diff options
-rw-r--r-- | lib/Makefile.am | 5 | ||||
-rw-r--r-- | lib/debug.c | 6 | ||||
-rw-r--r-- | lib/gnutls_buffers.c | 20 | ||||
-rw-r--r-- | lib/gnutls_cert.c | 101 | ||||
-rw-r--r-- | lib/gnutls_cert.h | 3 | ||||
-rw-r--r-- | lib/gnutls_cipher.c | 190 | ||||
-rw-r--r-- | lib/gnutls_cipher_int.c | 9 | ||||
-rw-r--r-- | lib/gnutls_cipher_int.h | 2 | ||||
-rw-r--r-- | lib/gnutls_compress_int.c | 4 | ||||
-rw-r--r-- | lib/gnutls_datum.c | 8 | ||||
-rw-r--r-- | lib/gnutls_datum.h | 1 | ||||
-rw-r--r-- | lib/gnutls_handshake.c | 35 | ||||
-rw-r--r-- | lib/gnutls_hash_int.c | 6 | ||||
-rw-r--r-- | lib/gnutls_int.h | 41 | ||||
-rw-r--r-- | lib/gnutls_kx.c | 6 | ||||
-rw-r--r-- | lib/gnutls_record.c | 111 | ||||
-rw-r--r-- | lib/gnutls_v2_compat.c | 2 |
17 files changed, 238 insertions, 312 deletions
diff --git a/lib/Makefile.am b/lib/Makefile.am index 033beb9c68..789f9610c9 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -14,7 +14,8 @@ EXTRA_DIST = debug.h gnutls_compress.h defines.h \ cert_b64.h gnutls_srp.h auth_srp.h auth_srp_passwd.h gnutls_v2_compat.h \ crypt.h libgnutls-config.in libgnutls.m4 gnutls.h.in gnutls_errors_int.h \ cert_asn1.h cert_der.h gnutls_datum.h auth_x509.h gnutls_gcry.h \ - ext_dnsname.h gnutls_pk.h gnutls_record.h gnutls_cert.h + ext_dnsname.h gnutls_pk.h gnutls_record.h gnutls_cert.h \ + gnutls_privkey.h lib_LTLIBRARIES = libgnutls.la libgnutls_la_SOURCES = gnutls_record.c gnutls_compress.c debug.c \ gnutls_cipher.c gnutls_buffers.c gnutls_handshake.c gnutls_num.c \ @@ -26,6 +27,6 @@ libgnutls_la_SOURCES = gnutls_record.c gnutls_compress.c debug.c \ auth_srp.c auth_srp_passwd.c gnutls_v2_compat.c auth_srp_sb64.c \ cert_ASN.y cert_asn1.c cert_der.c gnutls_datum.c auth_rsa.c \ gnutls_gcry.c ext_dnsname.c gnutls_pk.c gnutls_cert.c \ - gnutls_global.c + gnutls_global.c gnutls_privkey.c libgnutls_la_LDFLAGS = -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE) diff --git a/lib/debug.c b/lib/debug.c index 98b39f5fea..d393556218 100644 --- a/lib/debug.c +++ b/lib/debug.c @@ -63,14 +63,8 @@ void _gnutls_print_state(GNUTLS_STATE state) state->security_parameters.entity); fprintf(stderr, "Cipher Algorithm: %d\n", state->security_parameters.bulk_cipher_algorithm); - fprintf(stderr, "Key Size: %d\n", - state->security_parameters.key_size); - fprintf(stderr, "Key Material: %d\n", - state->security_parameters.key_material_length); fprintf(stderr, "MAC algorithm: %d\n", state->security_parameters.mac_algorithm); - fprintf(stderr, "Hash size: %d\n", - state->security_parameters.hash_size); fprintf(stderr, "Compression Algorithm: %d\n", state->security_parameters.compression_algorithm); fprintf(stderr, "\n"); diff --git a/lib/gnutls_buffers.c b/lib/gnutls_buffers.c index 33eb935d60..2fa0ca49da 100644 --- a/lib/gnutls_buffers.c +++ b/lib/gnutls_buffers.c @@ -44,7 +44,7 @@ int gnutls_insertDataBuffer(ContentType type, GNUTLS_STATE state, char *data, in state->gnutls_internals.buffer.data = gnutls_realloc(state->gnutls_internals.buffer.data, state->gnutls_internals.buffer.size); - memmove(&state->gnutls_internals.buffer.data[old_buffer], data, length); + memcpy(&state->gnutls_internals.buffer.data[old_buffer], data, length); } if (type == GNUTLS_HANDSHAKE) { old_buffer = state->gnutls_internals.buffer_handshake.size; @@ -56,7 +56,7 @@ int gnutls_insertDataBuffer(ContentType type, GNUTLS_STATE state, char *data, in state->gnutls_internals.buffer_handshake.data = gnutls_realloc(state->gnutls_internals.buffer_handshake.data, state->gnutls_internals.buffer_handshake.size); - memmove(&state->gnutls_internals.buffer_handshake.data[old_buffer], data, length); + memcpy(&state->gnutls_internals.buffer_handshake.data[old_buffer], data, length); } return 0; @@ -98,10 +98,10 @@ int gnutls_getDataFromBuffer(ContentType type, GNUTLS_STATE state, char *data, i fprintf(stderr, "BUFFER: Read %d bytes of Data(%d)\n", length, type); #endif state->gnutls_internals.buffer.size -= length; - memmove(data, state->gnutls_internals.buffer.data, length); + memcpy(data, state->gnutls_internals.buffer.data, length); /* overwrite buffer */ - memmove(state->gnutls_internals.buffer.data, + memcpy(state->gnutls_internals.buffer.data, &state->gnutls_internals.buffer.data[length], state->gnutls_internals.buffer.size); state->gnutls_internals.buffer.data = @@ -116,10 +116,10 @@ int gnutls_getDataFromBuffer(ContentType type, GNUTLS_STATE state, char *data, i fprintf(stderr, "BUFFER: Read %d bytes of Data(%d)\n", length, type); #endif state->gnutls_internals.buffer_handshake.size -= length; - memmove(data, state->gnutls_internals.buffer_handshake.data, length); + memcpy(data, state->gnutls_internals.buffer_handshake.data, length); /* overwrite buffer */ - memmove(state->gnutls_internals.buffer_handshake.data, + memcpy(state->gnutls_internals.buffer_handshake.data, &state->gnutls_internals.buffer_handshake.data[length], state->gnutls_internals.buffer_handshake.size); state->gnutls_internals.buffer_handshake.data = @@ -270,7 +270,7 @@ int gnutls_insertHashDataBuffer( GNUTLS_STATE state, char *data, int length) state->gnutls_internals.hash_buffer.data = gnutls_realloc(state->gnutls_internals.hash_buffer.data, state->gnutls_internals.hash_buffer.size); - memmove(&state->gnutls_internals.hash_buffer.data[old_buffer], data, length); + memcpy(&state->gnutls_internals.hash_buffer.data[old_buffer], data, length); return 0; } @@ -290,9 +290,9 @@ int gnutls_getHashDataFromBuffer( GNUTLS_STATE state, char *data, int length) fprintf(stderr, "HASH BUFFER: Got %d bytes of Data\n", length); #endif state->gnutls_internals.hash_buffer.size -= length; - memmove(data, state->gnutls_internals.hash_buffer.data, length); + memcpy(data, state->gnutls_internals.hash_buffer.data, length); /* overwrite buffer */ - memmove(state->gnutls_internals.hash_buffer.data, + memcpy(state->gnutls_internals.hash_buffer.data, &state->gnutls_internals.hash_buffer.data[length], state->gnutls_internals.hash_buffer.size); state->gnutls_internals.hash_buffer.data = @@ -313,7 +313,7 @@ int gnutls_readHashDataFromBuffer( GNUTLS_STATE state, char *data, int length) #ifdef BUFFERS_DEBUG fprintf(stderr, "HASH BUFFER: Read %d bytes of Data\n", length); #endif - memmove(data, state->gnutls_internals.hash_buffer.data, length); + memcpy(data, state->gnutls_internals.hash_buffer.data, length); return length; } diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index 8133d3f228..aca5da5334 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -28,6 +28,7 @@ #include <cert_der.h> #include <gnutls_datum.h> #include <gnutls_gcry.h> +#include <gnutls_privkey.h> /* KX mappings to PK algorithms */ typedef struct { @@ -197,7 +198,7 @@ int gnutls_allocate_x509_sc(X509PKI_SERVER_CREDENTIALS * res, char *CERTFILE, return GNUTLS_E_PARSING_ERROR; } - res->pkey = gnutls_malloc(1 * sizeof(gnutls_datum)); + res->pkey = gnutls_malloc(1 * sizeof(gnutls_private_key)); if (res->pkey == NULL) return GNUTLS_E_MEMORY_ERROR; @@ -287,6 +288,7 @@ static int _read_rsa_params(opaque * der, int dersize, MPI ** params) gnutls_assert(); \ return GNUTLS_E_ASN1_ERROR; \ } \ + len = sizeof(str); \ if (read_value(name3,str,&len) != ASN_OK) { \ delete_structure( name2); \ continue; \ @@ -296,12 +298,14 @@ static int _read_rsa_params(opaque * der, int dersize, MPI ** params) continue; \ } \ strcpy( name3,name2); \ + len = sizeof(str); \ if (read_value( name3, str, &len) != ASN_OK) { /* CHOICE */ \ delete_structure( name2); \ continue; \ } \ strcat( name3, "."); \ strcat( name3, str); \ + len = sizeof(str) - 1; \ if (read_value(name3,str,&len) != ASN_OK) { \ delete_structure( name2); \ continue; \ @@ -311,6 +315,7 @@ static int _read_rsa_params(opaque * der, int dersize, MPI ** params) delete_structure(name2); \ } + /* This function will attempt to read a Name * ASN.1 structure. (Taken from Fabio's samples!) * --nmav @@ -327,6 +332,7 @@ static int _get_Name_type(char *root, gnutls_cert * gCert) ltostr(k, counter); strcat(name, counter); + len = sizeof(str); result = read_value(name, str, &len); if (result == ASN_ELEMENT_NOT_FOUND) break; @@ -336,11 +342,15 @@ static int _get_Name_type(char *root, gnutls_cert * gCert) strcat(name2, ".?"); ltostr(k2, counter); strcat(name2, counter); + + len = sizeof(str); result = read_value(name2, str, &len); if (result == ASN_ELEMENT_NOT_FOUND) break; strcpy(name3, name2); strcat(name3, ".type"); + + len = sizeof(str); result = read_value(name3, str, &len); if (result != ASN_OK) { @@ -520,92 +530,3 @@ gnutls_cert *_gnutls_find_cert(gnutls_cert ** cert_list, } return cert; } -/* Converts an RSA PKCS#1 key to - * an internal structure (gnutls_private_key) - */ -int _gnutls_pkcs1key2gnutlsKey(gnutls_private_key * pkey, gnutls_datum cert) { - int ret = 0, result; - opaque str[5*1024]; - int len = sizeof(str); - - pkey->pk_algorithm = GNUTLS_PK_RSA; - - /* we do return 2 MPIs - */ - pkey->params = gnutls_malloc(2*sizeof(MPI)); - - if (create_structure("rsakey", "PKCS-1.RSAPrivateKey")!=ASN_OK) { - gnutls_assert(); - return GNUTLS_E_ASN1_ERROR; - } - - result = get_der("rsakey", cert.data, cert.size); - if (result != ASN_OK) { - gnutls_assert(); - return GNUTLS_E_ASN1_PARSING_ERROR; - } - - len = sizeof(str); - result = - read_value("rsakey.privateExponent", str, &len); - if (result != ASN_OK) { - gnutls_assert(); - delete_structure("rsakey"); - return GNUTLS_E_ASN1_PARSING_ERROR; - } - if (gcry_mpi_scan(&pkey->params[0], /* u */ - GCRYMPI_FMT_USG, str, &len) != 0) { - gnutls_assert(); - delete_structure("rsakey"); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - - len = sizeof(str); - result = - read_value("rsakey.modulus", str, &len); - if (result != ASN_OK) { - gnutls_assert(); - delete_structure("rsakey"); - _gnutls_mpi_release(&pkey->params[0]); - return GNUTLS_E_ASN1_PARSING_ERROR; - } - - if (gcry_mpi_scan(&pkey->params[1], /* A */ - GCRYMPI_FMT_USG, str, &len) != 0) { - gnutls_assert(); - delete_structure("rsakey"); - _gnutls_mpi_release(&pkey->params[0]); - return GNUTLS_E_MPI_SCAN_FAILED; - } - - delete_structure("rsakey"); - - if (gnutls_set_datum( &pkey->raw, cert.data, cert.size) < 0) { - _gnutls_mpi_release(&pkey->params[0]); - _gnutls_mpi_release(&pkey->params[1]); - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - return ret; - - -} - -void _gnutls_free_private_key( gnutls_private_key pkey) { -int n, i; - - switch( pkey.pk_algorithm) { - case GNUTLS_PK_RSA: - n = 2;/* the number of parameters in MPI* */ - break; - default: - n=0; - } - for (i=0;i<n;i++) { - _gnutls_mpi_release( &pkey.params[i]); - } - gnutls_free_datum( &pkey.raw); - -} - diff --git a/lib/gnutls_cert.h b/lib/gnutls_cert.h index 27845f4a9f..cfbaaf8d94 100644 --- a/lib/gnutls_cert.h +++ b/lib/gnutls_cert.h @@ -36,7 +36,4 @@ PKAlgorithm _gnutls_map_pk_get_pk(KXAlgorithm kx_algorithm); int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert); gnutls_cert* _gnutls_find_cert( gnutls_cert** cert_list, int cert_list_length, char* name); -int _gnutls_pkcs1key2gnutlsKey(gnutls_private_key *, gnutls_datum); -void _gnutls_free_private_key( gnutls_private_key); - #endif diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c index 9f14cbfad4..b5b9e32cf1 100644 --- a/lib/gnutls_cipher.c +++ b/lib/gnutls_cipher.c @@ -96,7 +96,8 @@ int _gnutls_decrypt(GNUTLS_STATE state, char *ciphertext, } -/* Sets the specified cipher into the pending state */ +/* Sets the specified cipher into the pending state + */ int _gnutls_set_cipher(GNUTLS_STATE state, BulkCipherAlgorithm algo) { @@ -108,11 +109,6 @@ int _gnutls_set_cipher(GNUTLS_STATE state, BulkCipherAlgorithm algo) state->security_parameters.bulk_cipher_algorithm = algo; - state->security_parameters.key_material_length = - state->security_parameters.key_size = - _gnutls_cipher_get_key_size(algo); - state->security_parameters.IV_size = - _gnutls_cipher_get_iv_size(algo); } else { gnutls_assert(); return GNUTLS_E_UNKNOWN_CIPHER; @@ -122,7 +118,8 @@ int _gnutls_set_cipher(GNUTLS_STATE state, BulkCipherAlgorithm algo) } -/* Sets the specified algorithm into pending compression state */ +/* Sets the specified algorithm into pending compression state + */ int _gnutls_set_compression(GNUTLS_STATE state, CompressionMethod algo) { @@ -136,7 +133,8 @@ int _gnutls_set_compression(GNUTLS_STATE state, CompressionMethod algo) } -/* Sets the specified kx algorithm into pending state */ +/* Sets the specified kx algorithm into pending state + */ int _gnutls_set_kx(GNUTLS_STATE state, KXAlgorithm algo) { @@ -163,8 +161,6 @@ int _gnutls_set_mac(GNUTLS_STATE state, MACAlgorithm algo) if (_gnutls_mac_is_ok(algo) == 0) { state->security_parameters.mac_algorithm = algo; - state->security_parameters.hash_size = - _gnutls_mac_get_digest_size(algo); } else { gnutls_assert(); return GNUTLS_E_UNKNOWN_MAC_ALGORITHM; @@ -229,7 +225,7 @@ int _gnutls_connection_state_init(GNUTLS_STATE state) } /* Setup the keys since we have the master secret */ - if ( (ret=_gnutls_generate_master(state)) < 0) { + if ( (ret = _gnutls_generate_master(state)) < 0) { gnutls_assert(); return ret; } @@ -242,10 +238,12 @@ int _gnutls_connection_state_init(GNUTLS_STATE state) security_parameters.current_cipher_suite)); #endif - if (state->connection_state.write_mac_secret!=NULL) - gnutls_free(state->connection_state.write_mac_secret); - if (state->connection_state.read_mac_secret!=NULL) - gnutls_free(state->connection_state.read_mac_secret); + /* Free all the previous keys/ states etc. + */ + if (state->connection_state.write_mac_secret.data != NULL) + gnutls_sfree_datum( &state->connection_state.write_mac_secret); + if ( state->connection_state.read_mac_secret.data != NULL) + gnutls_sfree_datum( &state->connection_state.read_mac_secret); if (state->connection_state.read_cipher_state != NULL) gnutls_cipher_deinit(state->connection_state. @@ -255,15 +253,7 @@ int _gnutls_connection_state_init(GNUTLS_STATE state) gnutls_cipher_deinit(state->connection_state. write_cipher_state); - if (state->connection_state.read_compression_state!=NULL) - gnutls_free(state->connection_state.read_compression_state); - if (state->connection_state.write_compression_state!=NULL) - gnutls_free(state->connection_state.write_compression_state); - - if (_gnutls_compression_is_ok(state->security_parameters.compression_algorithm) == 0) { - state->connection_state.read_compression_state = NULL; - state->connection_state.write_compression_state = NULL; - } else { + if (_gnutls_compression_is_ok(state->security_parameters.compression_algorithm) != 0) { gnutls_assert(); return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; } @@ -273,35 +263,26 @@ int _gnutls_connection_state_init(GNUTLS_STATE state) mac_size = _gnutls_mac_get_digest_size(state->security_parameters. mac_algorithm); - state->connection_state.read_mac_secret = NULL; - state->connection_state.write_mac_secret = NULL; - state->connection_state.mac_secret_size = - state->security_parameters.hash_size; - if (mac_size > 0) { - state->connection_state.read_mac_secret = - gnutls_malloc(mac_size); - if (state->connection_state.read_mac_secret==NULL) return GNUTLS_E_MEMORY_ERROR; - state->connection_state.write_mac_secret = - gnutls_malloc(mac_size); - if (state->connection_state.write_mac_secret==NULL) return GNUTLS_E_MEMORY_ERROR; - } } else { gnutls_assert(); return GNUTLS_E_UNKNOWN_MAC_ALGORITHM; } +#ifdef HARD_DEBUG + fprintf(stderr, "Initializing internal cipher states\n"); +#endif + switch (state->security_parameters.entity) { case GNUTLS_SERVER: - state->connection_state.write_cipher_state = + /* initialize cipher state + */ + state->connection_state.read_cipher_state = gnutls_cipher_init(state->security_parameters. bulk_cipher_algorithm, - state->cipher_specs. - server_write_key, - state->security_parameters.key_size, - state->cipher_specs.server_write_IV, - state->security_parameters.IV_size); - if (state->connection_state.write_cipher_state == + state->cipher_specs.client_write_key, + state->cipher_specs.client_write_IV); + if (state->connection_state.read_cipher_state == GNUTLS_CIPHER_FAILED && state->security_parameters.bulk_cipher_algorithm != GNUTLS_NULL_CIPHER) { @@ -309,33 +290,32 @@ int _gnutls_connection_state_init(GNUTLS_STATE state) return GNUTLS_E_UNKNOWN_CIPHER; } - if (state->connection_state.mac_secret_size > 0) { - memcpy(state->connection_state.read_mac_secret, - state-> - cipher_specs.client_write_mac_secret, - state->connection_state.mac_secret_size); - memcpy(state->connection_state.write_mac_secret, - state->cipher_specs. - server_write_mac_secret, - state->connection_state.mac_secret_size); - } + state->connection_state.write_cipher_state = + gnutls_cipher_init(state->security_parameters.bulk_cipher_algorithm, + state->cipher_specs.server_write_key, + state->cipher_specs.server_write_IV); - state->connection_state.read_cipher_state = - gnutls_cipher_init(state->security_parameters. - bulk_cipher_algorithm, - state->cipher_specs. - client_write_key, - state->security_parameters.key_size, - state->cipher_specs.client_write_IV, - state->security_parameters.IV_size); - if (state->connection_state.read_cipher_state == - GNUTLS_CIPHER_FAILED - && state->security_parameters.bulk_cipher_algorithm != - GNUTLS_NULL_CIPHER) { + if (state->connection_state.write_cipher_state == GNUTLS_CIPHER_FAILED + && state->security_parameters.bulk_cipher_algorithm != GNUTLS_NULL_CIPHER) { gnutls_assert(); return GNUTLS_E_UNKNOWN_CIPHER; } + /* copy mac secrets from cipherspecs, to connection + * state. + */ + if (mac_size > 0) { + gnutls_sset_datum( &state->connection_state.read_mac_secret, + state->cipher_specs.client_write_mac_secret.data, + state->cipher_specs.client_write_mac_secret.size); + + gnutls_sset_datum( &state->connection_state.write_mac_secret, + state->cipher_specs.server_write_mac_secret.data, + state->cipher_specs.server_write_mac_secret.size); + + } + + break; case GNUTLS_CLIENT: @@ -344,9 +324,8 @@ int _gnutls_connection_state_init(GNUTLS_STATE state) bulk_cipher_algorithm, state->cipher_specs. server_write_key, - state->security_parameters.key_size, - state->cipher_specs.server_write_IV, - state->security_parameters.IV_size); + state->cipher_specs.server_write_IV); + if (state->connection_state.read_cipher_state == GNUTLS_CIPHER_FAILED && state->security_parameters.bulk_cipher_algorithm != @@ -355,25 +334,12 @@ int _gnutls_connection_state_init(GNUTLS_STATE state) return GNUTLS_E_UNKNOWN_CIPHER; } - if (state->connection_state.mac_secret_size > 0) { - memcpy(state->connection_state.read_mac_secret, - state-> - cipher_specs.server_write_mac_secret, - state->connection_state.mac_secret_size); - memcpy(state->connection_state.write_mac_secret, - state-> - cipher_specs.client_write_mac_secret, - state->connection_state.mac_secret_size); - } - state->connection_state.write_cipher_state = gnutls_cipher_init(state->security_parameters. bulk_cipher_algorithm, - state->cipher_specs. - client_write_key, - state->security_parameters.key_size, - state->cipher_specs.client_write_IV, - state->security_parameters.IV_size); + state->cipher_specs.client_write_key, + state->cipher_specs.client_write_IV); + if (state->connection_state.write_cipher_state == GNUTLS_CIPHER_FAILED && state->security_parameters.bulk_cipher_algorithm != @@ -381,6 +347,19 @@ int _gnutls_connection_state_init(GNUTLS_STATE state) gnutls_assert(); return GNUTLS_E_UNKNOWN_CIPHER; } + + /* copy mac secret to connection state + */ + if (mac_size > 0) { + gnutls_sset_datum( &state->connection_state.read_mac_secret, + state->cipher_specs.server_write_mac_secret.data, + state->cipher_specs.server_write_mac_secret.size); + + gnutls_sset_datum( &state->connection_state.write_mac_secret, + state->cipher_specs.client_write_mac_secret.data, + state->cipher_specs.client_write_mac_secret.size); + } + break; default: @@ -409,6 +388,7 @@ int _gnutls_compressed2TLSCiphertext(GNUTLS_STATE state, GNUTLS_MAC_HANDLE td; uint8 type = _type; uint8 major, minor; + int hash_size = state->connection_state.write_mac_secret.size; int blocksize = _gnutls_cipher_get_block_size(state->security_parameters. bulk_cipher_algorithm); @@ -421,17 +401,17 @@ int _gnutls_compressed2TLSCiphertext(GNUTLS_STATE state, gnutls_mac_init_ssl3(state->security_parameters. mac_algorithm, state->connection_state. - write_mac_secret, + write_mac_secret.data, state->connection_state. - mac_secret_size); + write_mac_secret.size); } else { td = gnutls_hmac_init(state->security_parameters. mac_algorithm, state->connection_state. - write_mac_secret, + write_mac_secret.data, state->connection_state. - mac_secret_size); + write_mac_secret.size); } if (td == GNUTLS_MAC_FAILED && state->security_parameters.mac_algorithm != GNUTLS_NULL_MAC) { @@ -462,8 +442,7 @@ int _gnutls_compressed2TLSCiphertext(GNUTLS_STATE state, switch (_gnutls_cipher_is_block(state->security_parameters.bulk_cipher_algorithm)) { case CIPHER_STREAM: length = - compressed.size + - state->security_parameters.hash_size; + compressed.size + hash_size; data = gnutls_malloc(length); if (data==NULL) { @@ -471,8 +450,7 @@ int _gnutls_compressed2TLSCiphertext(GNUTLS_STATE state, return GNUTLS_E_MEMORY_ERROR; } memcpy(data, compressed.data, compressed.size); - memcpy(&data[compressed.size], MAC, - state->security_parameters.hash_size); + memcpy(&data[compressed.size], MAC, hash_size); gnutls_cipher_encrypt(state->connection_state. write_cipher_state, data, length); @@ -499,7 +477,7 @@ int _gnutls_compressed2TLSCiphertext(GNUTLS_STATE state, length = compressed.size + - state->security_parameters.hash_size; + hash_size; pad = (uint8) (blocksize - (length % blocksize)) + rand; @@ -511,8 +489,7 @@ int _gnutls_compressed2TLSCiphertext(GNUTLS_STATE state, } memset(&data[length - pad], pad - 1, pad); memcpy(data, compressed.data, compressed.size); - memcpy(&data[compressed.size], MAC, - state->security_parameters.hash_size); + memcpy(&data[compressed.size], MAC, hash_size); gnutls_cipher_encrypt(state->connection_state. write_cipher_state, data, length); @@ -546,6 +523,9 @@ int _gnutls_ciphertext2TLSCompressed(GNUTLS_STATE state, GNUTLS_MAC_HANDLE td; int blocksize; uint8 major, minor; + int hash_size = state->connection_state.write_mac_secret.size; + /* write_mac secret == read_mac secret size + */ minor = _gnutls_version_get_minor(state->connection_state.version); major = _gnutls_version_get_major(state->connection_state.version); @@ -558,17 +538,17 @@ int _gnutls_ciphertext2TLSCompressed(GNUTLS_STATE state, gnutls_mac_init_ssl3(state->security_parameters. mac_algorithm, state->connection_state. - read_mac_secret, + read_mac_secret.data, state->connection_state. - mac_secret_size); + read_mac_secret.size); } else { td = gnutls_hmac_init(state->security_parameters. mac_algorithm, state->connection_state. - read_mac_secret, + read_mac_secret.data, state->connection_state. - mac_secret_size); + read_mac_secret.size); } if (td == GNUTLS_MAC_FAILED && state->security_parameters.mac_algorithm != GNUTLS_NULL_MAC) { @@ -579,8 +559,7 @@ int _gnutls_ciphertext2TLSCompressed(GNUTLS_STATE state, switch (_gnutls_cipher_is_block(state->security_parameters.bulk_cipher_algorithm)) { case CIPHER_STREAM: length = - ciphertext.size - - state->security_parameters.hash_size; + ciphertext.size - hash_size; data = gnutls_malloc(length); if (data==NULL) { gnutls_assert(); @@ -608,12 +587,10 @@ int _gnutls_ciphertext2TLSCompressed(GNUTLS_STATE state, pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */ length = - ciphertext.size - - state->security_parameters.hash_size - pad; + ciphertext.size - hash_size - pad; if (pad > - ciphertext.size - - state->security_parameters.hash_size) { + ciphertext.size - hash_size) { gnutls_assert(); return GNUTLS_E_RECEIVED_BAD_MESSAGE; } @@ -653,8 +630,7 @@ int _gnutls_ciphertext2TLSCompressed(GNUTLS_STATE state, } /* HMAC was not the same. */ if (memcmp - (MAC, &ciphertext.data[compress->size], - state->security_parameters.hash_size) != 0) { + (MAC, &ciphertext.data[compress->size], hash_size) != 0) { gnutls_assert(); return GNUTLS_E_MAC_FAILED; } diff --git a/lib/gnutls_cipher_int.c b/lib/gnutls_cipher_int.c index 97d3600bc0..dbd644b7fb 100644 --- a/lib/gnutls_cipher_int.c +++ b/lib/gnutls_cipher_int.c @@ -22,8 +22,9 @@ #include <gnutls_int.h> #include <gnutls_errors.h> #include <gnutls_cipher_int.h> +#include <gnutls_datum.h> -GNUTLS_CIPHER_HANDLE gnutls_cipher_init( BulkCipherAlgorithm cipher, void* key, int keysize, void* iv, int ivsize) +GNUTLS_CIPHER_HANDLE gnutls_cipher_init( BulkCipherAlgorithm cipher, gnutls_datum key, gnutls_datum iv) { GNUTLS_CIPHER_HANDLE ret; @@ -72,12 +73,12 @@ GNUTLS_CIPHER_HANDLE ret; if (ret!=GNUTLS_CIPHER_FAILED) { #ifdef USE_MCRYPT /* ivsize is assumed to be blocksize */ - if ( mcrypt_generic_init( ret, key, keysize, iv) < 0) { + if ( mcrypt_generic_init( ret, key.data, key.size, iv.data) < 0) { return GNUTLS_CIPHER_FAILED; }; #else - gcry_cipher_setkey(ret, key, keysize); - if (iv!=NULL && ivsize>0) gcry_cipher_setiv(ret, iv, ivsize); + gcry_cipher_setkey(ret, key.data, key.size); + if (iv!=NULL && ivsize>0) gcry_cipher_setiv(ret, iv.data, iv.size); #endif } diff --git a/lib/gnutls_cipher_int.h b/lib/gnutls_cipher_int.h index 1fee972c3c..fd6f812d2f 100644 --- a/lib/gnutls_cipher_int.h +++ b/lib/gnutls_cipher_int.h @@ -30,7 +30,7 @@ # define GNUTLS_CIPHER_FAILED NULL #endif -GNUTLS_CIPHER_HANDLE gnutls_cipher_init( BulkCipherAlgorithm cipher, void* key, int keysize, void* iv, int ivsize); +GNUTLS_CIPHER_HANDLE gnutls_cipher_init( BulkCipherAlgorithm cipher, gnutls_datum key, gnutls_datum iv); int gnutls_cipher_encrypt(GNUTLS_CIPHER_HANDLE handle, void* text, int textlen); int gnutls_cipher_decrypt(GNUTLS_CIPHER_HANDLE handle, void* ciphertext, int ciphertextlen); void gnutls_cipher_deinit(GNUTLS_CIPHER_HANDLE handle); diff --git a/lib/gnutls_compress_int.c b/lib/gnutls_compress_int.c index 95b82f2ad6..e66a524619 100644 --- a/lib/gnutls_compress_int.c +++ b/lib/gnutls_compress_int.c @@ -38,7 +38,7 @@ int err; switch (algorithm) { case GNUTLS_NULL_COMPRESSION: *compressed = gnutls_malloc(plain_size); - memmove(*compressed, plain, plain_size); + memcpy(*compressed, plain, plain_size); compressed_size = plain_size; break; #ifdef HAVE_LIBZ @@ -80,7 +80,7 @@ uLongf size; switch (algorithm) { case GNUTLS_NULL_COMPRESSION: *plain = gnutls_malloc(compressed_size); - memmove(*plain, compressed, compressed_size); + memcpy(*plain, compressed, compressed_size); plain_size = compressed_size; break; #ifdef HAVE_LIBZ diff --git a/lib/gnutls_datum.c b/lib/gnutls_datum.c index 64fd7b91e8..0fb0f3d0c1 100644 --- a/lib/gnutls_datum.c +++ b/lib/gnutls_datum.c @@ -72,3 +72,11 @@ void gnutls_free_datum( gnutls_datum* dat) { dat->data = NULL; dat->size = 0; } + +void gnutls_sfree_datum( gnutls_datum* dat) { + if (dat->data!=NULL && dat->size!=0) + secure_free( dat->data); + + dat->data = NULL; + dat->size = 0; +} diff --git a/lib/gnutls_datum.h b/lib/gnutls_datum.h index 9ecf461bcf..9d04cfea4b 100644 --- a/lib/gnutls_datum.h +++ b/lib/gnutls_datum.h @@ -7,3 +7,4 @@ int gnutls_set_datum( gnutls_datum* dat, const void* data, int data_size); /* uses secure_malloc */ int gnutls_sset_datum( gnutls_datum* dat, const void* data, int data_size); void gnutls_free_datum( gnutls_datum* dat); +void gnutls_sfree_datum( gnutls_datum* dat); diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index 1bfc959931..5f0f8c752b 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -1193,7 +1193,30 @@ int _gnutls_recv_hello(SOCKET cd, GNUTLS_STATE state, char *data, return ret; } - +/* The packets in gnutls_handshake + * + * Client Server + * + * ClientHello --------> + * ServerHello + * + * Certificate* + * ServerKeyExchange* + * Client Key Exchange0 --------> + * CertificateRequest* + * + * <-------- Server Key Exchange2 + * <-------- ServerHelloDone + * Certificate* + * ClientKeyExchange + * CertificateVerify* + * [ChangeCipherSpec] + * Finished --------> + * [ChangeCipherSpec] + * <-------- Finished + * + */ + /** * gnutls_handshake - This the main function in the handshake protocol. * @cd: is a connection descriptor, as returned by socket(). @@ -1225,7 +1248,7 @@ int gnutls_handshake(SOCKET cd, GNUTLS_STATE state) * * NOTE: I intend to make this function obsolete. If a certificate * cannot be verified then this information will be available in the auth_info - * structure. Thus not need for these functions. + * structure. Thus there's not need for these functions. * * This function initiates the handshake of the TLS/SSL protocol. * Here we will receive - if requested and supported by the ciphersuite - @@ -1254,6 +1277,7 @@ int gnutls_handshake_begin(SOCKET cd, GNUTLS_STATE state) #endif ret = _gnutls_send_hello(cd, state); if (ret < 0) { + gnutls_assert(); ERR("send hello", ret); gnutls_clearHashDataBuffer(state); return ret; @@ -1264,6 +1288,7 @@ int gnutls_handshake_begin(SOCKET cd, GNUTLS_STATE state) _gnutls_recv_handshake(cd, state, NULL, NULL, GNUTLS_SERVER_HELLO); if (ret < 0) { + gnutls_assert(); ERR("recv hello", ret); gnutls_clearHashDataBuffer(state); return ret; @@ -1331,6 +1356,7 @@ int gnutls_handshake_begin(SOCKET cd, GNUTLS_STATE state) ret = _gnutls_recv_client_kx_message0(cd, state); if (ret < 0) { ERR("recv client kx0", ret); + gnutls_assert(); gnutls_clearHashDataBuffer(state); return ret; } @@ -1340,6 +1366,7 @@ int gnutls_handshake_begin(SOCKET cd, GNUTLS_STATE state) ret = _gnutls_send_server_kx_message2(cd, state); if (ret < 0) { ERR("send server kx2", ret); + gnutls_assert(); gnutls_clearHashDataBuffer(state); return ret; } @@ -1360,6 +1387,7 @@ static int _gnutls_send_handshake_final(SOCKET cd, GNUTLS_STATE state, ret = _gnutls_send_change_cipher_spec(cd, state); if (ret < 0) { ERR("send ChangeCipherSpec", ret); + gnutls_assert(); return ret; } @@ -1376,6 +1404,7 @@ static int _gnutls_send_handshake_final(SOCKET cd, GNUTLS_STATE state, ret = _gnutls_send_finished(cd, state); if (ret < 0) { ERR("send Finished", ret); + gnutls_assert(); return ret; } return ret; @@ -1393,6 +1422,7 @@ static int _gnutls_recv_handshake_final(SOCKET cd, GNUTLS_STATE state, NULL, 0, 0); if (ret < 0) { ERR("recv ChangeCipherSpec", ret); + gnutls_assert(); return ret; } @@ -1408,6 +1438,7 @@ static int _gnutls_recv_handshake_final(SOCKET cd, GNUTLS_STATE state, ret = _gnutls_recv_finished(cd, state); if (ret < 0) { ERR("recv finished", ret); + gnutls_assert(); return ret; } return ret; diff --git a/lib/gnutls_hash_int.c b/lib/gnutls_hash_int.c index 464baa8aa8..68cf63676d 100644 --- a/lib/gnutls_hash_int.c +++ b/lib/gnutls_hash_int.c @@ -123,7 +123,7 @@ void *gnutls_hash_deinit(GNUTLS_MAC_HANDLE handle) gcry_md_final(handle->handle); mac = gcry_md_read(handle->handle, 0); - memmove(ret, mac, maclen); + memcpy(ret, mac, maclen); gcry_md_close(handle->handle); #endif gnutls_free(handle); @@ -236,7 +236,7 @@ void *gnutls_hmac_deinit(GNUTLS_MAC_HANDLE handle) gcry_md_final(handle->handle); mac = gcry_md_read(handle->handle, 0); - memmove(ret, mac, maclen); + memcpy(ret, mac, maclen); gcry_md_close(handle->handle); #endif gnutls_free(handle); @@ -420,7 +420,7 @@ void *gnutls_ssl3_generate_random(void *secret, int secret_len, void *random, size += block; - memmove(&ret[size - block], digest, + memcpy(&ret[size - block], digest, size > bytes ? (block - (bytes % block)) : block); gnutls_free(digest); i++; diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index 635fb9a064..4e81835a67 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -193,6 +193,8 @@ typedef struct { /* This structure and AUTH_INFO, are stored in the resume database, * and are restored, in case of resume. + * Holds all the required parameters to resume the current + * state. */ typedef struct { ConnectionEnd entity; @@ -204,39 +206,34 @@ typedef struct { * moved here from gnutls_internals in order to be restored * on resume; */ - GNUTLS_CipherSuite current_cipher_suite; - uint8 IV_size; - uint8 key_size; - uint8 key_material_length; - uint8 hash_size; - opaque master_secret[TLS_MASTER_SIZE]; - opaque client_random[TLS_RANDOM_SIZE]; - opaque server_random[TLS_RANDOM_SIZE]; - opaque session_id[TLS_MAX_SESSION_ID_SIZE]; - uint8 session_id_size; - time_t timestamp; + GNUTLS_CipherSuite current_cipher_suite; + opaque master_secret[TLS_MASTER_SIZE]; + opaque client_random[TLS_RANDOM_SIZE]; + opaque server_random[TLS_RANDOM_SIZE]; + opaque session_id[TLS_MAX_SESSION_ID_SIZE]; + uint8 session_id_size; + time_t timestamp; } SecurityParameters; +/* This structure holds the generated keys + */ typedef struct { - opaque* server_write_mac_secret; - opaque* client_write_mac_secret; - opaque* server_write_IV; - opaque* client_write_IV; - opaque* server_write_key; - opaque* client_write_key; + gnutls_datum server_write_mac_secret; + gnutls_datum client_write_mac_secret; + gnutls_datum server_write_IV; + gnutls_datum client_write_IV; + gnutls_datum server_write_key; + gnutls_datum client_write_key; } CipherSpecs; typedef enum GNUTLS_Version { GNUTLS_TLS1, GNUTLS_SSL3, GNUTLS_VERSION_UNKNOWN=0xff } GNUTLS_Version; typedef struct { GNUTLS_Version version; - opaque* read_compression_state; - opaque* write_compression_state; GNUTLS_CIPHER_HANDLE write_cipher_state; GNUTLS_CIPHER_HANDLE read_cipher_state; - opaque* read_mac_secret; - opaque* write_mac_secret; - uint8 mac_secret_size; + gnutls_datum read_mac_secret; + gnutls_datum write_mac_secret; uint64 read_sequence_number; uint64 write_sequence_number; } ConnectionState; diff --git a/lib/gnutls_kx.c b/lib/gnutls_kx.c index 444184bbb0..37d95f6c6c 100644 --- a/lib/gnutls_kx.c +++ b/lib/gnutls_kx.c @@ -46,8 +46,8 @@ opaque* premaster, *master; int ret = 0; char random[2*TLS_RANDOM_SIZE]; - memmove(random, state->security_parameters.client_random, TLS_RANDOM_SIZE); - memmove(&random[TLS_RANDOM_SIZE], state->security_parameters.server_random, TLS_RANDOM_SIZE); + memcpy(random, state->security_parameters.client_random, TLS_RANDOM_SIZE); + memcpy(&random[TLS_RANDOM_SIZE], state->security_parameters.server_random, TLS_RANDOM_SIZE); /* generate premaster */ premaster_size = state->gnutls_key->key.size; @@ -79,7 +79,7 @@ char random[2*TLS_RANDOM_SIZE]; #ifdef HARD_DEBUG fprintf(stderr, "MASTER SECRET: %s\n", _gnutls_bin2hex(master, TLS_MASTER_SIZE)); #endif - memmove(state->security_parameters.master_secret, master, TLS_MASTER_SIZE); + memcpy(state->security_parameters.master_secret, master, TLS_MASTER_SIZE); secure_free(master); return ret; } diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c index 6a5250c3d8..614b803175 100644 --- a/lib/gnutls_record.c +++ b/lib/gnutls_record.c @@ -34,6 +34,7 @@ #include "gnutls_auth_int.h" #include "gnutls_num.h" #include "gnutls_record.h" +#include "gnutls_datum.h" #ifdef HAVE_ERRNO_H # include <errno.h> @@ -137,10 +138,8 @@ int gnutls_deinit(GNUTLS_STATE state) gdbm_close(state->gnutls_internals.db_reader); #endif - GNUTLS_FREE(state->connection_state.read_compression_state); - GNUTLS_FREE(state->connection_state.read_mac_secret); - GNUTLS_FREE(state->connection_state.write_compression_state); - GNUTLS_FREE(state->connection_state.write_mac_secret); + gnutls_sfree_datum(&state->connection_state.read_mac_secret); + gnutls_sfree_datum(&state->connection_state.write_mac_secret); GNUTLS_FREE(state->gnutls_internals.buffer.data); GNUTLS_FREE(state->gnutls_internals.buffer_handshake.data); @@ -153,12 +152,12 @@ int gnutls_deinit(GNUTLS_STATE state) if (state->connection_state.write_cipher_state != NULL) gnutls_cipher_deinit(state->connection_state.write_cipher_state); - secure_free(state->cipher_specs.server_write_mac_secret); - secure_free(state->cipher_specs.client_write_mac_secret); - secure_free(state->cipher_specs.server_write_IV); - secure_free(state->cipher_specs.client_write_IV); - secure_free(state->cipher_specs.server_write_key); - secure_free(state->cipher_specs.client_write_key); + gnutls_sfree_datum( &state->cipher_specs.server_write_mac_secret); + gnutls_sfree_datum( &state->cipher_specs.client_write_mac_secret); + gnutls_sfree_datum( &state->cipher_specs.server_write_IV); + gnutls_sfree_datum( &state->cipher_specs.client_write_IV); + gnutls_sfree_datum( &state->cipher_specs.server_write_key); + gnutls_sfree_datum( &state->cipher_specs.client_write_key); mpi_release(state->gnutls_key->KEY); mpi_release(state->gnutls_key->client_Y); @@ -227,7 +226,7 @@ static svoid *gnutls_P_hash( MACAlgorithm algorithm, opaque * secret, int secret } - memmove( A, seed, seed_size); + memcpy( A, seed, seed_size); A_size = seed_size; times = i / blocksize; @@ -259,7 +258,7 @@ static svoid *gnutls_P_hash( MACAlgorithm algorithm, opaque * secret, int secret } if (how > 0) { - memmove(&ret[i * blocksize], final, how); + memcpy(&ret[i * blocksize], final, how); } gnutls_free(final); } @@ -305,8 +304,8 @@ svoid *gnutls_PRF( opaque * secret, int secret_size, uint8 * label, int label_si return NULL; } - memmove(s_seed, label, label_size); - memmove(&s_seed[label_size], seed, seed_size); + memcpy(s_seed, label, label_size); + memcpy(&s_seed[label_size], seed, seed_size); l_s = secret_size / 2; s1 = &secret[0]; @@ -346,20 +345,21 @@ svoid *gnutls_PRF( opaque * secret, int secret_size, uint8 * label, int label_si */ int _gnutls_set_keys(GNUTLS_STATE state) { - char *key_block; + opaque *key_block; char keyexp[] = "key expansion"; char random[2*TLS_RANDOM_SIZE]; int hash_size; int IV_size; int key_size; int block_size; - - hash_size = state->security_parameters.hash_size; - IV_size = state->security_parameters.IV_size; - key_size = state->security_parameters.key_material_length; + int pos; + + hash_size = _gnutls_mac_get_digest_size( state->security_parameters.mac_algorithm); + IV_size = _gnutls_cipher_get_iv_size( state->security_parameters.bulk_cipher_algorithm); + key_size = _gnutls_cipher_get_key_size( state->security_parameters.bulk_cipher_algorithm); - memmove(random, state->security_parameters.server_random, TLS_RANDOM_SIZE); - memmove(&random[TLS_RANDOM_SIZE], state->security_parameters.client_random, TLS_RANDOM_SIZE); + memcpy(random, state->security_parameters.server_random, TLS_RANDOM_SIZE); + memcpy(&random[TLS_RANDOM_SIZE], state->security_parameters.client_random, TLS_RANDOM_SIZE); block_size = 2 * hash_size + 2 * key_size + 2 * IV_size; @@ -379,39 +379,34 @@ int _gnutls_set_keys(GNUTLS_STATE state) fprintf(stderr, "KEY BLOCK[%d]: %s\n",block_size, _gnutls_bin2hex(key_block, block_size)); #endif - if (hash_size>0) { - state->cipher_specs.client_write_mac_secret = secure_malloc(hash_size); - if (state->cipher_specs.client_write_mac_secret==NULL) + pos = 0; + if (hash_size > 0) { + if (gnutls_sset_datum( &state->cipher_specs.client_write_mac_secret, &key_block[pos], hash_size) < 0 ) return GNUTLS_E_MEMORY_ERROR; - memmove(state->cipher_specs.client_write_mac_secret, &key_block[0], hash_size); + pos+=hash_size; - state->cipher_specs.server_write_mac_secret = secure_malloc(hash_size); - if (state->cipher_specs.server_write_mac_secret==NULL) + if (gnutls_sset_datum( &state->cipher_specs.server_write_mac_secret, &key_block[pos], hash_size) < 0 ) return GNUTLS_E_MEMORY_ERROR; - memmove(state->cipher_specs.server_write_mac_secret, &key_block[hash_size], hash_size); + pos+=hash_size; } - if (key_size>0) { - state->cipher_specs.client_write_key = secure_malloc(key_size); - if (state->cipher_specs.client_write_key==NULL) + if (key_size > 0) { + if (gnutls_sset_datum( &state->cipher_specs.client_write_key, &key_block[pos], key_size) < 0 ) return GNUTLS_E_MEMORY_ERROR; - memmove(state->cipher_specs.client_write_key, &key_block[2 * hash_size], key_size); + pos+=key_size; - state->cipher_specs.server_write_key = secure_malloc(key_size); - if (state->cipher_specs.server_write_key==NULL) + if (gnutls_sset_datum( &state->cipher_specs.server_write_key, &key_block[pos], key_size) < 0 ) return GNUTLS_E_MEMORY_ERROR; - memmove(state->cipher_specs.server_write_key, &key_block[2 * hash_size + key_size], key_size); + pos+=key_size; } if (IV_size > 0) { - state->cipher_specs.client_write_IV = secure_malloc(IV_size); - if (state->cipher_specs.client_write_IV==NULL) + if (gnutls_sset_datum( &state->cipher_specs.client_write_IV, &key_block[pos], IV_size) < 0 ) return GNUTLS_E_MEMORY_ERROR; - memmove(state->cipher_specs.client_write_IV, &key_block[2 * key_size + 2 * hash_size], IV_size); + pos+=IV_size; - state->cipher_specs.server_write_IV = secure_malloc(IV_size); - if (state->cipher_specs.server_write_IV==NULL) + if (gnutls_sset_datum( &state->cipher_specs.server_write_IV, &key_block[pos], IV_size) < 0 ) return GNUTLS_E_MEMORY_ERROR; - memmove(state->cipher_specs.server_write_IV, &key_block[2 * hash_size + 2 * key_size + IV_size], IV_size); + pos+=IV_size; } secure_free(key_block); @@ -422,8 +417,8 @@ int _gnutls_send_alert(SOCKET cd, GNUTLS_STATE state, AlertLevel level, AlertDes { uint8 data[2]; - memmove(&data[0], &level, 1); - memmove(&data[1], &desc, 1); + memcpy(&data[0], &level, 1); + memcpy(&data[1], &desc, 1); #ifdef DEBUG fprintf(stderr, "Record: Sending Alert[%d|%d] - %s\n", data[0], data[1], _gnutls_alert2str((int)data[1])); @@ -571,7 +566,7 @@ ssize_t gnutls_send_int(SOCKET cd, GNUTLS_STATE state, ContentType type, const v WRITEuint16( cipher_size, &headers[3]); - memmove( cipher, headers, HEADER_SIZE); + memcpy( cipher, headers, HEADER_SIZE); cipher_size += HEADER_SIZE; if (_gnutls_Write(cd, cipher, cipher_size, flags) != cipher_size) { @@ -819,18 +814,8 @@ ssize_t gnutls_recv_int(SOCKET cd, GNUTLS_STATE state, ContentType type, char *d return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - if (type == GNUTLS_CHANGE_CIPHER_SPEC && recv_type == GNUTLS_CHANGE_CIPHER_SPEC) { -#ifdef RECORD_DEBUG - fprintf(stderr, "Record: ChangeCipherSpec Packet was received\n"); -#endif - gnutls_free(ciphertext); - if (length!=1) { - gnutls_assert(); - return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; - } - return 0; - } - + /* decrypt the data we got + */ tmplen = _gnutls_decrypt( state, ciphertext, length, &tmpdata, recv_type); if (tmplen < 0) { switch (tmplen) { @@ -851,6 +836,20 @@ ssize_t gnutls_recv_int(SOCKET cd, GNUTLS_STATE state, ContentType type, char *d return tmplen; } + /* Check if this is a CHANGE_CIPHER_SPEC + */ + if (type == GNUTLS_CHANGE_CIPHER_SPEC && recv_type == GNUTLS_CHANGE_CIPHER_SPEC) { +#ifdef RECORD_DEBUG + fprintf(stderr, "Record: ChangeCipherSpec Packet was received\n"); +#endif + gnutls_free(ciphertext); + if (tmplen!=1) { + gnutls_assert(); + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + return 0; + } + #ifdef RECORD_DEBUG fprintf(stderr, "Record: Decrypted Packet[%d] %s(%d) with length: %d\n", (int) uint64touint32(&state->connection_state.read_sequence_number), _gnutls_packet2str(recv_type), recv_type, tmplen); diff --git a/lib/gnutls_v2_compat.c b/lib/gnutls_v2_compat.c index 4d266c1049..5614e13794 100644 --- a/lib/gnutls_v2_compat.c +++ b/lib/gnutls_v2_compat.c @@ -78,7 +78,7 @@ static int SelectSuite_v2(GNUTLS_STATE state, opaque ret[2], char *data, ((GNUTLS_CipherSuite *) & data[j+1]))); #endif - memmove(ret, + memcpy(ret, ciphers[i].CipherSuite, 2); gnutls_free(ciphers); |