version ?.?.? - gnutls_check_pending() was renamed to gnutls_record_check_pending() - Key exchange methods changed so they do not depend on the Certificate type (GNUTLS_KX_X509PKI_* renamed to GNUTLS_KX_*) +- Renamed gnutls_x509pki_s/get_dh_bits() to gnutls_dh_s/get_dhe_bits() +- Renamed gnutls_anon_server/client_get_dh_bits() to gnutls_dh_get_dha_bits() Version 0.3.2 (5/01/2002) - Corrected bug which did not allow a client to accept multiple CA names diff --git a/doc/tex/ex3.tex b/doc/tex/ex3.tex index 3502020ecf..e7a2df3e07 100644 --- a/doc/tex/ex3.tex +++ b/doc/tex/ex3.tex @@ -33,7 +33,7 @@ int print_info(GNUTLS_STATE state) switch (cred) { case GNUTLS_ANON: printf("- Anonymous DH using prime of %d bits\n", - gnutls_anon_client_get_dh_bits(state)); + gnutls_dh_get_dha_bits(state)); break; case GNUTLS_X509PKI: /* in case of X509 PKI @@ -63,7 +63,7 @@ int print_info(GNUTLS_STATE state) */ if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) { printf("\n- Ephemeral DH using prime of %d bits\n", - gnutls_x509pki_server_get_dh_bits(state)); + gnutls_dh_get_dhe_bits(state)); } /* if the certificate list is available, then diff --git a/lib/auth_dhe_rsa.c b/lib/auth_dhe_rsa.c index b9cb10b373..23fd18938a 100644 --- a/lib/auth_dhe_rsa.c +++ b/lib/auth_dhe_rsa.c @@ -69,7 +69,7 @@ static int gen_dhe_rsa_server_kx(GNUTLS_STATE state, opaque ** data) gnutls_datum signature, ddata; X509PKI_AUTH_INFO info; - bits = state->gnutls_internals.x509pki_dhe_bits; + bits = state->gnutls_internals.dhe_bits; if (bits < MIN_BITS) bits = DEFAULT_BITS; /* default */ @@ -361,7 +361,7 @@ static int proc_dhe_rsa_client_kx(GNUTLS_STATE state, opaque * data, MPI g, p; int bits, ret; - bits = state->gnutls_internals.x509pki_dhe_bits; + bits = state->gnutls_internals.dhe_bits; if (bits < MIN_BITS) bits = DEFAULT_BITS; /* default */ diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c index 8608f8a0e9..66b85f3360 100644 --- a/lib/gnutls_algorithms.c +++ b/lib/gnutls_algorithms.c @@ -23,13 +23,6 @@ #include "gnutls_errors.h" #include "gnutls_cert.h" -#define MAX_CIPHER 256 -#define MAX_MAC 256 -#define MAX_KX 256 -#define MAX_CIPHERSUITE 256 -#define MAX_COMPRESSION 256 -#define MAX_VERSION 256 - /* Cred type mappings to KX algorithms */ typedef struct { @@ -401,7 +394,7 @@ const char *gnutls_mac_get_name(MACAlgorithm algorithm) int _gnutls_mac_count() { uint8 i, counter = 0; - for (i = 0; i < MAX_MAC; i++) { + for (i = 0; i < MAX_MAC_ALGOS; i++) { if (_gnutls_mac_is_ok(i) == 0) counter++; } @@ -483,7 +476,7 @@ CompressionMethod _gnutls_compression_get_id(int num) int _gnutls_compression_count() { uint8 i, counter = 0; - for (i = 0; i < MAX_COMPRESSION; i++) { + for (i = 0; i < MAX_COMPRESSION_ALGOS; i++) { if (_gnutls_compression_is_ok(i) == 0) counter++; } @@ -576,7 +569,7 @@ const char *gnutls_cipher_get_name(BulkCipherAlgorithm algorithm) int _gnutls_cipher_count() { uint8 i, counter = 0; - for (i = 0; i < MAX_CIPHER; i++) { + for (i = 0; i < MAX_CIPHER_ALGOS; i++) { if (_gnutls_cipher_is_ok(i) == 0) counter++; } @@ -638,7 +631,7 @@ const char *gnutls_kx_get_name(KXAlgorithm algorithm) int _gnutls_kx_count() { uint8 i, counter = 0; - for (i = 0; i < MAX_KX; i++) { + for (i = 0; i < MAX_KX_ALGOS; i++) { if (_gnutls_kx_is_ok(i) == 0) counter++; } @@ -853,7 +846,7 @@ int _gnutls_cipher_suite_count() GNUTLS_CipherSuite suite; int i, counter = 0, j; - for (j = 0; j < MAX_CIPHERSUITE; j++) { + for (j = 0; j < MAX_CIPHERSUITES; j++) { suite.CipherSuite[0] = j; #ifdef DEBUG # warning CHECK SUPPORTED CIPHER SUITES HERE @@ -861,7 +854,7 @@ int _gnutls_cipher_suite_count() if (j != 0x00 && j != 0xF6) continue; - for (i = 0; i < MAX_CIPHERSUITE; i++) { + for (i = 0; i < MAX_CIPHERSUITES; i++) { suite.CipherSuite[1] = i; if (_gnutls_cipher_suite_is_ok(suite) == 0) counter++; diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index 97d9124aa5..74372f69b2 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -47,11 +47,11 @@ typedef struct { /* This table maps the Key exchange algorithms to * the certificate algorithms. Eg. if we have * RSA algorithm in the certificate then we can - * use GNUTLS_KX_X509PKI_RSA or GNUTLS_KX_X509PKI_DHE_RSA. + * use GNUTLS_KX_RSA or GNUTLS_KX_DHE_RSA. */ static const gnutls_pk_map pk_mappings[] = { - {GNUTLS_KX_X509PKI_RSA, GNUTLS_PK_RSA}, - {GNUTLS_KX_X509PKI_DHE_RSA, GNUTLS_PK_RSA}, + {GNUTLS_KX_RSA, GNUTLS_PK_RSA}, + {GNUTLS_KX_DHE_RSA, GNUTLS_PK_RSA}, {0} }; @@ -605,7 +605,7 @@ int gnutls_x509pki_set_trust_mem(GNUTLS_X509PKI_CREDENTIALS res, const gnutls_da } /** - * gnutls_x509pki_set_dh_bits - Used to set the bits for a DHE_* ciphersuite + * gnutls_dh_set_dhe_bits - Used to set the bits for a DHE_* ciphersuite * @state: is a &GNUTLS_STATE structure. * @bits: is the number of bits * @@ -613,11 +613,17 @@ int gnutls_x509pki_set_trust_mem(GNUTLS_X509PKI_CREDENTIALS res, const gnutls_da * This value will only be used in case of DHE ciphersuite. * **/ -void gnutls_x509pki_set_dh_bits(GNUTLS_STATE state, int bits) +void gnutls_dh_set_dhe_bits(GNUTLS_STATE state, int bits) { - state->gnutls_internals.x509pki_dhe_bits = bits; + state->gnutls_internals.dhe_bits = bits; } +#ifdef DEBUG +# warning REMOVE THIS ON LIBRARY VERSION CHANGE +#endif +void gnutls_x509pki_set_dh_bits(GNUTLS_STATE state, int bits) { + gnutls_dh_set_dhe_bits( state, bits); +} static int _read_rsa_params(opaque * der, int dersize, MPI * params) { @@ -1096,7 +1102,7 @@ int _gnutls_check_x509pki_key_usage(const gnutls_cert * cert, { if (_gnutls_map_kx_get_cred(alg) == GNUTLS_X509PKI) { switch (alg) { - case GNUTLS_KX_X509PKI_RSA: + case GNUTLS_KX_RSA: if (cert->keyUsage != 0) { if (! (cert-> @@ -1107,7 +1113,8 @@ int _gnutls_check_x509pki_key_usage(const gnutls_cert * cert, return 0; } return 0; - case GNUTLS_KX_X509PKI_DHE_RSA: + case GNUTLS_KX_DHE_RSA: + case GNUTLS_KX_DHE_DSS: if (cert->keyUsage != 0) { if (! (cert-> @@ -1128,7 +1135,7 @@ int _gnutls_check_x509pki_key_usage(const gnutls_cert * cert, /* returns the KX algorithms that are supported by a * certificate. (Eg a certificate with RSA params, supports - * GNUTLS_KX_X509PKI_RSA algorithm). + * GNUTLS_KX_RSA algorithm). * This function also uses the KeyUsage field of the certificate * extensions in order to disable unneded algorithms. */ @@ -1138,10 +1145,10 @@ int _gnutls_cert_supported_kx(const gnutls_cert * cert, KXAlgorithm ** alg, KXAlgorithm kx; int i; PKAlgorithm pk; - KXAlgorithm kxlist[255]; + KXAlgorithm kxlist[MAX_KX_ALGOS]; i = 0; - for (kx = 0; kx < 255; kx++) { + for (kx = 0; kx < MAX_KX_ALGOS; kx++) { pk = _gnutls_map_pk_get_pk(kx); if (pk == cert->subject_pk_algorithm) { if (_gnutls_check_x509pki_key_usage(cert, kx) == 0) { @@ -1151,6 +1158,11 @@ int _gnutls_cert_supported_kx(const gnutls_cert * cert, KXAlgorithm ** alg, } } + if (i==0) { + gnutls_assert(); + return GNUTLS_E_INVALID_PARAMETERS; + } + *alg = gnutls_calloc(1, sizeof(KXAlgorithm) * i); if (*alg == NULL) return GNUTLS_E_MEMORY_ERROR; diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index cfd2c254a6..db68d4714a 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -943,7 +943,8 @@ int _gnutls_recv_handshake(GNUTLS_STATE state, uint8 ** data, ret = length32; break; case GNUTLS_SERVER_HELLO_DONE: - ret = 0; + if (length32==0) ret = 0; + else ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; break; case GNUTLS_FINISHED: ret = length32; diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index c9539afdf1..dd78dd1857 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -127,10 +127,6 @@ typedef enum HandshakeType { GNUTLS_HELLO_REQUEST, GNUTLS_CLIENT_HELLO, GNUTLS_S GNUTLS_FINISHED=20 } HandshakeType; typedef struct { - ChangeCipherSpecType type; -} ChangeCipherSpec; - -typedef struct { opaque * data; int size; } gnutls_datum; @@ -141,6 +137,12 @@ typedef struct { AlertDescription description; } Alert; +#define MAX_KX_ALGOS 16 +#define MAX_CIPHER_ALGOS 16 +#define MAX_MAC_ALGOS 16 +#define MAX_CIPHERSUITES 256 +#define MAX_COMPRESSION_ALGOS 4 +#define MAX_VERSIONS 4 /* STATE */ typedef enum ConnectionEnd { GNUTLS_SERVER=1, GNUTLS_CLIENT } ConnectionEnd; @@ -172,10 +174,11 @@ typedef int (*DB_STORE_FUNC)(void*, gnutls_datum key, gnutls_datum data); typedef int (*DB_REMOVE_FUNC)(void*, gnutls_datum key); typedef gnutls_datum (*DB_RETR_FUNC)(void*, gnutls_datum key); -typedef struct { +typedef struct AUTH_CRED { KXAlgorithm algorithm; + /* the type of credentials depends on algorithm */ void* credentials; - void* next; + struct AUTH_CRED* next; } AUTH_CRED; @@ -251,7 +254,7 @@ typedef struct { opaque srp_username[MAX_SRP_USERNAME]; } TLSExtensions; -/* AUTH_INFO structures MUST NOT contain malloced +/* AUTH_INFO structures now MAY contain malloced * elements. */ @@ -412,7 +415,7 @@ typedef struct { /* gdbm */ char* db_name; - int expire_time; + int expire_time; /* after expire_time seconds this session will expire */ struct MOD_AUTH_STRUCT_INT* auth_struct; /* used in handshake packets and KX algorithms */ int v2_hello; /* 0 if the client hello is v3+. * non-zero if we got a v2 hello. @@ -429,7 +432,9 @@ typedef struct { * if none. */ /* this is the highest version available - * to the peer. (advertized version) + * to the peer. (advertized version). + * This is obtained by the Handshake Client Hello + * message. (some implementations read the Record version) */ uint8 adv_version_major; uint8 adv_version_minor; @@ -448,7 +453,9 @@ typedef struct { */ x509pki_client_cert_callback_func* client_cert_callback; x509pki_server_cert_callback_func* server_cert_callback; - int x509pki_dhe_bits; + + /* how may bits to use for DHE? */ + int dhe_bits; int max_handshake_data_buffer_size; diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c index 60134f16b6..82e1ce6f73 100644 --- a/lib/gnutls_ui.c +++ b/lib/gnutls_ui.c @@ -55,15 +55,14 @@ const char *gnutls_srp_server_get_username(GNUTLS_STATE state) /* ANON */ /** - * gnutls_anon_server_get_dh_bits - This function returns the bits used in DH authentication + * gnutls_dh_get_dha_bits - This function returns the bits used in anonymous DH authentication * @state: is a gnutls state * - * This function will return the bits used in the Diffie Hellman authentication - * with the peer. This should only be called in case of a server. - * Returns a negative value in case of an error. + * This function will return the bits used in the anonymous Diffie Hellman authentication + * with the peer. Returns a negative value in case of an error. * **/ -int gnutls_anon_server_get_dh_bits(GNUTLS_STATE state) +int gnutls_dh_get_dha_bits(GNUTLS_STATE state) { ANON_SERVER_AUTH_INFO info; @@ -75,25 +74,16 @@ int gnutls_anon_server_get_dh_bits(GNUTLS_STATE state) return info->dh_bits; } -/** - * gnutls_anon_client_get_dh_bits - This function returns the bits used in DH authentication - * @state: is a gnutls state - * - * This function will return the bits used in the Diffie Hellman authentication - * with the peer. This should only be called in case of a client. - * Returns a negative value in case of an error. - * - **/ +#ifdef DEBUG +# warning REMOVE THESE ON LIBRARY UPGRADE +#endif +int gnutls_anon_server_get_dh_bits(GNUTLS_STATE state) +{ + return gnutls_dh_get_dha_bits( state); +} int gnutls_anon_client_get_dh_bits(GNUTLS_STATE state) { - ANON_CLIENT_AUTH_INFO info; - - CHECK_AUTH(GNUTLS_ANON, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info(state); - if (info == NULL) - return GNUTLS_E_UNKNOWN_ERROR; - return info->dh_bits; + return gnutls_dh_get_dha_bits( state); } @@ -126,7 +116,7 @@ const gnutls_datum *gnutls_x509pki_get_peer_certificate_list(GNUTLS_STATE state, /** - * gnutls_x509pki_get_dh_bits - This function returns the number of bits used in a DHE handshake + * gnutls_dh_get_dhe_bits - This function returns the number of bits used in a DHE handshake * @state: is a gnutls state * * This function will return the number of bits used in a Diffie Hellman Handshake. This will only @@ -135,7 +125,7 @@ const gnutls_datum *gnutls_x509pki_get_peer_certificate_list(GNUTLS_STATE state, * Returns a negative value in case of an error. * **/ -int gnutls_x509pki_get_dh_bits(GNUTLS_STATE state) +int gnutls_dh_get_dhe_bits(GNUTLS_STATE state) { X509PKI_AUTH_INFO info; diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h index 9057fec8a1..0efa9d1484 100644 --- a/lib/gnutls_ui.h +++ b/lib/gnutls_ui.h @@ -52,8 +52,16 @@ const char* gnutls_srp_server_get_username( GNUTLS_STATE state); /* ANON */ -int gnutls_anon_server_get_dh_bits( GNUTLS_STATE state); -int gnutls_anon_client_get_dh_bits( GNUTLS_STATE state); +int gnutls_dh_get_dha_bits( GNUTLS_STATE state); + +#define gnutls_anon_server_get_dh_bits gnutls_dh_get_dha_bits +#define gnutls_anon_client_get_dh_bits gnutls_dh_get_dha_bits + +void gnutls_dh_set_dhe_bits( GNUTLS_STATE state, int bits); +int gnutls_dh_get_dhe_bits( GNUTLS_STATE); + +#define gnutls_x509pki_set_dh_bits gnutls_dh_set_dhe_bits +#define gnutls_x509pki_get_dh_bits gnutls_dh_get_dhe_bits /* X509PKI */ @@ -62,8 +70,6 @@ void gnutls_x509pki_set_client_cert_callback( GNUTLS_X509PKI_CREDENTIALS, x509pk void gnutls_x509pki_set_server_cert_callback( GNUTLS_X509PKI_CREDENTIALS, x509pki_server_cert_callback_func *); void gnutls_x509pki_server_set_cert_request( GNUTLS_STATE, CertificateRequest); -void gnutls_x509pki_set_dh_bits( GNUTLS_STATE state, int bits); - /* X.509 certificate handling functions */ int gnutls_x509pki_extract_dn( const gnutls_datum*, gnutls_DN*); int gnutls_x509pki_extract_certificate_dn( const gnutls_datum*, gnutls_DN*); @@ -76,7 +82,6 @@ int gnutls_x509pki_extract_subject_dns_name( const gnutls_datum*, char*, int*); /* get data from the state */ const gnutls_datum* gnutls_x509pki_get_peer_certificate_list( GNUTLS_STATE, int* list_size); -int gnutls_x509pki_get_dh_bits( GNUTLS_STATE); int gnutls_x509pki_get_certificate_request_status( GNUTLS_STATE); int gnutls_x509pki_get_peer_certificate_status( GNUTLS_STATE); diff --git a/src/common.h b/src/common.h index 9d2aee344f..8a475f2109 100644 --- a/src/common.h +++ b/src/common.h @@ -60,7 +60,7 @@ GNUTLS_KXAlgorithm kx; */ if (kx == GNUTLS_KX_X509PKI_DHE_RSA || kx == GNUTLS_KX_X509PKI_DHE_DSS) { printf("\n- Ephemeral DH using prime of %d bits\n", - gnutls_x509pki_server_get_dh_bits( state)); + gnutls_dh_get_dhe_bits( state)); } if (cert_list_size > 0) { diff --git a/src/serv.c b/src/serv.c index 0a8aa1a675..0f8efb9682 100644 --- a/src/serv.c +++ b/src/serv.c @@ -133,7 +133,7 @@ void peer_print_info( GNUTLS_STATE state) if (gnutls_kx_get_algo(state) == GNUTLS_KX_ANON_DH) { sprintf(tmp2, "<p> Connect using anonymous DH (prime of %d bits)</p>\n", - gnutls_anon_server_get_dh_bits( state)); + gnutls_dh_get_dha_bits( state)); } /* print state information */ @@ -147,7 +147,7 @@ void peer_print_info( GNUTLS_STATE state) if (gnutls_kx_get_algo(state) == GNUTLS_KX_X509PKI_DHE_RSA || gnutls_kx_get_algo(state) == GNUTLS_KX_X509PKI_DHE_DSS) { sprintf(tmp2, "Ephemeral DH using prime of <b>%d</b> bits.<br>\n", - gnutls_x509pki_server_get_dh_bits( state)); + gnutls_dh_get_dhe_bits( state)); } tmp = |