-rw-r--r-- | lib/debug.c | 34 | ||||
-rw-r--r-- | lib/debug.h | 14 | ||||
-rw-r--r-- | lib/gnutls.c | 47 | ||||
-rw-r--r-- | lib/gnutls.h | 2 | ||||
-rw-r--r-- | lib/gnutls_algorithms.c | 54 | ||||
-rw-r--r-- | lib/gnutls_algorithms.h | 3 | ||||
-rw-r--r-- | lib/gnutls_cipher.c | 8 | ||||
-rw-r--r-- | lib/gnutls_dh.c | 12 | ||||
-rw-r--r-- | lib/gnutls_handshake.c | 13 | ||||
-rw-r--r-- | lib/gnutls_hash_int.c | 28 | ||||
-rw-r--r-- | lib/gnutls_hash_int.h | 4 | ||||
-rw-r--r-- | lib/gnutls_int.h | 25 | ||||
-rw-r--r-- | lib/gnutls_kx.c | 8 |
13 files changed, 179 insertions, 73 deletions
diff --git a/lib/debug.c b/lib/debug.c index 7a5c231780..a927e95fe4 100644 --- a/lib/debug.c +++ b/lib/debug.c @@ -24,10 +24,9 @@ #include "gnutls_int.h" #include "gnutls_errors.h" +#ifdef DEBUG -static char hexconvtab[] = "0123456789abcdef"; - -void dump_mpi(char* prefix, MPI a) +void _gnutls_dump_mpi(char* prefix, MPI a) { char buf[400]; size_t n = sizeof buf; @@ -38,18 +37,18 @@ void dump_mpi(char* prefix, MPI a) } -char *bin2hex(const unsigned char *old, const size_t oldlen) +char *_gnutls_bin2hex(const unsigned char *old, const size_t oldlen) { unsigned char *new = NULL; int i, j; - new = malloc(oldlen * 2 * sizeof(char) + 1); + new = calloc(1, oldlen * 2 * sizeof(char) + 1); if (!new) return (new); - for (i = j = 0; i < oldlen; i++) { - new[j++] = hexconvtab[old[i] >> 4]; - new[j++] = hexconvtab[old[i] & 15]; + for (i = j = 0; j < oldlen; j+=2) { + sprintf(&new[j], "%.2x", old[i]); + i++; } new[j] = '\0'; @@ -57,7 +56,7 @@ char *bin2hex(const unsigned char *old, const size_t oldlen) } -void _print_state(GNUTLS_STATE state) +void _gnutls_print_state(GNUTLS_STATE state) { fprintf(stderr, "GNUTLS State:\n"); @@ -83,7 +82,7 @@ void _print_state(GNUTLS_STATE state) } -void _print_TLSCompressed(GNUTLSCompressed * compressed) +void _gnutls_print_TLSCompressed(GNUTLSCompressed * compressed) { fprintf(stderr, "TLSCompressed packet:\n"); fprintf(stderr, "type: %d\n", compressed->type); @@ -91,12 +90,12 @@ void _print_TLSCompressed(GNUTLSCompressed * compressed) compressed->version.minor); fprintf(stderr, "length: %d\n", compressed->length); fprintf(stderr, "fragment: %s\n", - bin2hex(compressed->fragment, compressed->length)); + _gnutls_bin2hex(compressed->fragment, compressed->length)); fprintf(stderr, "\n"); } -void _print_TLSPlaintext(GNUTLSPlaintext * plaintext) +void _gnutls_print_TLSPlaintext(GNUTLSPlaintext * plaintext) { fprintf(stderr, "TLSPlaintext packet:\n"); fprintf(stderr, "type: %d\n", plaintext->type); 
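Review bot: In `_gnutls_bin2hex` (lib/debug.c, hunk @@ -38,18 +37,18) the rewritten loop tests `j < oldlen` while `j` advances by two, so only about half of the input bytes are converted and the returned hex string is silently truncated. The bound belongs on the input index: `for (i = j = 0; i < oldlen; i++, j += 2) {`, with the separate `i++;` dropped. The `calloc` size of `oldlen * 2 + 1` already leaves room for the terminator that `sprintf` writes after each pair. `new` is `unsigned char *`, so `sprintf((char *)&new[j], "%.2x", old[i]);` avoids a pointer-sign mismatch, and `i`/`j` would be better as `size_t` to match `oldlen`.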
@@ -104,12 +103,12 @@ void _print_TLSPlaintext(GNUTLSPlaintext * plaintext) plaintext->version.minor); fprintf(stderr, "length: %d\n", plaintext->length); fprintf(stderr, "fragment: %s\n", - bin2hex(plaintext->fragment, plaintext->length)); + _gnutls_bin2hex(plaintext->fragment, plaintext->length)); fprintf(stderr, "\n"); } -void _print_TLSCiphertext(GNUTLSCiphertext * ciphertext) +void _gnutls_print_TLSCiphertext(GNUTLSCiphertext * ciphertext) { fprintf(stderr, "TLSCiphertext packet:\n"); @@ -119,11 +118,11 @@ void _print_TLSCiphertext(GNUTLSCiphertext * ciphertext) fprintf(stderr, "length: %d\n", ciphertext->length); fprintf(stderr, "fragment: %s\n", - bin2hex(ciphertext->fragment, ciphertext->length)); + _gnutls_bin2hex(ciphertext->fragment, ciphertext->length)); fprintf(stderr, "\n"); } -char* alert2str( int alert) { +char* _gnutls_alert2str( int alert) { static char str[512]; switch(alert) { @@ -205,7 +204,7 @@ static char str[512]; } -char* packet2str( int packet) { +char* _gnutls_packet2str( int packet) { static char str[512]; switch(packet) { @@ -229,3 +228,4 @@ static char str[512]; return str; } +#endif diff --git a/lib/debug.h b/lib/debug.h index 6d14eff9f0..e55b3586be 100644 --- a/lib/debug.h +++ b/lib/debug.h @@ -1,6 +1,8 @@ -void _print_state(GNUTLS_STATE state); -void _print_TLSCompressed(GNUTLSCompressed * compressed); -void _print_TLSPlaintext(GNUTLSPlaintext * plaintext); -void _print_TLSCiphertext( GNUTLSCiphertext *); -char * bin2hex(const unsigned char *old, const size_t oldlen); -void dump_mpi(char* prefix,MPI a); +#ifdef DEBUG +void _gnutls_print_state(GNUTLS_STATE state); +void _gnutls_print_TLSCompressed(GNUTLSCompressed * compressed); +void _gnutls_print_TLSPlaintext(GNUTLSPlaintext * plaintext); +void _gnutls_print_TLSCiphertext( GNUTLSCiphertext *); +char * _gnutls_bin2hex(const unsigned char *old, const size_t oldlen); +void _gnutls_dump_mpi(char* prefix,MPI a); +#endif 
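Review bot: The rewritten lib/debug.h (hunk @@ -1,6 +1,8) declares six of the renamed helpers but not `_gnutls_alert2str` or `_gnutls_packet2str`, which lib/gnutls.c calls in its HARD_DEBUG blocks and passes to `%s`. Unless they are declared somewhere outside this diff, those calls rely on an implicit `int` return, which truncates the pointer on platforms where pointers are wider than `int`. Adding `char *_gnutls_alert2str(int alert);` and `char *_gnutls_packet2str(int packet);` inside the `#ifdef DEBUG` block would close that. The definitions are now compiled only under DEBUG while the callers are guarded by HARD_DEBUG, so a build that sets HARD_DEBUG without DEBUG would fail to link; a short comment in the header stating that HARD_DEBUG requires DEBUG would help.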
diff --git a/lib/gnutls.c b/lib/gnutls.c index 9bc40f1773..147f8714fc 100644 --- a/lib/gnutls.c +++ b/lib/gnutls.c @@ -35,12 +35,28 @@ */ int _gnutls_valid_version(GNUTLS_STATE state, int major, int minor) { +GNUTLS_Version ver = {0, major, minor}; - if (state->connection_state.version.major == major && state->connection_state.version.minor == minor) - return 0; + if (_gnutls_version_is_supported(ver) > 0 ) { + return 0; /* supported */ + } return 1; } +GNUTLS_Version gnutls_get_current_version(GNUTLS_STATE state) { +GNUTLS_Version ver; + ver.local = state->connection_state.version.local; + ver.major = state->connection_state.version.major; + ver.minor = state->connection_state.version.minor; + return ver; +} + +void gnutls_set_current_version(GNUTLS_STATE state, int local, int major, int minor) { + state->connection_state.version.local = local; + state->connection_state.version.major = major; + state->connection_state.version.minor = minor; +} + int gnutls_is_secure_memory(const void* mem) { return 0; } @@ -82,8 +98,7 @@ int gnutls_init(GNUTLS_STATE * state, ConnectionEnd con_end) (*state)->gnutls_internals.client_hash = 0; (*state)->gnutls_internals.resumable = RESUME_TRUE; - (*state)->connection_state.version.major = GNUTLS_VERSION_MAJOR; - (*state)->connection_state.version.minor = GNUTLS_VERSION_MINOR; + gnutls_set_current_version ( (*state), 0, GNUTLS_DEFAULT_VERSION_MAJOR, GNUTLS_DEFAULT_VERSION_MINOR); (*state)->gnutls_internals.KEY = NULL; (*state)->gnutls_internals.client_Y = NULL; @@ -131,7 +146,7 @@ int gnutls_deinit(GNUTLS_STATE * state) } -void *_gnutls_cal_PRF_A(MACAlgorithm algorithm, void *secret, int secret_size, void *seed, int seed_size) +void *_gnutls_cal_PRF_A(GNUTLS_STATE state, MACAlgorithm algorithm, void *secret, int secret_size, void *seed, int seed_size) { GNUTLS_MAC_HANDLE td1; 
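Review bot: `_gnutls_valid_version` (lib/gnutls.c, hunk @@ -35,12 +35,28) no longer reads `state`, so a version is accepted whenever it appears in the supported table rather than when it matches what this session is using. Hunk @@ -601,6 +616,8 in `gnutls_recv_int` then copies the peer's record-header version into the session with `gnutls_set_current_version(state, 0, gcipher.version.major, gcipher.version.minor)`, and that stored value selects the padding rule in lib/gnutls_cipher.c and the HMAC variant in the new `gnutls_hmac_init` macro. As written, a field taken from each incoming record header can change which MAC and padding code runs in the middle of a connection. I would set the version once during the handshake and afterwards reject records that differ, for example `if (_gnutls_version_cmp(gnutls_get_current_version(state), ver) != 0) return 1;` once the handshake has fixed it. The condition guarding the new `else` branch in `gnutls_recv_int` lies outside the hunk, so this should be confirmed against the full function.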
@@ -144,7 +159,7 @@ void *_gnutls_cal_PRF_A(MACAlgorithm algorithm, void *secret, int secret_size, v /* Produces "total_bytes" bytes using the hash algorithm specified. * (used in the PRF function) */ -svoid *gnutls_P_hash(MACAlgorithm algorithm, opaque * secret, int secret_size, opaque * seed, int seed_size, int total_bytes) +svoid *gnutls_P_hash(GNUTLS_STATE state, MACAlgorithm algorithm, opaque * secret, int secret_size, opaque * seed, int seed_size, int total_bytes) { GNUTLS_MAC_HANDLE td2; @@ -170,7 +185,7 @@ svoid *gnutls_P_hash(MACAlgorithm algorithm, opaque * secret, int secret_size, o td2 = gnutls_hmac_init(algorithm, secret, secret_size); /* here we calculate A(i+1) */ - Atmp = _gnutls_cal_PRF_A(algorithm, secret, secret_size, A, A_size); + Atmp = _gnutls_cal_PRF_A(state, algorithm, secret, secret_size, A, A_size); A_size = blocksize; gnutls_free(A); A = Atmp; @@ -198,7 +213,7 @@ svoid *gnutls_P_hash(MACAlgorithm algorithm, opaque * secret, int secret_size, o /* The PRF function expands a given secret * needed by the TLS specification */ -svoid *gnutls_PRF(opaque * secret, int secret_size, uint8 * label, int label_size, opaque * seed, int seed_size, int total_bytes) +svoid *gnutls_PRF(GNUTLS_STATE state, opaque * secret, int secret_size, uint8 * label, int label_size, opaque * seed, int seed_size, int total_bytes) { int l_s, i, s_seed_size; char *o1, *o2; @@ -219,8 +234,8 @@ svoid *gnutls_PRF(opaque * secret, int secret_size, uint8 * label, int label_siz l_s++; } - o1 = gnutls_P_hash(GNUTLS_MAC_MD5, s1, l_s, s_seed, s_seed_size, total_bytes); - o2 = gnutls_P_hash(GNUTLS_MAC_SHA, s2, l_s, s_seed, s_seed_size, total_bytes); + o1 = gnutls_P_hash(state, GNUTLS_MAC_MD5, s1, l_s, s_seed, s_seed_size, total_bytes); + o2 = gnutls_P_hash(state, GNUTLS_MAC_SHA, s2, l_s, s_seed, s_seed_size, total_bytes); gnutls_free(s_seed); 
@@ -256,7 +271,7 @@ int _gnutls_set_keys(GNUTLS_STATE state) memmove(&random[32], state->security_parameters.client_random, 32); key_block = - gnutls_PRF(state->security_parameters.master_secret, 48, + gnutls_PRF(state, state->security_parameters.master_secret, 48, keyexp, strlen(keyexp), random, 64, 2 * hash_size + 2 * key_size + 2 * IV_size); state->cipher_specs.client_write_mac_secret = secure_malloc(hash_size); @@ -391,7 +406,7 @@ ssize_t gnutls_send_int(int cd, GNUTLS_STATE state, ContentType type, char *data } #ifdef HARD_DEBUG fprintf(stderr, "Send Packet[%d] %s(%d) with length: %d\n", - (int) state->connection_state.write_sequence_number, packet2str(gcipher->type), gcipher->type, gcipher->length); + (int) state->connection_state.write_sequence_number, _gnutls_packet2str(gcipher->type), gcipher->type, gcipher->length); #endif #ifdef WORDS_BIGENDIAN length = gcipher->length; @@ -601,6 +616,8 @@ ssize_t gnutls_recv_int(int cd, GNUTLS_STATE state, ContentType type, char *data state->gnutls_internals.resumable = RESUME_FALSE; gnutls_assert(); return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; + } else { + gnutls_set_current_version(state, 0, gcipher.version.major, gcipher.version.minor); } if (Read(cd, &gcipher.length, 2) != 2) { @@ -615,9 +632,9 @@ ssize_t gnutls_recv_int(int cd, GNUTLS_STATE state, ContentType type, char *data #ifdef HARD_DEBUG fprintf(stderr, "Expected Packet[%d] %s(%d) with length: %d\n", - (int) state->connection_state.read_sequence_number, packet2str(type), type, sizeofdata); + (int) state->connection_state.read_sequence_number, _gnutls_packet2str(type), type, sizeofdata); fprintf(stderr, "Received Packet[%d] %s(%d) with length: %d\n", - (int) state->connection_state.read_sequence_number, packet2str(gcipher.type), gcipher.type, gcipher.length); + (int) state->connection_state.read_sequence_number, _gnutls_packet2str(gcipher.type), gcipher.type, gcipher.length); #endif if (gcipher.length > 18432) { /* 2^14+2048 */ 
@@ -698,7 +715,7 @@ ssize_t gnutls_recv_int(int cd, GNUTLS_STATE state, ContentType type, char *data switch (gcipher.type) { case GNUTLS_ALERT: #ifdef HARD_DEBUG - fprintf(stderr, "Alert[%d|%d] - %s - was received\n", tmpdata[0], tmpdata[1], alert2str((int)tmpdata[1])); + fprintf(stderr, "Alert[%d|%d] - %s - was received\n", tmpdata[0], tmpdata[1], _gnutls_alert2str((int)tmpdata[1])); #endif state->gnutls_internals.last_alert = tmpdata[1]; diff --git a/lib/gnutls.h b/lib/gnutls.h index d0b25f6059..6e71e32b0e 100644 --- a/lib/gnutls.h +++ b/lib/gnutls.h @@ -52,6 +52,8 @@ void gnutls_set_cipher_priority( int num, ...); void gnutls_set_kx_priority( int num, ...); void gnutls_set_mac_priority( int num, ...); +/* set our version - local is 0x00 for TLS 1.0 and SSL3 */ +void gnutls_set_current_version(GNUTLS_STATE state, int local, int major, int minor); #define GNUTLS_E_MAC_FAILED -1 #define GNUTLS_E_UNKNOWN_CIPHER -2 diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c index 663853d882..fc9b1e4f1e 100644 --- a/lib/gnutls_algorithms.c +++ b/lib/gnutls_algorithms.c 
@@ -22,6 +22,36 @@ #include "gnutls_int.h" #include "gnutls_algorithms.h" +/* TLS Versions */ +#define GNUTLS_VERSION_ENTRY( name, supported) \ + { #name, name, supported } + +typedef struct { + char *name; + GNUTLS_Version id; + int supported; /* 0 not supported, > 0 is supported */ +} gnutls_version_entry; + +#define GNUTLS_SSLv3 { 0, 3, 0 } +#define GNUTLS_WTLS1 { 1, 1, 0 } +#define GNUTLS_TLS1 { 0, 3, 1 } + +static gnutls_version_entry sup_versions[] = { + GNUTLS_VERSION_ENTRY(GNUTLS_SSLv3, 0), + GNUTLS_VERSION_ENTRY(GNUTLS_WTLS1, 0), + GNUTLS_VERSION_ENTRY(GNUTLS_TLS1, 1), + {0} +}; + +#define GNUTLS_VERSION_LOOP(b) \ + gnutls_version_entry *p; \ + for(p = sup_versions; p->name != NULL; p++) { b ; } + +#define GNUTLS_VERSION_ALG_LOOP(a) \ + GNUTLS_VERSION_LOOP( if( memcmp( &p->id, &version, 2)==0) { a; break; } ) + + + #define GNUTLS_CIPHER_ENTRY(name, blksize, keysize, block, iv, priority) \ { #name, name, blksize, keysize, block, iv, priority } @@ -188,7 +218,6 @@ static gnutls_cipher_suite_entry cs_algorithms[] = { - /* Generic Functions */ /* this function makes the whole string lowercase */ @@ -490,6 +519,29 @@ int _gnutls_kx_is_ok(KXAlgorithm algorithm) } +/* Version Functions */ +int _gnutls_version_cmp(GNUTLS_Version ver1, GNUTLS_Version ver2) { + if (ver1.major!=ver2.major) return 1; + if (ver1.minor!=ver2.minor) return 1; + if (ver1.local!=ver2.local) return 1; + return 0; +} + +int _gnutls_version_ssl3(GNUTLS_Version ver) { + if (ver.major!=3) return 1; + if (ver.minor!=0) return 1; + if (ver.local!=0) return 1; + return 0; +} + +int _gnutls_version_is_supported(const GNUTLS_Version version) +{ + size_t ret = 0; + GNUTLS_VERSION_ALG_LOOP(ret = p->supported); + return ret; +} + + /* Cipher Suite's functions */ BulkCipherAlgorithm _gnutls_cipher_suite_get_cipher_algo(const GNUTLS_CipherSuite suite) diff --git a/lib/gnutls_algorithms.h b/lib/gnutls_algorithms.h index 7e5cc8e695..96f80303a3 100644 --- a/lib/gnutls_algorithms.h 
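Review bot: `GNUTLS_VERSION_ALG_LOOP` (lib/gnutls_algorithms.c, hunk @@ -22,6 +22,36) compares only two bytes with `memcmp( &p->id, &version, 2)`, but `GNUTLS_Version` now has three `uint8` fields in the order `local`, `major`, `minor`, so `minor` is never compared. With the table as ordered, a lookup for `{0, 3, 1}` stops at the `GNUTLS_SSLv3` entry, and `_gnutls_version_is_supported` (hunk @@ -490,6 +519,29) returns that entry's `supported` value of 0 instead of the 1 on the `GNUTLS_TLS1` entry. Comparing field by field fixes the length and removes any dependence on struct layout: `GNUTLS_VERSION_LOOP( if( _gnutls_version_cmp( p->id, version)==0) { a; break; } )`. `_gnutls_version_is_supported` also accumulates into a `size_t` while returning `int`; `int ret = 0;` matches the signature.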
+++ b/lib/gnutls_algorithms.h @@ -1,3 +1,6 @@ +/* functions for version */ +int _gnutls_version_is_supported(const GNUTLS_Version version); + /* functions for macs */ int _gnutls_mac_get_digest_size(MACAlgorithm algorithm); char* _gnutls_mac_get_name(MACAlgorithm algorithm); diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c index 09734194da..e0257a58ca 100644 --- a/lib/gnutls_cipher.c +++ b/lib/gnutls_cipher.c @@ -343,7 +343,11 @@ int i; rand = gcry_random_bytes(1, GCRY_WEAK_RANDOM); /* make rand a multiple of blocksize */ - rand[0] = (rand[0]%(255/blocksize))*blocksize; + if (_gnutls_version_ssl3(state->connection_state.version)==0) { + rand[0]=0; + } else { + rand[0] = (rand[0]%(255/blocksize))*blocksize; + } length = compressed->length + @@ -370,7 +374,7 @@ int i; compressed->version.major; ciphertext->version.minor = compressed->version.minor; - + gcry_free(rand); break; default: diff --git a/lib/gnutls_dh.c b/lib/gnutls_dh.c index 208b887229..65bc84eef7 100644 --- a/lib/gnutls_dh.c +++ b/lib/gnutls_dh.c @@ -73,9 +73,11 @@ MPI gnutls_calc_dh_secret(MPI * ret_x) size_t n = sizeof diffie_hellman_group1_prime; if (gcry_mpi_scan(&prime, GCRYMPI_FMT_USG, - diffie_hellman_group1_prime, &n)) + diffie_hellman_group1_prime, &n)) { + gnutls_assert(); abort(); - /*dump_mpi(stderr, "prime=", prime ); */ + } + /*_gnutls_dump_mpi(stderr, "prime=", prime ); */ g = mpi_set_ui(NULL, 2); x = mpi_new(X_SIZE); /* FIXME: allocate in secure memory */ @@ -123,8 +125,10 @@ MPI gnutls_get_dh_params(MPI * ret_p) size_t n = sizeof diffie_hellman_group1_prime; if (gcry_mpi_scan(&prime, GCRYMPI_FMT_USG, - diffie_hellman_group1_prime, &n)) + diffie_hellman_group1_prime, &n)) { + gnutls_assert(); abort(); + } g = mpi_set_ui(NULL, 2); 
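Review bot: The new SSL 3.0 branch in lib/gnutls_cipher.c (hunk @@ -343,7 +343,11) has no comment explaining why the extra padding is forced to zero, and `_gnutls_version_ssl3(...)==0` reads as "not SSL3" unless the reader knows the helper returns 0 on a match. A one-line comment above `rand[0]=0;`, such as `/* SSL 3.0: add no extra padding blocks, only the minimum pad */`, would make the intent reviewable; that wording is my reading of the branch and should be adjusted if the reason differs. The enclosing function starts and ends outside the hunk.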
@@ -146,7 +150,7 @@ MPI gnutls_calc_dh_key(MPI f, MPI x) gnutls_assert(); abort(); } - /*dump_mpi(stderr, "prime=", prime ); */ + /*_gnutls_dump_mpi(stderr, "prime=", prime ); */ k = gcry_mpi_alloc_like(prime); /* k = mpi_new(E_SIZE); FIXME: allocate in secure memory */ diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index a04bbc3580..b2490ceb37 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -63,7 +63,7 @@ int _gnutls_send_finished(int cd, GNUTLS_STATE state) state->gnutls_internals.client_md_sha1, 20); data = - gnutls_PRF(state->security_parameters.master_secret, + gnutls_PRF(state, state->security_parameters.master_secret, 48, CLIENT_MSG, strlen(CLIENT_MSG), concat, 36, 12); } else { /* server */ @@ -72,7 +72,7 @@ int _gnutls_send_finished(int cd, GNUTLS_STATE state) state->gnutls_internals.server_md_sha1, 20); data = - gnutls_PRF(state->security_parameters.master_secret, + gnutls_PRF(state, state->security_parameters.master_secret, 48, SERVER_MSG, strlen(SERVER_MSG), concat, 36, 12); } @@ -111,7 +111,7 @@ int _gnutls_recv_finished(int cd, GNUTLS_STATE state) state->gnutls_internals.server_md_sha1, 20); data = - gnutls_PRF(state->security_parameters.master_secret, + gnutls_PRF(state, state->security_parameters.master_secret, 48, SERVER_MSG, strlen(SERVER_MSG), concat, 36, 12); } else { /* server */ @@ -120,7 +120,7 @@ int _gnutls_recv_finished(int cd, GNUTLS_STATE state) state->gnutls_internals.client_md_sha1, 20); data = - gnutls_PRF(state->security_parameters.master_secret, + gnutls_PRF(state, state->security_parameters.master_secret, 48, CLIENT_MSG, strlen(CLIENT_MSG), concat, 36, 12); } @@ -621,7 +621,7 @@ int _gnutls_recv_hello(int cd, GNUTLS_STATE state, char *data, int datalen, #ifdef HARD_DEBUG fprintf(stderr, "SessionID length: %d\n", session_id_len); fprintf(stderr, "SessionID: %s\n", - bin2hex(&data[pos], session_id_len)); + _gnutls_bin2hex(&data[pos], session_id_len)); #endif pos += session_id_len; 
@@ -679,7 +679,6 @@ int _gnutls_recv_hello(int cd, GNUTLS_STATE state, char *data, int datalen, #ifdef DEBUG fprintf(stderr, "Client's version: %d.%d\n", data[pos], data[pos+1]); #endif - if ( _gnutls_valid_version( state, data[pos], data[pos+1]) != 0) { gnutls_assert(); return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; @@ -1076,7 +1075,7 @@ int _gnutls_generate_session_id(char **session_id, uint8 * len) *len = 32; #ifdef HARD_DEBUG - fprintf(stderr, "SessionID: %s\n", bin2hex(*session_id, 32)); + fprintf(stderr, "SessionID: %s\n", _gnutls_bin2hex(*session_id, 32)); #endif return 0; } diff --git a/lib/gnutls_hash_int.c b/lib/gnutls_hash_int.c index a2856c173b..a0a9c1b9f1 100644 --- a/lib/gnutls_hash_int.c +++ b/lib/gnutls_hash_int.c @@ -37,7 +37,7 @@ GNUTLS_HASH_HANDLE ret; break; case GNUTLS_MAC_SHA: #ifdef USE_MHASH - ret = mhash_init_m( MHASH_SHA1, gnutls_malloc); + ret = mhash_init( MHASH_SHA1); #else ret = gcry_md_open( GCRY_MD_SHA1, 0); #endif @@ -45,7 +45,7 @@ GNUTLS_HASH_HANDLE ret; break; case GNUTLS_MAC_MD5: #ifdef USE_MHASH - ret = mhash_init_m( MHASH_MD5, gnutls_malloc); + ret = mhash_init( MHASH_MD5); #else ret = gcry_md_open( GCRY_MD_MD5, 0); #endif @@ -96,7 +96,7 @@ int gnutls_hash(GNUTLS_HASH_HANDLE handle, void* text, int textlen) { return 0; } -void* gnutls_hash_deinit(GNUTLS_HASH_HANDLE handle) { +void* gnutls_hash_deinit( GNUTLS_HASH_HANDLE handle) { char* mac; int maclen; char* ret; @@ -116,7 +116,7 @@ char* ret; } -GNUTLS_MAC_HANDLE gnutls_hmac_init(MACAlgorithm algorithm, char* key, int keylen) { +GNUTLS_MAC_HANDLE _gnutls_hmac_init( MACAlgorithm algorithm, char* key, int keylen, int dp) { GNUTLS_MAC_HANDLE ret; switch (algorithm) { 
@@ -125,7 +125,11 @@ GNUTLS_MAC_HANDLE ret; break; case GNUTLS_MAC_SHA: #ifdef USE_MHASH - ret = mhash_hmac_init_m( MHASH_SHA1, key, keylen, 0, gnutls_malloc); + if (dp==0) { + ret = mhash_hmac_init( MHASH_SHA1, key, keylen, 0); + } else { + ret = mhash_hmac_init_dp( MHASH_SHA1, key, keylen, 0); + } #else ret = gcry_md_open( GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC); #endif @@ -133,7 +137,11 @@ GNUTLS_MAC_HANDLE ret; break; case GNUTLS_MAC_MD5: #ifdef USE_MHASH - ret = mhash_hmac_init_m( MHASH_MD5, key, keylen, 0, gnutls_malloc); + if (dp==0) { + ret = mhash_hmac_init( MHASH_MD5, key, keylen, 0); + } else { + ret = mhash_hmac_init_dp( MHASH_MD5, key, keylen, 0); + } #else ret = gcry_md_open( GCRY_MD_MD5, GCRY_MD_FLAG_HMAC); #endif @@ -189,13 +197,17 @@ int gnutls_hmac(GNUTLS_MAC_HANDLE handle, void* text, int textlen) { } -void* gnutls_hmac_deinit(GNUTLS_MAC_HANDLE handle) { +void* _gnutls_hmac_deinit( GNUTLS_MAC_HANDLE handle, int dp) { char* mac; int maclen; char* ret; #ifdef USE_MHASH - ret = mhash_hmac_end(handle); + if (dp==0) { + ret = mhash_hmac_end(handle); + } else { + ret = mhash_hmac_end_dp(handle); + } #else maclen = gcry_md_get_algo_dlen(gcry_md_get_algo(handle)); ret = gnutls_malloc( maclen); diff --git a/lib/gnutls_hash_int.h b/lib/gnutls_hash_int.h index fc94fe661e..4b73696cb9 100644 --- a/lib/gnutls_hash_int.h +++ b/lib/gnutls_hash_int.h @@ -21,10 +21,10 @@ #define GNUTLS_HASH_FAILED NULL #define GNUTLS_MAC_FAILED NULL -GNUTLS_MAC_HANDLE gnutls_hmac_init(MACAlgorithm algorithm, char* key, int keylen); +GNUTLS_MAC_HANDLE _gnutls_hmac_init( MACAlgorithm algorithm, char* key, int keylen, int dp); int gnutls_hmac_get_algo_len(MACAlgorithm algorithm); int gnutls_hmac(GNUTLS_HASH_HANDLE handle, void* text, int textlen); -void* gnutls_hmac_deinit(GNUTLS_HASH_HANDLE handle); +void* _gnutls_hmac_deinit( GNUTLS_HASH_HANDLE handle, int dp); GNUTLS_HASH_HANDLE gnutls_hash_init(MACAlgorithm algorithm); int gnutls_hash_get_algo_len(MACAlgorithm algorithm); 
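Review bot: The new `dp` argument of `_gnutls_hmac_init` (lib/gnutls_hash_int.c, hunks @@ -125,7 +125,11 and @@ -133,7 +137,11) is honoured only under `USE_MHASH`; the `#else` branch still calls `gcry_md_open(..., GCRY_MD_FLAG_HMAC)` whatever `dp` is, and `_gnutls_hmac_deinit` (hunk @@ -189,13 +197,17) ignores it in the same way. A libgcrypt build would therefore compute the ordinary HMAC for sessions where the mhash build uses the `_dp` variant, so the two builds would presumably disagree on record MACs. If the variant cannot be provided there, failing explicitly is safer than a silent fallback, for example `if (dp != 0) return GNUTLS_MAC_FAILED;` at the top of the non-mhash path. Neither function says what `dp` selects; a comment on `_gnutls_hmac_init` stating that would help.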
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index b5b5c6e009..430880e2f3 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -2,9 +2,9 @@ #define GNUTLS_INT_H -#undef HARD_DEBUG -#undef READ_DEBUG -#undef WRITE_DEBUG +//#define HARD_DEBUG +//#define READ_DEBUG +//#define WRITE_DEBUG #define DEBUG #define MAX32 4294967295 @@ -135,6 +135,7 @@ typedef struct { typedef struct { + uint8 local; uint8 major; uint8 minor; } GNUTLS_Version; @@ -203,8 +204,8 @@ enum ContentType { GNUTLS_CHANGE_CIPHER_SPEC=20, GNUTLS_ALERT, GNUTLS_HANDSHAKE, GNUTLS_APPLICATION_DATA }; typedef enum ContentType ContentType; -#define GNUTLS_VERSION_MAJOR 3 -#define GNUTLS_VERSION_MINOR 1 +#define GNUTLS_DEFAULT_VERSION_MAJOR 3 +#define GNUTLS_DEFAULT_VERSION_MINOR 1 typedef struct { uint8 major; 
@@ -284,14 +285,24 @@ typedef struct { /* functions */ int _gnutls_send_alert( int cd, GNUTLS_STATE state, AlertLevel level, AlertDescription desc); int gnutls_close(int cd, GNUTLS_STATE state); -svoid *gnutls_PRF(opaque * secret, int secret_size, uint8 * label, +svoid *gnutls_PRF(GNUTLS_STATE state, opaque * secret, int secret_size, uint8 * label, int label_size, opaque * seed, int seed_size, int total_bytes); int _gnutls_valid_version( GNUTLS_STATE state, int major, int minor); +void gnutls_set_current_version(GNUTLS_STATE state, int local, int major, int minor); +GNUTLS_Version gnutls_get_current_version(GNUTLS_STATE state); int _gnutls_set_keys(GNUTLS_STATE state); ssize_t gnutls_send_int(int cd, GNUTLS_STATE state, ContentType type, char* data, size_t sizeofdata); ssize_t gnutls_recv_int(int cd, GNUTLS_STATE state, ContentType type, char* data, size_t sizeofdata); int _gnutls_send_change_cipher_spec(int cd, GNUTLS_STATE state); - +int _gnutls_version_cmp(GNUTLS_Version ver1, GNUTLS_Version ver2); +int _gnutls_version_ssl3(GNUTLS_Version ver); + +#define gnutls_hmac_init(x,y,z) _gnutls_version_ssl3(state->connection_state.version) ? \ + _gnutls_hmac_init(x,y,z,1) : \ + _gnutls_hmac_init(x,y,z,0) +#define gnutls_hmac_deinit(x) _gnutls_version_ssl3(state->connection_state.version) ? \ + _gnutls_hmac_deinit(x,1) : \ + _gnutls_hmac_deinit(x,0) #endif /* GNUTLS_INT_H */ diff --git a/lib/gnutls_kx.c b/lib/gnutls_kx.c index a470d3a429..73e9053ec4 100644 --- a/lib/gnutls_kx.c +++ b/lib/gnutls_kx.c 
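Review bot: The `gnutls_hmac_init` and `gnutls_hmac_deinit` macros added to lib/gnutls_int.h (hunk @@ -284,14 +285,24) pass `dp=1` when `_gnutls_version_ssl3()` is non-zero, but that function returns 0 for SSL 3.0 and lib/gnutls_cipher.c tests `==0` for the SSL 3.0 case, so the two call sites disagree on polarity. If `dp=1` is meant to select the SSL 3.0 MAC construction, the macro selects it for every other version instead. The macros also expand to a bare `?:` expression and use a variable named `state` from the caller's scope. Parenthesising and making the test explicit would read `#define gnutls_hmac_init(x,y,z) (_gnutls_hmac_init((x),(y),(z), _gnutls_version_ssl3(state->connection_state.version)==0))`, and likewise for `gnutls_hmac_deinit`. A comment on `_gnutls_version_ssl3` stating that 0 means "is SSL 3.0" would prevent the same slip elsewhere.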
@@ -207,12 +207,12 @@ int _gnutls_send_client_kx_message(int cd, GNUTLS_STATE state) } master = - gnutls_PRF(premaster, premaster_size, + gnutls_PRF(state, premaster, premaster_size, MASTER_SECRET, strlen(MASTER_SECRET), random, 64, 48); secure_free(premaster); #ifdef HARD_DEBUG - fprintf(stderr, "MASTER SECRET: %s\n", bin2hex(master, 48)); + fprintf(stderr, "MASTER SECRET: %s\n", _gnutls_bin2hex(master, 48)); #endif memmove(state->security_parameters.master_secret, master, 48); secure_free(master); @@ -449,11 +449,11 @@ int _gnutls_recv_client_kx_message(int cd, GNUTLS_STATE state) } master = - gnutls_PRF(premaster, premaster_size, + gnutls_PRF(state, premaster, premaster_size, MASTER_SECRET, strlen(MASTER_SECRET), random, 64, 48); secure_free(premaster); #ifdef HARD_DEBUG - fprintf(stderr, "master secret: %s\n", bin2hex(master, 48)); + fprintf(stderr, "master secret: %s\n", _gnutls_bin2hex(master, 48)); #endif memmove(state->security_parameters.master_secret, master, 48); secure_free(master); |
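Review bot: Both HARD_DEBUG blocks in lib/gnutls_kx.c (hunks @@ -207,12 +207,12 and @@ -449,11 +449,11) print the 48-byte master secret to stderr through `_gnutls_bin2hex`, whose `calloc`'ed result is passed straight to `fprintf` and never freed. The `master` buffer itself goes through `secure_free`, but the hex copy stays on the ordinary heap unwiped, and `%s` receives NULL if the allocation fails. Since this commit turns HARD_DEBUG into a one-line uncomment in lib/gnutls_int.h, I would hold the pointer with `char *hex = _gnutls_bin2hex(master, 48);`, print only when it is non-NULL, then clear and `free` it. A comment at the `//#define HARD_DEBUG` line warning that it logs key material would also help. Both enclosing functions extend beyond the hunks.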