diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2002-08-18 08:30:25 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2002-08-18 08:30:25 +0000 |
commit | 2f2e51046fd7bce7f53aa4a1796d1d5cb6428e3c (patch) | |
tree | c917d974917a6f39aadfea3c2284962b9e3b8ccf | |
parent | a82bdc9c8d44188a4bd526137d93f218d98c37ec (diff) | |
download | gnutls-2f2e51046fd7bce7f53aa4a1796d1d5cb6428e3c.tar.gz |
Added the gnutls_handshake_set_exportable_detection() function, which
is used to control whether the handshake will check for exportable cipher
suites in the server. In that case an error of GNUTLS_E_EXPORT_CIPHER_SUITE
is returned.
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | lib/gnutls.h.in.in | 1 | ||||
-rw-r--r-- | lib/gnutls_handshake.c | 49 | ||||
-rw-r--r-- | lib/gnutls_int.h | 2 | ||||
-rw-r--r-- | lib/gnutls_state.c | 18 |
5 files changed, 54 insertions, 19 deletions
@@ -1,6 +1,7 @@ Version 0.5.2 - Added an error code that is returned in clients which connect - to export only servers. + to export only servers. This must be enabled using the + gnutls_handshake_set_exportable_detection() function. - Updated openssl compatibility layer. - Added gnutls_handshake_check_direction() function which returns the state of the handshake when interrupted. diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in index 52d6875edd..93e203aabf 100644 --- a/lib/gnutls.h.in.in +++ b/lib/gnutls.h.in.in @@ -154,6 +154,7 @@ const char* gnutls_strerror( int error); */ void gnutls_handshake_set_private_extensions(GNUTLS_STATE state, int allow); void gnutls_record_set_cbc_protection(GNUTLS_STATE state, int prot); +void gnutls_handshake_set_exportable_detection(GNUTLS_STATE state, int det); void gnutls_handshake_set_rsa_pms_check(GNUTLS_STATE state, int check); /* Record layer functions. diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index b9acc18c7c..6dd01ca71e 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -1076,10 +1076,11 @@ static int _gnutls_client_set_ciphersuite(GNUTLS_STATE state, uint16 x; int i, err; - if ( memcmp( suite, EXPORT_CIPHERSUITE, 2)==0) { - gnutls_assert(); - return GNUTLS_E_EXPORT_CIPHER_SUITE; - } + if (state->gnutls_internals.exportable_detection_hack != 0) + if ( memcmp( suite, EXPORT_CIPHERSUITE, 2)==0) { + gnutls_assert(); + return GNUTLS_E_EXPORT_CIPHER_SUITE; + } z = 1; x = _gnutls_supported_ciphersuites(state, &cipher_suites); @@ -1318,7 +1319,7 @@ static int _gnutls_copy_ciphersuites(GNUTLS_STATE state, { int ret, i; GNUTLS_CipherSuite *cipher_suites; - uint16 x; + uint16 cipher_num; int datalen, pos; ret = _gnutls_supported_ciphersuites_sorted(state, &cipher_suites); @@ -1339,18 +1340,27 @@ static int _gnutls_copy_ciphersuites(GNUTLS_STATE state, gnutls_assert(); return ret; } - if (ret==0) { + + /* If no cipher suites were enabled. + */ + if (ret == 0) { gnutls_assert(); return GNUTLS_E_INSUFICIENT_CRED; } - x = ret + 1; /* add 1 for the export cipher suite */ - x *= sizeof(uint16); /* in order to get bytes */ + cipher_num = ret; + + /* for the EXPORT DETECTION */ + if ( state->gnutls_internals.exportable_detection_hack != 0) { + cipher_num += 1; /* add 1 for the export cipher suite */ + } + + cipher_num *= sizeof(uint16); /* in order to get bytes */ datalen = pos = 0; - datalen += sizeof(uint16) + x; + datalen += sizeof(uint16) + cipher_num; *ret_data = gnutls_malloc(datalen); if (*ret_data == NULL) { @@ -1361,16 +1371,19 @@ static int _gnutls_copy_ciphersuites(GNUTLS_STATE state, /* add 2 for the export cipher suite */ - _gnutls_write_uint16(x, *ret_data); + _gnutls_write_uint16(cipher_num, *ret_data); pos += 2; - for (i = 0; i < (x / 2) - 1; i++) { + for (i = 0; i < (cipher_num / 2) - 1; i++) { memcpy( &(*ret_data)[pos], cipher_suites[i].CipherSuite, 2); pos += 2; } - memcpy( &(*ret_data)[pos], EXPORT_CIPHERSUITE, 2); - pos += 2; + /* for the EXPORT DETECTION */ + if ( state->gnutls_internals.exportable_detection_hack != 0) { + memcpy( &(*ret_data)[pos], EXPORT_CIPHERSUITE, 2); + pos += 2; + } gnutls_free(cipher_suites); @@ -1385,7 +1398,7 @@ static int _gnutls_copy_comp_methods(GNUTLS_STATE state, opaque ** ret_data) { int ret, i; - uint8 *compression_methods, z; + uint8 *compression_methods, comp_num; int datalen, pos; ret = @@ -1396,10 +1409,10 @@ static int _gnutls_copy_comp_methods(GNUTLS_STATE state, return ret; } - z = ret; + comp_num = ret; datalen = pos = 0; - datalen += z + 1; + datalen += comp_num + 1; *ret_data = gnutls_malloc(datalen); if (*ret_data == NULL) { @@ -1407,9 +1420,9 @@ static int _gnutls_copy_comp_methods(GNUTLS_STATE state, return GNUTLS_E_MEMORY_ERROR; } - (*ret_data)[pos++] = z; /* put the number of compression methods */ + (*ret_data)[pos++] = comp_num; /* put the number of compression methods */ - for (i = 0; i < z; i++) { + for (i = 0; i < comp_num; i++) { (*ret_data)[pos++] = compression_methods[i]; } diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index e4d0546897..a746db703f 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -561,6 +561,8 @@ typedef struct { GNUTLS_Version default_record_version; int cbc_protection_hack; + int exportable_detection_hack; + int rsa_pms_check; /* 0 means enabled */ void* user_ptr; diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c index 60d2382485..fa31816649 100644 --- a/lib/gnutls_state.c +++ b/lib/gnutls_state.c @@ -468,6 +468,24 @@ void gnutls_record_set_cbc_protection(GNUTLS_STATE state, int prot) } /** + * gnutls_handshake_set_exportable_detection - Used to enable the detection of server's export cipher suites + * @state: is a &GNUTLS_STATE structure. + * @det: is an integer (0 or 1) + * + * The function will allow clients to detect if a server only + * supports exportable ciphersuites. In that case an error code + * of GNUTLS_E_EXPORT_CIPHER_SUITE is returned. + * + * This check will be enabled if det != 0, and disabled otherwise + * (the default behaviour). + * + **/ +void gnutls_handshake_set_exportable_detection(GNUTLS_STATE state, int det) +{ + state->gnutls_internals.exportable_detection_hack = det; +} + +/** * gnutls_handshake_set_private_extensions - Used to enable the private cipher suites * @state: is a &GNUTLS_STATE structure. * @allow: is an integer (0 or 1) |