summaryrefslogtreecommitdiff
path: root/lib/system
diff options
context:
space:
mode:
Diffstat (limited to 'lib/system')
-rw-r--r--lib/system/certs.c223
-rw-r--r--lib/system/fastopen.c107
-rw-r--r--lib/system/keys-dummy.c11
-rw-r--r--lib/system/keys-win.c521
-rw-r--r--lib/system/ktls.c704
-rw-r--r--lib/system/ktls.h16
-rw-r--r--lib/system/sockets.c60
-rw-r--r--lib/system/threads.c6
8 files changed, 748 insertions, 900 deletions
diff --git a/lib/system/certs.c b/lib/system/certs.c
index b7d9a0b312..4c649b2141 100644
--- a/lib/system/certs.c
+++ b/lib/system/certs.c
@@ -32,22 +32,22 @@
#include "system.h"
#ifdef _WIN32
-# include <windows.h>
-# include <wincrypt.h>
+#include <windows.h>
+#include <wincrypt.h>
-#else /* !_WIN32 */
+#else /* !_WIN32 */
-# include <poll.h>
+#include <poll.h>
-# if defined(HAVE_GETPWUID_R)
-# include <pwd.h>
-# endif
+#if defined(HAVE_GETPWUID_R)
+#include <pwd.h>
+#endif
#endif
#ifdef __APPLE__
-# include <CoreFoundation/CoreFoundation.h>
-# include <Security/Security.h>
-# include <Availability.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/Security.h>
+#include <Availability.h>
#endif
/* System specific function wrappers for certificate stores.
@@ -103,59 +103,49 @@ int _gnutls_find_config_path(char *path, size_t max_size)
return 0;
}
-#if defined(DEFAULT_TRUST_STORE_FILE) || (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11))
-static
-int
-add_system_trust(gnutls_x509_trust_list_t list,
- unsigned int tl_flags, unsigned int tl_vflags)
+#if defined(DEFAULT_TRUST_STORE_FILE) || \
+ (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11))
+static int add_system_trust(gnutls_x509_trust_list_t list,
+ unsigned int tl_flags, unsigned int tl_vflags)
{
int ret, r = 0;
const char *crl_file =
-# ifdef DEFAULT_CRL_FILE
- DEFAULT_CRL_FILE;
-# else
- NULL;
-# endif
-
-# if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)
- ret =
- gnutls_x509_trust_list_add_trust_file(list,
- DEFAULT_TRUST_STORE_PKCS11,
- crl_file,
- GNUTLS_X509_FMT_DER,
- tl_flags, tl_vflags);
+#ifdef DEFAULT_CRL_FILE
+ DEFAULT_CRL_FILE;
+#else
+ NULL;
+#endif
+
+#if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)
+ ret = gnutls_x509_trust_list_add_trust_file(
+ list, DEFAULT_TRUST_STORE_PKCS11, crl_file, GNUTLS_X509_FMT_DER,
+ tl_flags, tl_vflags);
if (ret > 0)
r += ret;
-# endif
-
-# ifdef DEFAULT_TRUST_STORE_FILE
- ret =
- gnutls_x509_trust_list_add_trust_file(list,
- DEFAULT_TRUST_STORE_FILE,
- crl_file,
- GNUTLS_X509_FMT_PEM,
- tl_flags, tl_vflags);
+#endif
+
+#ifdef DEFAULT_TRUST_STORE_FILE
+ ret = gnutls_x509_trust_list_add_trust_file(
+ list, DEFAULT_TRUST_STORE_FILE, crl_file, GNUTLS_X509_FMT_PEM,
+ tl_flags, tl_vflags);
if (ret > 0)
r += ret;
-# endif
+#endif
-# ifdef DEFAULT_BLOCKLIST_FILE
- ret =
- gnutls_x509_trust_list_remove_trust_file(list,
- DEFAULT_BLOCKLIST_FILE,
- GNUTLS_X509_FMT_PEM);
+#ifdef DEFAULT_BLOCKLIST_FILE
+ ret = gnutls_x509_trust_list_remove_trust_file(
+ list, DEFAULT_BLOCKLIST_FILE, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
_gnutls_debug_log("Could not load blocklist file '%s'\n",
DEFAULT_BLOCKLIST_FILE);
}
-# endif
+#endif
return r;
}
#elif defined(_WIN32)
-static
-int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
- unsigned int tl_vflags)
+static int add_system_trust(gnutls_x509_trust_list_t list,
+ unsigned int tl_flags, unsigned int tl_vflags)
{
unsigned int i;
int r = 0;
@@ -167,15 +157,13 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
gnutls_datum_t data;
if (i == 0)
- store =
- CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0,
- CERT_SYSTEM_STORE_CURRENT_USER,
- L"ROOT");
+ store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0,
+ CERT_SYSTEM_STORE_CURRENT_USER,
+ L"ROOT");
else
- store =
- CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0,
- CERT_SYSTEM_STORE_CURRENT_USER,
- L"CA");
+ store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0,
+ CERT_SYSTEM_STORE_CURRENT_USER,
+ L"CA");
if (store == NULL)
return GNUTLS_E_FILE_ERROR;
@@ -187,10 +175,10 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
if (cert->dwCertEncodingType == X509_ASN_ENCODING) {
data.data = cert->pbCertEncoded;
data.size = cert->cbCertEncoded;
- if (gnutls_x509_trust_list_add_trust_mem
- (list, &data, NULL,
- GNUTLS_X509_FMT_DER, tl_flags,
- tl_vflags) > 0)
+ if (gnutls_x509_trust_list_add_trust_mem(
+ list, &data, NULL,
+ GNUTLS_X509_FMT_DER, tl_flags,
+ tl_vflags) > 0)
r++;
}
cert = CertEnumCertificatesInStore(store, cert);
@@ -200,40 +188,36 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
if (crl->dwCertEncodingType == X509_ASN_ENCODING) {
data.data = crl->pbCrlEncoded;
data.size = crl->cbCrlEncoded;
- gnutls_x509_trust_list_add_trust_mem(list,
- NULL,
- &data,
- GNUTLS_X509_FMT_DER,
- tl_flags,
- tl_vflags);
+ gnutls_x509_trust_list_add_trust_mem(
+ list, NULL, &data, GNUTLS_X509_FMT_DER,
+ tl_flags, tl_vflags);
}
crl = pCertEnumCRLsInStore(store, crl);
}
CertCloseStore(store, 0);
}
-# ifdef DEFAULT_BLOCKLIST_FILE
- ret =
- gnutls_x509_trust_list_remove_trust_file(list,
- DEFAULT_BLOCKLIST_FILE,
- GNUTLS_X509_FMT_PEM);
+#ifdef DEFAULT_BLOCKLIST_FILE
+ ret = gnutls_x509_trust_list_remove_trust_file(
+ list, DEFAULT_BLOCKLIST_FILE, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
_gnutls_debug_log("Could not load blocklist file '%s'\n",
DEFAULT_BLOCKLIST_FILE);
}
-# endif
+#endif
return r;
}
-#elif defined(ANDROID) || defined(__ANDROID__) || defined(DEFAULT_TRUST_STORE_DIR)
+#elif defined(ANDROID) || defined(__ANDROID__) || \
+ defined(DEFAULT_TRUST_STORE_DIR)
-# include <dirent.h>
-# include <unistd.h>
+#include <dirent.h>
+#include <unistd.h>
-# if defined(ANDROID) || defined(__ANDROID__)
-# define DEFAULT_TRUST_STORE_DIR "/system/etc/security/cacerts/"
+#if defined(ANDROID) || defined(__ANDROID__)
+#define DEFAULT_TRUST_STORE_DIR "/system/etc/security/cacerts/"
-# define DEFAULT_REVOCATION_DIR "/data/misc/keychain/cacerts-removed"
+#define DEFAULT_REVOCATION_DIR "/data/misc/keychain/cacerts-removed"
static int load_revoked_certs(gnutls_x509_trust_list_t list, unsigned type)
{
@@ -261,8 +245,8 @@ static int load_revoked_certs(gnutls_x509_trust_list_t list, unsigned type)
if (ret < 0) {
continue;
}
- ret = gnutls_x509_trust_list_remove_trust_file
- (list, pathbuf.ptr, type);
+ ret = gnutls_x509_trust_list_remove_trust_file(
+ list, pathbuf.ptr, type);
if (ret >= 0) {
r += ret;
}
@@ -274,42 +258,38 @@ static int load_revoked_certs(gnutls_x509_trust_list_t list, unsigned type)
return r;
}
-# endif
+#endif
/* This works on android 4.x
*/
-static
-int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
- unsigned int tl_vflags)
+static int add_system_trust(gnutls_x509_trust_list_t list,
+ unsigned int tl_flags, unsigned int tl_vflags)
{
int r = 0, ret;
- ret =
- gnutls_x509_trust_list_add_trust_dir(list, DEFAULT_TRUST_STORE_DIR,
- NULL, GNUTLS_X509_FMT_PEM,
- tl_flags, tl_vflags);
+ ret = gnutls_x509_trust_list_add_trust_dir(list,
+ DEFAULT_TRUST_STORE_DIR,
+ NULL, GNUTLS_X509_FMT_PEM,
+ tl_flags, tl_vflags);
if (ret >= 0)
r += ret;
-# if defined(ANDROID) || defined(__ANDROID__)
+#if defined(ANDROID) || defined(__ANDROID__)
ret = load_revoked_certs(list, GNUTLS_X509_FMT_DER);
if (ret >= 0)
r -= ret;
- ret =
- gnutls_x509_trust_list_add_trust_dir(list,
- "/data/misc/keychain/cacerts-added/",
- NULL, GNUTLS_X509_FMT_DER,
- tl_flags, tl_vflags);
+ ret = gnutls_x509_trust_list_add_trust_dir(
+ list, "/data/misc/keychain/cacerts-added/", NULL,
+ GNUTLS_X509_FMT_DER, tl_flags, tl_vflags);
if (ret >= 0)
r += ret;
-# endif
+#endif
return r;
}
#elif defined(__APPLE__) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070
-static
-int osstatus_error(status)
+static int osstatus_error(status)
{
CFStringRef err_str = SecCopyErrorMessageString(status, NULL);
_gnutls_debug_log("Error loading system root certificates: %s\n",
@@ -319,20 +299,18 @@ int osstatus_error(status)
return GNUTLS_E_FILE_ERROR;
}
-static
-int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
- unsigned int tl_vflags)
+static int add_system_trust(gnutls_x509_trust_list_t list,
+ unsigned int tl_flags, unsigned int tl_vflags)
{
int r = 0;
SecTrustSettingsDomain domain[] = { kSecTrustSettingsDomainUser,
- kSecTrustSettingsDomainAdmin,
- kSecTrustSettingsDomainSystem
- };
+ kSecTrustSettingsDomainAdmin,
+ kSecTrustSettingsDomainSystem };
for (size_t d = 0; d < sizeof(domain) / sizeof(*domain); d++) {
CFArrayRef certs = NULL;
- OSStatus status = SecTrustSettingsCopyCertificates(domain[d],
- &certs);
+ OSStatus status =
+ SecTrustSettingsCopyCertificates(domain[d], &certs);
if (status == errSecNoTrustSettings)
continue;
if (status != errSecSuccess)
@@ -341,7 +319,7 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
int cert_count = CFArrayGetCount(certs);
for (int i = 0; i < cert_count; i++) {
SecCertificateRef cert =
- (void *)CFArrayGetValueAtIndex(certs, i);
+ (void *)CFArrayGetValueAtIndex(certs, i);
CFDataRef der;
status = SecItemExport(cert, kSecFormatX509Cert, 0,
NULL, &der);
@@ -351,35 +329,35 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
return osstatus_error(status);
}
- if (gnutls_x509_trust_list_add_trust_mem(list,
- &
- (gnutls_datum_t)
- {
- .data =
- (void *)
- CFDataGetBytePtr(der),.size = CFDataGetLength(der),}, NULL, GNUTLS_X509_FMT_DER, tl_flags, tl_vflags) > 0)
+ if (gnutls_x509_trust_list_add_trust_mem(
+ list,
+ &(gnutls_datum_t){
+ .data = (void *)CFDataGetBytePtr(
+ der),
+ .size = CFDataGetLength(der),
+ },
+ NULL, GNUTLS_X509_FMT_DER, tl_flags,
+ tl_vflags) > 0)
r++;
CFRelease(der);
}
CFRelease(certs);
}
-# ifdef DEFAULT_BLOCKLIST_FILE
- ret =
- gnutls_x509_trust_list_remove_trust_file(list,
- DEFAULT_BLOCKLIST_FILE,
- GNUTLS_X509_FMT_PEM);
+#ifdef DEFAULT_BLOCKLIST_FILE
+ ret = gnutls_x509_trust_list_remove_trust_file(
+ list, DEFAULT_BLOCKLIST_FILE, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
_gnutls_debug_log("Could not load blocklist file '%s'\n",
DEFAULT_BLOCKLIST_FILE);
}
-# endif
+#endif
return r;
}
#else
-# define add_system_trust(x,y,z) GNUTLS_E_UNIMPLEMENTED_FEATURE
+#define add_system_trust(x, y, z) GNUTLS_E_UNIMPLEMENTED_FEATURE
#endif
@@ -399,10 +377,9 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
*
* Since: 3.1
**/
-int
-gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
- unsigned int tl_flags,
- unsigned int tl_vflags)
+int gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
+ unsigned int tl_flags,
+ unsigned int tl_vflags)
{
return add_system_trust(list, tl_flags | GNUTLS_TL_NO_DUPLICATES,
tl_vflags);
diff --git a/lib/system/fastopen.c b/lib/system/fastopen.c
index e60abf4aa5..4369223144 100644
--- a/lib/system/fastopen.c
+++ b/lib/system/fastopen.c
@@ -26,23 +26,25 @@
#include "errors.h"
#include <sys/socket.h>
-#include <netinet/in.h> /* IPPROTO_TCP */
+#include <netinet/in.h> /* IPPROTO_TCP */
#include <errno.h>
#include <sys/stat.h>
#include <sys/types.h>
/* Get TCP_FASTOPEN */
#ifdef HAVE_NETINET_TCP_H
-# include <netinet/tcp.h>
+#include <netinet/tcp.h>
#endif
/* TCP Fast Open on OSX behaves differently from Linux, so define these helpers */
-#if defined __APPLE__ && defined __MACH__ && defined CONNECT_DATA_IDEMPOTENT && defined CONNECT_RESUME_ON_READ_WRITE
-# if defined __has_builtin && __has_builtin(__builtin_available)
-# define TCP_FASTOPEN_OSX
-# endif
+#if defined __APPLE__ && defined __MACH__ && \
+ defined CONNECT_DATA_IDEMPOTENT && \
+ defined CONNECT_RESUME_ON_READ_WRITE
+#if defined __has_builtin && __has_builtin(__builtin_available)
+#define TCP_FASTOPEN_OSX
+#endif
#elif defined TCP_FASTOPEN && defined MSG_FASTOPEN
-# define TCP_FASTOPEN_LINUX
+#define TCP_FASTOPEN_LINUX
#endif
/* Do not use the gnulib functions for sending and receiving data.
@@ -54,8 +56,8 @@
#undef connect
#ifdef _WIN32
-static ssize_t
-tfo_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt)
+static ssize_t tfo_writev(gnutls_transport_ptr_t ptr, const giovec_t *iovec,
+ int iovec_cnt)
{
tfo_st *p = ptr;
int fd = p->fd;
@@ -80,9 +82,9 @@ tfo_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt)
return system_writev(GNUTLS_INT_TO_POINTER(fd), iovec, iovec_cnt);
}
-#else /* sendmsg */
-static ssize_t
-tfo_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt)
+#else /* sendmsg */
+static ssize_t tfo_writev(gnutls_transport_ptr_t ptr, const giovec_t *iovec,
+ int iovec_cnt)
{
tfo_st *p = ptr;
int fd = p->fd;
@@ -96,14 +98,14 @@ tfo_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt)
if (likely(!p->connect_addrlen))
return sendmsg(fd, &hdr, p->flags);
-# if defined(TCP_FASTOPEN_LINUX)
+#if defined(TCP_FASTOPEN_LINUX)
if (!p->connect_only) {
int on = 1;
- if (setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &on, sizeof(on))
- == -1)
- _gnutls_debug_log
- ("Failed to set socket option FASTOPEN\n");
+ if (setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &on,
+ sizeof(on)) == -1)
+ _gnutls_debug_log(
+ "Failed to set socket option FASTOPEN\n");
hdr.msg_name = &p->connect_addr;
hdr.msg_namelen = p->connect_addrlen;
@@ -113,20 +115,19 @@ tfo_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt)
if (ret < 0) {
if (errno == EINPROGRESS) {
gnutls_assert();
- errno = EAGAIN; // GnuTLS does not handle EINPROGRESS
+ errno = EAGAIN; // GnuTLS does not handle EINPROGRESS
} else if (errno == EOPNOTSUPP) {
// fallback from fastopen, e.g. when fastopen is disabled in system
- _gnutls_debug_log
- ("Fallback from TCP Fast Open... TFO is not enabled at system level\n");
+ _gnutls_debug_log(
+ "Fallback from TCP Fast Open... TFO is not enabled at system level\n");
p->connect_only = 1;
goto connect_only;
}
}
} else {
- connect_only:
- ret =
- connect(fd, (struct sockaddr *)&p->connect_addr,
- p->connect_addrlen);
+ connect_only:
+ ret = connect(fd, (struct sockaddr *)&p->connect_addr,
+ p->connect_addrlen);
if (errno == ENOTCONN || errno == EINPROGRESS) {
gnutls_assert();
errno = EAGAIN;
@@ -135,40 +136,37 @@ tfo_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt)
if (ret == 0)
p->connect_only = 0;
}
-# elif defined(TCP_FASTOPEN_OSX)
+#elif defined(TCP_FASTOPEN_OSX)
{
- if (__builtin_available
- (macOS 10.11, iOS 9.0, tvOS 9.0, watchOS 2.0, *)) {
- sa_endpoints_t endpoints = {.sae_dstaddr =
- (struct sockaddr *)&p->
- connect_addr,.sae_dstaddrlen =
- p->connect_addrlen
+ if (__builtin_available(macOS 10.11, iOS 9.0, tvOS 9.0,
+ watchOS 2.0, *)) {
+ sa_endpoints_t endpoints = {
+ .sae_dstaddr =
+ (struct sockaddr *)&p->connect_addr,
+ .sae_dstaddrlen = p->connect_addrlen
};
- ret =
- connectx(fd, &endpoints, SAE_ASSOCID_ANY,
- CONNECT_RESUME_ON_READ_WRITE |
- CONNECT_DATA_IDEMPOTENT, NULL, 0, NULL,
- NULL);
+ ret = connectx(fd, &endpoints, SAE_ASSOCID_ANY,
+ CONNECT_RESUME_ON_READ_WRITE |
+ CONNECT_DATA_IDEMPOTENT,
+ NULL, 0, NULL, NULL);
} else {
- ret =
- connect(fd, (struct sockaddr *)&p->connect_addr,
- p->connect_addrlen);
+ ret = connect(fd, (struct sockaddr *)&p->connect_addr,
+ p->connect_addrlen);
}
if (errno == ENOTCONN || errno == EINPROGRESS) {
gnutls_assert();
errno = EAGAIN;
}
}
-# else
- ret =
- connect(fd, (struct sockaddr *)&p->connect_addr,
- p->connect_addrlen);
+#else
+ ret = connect(fd, (struct sockaddr *)&p->connect_addr,
+ p->connect_addrlen);
if (errno == ENOTCONN || errno == EINPROGRESS) {
gnutls_assert();
errno = EAGAIN;
}
-# endif
+#endif
if (ret == 0 || errno != EAGAIN) {
/* This has to be called just once, connect info not needed any more */
@@ -177,19 +175,18 @@ tfo_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt)
return ret;
}
-#endif /* sendmsg */
+#endif /* sendmsg */
-static
-int tfo_recv_timeout(gnutls_transport_ptr_t ptr, unsigned int ms)
+static int tfo_recv_timeout(gnutls_transport_ptr_t ptr, unsigned int ms)
{
tfo_st *p = ptr;
- return gnutls_system_recv_timeout((gnutls_transport_ptr_t) (long)p->fd,
+ return gnutls_system_recv_timeout((gnutls_transport_ptr_t)(long)p->fd,
ms);
}
-static ssize_t
-tfo_read(gnutls_transport_ptr_t ptr, void *data, size_t data_size)
+static ssize_t tfo_read(gnutls_transport_ptr_t ptr, void *data,
+ size_t data_size)
{
tfo_st *p = ptr;
@@ -228,13 +225,13 @@ tfo_read(gnutls_transport_ptr_t ptr, void *data, size_t data_size)
*
* Since: 3.5.3
**/
-void
-gnutls_transport_set_fastopen(gnutls_session_t session,
- int fd, struct sockaddr *connect_addr,
- socklen_t connect_addrlen, unsigned int flags)
+void gnutls_transport_set_fastopen(gnutls_session_t session, int fd,
+ struct sockaddr *connect_addr,
+ socklen_t connect_addrlen,
+ unsigned int flags)
{
if (connect_addrlen >
- (socklen_t) sizeof(session->internals.tfo.connect_addr)) {
+ (socklen_t)sizeof(session->internals.tfo.connect_addr)) {
gnutls_assert();
return;
}
diff --git a/lib/system/keys-dummy.c b/lib/system/keys-dummy.c
index d2fb5910c4..750bee2b35 100644
--- a/lib/system/keys-dummy.c
+++ b/lib/system/keys-dummy.c
@@ -33,13 +33,10 @@ void gnutls_system_key_iter_deinit(gnutls_system_key_iter_t iter)
return;
}
-int
-gnutls_system_key_iter_get_info(gnutls_system_key_iter_t * iter,
- unsigned cert_type,
- char **cert_url,
- char **key_url,
- char **label,
- gnutls_datum_t * der, unsigned int flags)
+int gnutls_system_key_iter_get_info(gnutls_system_key_iter_t *iter,
+ unsigned cert_type, char **cert_url,
+ char **key_url, char **label,
+ gnutls_datum_t *der, unsigned int flags)
{
return GNUTLS_E_UNIMPLEMENTED_FEATURE;
}
diff --git a/lib/system/keys-win.c b/lib/system/keys-win.c
index 27152558ef..3811b81b3b 100644
--- a/lib/system/keys-win.c
+++ b/lib/system/keys-win.c
@@ -22,8 +22,8 @@
// Before including any Windows header we need to set _WIN32_WINNT to Vista
// (or higher) so that the NCRYPT stuff can be used.
#if _WIN32_WINNT < 0x600
-# undef _WIN32_WINNT
-# define _WIN32_WINNT 0x600
+#undef _WIN32_WINNT
+#define _WIN32_WINNT 0x600
#endif
#include <config.h>
@@ -39,7 +39,7 @@
#include <urls.h>
#if !defined(_WIN32)
-# error should not be included
+#error should not be included
#endif
#include <wincrypt.h>
@@ -47,61 +47,60 @@
#include <winapifamily.h>
#ifdef __MINGW32__
-# include <_mingw.h>
-# ifdef __MINGW64_VERSION_MAJOR
+#include <_mingw.h>
+#ifdef __MINGW64_VERSION_MAJOR
/* MinGW64 */
-# include <ncrypt.h>
-# else
+#include <ncrypt.h>
+#else
/* mingw.org's MinGW */
-# include <security.h>
-# define BCRYPT_PAD_PKCS1 0x00000002
-# define BCRYPT_RSA_ALGORITHM L"RSA"
-# define BCRYPT_DSA_ALGORITHM L"DSA"
-# define BCRYPT_SHA1_ALGORITHM L"SHA1"
-# define BCRYPT_SHA256_ALGORITHM L"SHA256"
-# define BCRYPT_SHA384_ALGORITHM L"SHA384"
-# define BCRYPT_SHA512_ALGORITHM L"SHA512"
-# define BCRYPT_ECDSA_P256_ALGORITHM L"ECDSA_P256"
-# define BCRYPT_ECDSA_P384_ALGORITHM L"ECDSA_P384"
-# define BCRYPT_ECDSA_P521_ALGORITHM L"ECDSA_P521"
+#include <security.h>
+#define BCRYPT_PAD_PKCS1 0x00000002
+#define BCRYPT_RSA_ALGORITHM L"RSA"
+#define BCRYPT_DSA_ALGORITHM L"DSA"
+#define BCRYPT_SHA1_ALGORITHM L"SHA1"
+#define BCRYPT_SHA256_ALGORITHM L"SHA256"
+#define BCRYPT_SHA384_ALGORITHM L"SHA384"
+#define BCRYPT_SHA512_ALGORITHM L"SHA512"
+#define BCRYPT_ECDSA_P256_ALGORITHM L"ECDSA_P256"
+#define BCRYPT_ECDSA_P384_ALGORITHM L"ECDSA_P384"
+#define BCRYPT_ECDSA_P521_ALGORITHM L"ECDSA_P521"
typedef ULONG_PTR NCRYPT_HANDLE;
typedef ULONG_PTR NCRYPT_PROV_HANDLE;
typedef ULONG_PTR NCRYPT_KEY_HANDLE;
typedef struct _BCRYPT_PKCS1_PADDING_INFO {
LPCWSTR pszAlgId;
} BCRYPT_PKCS1_PADDING_INFO;
-# endif
-#else /* non-mingw */
-# include <ncrypt.h>
+#endif
+#else /* non-mingw */
+#include <ncrypt.h>
#endif
// MinGW headers may not have these defines
#ifndef NCRYPT_SHA1_ALGORITHM
-# define NCRYPT_SHA1_ALGORITHM BCRYPT_SHA1_ALGORITHM
+#define NCRYPT_SHA1_ALGORITHM BCRYPT_SHA1_ALGORITHM
#endif
#ifndef NCRYPT_SHA256_ALGORITHM
-# define NCRYPT_SHA256_ALGORITHM BCRYPT_SHA256_ALGORITHM
+#define NCRYPT_SHA256_ALGORITHM BCRYPT_SHA256_ALGORITHM
#endif
#ifndef NCRYPT_SHA384_ALGORITHM
-# define NCRYPT_SHA384_ALGORITHM BCRYPT_SHA384_ALGORITHM
+#define NCRYPT_SHA384_ALGORITHM BCRYPT_SHA384_ALGORITHM
#endif
#ifndef NCRYPT_SHA512_ALGORITHM
-# define NCRYPT_SHA512_ALGORITHM BCRYPT_SHA512_ALGORITHM
+#define NCRYPT_SHA512_ALGORITHM BCRYPT_SHA512_ALGORITHM
#endif
#ifndef NCRYPT_PAD_PKCS1_FLAG
-# define NCRYPT_PAD_PKCS1_FLAG 2
+#define NCRYPT_PAD_PKCS1_FLAG 2
#endif
#ifndef NCRYPT_ALGORITHM_PROPERTY
-# define NCRYPT_ALGORITHM_PROPERTY L"Algorithm Name"
+#define NCRYPT_ALGORITHM_PROPERTY L"Algorithm Name"
#endif
#ifndef CERT_NCRYPT_KEY_HANDLE_TRANSFER_PROP_ID
-# define CERT_NCRYPT_KEY_HANDLE_TRANSFER_PROP_ID 99
+#define CERT_NCRYPT_KEY_HANDLE_TRANSFER_PROP_ID 99
#endif
#define MAX_WID_SIZE 48
-static
-void *memrev(unsigned char *pvData, DWORD cbData);
+static void *memrev(unsigned char *pvData, DWORD cbData);
struct system_key_iter_st {
HCERTSTORE store;
@@ -109,57 +108,42 @@ struct system_key_iter_st {
};
typedef struct priv_st {
- DWORD dwKeySpec; /* CAPI key */
- HCRYPTPROV hCryptProv; /* CAPI keystore */
- NCRYPT_KEY_HANDLE nc; /* CNG Keystore */
+ DWORD dwKeySpec; /* CAPI key */
+ HCRYPTPROV hCryptProv; /* CAPI keystore */
+ NCRYPT_KEY_HANDLE nc; /* CNG Keystore */
gnutls_pk_algorithm_t pk;
gnutls_sign_algorithm_t sign_algo;
} priv_st;
-typedef SECURITY_STATUS(WINAPI * NCryptDeleteKeyFunc) (NCRYPT_KEY_HANDLE hKey,
- DWORD dwFlags);
-
-typedef SECURITY_STATUS(WINAPI *
- NCryptOpenStorageProviderFunc) (NCRYPT_PROV_HANDLE *
- phProvider,
- LPCWSTR pszProviderName,
- DWORD dwFlags);
-
-typedef SECURITY_STATUS(WINAPI *
- NCryptOpenKeyFunc) (NCRYPT_PROV_HANDLE hProvider,
- NCRYPT_KEY_HANDLE * phKey,
- LPCWSTR pszKeyName,
- DWORD dwLegacyKeySpec,
- DWORD dwFlags);
-
-typedef SECURITY_STATUS(WINAPI * NCryptGetPropertyFunc) (NCRYPT_HANDLE hObject,
- LPCWSTR pszProperty,
- PBYTE pbOutput,
- DWORD cbOutput,
- DWORD * pcbResult,
- DWORD dwFlags);
-
-typedef SECURITY_STATUS(WINAPI * NCryptFreeObjectFunc) (NCRYPT_HANDLE hObject);
-
-typedef SECURITY_STATUS(WINAPI * NCryptDecryptFunc) (NCRYPT_KEY_HANDLE hKey,
- PBYTE pbInput,
- DWORD cbInput,
- VOID * pPaddingInfo,
- PBYTE pbOutput,
- DWORD cbOutput,
- DWORD * pcbResult,
+typedef SECURITY_STATUS(WINAPI *NCryptDeleteKeyFunc)(NCRYPT_KEY_HANDLE hKey,
DWORD dwFlags);
-typedef SECURITY_STATUS(WINAPI * NCryptSignHashFunc) (NCRYPT_KEY_HANDLE hKey,
- VOID * pPaddingInfo,
- PBYTE pbHashValue,
- DWORD cbHashValue,
- PBYTE pbSignature,
- DWORD cbSignature,
- DWORD * pcbResult,
- DWORD dwFlags);
+typedef SECURITY_STATUS(WINAPI *NCryptOpenStorageProviderFunc)(
+ NCRYPT_PROV_HANDLE *phProvider, LPCWSTR pszProviderName, DWORD dwFlags);
+
+typedef SECURITY_STATUS(WINAPI *NCryptOpenKeyFunc)(NCRYPT_PROV_HANDLE hProvider,
+ NCRYPT_KEY_HANDLE *phKey,
+ LPCWSTR pszKeyName,
+ DWORD dwLegacyKeySpec,
+ DWORD dwFlags);
+
+typedef SECURITY_STATUS(WINAPI *NCryptGetPropertyFunc)(
+ NCRYPT_HANDLE hObject, LPCWSTR pszProperty, PBYTE pbOutput,
+ DWORD cbOutput, DWORD *pcbResult, DWORD dwFlags);
+
+typedef SECURITY_STATUS(WINAPI *NCryptFreeObjectFunc)(NCRYPT_HANDLE hObject);
+
+typedef SECURITY_STATUS(WINAPI *NCryptDecryptFunc)(
+ NCRYPT_KEY_HANDLE hKey, PBYTE pbInput, DWORD cbInput,
+ VOID *pPaddingInfo, PBYTE pbOutput, DWORD cbOutput, DWORD *pcbResult,
+ DWORD dwFlags);
+
+typedef SECURITY_STATUS(WINAPI *NCryptSignHashFunc)(
+ NCRYPT_KEY_HANDLE hKey, VOID *pPaddingInfo, PBYTE pbHashValue,
+ DWORD cbHashValue, PBYTE pbSignature, DWORD cbSignature,
+ DWORD *pcbResult, DWORD dwFlags);
-static int StrCmpW(const WCHAR * str1, const WCHAR * str2)
+static int StrCmpW(const WCHAR *str1, const WCHAR *str2)
{
while (*str1 && (*str1 == *str2)) {
str1++;
@@ -177,23 +161,23 @@ static NCryptFreeObjectFunc pNCryptFreeObject;
static NCryptDecryptFunc pNCryptDecrypt;
static NCryptSignHashFunc pNCryptSignHash;
#else
-# define pNCryptDeleteKey NCryptDeleteKey
-# define pNCryptOpenStorageProvider NCryptOpenStorageProvider
-# define pNCryptOpenKey NCryptOpenKey
-# define pNCryptGetProperty NCryptGetProperty
-# define pNCryptFreeObject NCryptFreeObject
-# define pNCryptDecrypt NCryptDecrypt
-# define pNCryptSignHash NCryptSignHash
+#define pNCryptDeleteKey NCryptDeleteKey
+#define pNCryptOpenStorageProvider NCryptOpenStorageProvider
+#define pNCryptOpenKey NCryptOpenKey
+#define pNCryptGetProperty NCryptGetProperty
+#define pNCryptFreeObject NCryptFreeObject
+#define pNCryptDecrypt NCryptDecrypt
+#define pNCryptSignHash NCryptSignHash
#endif
static unsigned ncrypt_init = 0;
static HMODULE ncrypt_lib;
-#define WIN_URL SYSTEM_URL"win:"
+#define WIN_URL SYSTEM_URL "win:"
#define WIN_URL_SIZE 11
-static int
-get_id(const char *url, uint8_t * bin, size_t *bin_size, unsigned cert)
+static int get_id(const char *url, uint8_t *bin, size_t *bin_size,
+ unsigned cert)
{
int ret;
unsigned url_size = strlen(url);
@@ -201,12 +185,12 @@ get_id(const char *url, uint8_t * bin, size_t *bin_size, unsigned cert)
gnutls_datum_t tmp;
if (cert != 0) {
- if (url_size < sizeof(WIN_URL)
- || strncmp(url, WIN_URL, WIN_URL_SIZE) != 0)
+ if (url_size < sizeof(WIN_URL) ||
+ strncmp(url, WIN_URL, WIN_URL_SIZE) != 0)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
} else {
- if (url_size < sizeof(WIN_URL)
- || strncmp(url, WIN_URL, WIN_URL_SIZE) != 0)
+ if (url_size < sizeof(WIN_URL) ||
+ strncmp(url, WIN_URL, WIN_URL_SIZE) != 0)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
}
@@ -234,8 +218,7 @@ get_id(const char *url, uint8_t * bin, size_t *bin_size, unsigned cert)
}
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
-static
-void *memrev(unsigned char *pvData, DWORD cbData)
+static void *memrev(unsigned char *pvData, DWORD cbData)
{
char t;
DWORD i;
@@ -248,11 +231,10 @@ void *memrev(unsigned char *pvData, DWORD cbData)
return pvData;
}
-static
-int capi_sign(gnutls_privkey_t key, void *userdata,
- const gnutls_datum_t * raw_data, gnutls_datum_t * signature)
+static int capi_sign(gnutls_privkey_t key, void *userdata,
+ const gnutls_datum_t *raw_data, gnutls_datum_t *signature)
{
- priv_st *priv = (priv_st *) userdata;
+ priv_st *priv = (priv_st *)userdata;
ALG_ID Algid;
HCRYPTHASH hHash = 0;
uint8_t digest[MAX_HASH_SIZE];
@@ -290,9 +272,8 @@ int capi_sign(gnutls_privkey_t key, void *userdata,
break;
default:
digest_size = sizeof(digest);
- ret =
- decode_ber_digest_info(raw_data, &algo, digest,
- &digest_size);
+ ret = decode_ber_digest_info(raw_data, &algo, digest,
+ &digest_size);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -300,11 +281,11 @@ int capi_sign(gnutls_privkey_t key, void *userdata,
case GNUTLS_DIG_SHA1:
Algid = CALG_SHA1;
break;
-# ifdef NCRYPT_SHA224_ALGORITHM
+#ifdef NCRYPT_SHA224_ALGORITHM
case GNUTLS_DIG_SHA224:
Algid = CALG_SHA_224;
break;
-# endif
+#endif
case GNUTLS_DIG_SHA256:
Algid = CALG_SHA_256;
break;
@@ -315,8 +296,8 @@ int capi_sign(gnutls_privkey_t key, void *userdata,
Algid = CALG_SHA_512;
break;
default:
- return
- gnutls_assert_val(GNUTLS_E_UNKNOWN_HASH_ALGORITHM);
+ return gnutls_assert_val(
+ GNUTLS_E_UNKNOWN_HASH_ALGORITHM);
}
}
@@ -336,9 +317,9 @@ int capi_sign(gnutls_privkey_t key, void *userdata,
goto fail;
}
- if (!CryptGetHashParam
- (hHash, HP_HASHSIZE, (BYTE *) & size1, &sizesize, 0)
- || digest_size != size1) {
+ if (!CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE *)&size1, &sizesize,
+ 0) ||
+ digest_size != size1) {
gnutls_assert();
_gnutls_debug_log("error in hash size: %d\n", (int)size1);
ret = GNUTLS_E_PK_SIGN_FAILED;
@@ -359,8 +340,8 @@ int capi_sign(gnutls_privkey_t key, void *userdata,
if (signature->data == NULL)
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
- if (!CryptSignHash
- (hHash, priv->dwKeySpec, NULL, 0, signature->data, &ret_sig)) {
+ if (!CryptSignHash(hHash, priv->dwKeySpec, NULL, 0, signature->data,
+ &ret_sig)) {
gnutls_assert();
_gnutls_debug_log("error in signing: %d\n",
(int)GetLastError());
@@ -374,18 +355,18 @@ int capi_sign(gnutls_privkey_t key, void *userdata,
signature->size = ret_sig;
return 0;
- fail:
+fail:
if (hHash != 0)
CryptDestroyHash(hHash);
gnutls_free(signature->data);
return ret;
}
-static
-int capi_decrypt(gnutls_privkey_t key, void *userdata,
- const gnutls_datum_t * ciphertext, gnutls_datum_t * plaintext)
+static int capi_decrypt(gnutls_privkey_t key, void *userdata,
+ const gnutls_datum_t *ciphertext,
+ gnutls_datum_t *plaintext)
{
- priv_st *priv = (priv_st *) userdata;
+ priv_st *priv = (priv_st *)userdata;
DWORD size = 0;
int ret;
@@ -404,31 +385,29 @@ int capi_decrypt(gnutls_privkey_t key, void *userdata,
}
memcpy(plaintext->data, ciphertext->data, size);
- if (0 ==
- CryptDecrypt(priv->hCryptProv, 0, true, 0, plaintext->data,
- &size)) {
+ if (0 == CryptDecrypt(priv->hCryptProv, 0, true, 0, plaintext->data,
+ &size)) {
gnutls_assert();
ret = GNUTLS_E_PK_DECRYPTION_FAILED;
goto fail;
}
return 0;
- fail:
+fail:
gnutls_free(plaintext->data);
return ret;
}
-static
-void capi_deinit(gnutls_privkey_t key, void *userdata)
+static void capi_deinit(gnutls_privkey_t key, void *userdata)
{
- priv_st *priv = (priv_st *) userdata;
+ priv_st *priv = (priv_st *)userdata;
CryptReleaseContext(priv->hCryptProv, 0);
gnutls_free(priv);
}
static int capi_info(gnutls_privkey_t key, unsigned int flags, void *userdata)
{
- priv_st *priv = (priv_st *) userdata;
+ priv_st *priv = (priv_st *)userdata;
if (flags & GNUTLS_PRIVKEY_INFO_PK_ALGO)
return priv->pk;
@@ -437,18 +416,16 @@ static int capi_info(gnutls_privkey_t key, unsigned int flags, void *userdata)
return -1;
}
-static
-int privkey_import_capi(gnutls_privkey_t pkey, const char *url,
- priv_st * priv, CRYPT_KEY_PROV_INFO * kpi)
+static int privkey_import_capi(gnutls_privkey_t pkey, const char *url,
+ priv_st *priv, CRYPT_KEY_PROV_INFO *kpi)
{
HCRYPTPROV hCryptProv = 0;
int ret, enc_too = 0;
DWORD i, dwErrCode = 0;
- if (CryptAcquireContextW(&hCryptProv,
- kpi->pwszContainerName,
- kpi->pwszProvName,
- kpi->dwProvType, kpi->dwFlags)) {
+ if (CryptAcquireContextW(&hCryptProv, kpi->pwszContainerName,
+ kpi->pwszProvName, kpi->dwProvType,
+ kpi->dwFlags)) {
for (i = 0; i < kpi->cProvParam; i++)
if (!CryptSetProvParam(hCryptProv,
kpi->rgProvParam[i].dwParam,
@@ -462,20 +439,19 @@ int privkey_import_capi(gnutls_privkey_t pkey, const char *url,
}
if (ERROR_SUCCESS != dwErrCode) {
- _gnutls_debug_log
- ("error in getting cryptprov: %d from %s\n",
- (int)GetLastError(), url);
+ _gnutls_debug_log("error in getting cryptprov: %d from %s\n",
+ (int)GetLastError(), url);
ret = gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
goto cleanup;
}
{
BYTE buf[100 + sizeof(PROV_ENUMALGS_EX) * 2];
- PROV_ENUMALGS_EX *pAlgo = (PROV_ENUMALGS_EX *) buf;
+ PROV_ENUMALGS_EX *pAlgo = (PROV_ENUMALGS_EX *)buf;
DWORD len = sizeof(buf);
- if (CryptGetProvParam
- (hCryptProv, PP_ENUMALGS_EX, buf, &len, CRYPT_FIRST)) {
+ if (CryptGetProvParam(hCryptProv, PP_ENUMALGS_EX, buf, &len,
+ CRYPT_FIRST)) {
DWORD hash = 0;
do {
switch (pAlgo->aiAlgid) {
@@ -484,10 +460,9 @@ int privkey_import_capi(gnutls_privkey_t pkey, const char *url,
enc_too = 1;
break;
case CALG_DSS_SIGN:
- priv->pk =
- priv->pk ==
- GNUTLS_PK_RSA ?
- GNUTLS_PK_RSA : GNUTLS_PK_DSA;
+ priv->pk = priv->pk == GNUTLS_PK_RSA ?
+ GNUTLS_PK_RSA :
+ GNUTLS_PK_DSA;
break;
case CALG_SHA1:
hash = 1;
@@ -499,18 +474,16 @@ int privkey_import_capi(gnutls_privkey_t pkey, const char *url,
break;
}
- len = sizeof(buf); // reset the buffer size
- } while (CryptGetProvParam
- (hCryptProv, PP_ENUMALGS_EX, buf, &len,
- CRYPT_NEXT));
+ len = sizeof(buf); // reset the buffer size
+ } while (CryptGetProvParam(hCryptProv, PP_ENUMALGS_EX,
+ buf, &len, CRYPT_NEXT));
if (priv->pk == GNUTLS_PK_DSA)
priv->sign_algo = GNUTLS_SIGN_DSA_SHA1;
else
priv->sign_algo =
- (hash >
- 1) ? GNUTLS_SIGN_RSA_SHA256 :
- GNUTLS_SIGN_RSA_SHA1;
+ (hash > 1) ? GNUTLS_SIGN_RSA_SHA256 :
+ GNUTLS_SIGN_RSA_SHA1;
}
}
@@ -518,21 +491,19 @@ int privkey_import_capi(gnutls_privkey_t pkey, const char *url,
priv->dwKeySpec = kpi->dwKeySpec;
ret = gnutls_privkey_import_ext3(pkey, priv, capi_sign,
- (enc_too !=
- 0) ? capi_decrypt : NULL,
+ (enc_too != 0) ? capi_decrypt : NULL,
capi_deinit, capi_info, 0);
- cleanup:
+cleanup:
if (ret < 0) {
if (hCryptProv != 0)
CryptReleaseContext(hCryptProv, 0);
}
return ret;
}
-#endif /* WINAPI_PARTITION_DESKTOP */
+#endif /* WINAPI_PARTITION_DESKTOP */
-static
-int cng_sign(gnutls_privkey_t key, void *userdata,
- const gnutls_datum_t * raw_data, gnutls_datum_t * signature)
+static int cng_sign(gnutls_privkey_t key, void *userdata,
+ const gnutls_datum_t *raw_data, gnutls_datum_t *signature)
{
priv_st *priv = userdata;
BCRYPT_PKCS1_PADDING_INFO _info;
@@ -550,17 +521,15 @@ int cng_sign(gnutls_privkey_t key, void *userdata,
signature->size = 0;
if (priv->pk == GNUTLS_PK_RSA) {
-
flags = BCRYPT_PAD_PKCS1;
info = &_info;
- if (raw_data->size == 36) { /* TLS 1.0 MD5+SHA1 */
+ if (raw_data->size == 36) { /* TLS 1.0 MD5+SHA1 */
_info.pszAlgId = NULL;
} else {
digest_size = sizeof(digest);
- ret =
- decode_ber_digest_info(raw_data, &algo, digest,
- &digest_size);
+ ret = decode_ber_digest_info(raw_data, &algo, digest,
+ &digest_size);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -583,17 +552,16 @@ int cng_sign(gnutls_privkey_t key, void *userdata,
_info.pszAlgId = NCRYPT_SHA512_ALGORITHM;
break;
default:
- return
- gnutls_assert_val
- (GNUTLS_E_UNKNOWN_HASH_ALGORITHM);
+ return gnutls_assert_val(
+ GNUTLS_E_UNKNOWN_HASH_ALGORITHM);
}
data.data = digest;
data.size = digest_size;
}
}
- r = pNCryptSignHash(priv->nc, info, data.data, data.size,
- NULL, 0, &ret_sig, flags);
+ r = pNCryptSignHash(priv->nc, info, data.data, data.size, NULL, 0,
+ &ret_sig, flags);
if (FAILED(r)) {
gnutls_assert();
_gnutls_debug_log("error in pre-signing: %d\n",
@@ -620,14 +588,14 @@ int cng_sign(gnutls_privkey_t key, void *userdata,
signature->size = ret_sig;
return 0;
- fail:
+fail:
gnutls_free(signature->data);
return ret;
}
-static
-int cng_decrypt(gnutls_privkey_t key, void *userdata,
- const gnutls_datum_t * ciphertext, gnutls_datum_t * plaintext)
+static int cng_decrypt(gnutls_privkey_t key, void *userdata,
+ const gnutls_datum_t *ciphertext,
+ gnutls_datum_t *plaintext)
{
priv_st *priv = userdata;
SECURITY_STATUS r;
@@ -641,8 +609,8 @@ int cng_decrypt(gnutls_privkey_t key, void *userdata,
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
}
- r = pNCryptDecrypt(priv->nc, ciphertext->data, ciphertext->size,
- NULL, NULL, 0, &ret_dec, NCRYPT_PAD_PKCS1_FLAG);
+ r = pNCryptDecrypt(priv->nc, ciphertext->data, ciphertext->size, NULL,
+ NULL, 0, &ret_dec, NCRYPT_PAD_PKCS1_FLAG);
if (FAILED(r)) {
gnutls_assert();
return GNUTLS_E_PK_DECRYPTION_FAILED;
@@ -655,9 +623,9 @@ int cng_decrypt(gnutls_privkey_t key, void *userdata,
return GNUTLS_E_MEMORY_ERROR;
}
- r = pNCryptDecrypt(priv->nc, ciphertext->data, ciphertext->size,
- NULL, plaintext->data, plaintext->size,
- &ret_dec, NCRYPT_PAD_PKCS1_FLAG);
+ r = pNCryptDecrypt(priv->nc, ciphertext->data, ciphertext->size, NULL,
+ plaintext->data, plaintext->size, &ret_dec,
+ NCRYPT_PAD_PKCS1_FLAG);
if (FAILED(r)) {
gnutls_assert();
ret = GNUTLS_E_PK_DECRYPTION_FAILED;
@@ -666,13 +634,12 @@ int cng_decrypt(gnutls_privkey_t key, void *userdata,
plaintext->size = ret_dec;
return 0;
- fail:
+fail:
gnutls_free(plaintext->data);
return ret;
}
-static
-void cng_deinit(gnutls_privkey_t key, void *userdata)
+static void cng_deinit(gnutls_privkey_t key, void *userdata)
{
priv_st *priv = userdata;
pNCryptFreeObject(priv->nc);
@@ -690,10 +657,9 @@ static int cng_info(gnutls_privkey_t key, unsigned int flags, void *userdata)
return -1;
}
-static
-int privkey_import_ncrypt(gnutls_privkey_t pkey, const char *url,
- priv_st * priv, CRYPT_KEY_PROV_INFO * kpi,
- NCRYPT_PROV_HANDLE * sctx)
+static int privkey_import_ncrypt(gnutls_privkey_t pkey, const char *url,
+ priv_st *priv, CRYPT_KEY_PROV_INFO *kpi,
+ NCRYPT_PROV_HANDLE *sctx)
{
SECURITY_STATUS r;
NCRYPT_KEY_HANDLE nc = 0;
@@ -707,9 +673,8 @@ int privkey_import_ncrypt(gnutls_privkey_t pkey, const char *url,
goto cleanup;
}
- r = pNCryptGetProperty(nc, NCRYPT_ALGORITHM_PROPERTY,
- (BYTE *) algo_str, sizeof(algo_str),
- &algo_str_size, 0);
+ r = pNCryptGetProperty(nc, NCRYPT_ALGORITHM_PROPERTY, (BYTE *)algo_str,
+ sizeof(algo_str), &algo_str_size, 0);
if (FAILED(r)) {
ret = gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
goto cleanup;
@@ -739,10 +704,9 @@ int privkey_import_ncrypt(gnutls_privkey_t pkey, const char *url,
priv->nc = nc;
ret = gnutls_privkey_import_ext3(pkey, priv, cng_sign,
- (enc_too !=
- 0) ? cng_decrypt : NULL,
+ (enc_too != 0) ? cng_decrypt : NULL,
cng_deinit, cng_info, 0);
- cleanup:
+cleanup:
if (ret < 0) {
if (nc != 0)
pNCryptFreeObject(nc);
@@ -766,9 +730,10 @@ int privkey_import_ncrypt(gnutls_privkey_t pkey, const char *url,
-*/
int _gnutls_privkey_import_system_url(gnutls_privkey_t pkey, const char *url)
{
-#if !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) && _WIN32_WINNT < 0x0A00 /*win10 */
+#if !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) && \
+ _WIN32_WINNT < 0x0A00 /*win10 */
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
-#else /* WINAPI_PARTITION_DESKTOP || _WIN32_WINNT_WIN10 */
+#else /* WINAPI_PARTITION_DESKTOP || _WIN32_WINNT_WIN10 */
uint8_t id[MAX_WID_SIZE];
HCERTSTORE store = NULL;
size_t id_size;
@@ -799,26 +764,24 @@ int _gnutls_privkey_import_system_url(gnutls_privkey_t pkey, const char *url)
blob.cbData = id_size;
blob.pbData = id;
- store =
- CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0,
- CERT_SYSTEM_STORE_CURRENT_USER, L"MY");
+ store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0,
+ CERT_SYSTEM_STORE_CURRENT_USER, L"MY");
if (store == NULL) {
gnutls_assert();
ret = GNUTLS_E_FILE_ERROR;
goto cleanup;
}
- cert = CertFindCertificateInStore(store,
- X509_ASN_ENCODING,
- 0,
- CERT_FIND_KEY_IDENTIFIER,
- &blob, NULL);
+ cert = CertFindCertificateInStore(store, X509_ASN_ENCODING, 0,
+ CERT_FIND_KEY_IDENTIFIER, &blob,
+ NULL);
if (cert == NULL) {
char buf[64];
_gnutls_debug_log("cannot find ID: %s from %s\n",
- _gnutls_bin2hex(id, id_size,
- buf, sizeof(buf), NULL), url);
+ _gnutls_bin2hex(id, id_size, buf, sizeof(buf),
+ NULL),
+ url);
ret = gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
goto cleanup;
}
@@ -850,7 +813,7 @@ int _gnutls_privkey_import_system_url(gnutls_privkey_t pkey, const char *url)
}
r = pNCryptOpenStorageProvider(&sctx, kpi->pwszProvName, 0);
- if (!FAILED(r)) { /* if this works carry on with CNG */
+ if (!FAILED(r)) { /* if this works carry on with CNG */
ret = privkey_import_ncrypt(pkey, url, priv, kpi, &sctx);
if (ret < 0) {
@@ -858,24 +821,24 @@ int _gnutls_privkey_import_system_url(gnutls_privkey_t pkey, const char *url)
goto cleanup;
}
} else {
-# if !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
+#if !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
/* CAPI is not supported in UWP */
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
-# else /* WINAPI_PARTITION_DESKTOP */
+#else /* WINAPI_PARTITION_DESKTOP */
/* this should be CAPI */
- _gnutls_debug_log
- ("error in opening CNG keystore: %x from %ls\n", (int)r,
- kpi->pwszProvName);
+ _gnutls_debug_log(
+ "error in opening CNG keystore: %x from %ls\n", (int)r,
+ kpi->pwszProvName);
ret = privkey_import_capi(pkey, url, priv, kpi);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
-# endif /* WINAPI_PARTITION_DESKTOP */
+#endif /* WINAPI_PARTITION_DESKTOP */
}
ret = 0;
- cleanup:
+cleanup:
if (ret < 0) {
gnutls_free(priv);
}
@@ -889,7 +852,7 @@ int _gnutls_privkey_import_system_url(gnutls_privkey_t pkey, const char *url)
CertCloseStore(store, 0);
return ret;
-#endif /* WINAPI_PARTITION_DESKTOP || _WIN32_WINNT_WIN10 */
+#endif /* WINAPI_PARTITION_DESKTOP || _WIN32_WINNT_WIN10 */
}
int _gnutls_x509_crt_import_system_url(gnutls_x509_crt_t crt, const char *url)
@@ -913,26 +876,24 @@ int _gnutls_x509_crt_import_system_url(gnutls_x509_crt_t crt, const char *url)
blob.cbData = id_size;
blob.pbData = id;
- store =
- CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0,
- CERT_SYSTEM_STORE_CURRENT_USER, L"MY");
+ store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0,
+ CERT_SYSTEM_STORE_CURRENT_USER, L"MY");
if (store == NULL) {
gnutls_assert();
ret = GNUTLS_E_FILE_ERROR;
goto cleanup;
}
- cert = CertFindCertificateInStore(store,
- X509_ASN_ENCODING,
- 0,
- CERT_FIND_KEY_IDENTIFIER,
- &blob, NULL);
+ cert = CertFindCertificateInStore(store, X509_ASN_ENCODING, 0,
+ CERT_FIND_KEY_IDENTIFIER, &blob,
+ NULL);
if (cert == NULL) {
char buf[64];
_gnutls_debug_log("cannot find ID: %s from %s\n",
- _gnutls_bin2hex(id, id_size,
- buf, sizeof(buf), NULL), url);
+ _gnutls_bin2hex(id, id_size, buf, sizeof(buf),
+ NULL),
+ url);
ret = gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
goto cleanup;
}
@@ -947,7 +908,7 @@ int _gnutls_x509_crt_import_system_url(gnutls_x509_crt_t crt, const char *url)
}
ret = 0;
- cleanup:
+cleanup:
if (cert != 0)
CertFreeCertificateContext(cert);
@@ -973,9 +934,8 @@ void gnutls_system_key_iter_deinit(gnutls_system_key_iter_t iter)
gnutls_free(iter);
}
-static
-int get_win_urls(const CERT_CONTEXT * cert, char **cert_url, char **key_url,
- char **label, gnutls_datum_t * der)
+static int get_win_urls(const CERT_CONTEXT *cert, char **cert_url,
+ char **key_url, char **label, gnutls_datum_t *der)
{
BOOL r;
int ret;
@@ -1013,9 +973,9 @@ int get_win_urls(const CERT_CONTEXT * cert, char **cert_url, char **key_url,
tl_size = sizeof(name);
r = CertGetCertificateContextProperty(cert, CERT_FRIENDLY_NAME_PROP_ID,
name, &tl_size);
- if (r != 0) { /* optional */
- ret =
- _gnutls_ucs2_to_utf8(name, tl_size, &tmp_label, bigendian);
+ if (r != 0) { /* optional */
+ ret = _gnutls_ucs2_to_utf8(name, tl_size, &tmp_label,
+ bigendian);
if (ret < 0) {
gnutls_assert();
goto fail;
@@ -1038,8 +998,8 @@ int get_win_urls(const CERT_CONTEXT * cert, char **cert_url, char **key_url,
goto fail;
}
- ret =
- _gnutls_buffer_append_printf(&str, WIN_URL "id=%s;type=cert", hex);
+ ret = _gnutls_buffer_append_printf(&str, WIN_URL "id=%s;type=cert",
+ hex);
if (ret < 0) {
gnutls_assert();
goto fail;
@@ -1052,9 +1012,8 @@ int get_win_urls(const CERT_CONTEXT * cert, char **cert_url, char **key_url,
goto fail;
}
- ret =
- _gnutls_buffer_append_escape(&str, tmp_label.data,
- tmp_label.size, " ");
+ ret = _gnutls_buffer_append_escape(&str, tmp_label.data,
+ tmp_label.size, " ");
if (ret < 0) {
gnutls_assert();
goto fail;
@@ -1071,9 +1030,8 @@ int get_win_urls(const CERT_CONTEXT * cert, char **cert_url, char **key_url,
*cert_url = (char *)str.data;
_gnutls_buffer_init(&str);
- ret =
- _gnutls_buffer_append_printf(&str, WIN_URL "id=%s;type=privkey",
- hex);
+ ret = _gnutls_buffer_append_printf(&str, WIN_URL "id=%s;type=privkey",
+ hex);
if (ret < 0) {
gnutls_assert();
goto fail;
@@ -1086,9 +1044,8 @@ int get_win_urls(const CERT_CONTEXT * cert, char **cert_url, char **key_url,
goto fail;
}
- ret =
- _gnutls_buffer_append_escape(&str, tmp_label.data,
- tmp_label.size, " ");
+ ret = _gnutls_buffer_append_escape(&str, tmp_label.data,
+ tmp_label.size, " ");
if (ret < 0) {
gnutls_assert();
goto fail;
@@ -1108,7 +1065,7 @@ int get_win_urls(const CERT_CONTEXT * cert, char **cert_url, char **key_url,
ret = 0;
goto cleanup;
- fail:
+fail:
if (der)
gnutls_free(der->data);
if (cert_url)
@@ -1117,7 +1074,7 @@ int get_win_urls(const CERT_CONTEXT * cert, char **cert_url, char **key_url,
gnutls_free(*key_url);
if (label)
gnutls_free(*label);
- cleanup:
+cleanup:
_gnutls_buffer_clear(&str);
return ret;
}
@@ -1146,13 +1103,10 @@ int get_win_urls(const CERT_CONTEXT * cert, char **cert_url, char **key_url,
*
* Since: 3.4.0
**/
-int
-gnutls_system_key_iter_get_info(gnutls_system_key_iter_t * iter,
- unsigned cert_type,
- char **cert_url,
- char **key_url,
- char **label,
- gnutls_datum_t * der, unsigned int flags)
+int gnutls_system_key_iter_get_info(gnutls_system_key_iter_t *iter,
+ unsigned cert_type, char **cert_url,
+ char **key_url, char **label,
+ gnutls_datum_t *der, unsigned int flags)
{
if (ncrypt_init == 0)
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
@@ -1164,33 +1118,30 @@ gnutls_system_key_iter_get_info(gnutls_system_key_iter_t * iter,
if (*iter == NULL)
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
- (*iter)->store =
- CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0,
- CERT_SYSTEM_STORE_CURRENT_USER, L"MY");
+ (*iter)->store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0,
+ CERT_SYSTEM_STORE_CURRENT_USER,
+ L"MY");
if ((*iter)->store == NULL) {
gnutls_free(*iter);
*iter = NULL;
- return
- gnutls_assert_val
- (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
+ return gnutls_assert_val(
+ GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
}
(*iter)->cert =
- CertEnumCertificatesInStore((*iter)->store, NULL);
+ CertEnumCertificatesInStore((*iter)->store, NULL);
return get_win_urls((*iter)->cert, cert_url, key_url, label,
der);
} else {
if ((*iter)->cert == NULL)
- return
- gnutls_assert_val
- (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
+ return gnutls_assert_val(
+ GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
- (*iter)->cert =
- CertEnumCertificatesInStore((*iter)->store, (*iter)->cert);
+ (*iter)->cert = CertEnumCertificatesInStore((*iter)->store,
+ (*iter)->cert);
return get_win_urls((*iter)->cert, cert_url, key_url, label,
der);
-
}
}
@@ -1239,23 +1190,20 @@ int gnutls_system_key_delete(const char *cert_url, const char *key_url)
blob.cbData = id_size;
blob.pbData = id;
- store =
- CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0,
- CERT_SYSTEM_STORE_CURRENT_USER, L"MY");
+ store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0,
+ CERT_SYSTEM_STORE_CURRENT_USER, L"MY");
if (store != NULL) {
do {
- cert = CertFindCertificateInStore(store,
- X509_ASN_ENCODING,
- 0,
- CERT_FIND_KEY_IDENTIFIER,
- &blob, cert);
+ cert = CertFindCertificateInStore(
+ store, X509_ASN_ENCODING, 0,
+ CERT_FIND_KEY_IDENTIFIER, &blob, cert);
if (cert && key_url) {
nc_size = sizeof(nc);
- r = CertGetCertificateContextProperty(cert,
- CERT_NCRYPT_KEY_HANDLE_TRANSFER_PROP_ID,
- &nc,
- &nc_size);
+ r = CertGetCertificateContextProperty(
+ cert,
+ CERT_NCRYPT_KEY_HANDLE_TRANSFER_PROP_ID,
+ &nc, &nc_size);
if (r != 0) {
pNCryptDeleteKey(nc, 0);
pNCryptFreeObject(nc);
@@ -1411,9 +1359,8 @@ int gnutls_system_key_add_x509(gnutls_x509_crt_t crt,
goto cleanup;
}
- ret =
- gnutls_hash_fast(GNUTLS_DIG_SHA1, data.data, data.size,
- sha);
+ ret = gnutls_hash_fast(GNUTLS_DIG_SHA1, data.data, data.size,
+ sha);
gnutls_free(data.data);
if (ret < 0) {
gnutls_assert();
@@ -1423,11 +1370,9 @@ int gnutls_system_key_add_x509(gnutls_x509_crt_t crt,
blob.cbData = sizeof(sha);
blob.pbData = sha;
- cert = CertFindCertificateInStore(store,
- X509_ASN_ENCODING,
- 0,
- CERT_FIND_SHA1_HASH,
- &blob, NULL);
+ cert = CertFindCertificateInStore(store, X509_ASN_ENCODING, 0,
+ CERT_FIND_SHA1_HASH, &blob,
+ NULL);
if (cert == NULL) {
gnutls_assert();
@@ -1444,7 +1389,7 @@ int gnutls_system_key_add_x509(gnutls_x509_crt_t crt,
ret = 0;
- cleanup:
+cleanup:
if (p12 != NULL)
gnutls_pkcs12_deinit(p12);
if (bag1 != NULL)
@@ -1467,53 +1412,51 @@ int _gnutls_system_key_init(void)
return gnutls_assert_val(GNUTLS_E_CRYPTO_INIT_FAILED);
}
- pNCryptDeleteKey =
- (NCryptDeleteKeyFunc) GetProcAddress(ncrypt_lib, "NCryptDeleteKey");
+ pNCryptDeleteKey = (NCryptDeleteKeyFunc)GetProcAddress(
+ ncrypt_lib, "NCryptDeleteKey");
if (pNCryptDeleteKey == NULL) {
ret = GNUTLS_E_CRYPTO_INIT_FAILED;
goto fail;
}
pNCryptOpenStorageProvider =
- (NCryptOpenStorageProviderFunc) GetProcAddress(ncrypt_lib,
- "NCryptOpenStorageProvider");
+ (NCryptOpenStorageProviderFunc)GetProcAddress(
+ ncrypt_lib, "NCryptOpenStorageProvider");
if (pNCryptOpenStorageProvider == NULL) {
ret = GNUTLS_E_CRYPTO_INIT_FAILED;
goto fail;
}
pNCryptOpenKey =
- (NCryptOpenKeyFunc) GetProcAddress(ncrypt_lib, "NCryptOpenKey");
+ (NCryptOpenKeyFunc)GetProcAddress(ncrypt_lib, "NCryptOpenKey");
if (pNCryptOpenKey == NULL) {
ret = GNUTLS_E_CRYPTO_INIT_FAILED;
goto fail;
}
- pNCryptGetProperty =
- (NCryptGetPropertyFunc) GetProcAddress(ncrypt_lib,
- "NCryptGetProperty");
+ pNCryptGetProperty = (NCryptGetPropertyFunc)GetProcAddress(
+ ncrypt_lib, "NCryptGetProperty");
if (pNCryptGetProperty == NULL) {
ret = GNUTLS_E_CRYPTO_INIT_FAILED;
goto fail;
}
- pNCryptFreeObject =
- (NCryptFreeObjectFunc) GetProcAddress(ncrypt_lib,
- "NCryptFreeObject");
+ pNCryptFreeObject = (NCryptFreeObjectFunc)GetProcAddress(
+ ncrypt_lib, "NCryptFreeObject");
if (pNCryptFreeObject == NULL) {
ret = GNUTLS_E_CRYPTO_INIT_FAILED;
goto fail;
}
pNCryptDecrypt =
- (NCryptDecryptFunc) GetProcAddress(ncrypt_lib, "NCryptDecrypt");
+ (NCryptDecryptFunc)GetProcAddress(ncrypt_lib, "NCryptDecrypt");
if (pNCryptDecrypt == NULL) {
ret = GNUTLS_E_CRYPTO_INIT_FAILED;
goto fail;
}
- pNCryptSignHash =
- (NCryptSignHashFunc) GetProcAddress(ncrypt_lib, "NCryptSignHash");
+ pNCryptSignHash = (NCryptSignHashFunc)GetProcAddress(ncrypt_lib,
+ "NCryptSignHash");
if (pNCryptSignHash == NULL) {
ret = GNUTLS_E_CRYPTO_INIT_FAILED;
goto fail;
@@ -1521,7 +1464,7 @@ int _gnutls_system_key_init(void)
ncrypt_init = 1;
return 0;
- fail:
+fail:
FreeLibrary(ncrypt_lib);
return ret;
#else
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
index bb59fab7c0..060194bdf6 100644
--- a/lib/system/ktls.c
+++ b/lib/system/ktls.c
@@ -25,14 +25,14 @@
#ifdef ENABLE_KTLS
-# include <linux/tls.h>
-# include <record.h>
-# include <sys/socket.h>
-# include <netinet/tcp.h>
-# include <unistd.h>
-# include <errno.h>
-# include "ext/session_ticket.h"
-# include <sys/sendfile.h>
+#include <linux/tls.h>
+#include <record.h>
+#include <sys/socket.h>
+#include <netinet/tcp.h>
+#include <unistd.h>
+#include <errno.h>
+#include "ext/session_ticket.h"
+#include <sys/sendfile.h>
/**
* gnutls_transport_is_ktls_enabled:
@@ -67,18 +67,18 @@ void _gnutls_ktls_enable(gnutls_session_t session)
session->internals.ktls_enabled |= GNUTLS_KTLS_SEND;
}
} else {
- _gnutls_record_log
- ("Unable to set TCP_ULP for read socket: %d\n", errno);
+ _gnutls_record_log(
+ "Unable to set TCP_ULP for read socket: %d\n", errno);
}
if (sockin != sockout) {
- if (setsockopt(sockout, SOL_TCP, TCP_ULP, "tls", sizeof("tls"))
- == 0) {
+ if (setsockopt(sockout, SOL_TCP, TCP_ULP, "tls",
+ sizeof("tls")) == 0) {
session->internals.ktls_enabled |= GNUTLS_KTLS_SEND;
} else {
- _gnutls_record_log
- ("Unable to set TCP_ULP for write socket: %d\n",
- errno);
+ _gnutls_record_log(
+ "Unable to set TCP_ULP for write socket: %d\n",
+ errno);
}
}
}
@@ -117,203 +117,170 @@ int _gnutls_ktls_set_keys(gnutls_session_t session,
if (in & GNUTLS_KTLS_RECV) {
switch (cipher) {
- case GNUTLS_CIPHER_AES_128_GCM:
- {
- struct tls12_crypto_info_aes_gcm_128
- crypto_info;
- memset(&crypto_info, 0, sizeof(crypto_info));
-
- crypto_info.info.cipher_type =
- TLS_CIPHER_AES_GCM_128;
- assert(cipher_key.size ==
- TLS_CIPHER_AES_GCM_128_KEY_SIZE);
-
- /* for TLS 1.2 IV is generated in kernel */
- if (version == GNUTLS_TLS1_2) {
- crypto_info.info.version =
- TLS_1_2_VERSION;
- memcpy(crypto_info.iv, seq_number,
- TLS_CIPHER_AES_GCM_128_IV_SIZE);
- } else {
- crypto_info.info.version =
- TLS_1_3_VERSION;
- assert(iv.size ==
- TLS_CIPHER_AES_GCM_128_SALT_SIZE
- +
+ case GNUTLS_CIPHER_AES_128_GCM: {
+ struct tls12_crypto_info_aes_gcm_128 crypto_info;
+ memset(&crypto_info, 0, sizeof(crypto_info));
+
+ crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_128;
+ assert(cipher_key.size ==
+ TLS_CIPHER_AES_GCM_128_KEY_SIZE);
+
+ /* for TLS 1.2 IV is generated in kernel */
+ if (version == GNUTLS_TLS1_2) {
+ crypto_info.info.version = TLS_1_2_VERSION;
+ memcpy(crypto_info.iv, seq_number,
+ TLS_CIPHER_AES_GCM_128_IV_SIZE);
+ } else {
+ crypto_info.info.version = TLS_1_3_VERSION;
+ assert(iv.size ==
+ TLS_CIPHER_AES_GCM_128_SALT_SIZE +
TLS_CIPHER_AES_GCM_128_IV_SIZE);
- memcpy(crypto_info.iv, iv.data +
+ memcpy(crypto_info.iv,
+ iv.data +
TLS_CIPHER_AES_GCM_128_SALT_SIZE,
- TLS_CIPHER_AES_GCM_128_IV_SIZE);
- }
+ TLS_CIPHER_AES_GCM_128_IV_SIZE);
+ }
- memcpy(crypto_info.salt, iv.data,
- TLS_CIPHER_AES_GCM_128_SALT_SIZE);
- memcpy(crypto_info.rec_seq, seq_number,
- TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
- memcpy(crypto_info.key, cipher_key.data,
- TLS_CIPHER_AES_GCM_128_KEY_SIZE);
-
- if (setsockopt(sockin, SOL_TLS, TLS_RX,
- &crypto_info,
- sizeof(crypto_info))) {
- session->internals.ktls_enabled &=
- ~GNUTLS_KTLS_RECV;
- return
- gnutls_assert_val
- (GNUTLS_E_INTERNAL_ERROR);
- }
+ memcpy(crypto_info.salt, iv.data,
+ TLS_CIPHER_AES_GCM_128_SALT_SIZE);
+ memcpy(crypto_info.rec_seq, seq_number,
+ TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+ memcpy(crypto_info.key, cipher_key.data,
+ TLS_CIPHER_AES_GCM_128_KEY_SIZE);
+
+ if (setsockopt(sockin, SOL_TLS, TLS_RX, &crypto_info,
+ sizeof(crypto_info))) {
+ session->internals.ktls_enabled &=
+ ~GNUTLS_KTLS_RECV;
+ return gnutls_assert_val(
+ GNUTLS_E_INTERNAL_ERROR);
}
- break;
- case GNUTLS_CIPHER_AES_256_GCM:
- {
- struct tls12_crypto_info_aes_gcm_256
- crypto_info;
- memset(&crypto_info, 0, sizeof(crypto_info));
-
- crypto_info.info.cipher_type =
- TLS_CIPHER_AES_GCM_256;
- assert(cipher_key.size ==
- TLS_CIPHER_AES_GCM_256_KEY_SIZE);
-
- /* for TLS 1.2 IV is generated in kernel */
- if (version == GNUTLS_TLS1_2) {
- crypto_info.info.version =
- TLS_1_2_VERSION;
- memcpy(crypto_info.iv, seq_number,
- TLS_CIPHER_AES_GCM_256_IV_SIZE);
- } else {
- crypto_info.info.version =
- TLS_1_3_VERSION;
- assert(iv.size ==
- TLS_CIPHER_AES_GCM_256_SALT_SIZE
- +
+ } break;
+ case GNUTLS_CIPHER_AES_256_GCM: {
+ struct tls12_crypto_info_aes_gcm_256 crypto_info;
+ memset(&crypto_info, 0, sizeof(crypto_info));
+
+ crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_256;
+ assert(cipher_key.size ==
+ TLS_CIPHER_AES_GCM_256_KEY_SIZE);
+
+ /* for TLS 1.2 IV is generated in kernel */
+ if (version == GNUTLS_TLS1_2) {
+ crypto_info.info.version = TLS_1_2_VERSION;
+ memcpy(crypto_info.iv, seq_number,
+ TLS_CIPHER_AES_GCM_256_IV_SIZE);
+ } else {
+ crypto_info.info.version = TLS_1_3_VERSION;
+ assert(iv.size ==
+ TLS_CIPHER_AES_GCM_256_SALT_SIZE +
TLS_CIPHER_AES_GCM_256_IV_SIZE);
- memcpy(crypto_info.iv,
- iv.data +
+ memcpy(crypto_info.iv,
+ iv.data +
TLS_CIPHER_AES_GCM_256_SALT_SIZE,
- TLS_CIPHER_AES_GCM_256_IV_SIZE);
- }
+ TLS_CIPHER_AES_GCM_256_IV_SIZE);
+ }
- memcpy(crypto_info.salt, iv.data,
- TLS_CIPHER_AES_GCM_256_SALT_SIZE);
- memcpy(crypto_info.rec_seq, seq_number,
- TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
- memcpy(crypto_info.key, cipher_key.data,
- TLS_CIPHER_AES_GCM_256_KEY_SIZE);
-
- if (setsockopt(sockin, SOL_TLS, TLS_RX,
- &crypto_info,
- sizeof(crypto_info))) {
- session->internals.ktls_enabled &=
- ~GNUTLS_KTLS_RECV;
- return
- gnutls_assert_val
- (GNUTLS_E_INTERNAL_ERROR);
- }
+ memcpy(crypto_info.salt, iv.data,
+ TLS_CIPHER_AES_GCM_256_SALT_SIZE);
+ memcpy(crypto_info.rec_seq, seq_number,
+ TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+ memcpy(crypto_info.key, cipher_key.data,
+ TLS_CIPHER_AES_GCM_256_KEY_SIZE);
+
+ if (setsockopt(sockin, SOL_TLS, TLS_RX, &crypto_info,
+ sizeof(crypto_info))) {
+ session->internals.ktls_enabled &=
+ ~GNUTLS_KTLS_RECV;
+ return gnutls_assert_val(
+ GNUTLS_E_INTERNAL_ERROR);
}
- break;
- case GNUTLS_CIPHER_AES_128_CCM:
- {
- struct tls12_crypto_info_aes_ccm_128
- crypto_info;
- memset(&crypto_info, 0, sizeof(crypto_info));
-
- crypto_info.info.cipher_type =
- TLS_CIPHER_AES_CCM_128;
- assert(cipher_key.size ==
- TLS_CIPHER_AES_CCM_128_KEY_SIZE);
-
- /* for TLS 1.2 IV is generated in kernel */
- if (version == GNUTLS_TLS1_2) {
- crypto_info.info.version =
- TLS_1_2_VERSION;
- memcpy(crypto_info.iv, seq_number,
- TLS_CIPHER_AES_CCM_128_IV_SIZE);
- } else {
- crypto_info.info.version =
- TLS_1_3_VERSION;
- assert(iv.size ==
- TLS_CIPHER_AES_CCM_128_SALT_SIZE
- +
+ } break;
+ case GNUTLS_CIPHER_AES_128_CCM: {
+ struct tls12_crypto_info_aes_ccm_128 crypto_info;
+ memset(&crypto_info, 0, sizeof(crypto_info));
+
+ crypto_info.info.cipher_type = TLS_CIPHER_AES_CCM_128;
+ assert(cipher_key.size ==
+ TLS_CIPHER_AES_CCM_128_KEY_SIZE);
+
+ /* for TLS 1.2 IV is generated in kernel */
+ if (version == GNUTLS_TLS1_2) {
+ crypto_info.info.version = TLS_1_2_VERSION;
+ memcpy(crypto_info.iv, seq_number,
+ TLS_CIPHER_AES_CCM_128_IV_SIZE);
+ } else {
+ crypto_info.info.version = TLS_1_3_VERSION;
+ assert(iv.size ==
+ TLS_CIPHER_AES_CCM_128_SALT_SIZE +
TLS_CIPHER_AES_CCM_128_IV_SIZE);
- memcpy(crypto_info.iv, iv.data +
+ memcpy(crypto_info.iv,
+ iv.data +
TLS_CIPHER_AES_CCM_128_SALT_SIZE,
- TLS_CIPHER_AES_CCM_128_IV_SIZE);
- }
+ TLS_CIPHER_AES_CCM_128_IV_SIZE);
+ }
- memcpy(crypto_info.salt, iv.data,
- TLS_CIPHER_AES_CCM_128_SALT_SIZE);
- memcpy(crypto_info.rec_seq, seq_number,
- TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
- memcpy(crypto_info.key, cipher_key.data,
- TLS_CIPHER_AES_CCM_128_KEY_SIZE);
-
- if (setsockopt(sockin, SOL_TLS, TLS_RX,
- &crypto_info,
- sizeof(crypto_info))) {
- session->internals.ktls_enabled &=
- ~GNUTLS_KTLS_RECV;
- return
- gnutls_assert_val
- (GNUTLS_E_INTERNAL_ERROR);
- }
+ memcpy(crypto_info.salt, iv.data,
+ TLS_CIPHER_AES_CCM_128_SALT_SIZE);
+ memcpy(crypto_info.rec_seq, seq_number,
+ TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+ memcpy(crypto_info.key, cipher_key.data,
+ TLS_CIPHER_AES_CCM_128_KEY_SIZE);
+
+ if (setsockopt(sockin, SOL_TLS, TLS_RX, &crypto_info,
+ sizeof(crypto_info))) {
+ session->internals.ktls_enabled &=
+ ~GNUTLS_KTLS_RECV;
+ return gnutls_assert_val(
+ GNUTLS_E_INTERNAL_ERROR);
}
- break;
- case GNUTLS_CIPHER_CHACHA20_POLY1305:
- {
- struct tls12_crypto_info_chacha20_poly1305
- crypto_info;
- memset(&crypto_info, 0, sizeof(crypto_info));
-
- crypto_info.info.cipher_type =
- TLS_CIPHER_CHACHA20_POLY1305;
- assert(cipher_key.size ==
- TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
-
- /* for TLS 1.2 IV is generated in kernel */
- if (version == GNUTLS_TLS1_2) {
- crypto_info.info.version =
- TLS_1_2_VERSION;
- memcpy(crypto_info.iv, seq_number,
- TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
- } else {
- crypto_info.info.version =
- TLS_1_3_VERSION;
- assert(iv.size ==
- TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE
- +
+ } break;
+ case GNUTLS_CIPHER_CHACHA20_POLY1305: {
+ struct tls12_crypto_info_chacha20_poly1305 crypto_info;
+ memset(&crypto_info, 0, sizeof(crypto_info));
+
+ crypto_info.info.cipher_type =
+ TLS_CIPHER_CHACHA20_POLY1305;
+ assert(cipher_key.size ==
+ TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
+
+ /* for TLS 1.2 IV is generated in kernel */
+ if (version == GNUTLS_TLS1_2) {
+ crypto_info.info.version = TLS_1_2_VERSION;
+ memcpy(crypto_info.iv, seq_number,
+ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
+ } else {
+ crypto_info.info.version = TLS_1_3_VERSION;
+ assert(iv.size ==
+ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE +
TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
- memcpy(crypto_info.iv, iv.data +
+ memcpy(crypto_info.iv,
+ iv.data +
TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE,
- TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
- }
+ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
+ }
- memcpy(crypto_info.salt, iv.data,
- TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE);
- memcpy(crypto_info.rec_seq, seq_number,
- TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
- memcpy(crypto_info.key, cipher_key.data,
- TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
-
- if (setsockopt(sockin, SOL_TLS, TLS_RX,
- &crypto_info,
- sizeof(crypto_info))) {
- session->internals.ktls_enabled &=
- ~GNUTLS_KTLS_RECV;
- return
- gnutls_assert_val
- (GNUTLS_E_INTERNAL_ERROR);
- }
+ memcpy(crypto_info.salt, iv.data,
+ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE);
+ memcpy(crypto_info.rec_seq, seq_number,
+ TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
+ memcpy(crypto_info.key, cipher_key.data,
+ TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
+
+ if (setsockopt(sockin, SOL_TLS, TLS_RX, &crypto_info,
+ sizeof(crypto_info))) {
+ session->internals.ktls_enabled &=
+ ~GNUTLS_KTLS_RECV;
+ return gnutls_assert_val(
+ GNUTLS_E_INTERNAL_ERROR);
}
- break;
+ } break;
default:
assert(0);
}
-
}
ret = gnutls_record_get_state(session, 0, &mac_key, &iv, &cipher_key,
@@ -324,210 +291,175 @@ int _gnutls_ktls_set_keys(gnutls_session_t session,
if (in & GNUTLS_KTLS_SEND) {
switch (cipher) {
- case GNUTLS_CIPHER_AES_128_GCM:
- {
- struct tls12_crypto_info_aes_gcm_128
- crypto_info;
- memset(&crypto_info, 0, sizeof(crypto_info));
-
- crypto_info.info.cipher_type =
- TLS_CIPHER_AES_GCM_128;
-
- assert(cipher_key.size ==
- TLS_CIPHER_AES_GCM_128_KEY_SIZE);
-
- /* for TLS 1.2 IV is generated in kernel */
- if (version == GNUTLS_TLS1_2) {
- crypto_info.info.version =
- TLS_1_2_VERSION;
- memcpy(crypto_info.iv, seq_number,
- TLS_CIPHER_AES_GCM_128_IV_SIZE);
- } else {
- crypto_info.info.version =
- TLS_1_3_VERSION;
- assert(iv.size ==
- TLS_CIPHER_AES_GCM_128_SALT_SIZE
- +
+ case GNUTLS_CIPHER_AES_128_GCM: {
+ struct tls12_crypto_info_aes_gcm_128 crypto_info;
+ memset(&crypto_info, 0, sizeof(crypto_info));
+
+ crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_128;
+
+ assert(cipher_key.size ==
+ TLS_CIPHER_AES_GCM_128_KEY_SIZE);
+
+ /* for TLS 1.2 IV is generated in kernel */
+ if (version == GNUTLS_TLS1_2) {
+ crypto_info.info.version = TLS_1_2_VERSION;
+ memcpy(crypto_info.iv, seq_number,
+ TLS_CIPHER_AES_GCM_128_IV_SIZE);
+ } else {
+ crypto_info.info.version = TLS_1_3_VERSION;
+ assert(iv.size ==
+ TLS_CIPHER_AES_GCM_128_SALT_SIZE +
TLS_CIPHER_AES_GCM_128_IV_SIZE);
- memcpy(crypto_info.iv,
- iv.data +
+ memcpy(crypto_info.iv,
+ iv.data +
TLS_CIPHER_AES_GCM_128_SALT_SIZE,
- TLS_CIPHER_AES_GCM_128_IV_SIZE);
- }
+ TLS_CIPHER_AES_GCM_128_IV_SIZE);
+ }
- memcpy(crypto_info.salt, iv.data,
- TLS_CIPHER_AES_GCM_128_SALT_SIZE);
- memcpy(crypto_info.rec_seq, seq_number,
- TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
- memcpy(crypto_info.key, cipher_key.data,
- TLS_CIPHER_AES_GCM_128_KEY_SIZE);
-
- if (setsockopt(sockout, SOL_TLS, TLS_TX,
- &crypto_info,
- sizeof(crypto_info))) {
- session->internals.ktls_enabled &=
- ~GNUTLS_KTLS_SEND;
- return
- gnutls_assert_val
- (GNUTLS_E_INTERNAL_ERROR);
- }
+ memcpy(crypto_info.salt, iv.data,
+ TLS_CIPHER_AES_GCM_128_SALT_SIZE);
+ memcpy(crypto_info.rec_seq, seq_number,
+ TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+ memcpy(crypto_info.key, cipher_key.data,
+ TLS_CIPHER_AES_GCM_128_KEY_SIZE);
+
+ if (setsockopt(sockout, SOL_TLS, TLS_TX, &crypto_info,
+ sizeof(crypto_info))) {
+ session->internals.ktls_enabled &=
+ ~GNUTLS_KTLS_SEND;
+ return gnutls_assert_val(
+ GNUTLS_E_INTERNAL_ERROR);
}
- break;
- case GNUTLS_CIPHER_AES_256_GCM:
- {
- struct tls12_crypto_info_aes_gcm_256
- crypto_info;
- memset(&crypto_info, 0, sizeof(crypto_info));
-
- crypto_info.info.cipher_type =
- TLS_CIPHER_AES_GCM_256;
- assert(cipher_key.size ==
- TLS_CIPHER_AES_GCM_256_KEY_SIZE);
-
- /* for TLS 1.2 IV is generated in kernel */
- if (version == GNUTLS_TLS1_2) {
- crypto_info.info.version =
- TLS_1_2_VERSION;
- memcpy(crypto_info.iv, seq_number,
- TLS_CIPHER_AES_GCM_256_IV_SIZE);
- } else {
- crypto_info.info.version =
- TLS_1_3_VERSION;
- assert(iv.size ==
- TLS_CIPHER_AES_GCM_256_SALT_SIZE
- +
+ } break;
+ case GNUTLS_CIPHER_AES_256_GCM: {
+ struct tls12_crypto_info_aes_gcm_256 crypto_info;
+ memset(&crypto_info, 0, sizeof(crypto_info));
+
+ crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_256;
+ assert(cipher_key.size ==
+ TLS_CIPHER_AES_GCM_256_KEY_SIZE);
+
+ /* for TLS 1.2 IV is generated in kernel */
+ if (version == GNUTLS_TLS1_2) {
+ crypto_info.info.version = TLS_1_2_VERSION;
+ memcpy(crypto_info.iv, seq_number,
+ TLS_CIPHER_AES_GCM_256_IV_SIZE);
+ } else {
+ crypto_info.info.version = TLS_1_3_VERSION;
+ assert(iv.size ==
+ TLS_CIPHER_AES_GCM_256_SALT_SIZE +
TLS_CIPHER_AES_GCM_256_IV_SIZE);
- memcpy(crypto_info.iv,
- iv.data +
+ memcpy(crypto_info.iv,
+ iv.data +
TLS_CIPHER_AES_GCM_256_SALT_SIZE,
- TLS_CIPHER_AES_GCM_256_IV_SIZE);
- }
+ TLS_CIPHER_AES_GCM_256_IV_SIZE);
+ }
- memcpy(crypto_info.salt, iv.data,
- TLS_CIPHER_AES_GCM_256_SALT_SIZE);
- memcpy(crypto_info.rec_seq, seq_number,
- TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
- memcpy(crypto_info.key, cipher_key.data,
- TLS_CIPHER_AES_GCM_256_KEY_SIZE);
-
- if (setsockopt(sockout, SOL_TLS, TLS_TX,
- &crypto_info,
- sizeof(crypto_info))) {
- session->internals.ktls_enabled &=
- ~GNUTLS_KTLS_SEND;
- return
- gnutls_assert_val
- (GNUTLS_E_INTERNAL_ERROR);
- }
+ memcpy(crypto_info.salt, iv.data,
+ TLS_CIPHER_AES_GCM_256_SALT_SIZE);
+ memcpy(crypto_info.rec_seq, seq_number,
+ TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+ memcpy(crypto_info.key, cipher_key.data,
+ TLS_CIPHER_AES_GCM_256_KEY_SIZE);
+
+ if (setsockopt(sockout, SOL_TLS, TLS_TX, &crypto_info,
+ sizeof(crypto_info))) {
+ session->internals.ktls_enabled &=
+ ~GNUTLS_KTLS_SEND;
+ return gnutls_assert_val(
+ GNUTLS_E_INTERNAL_ERROR);
}
- break;
- case GNUTLS_CIPHER_AES_128_CCM:
- {
- struct tls12_crypto_info_aes_ccm_128
- crypto_info;
- memset(&crypto_info, 0, sizeof(crypto_info));
-
- crypto_info.info.cipher_type =
- TLS_CIPHER_AES_CCM_128;
- assert(cipher_key.size ==
- TLS_CIPHER_AES_CCM_128_KEY_SIZE);
-
- /* for TLS 1.2 IV is generated in kernel */
- if (version == GNUTLS_TLS1_2) {
- crypto_info.info.version =
- TLS_1_2_VERSION;
- memcpy(crypto_info.iv, seq_number,
- TLS_CIPHER_AES_CCM_128_IV_SIZE);
- } else {
- crypto_info.info.version =
- TLS_1_3_VERSION;
- assert(iv.size ==
- TLS_CIPHER_AES_CCM_128_SALT_SIZE
- +
+ } break;
+ case GNUTLS_CIPHER_AES_128_CCM: {
+ struct tls12_crypto_info_aes_ccm_128 crypto_info;
+ memset(&crypto_info, 0, sizeof(crypto_info));
+
+ crypto_info.info.cipher_type = TLS_CIPHER_AES_CCM_128;
+ assert(cipher_key.size ==
+ TLS_CIPHER_AES_CCM_128_KEY_SIZE);
+
+ /* for TLS 1.2 IV is generated in kernel */
+ if (version == GNUTLS_TLS1_2) {
+ crypto_info.info.version = TLS_1_2_VERSION;
+ memcpy(crypto_info.iv, seq_number,
+ TLS_CIPHER_AES_CCM_128_IV_SIZE);
+ } else {
+ crypto_info.info.version = TLS_1_3_VERSION;
+ assert(iv.size ==
+ TLS_CIPHER_AES_CCM_128_SALT_SIZE +
TLS_CIPHER_AES_CCM_128_IV_SIZE);
- memcpy(crypto_info.iv,
- iv.data +
+ memcpy(crypto_info.iv,
+ iv.data +
TLS_CIPHER_AES_CCM_128_SALT_SIZE,
- TLS_CIPHER_AES_CCM_128_IV_SIZE);
- }
+ TLS_CIPHER_AES_CCM_128_IV_SIZE);
+ }
- memcpy(crypto_info.salt, iv.data,
- TLS_CIPHER_AES_CCM_128_SALT_SIZE);
- memcpy(crypto_info.rec_seq, seq_number,
- TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
- memcpy(crypto_info.key, cipher_key.data,
- TLS_CIPHER_AES_CCM_128_KEY_SIZE);
-
- if (setsockopt(sockout, SOL_TLS, TLS_TX,
- &crypto_info,
- sizeof(crypto_info))) {
- session->internals.ktls_enabled &=
- ~GNUTLS_KTLS_SEND;
- return
- gnutls_assert_val
- (GNUTLS_E_INTERNAL_ERROR);
- }
+ memcpy(crypto_info.salt, iv.data,
+ TLS_CIPHER_AES_CCM_128_SALT_SIZE);
+ memcpy(crypto_info.rec_seq, seq_number,
+ TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+ memcpy(crypto_info.key, cipher_key.data,
+ TLS_CIPHER_AES_CCM_128_KEY_SIZE);
+
+ if (setsockopt(sockout, SOL_TLS, TLS_TX, &crypto_info,
+ sizeof(crypto_info))) {
+ session->internals.ktls_enabled &=
+ ~GNUTLS_KTLS_SEND;
+ return gnutls_assert_val(
+ GNUTLS_E_INTERNAL_ERROR);
}
- break;
- case GNUTLS_CIPHER_CHACHA20_POLY1305:
- {
- struct tls12_crypto_info_chacha20_poly1305
- crypto_info;
- memset(&crypto_info, 0, sizeof(crypto_info));
-
- crypto_info.info.cipher_type =
- TLS_CIPHER_CHACHA20_POLY1305;
- assert(cipher_key.size ==
- TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
-
- /* for TLS 1.2 IV is generated in kernel */
- if (version == GNUTLS_TLS1_2) {
- crypto_info.info.version =
- TLS_1_2_VERSION;
- memcpy(crypto_info.iv, seq_number,
- TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
- } else {
- crypto_info.info.version =
- TLS_1_3_VERSION;
- assert(iv.size ==
- TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE
- +
+ } break;
+ case GNUTLS_CIPHER_CHACHA20_POLY1305: {
+ struct tls12_crypto_info_chacha20_poly1305 crypto_info;
+ memset(&crypto_info, 0, sizeof(crypto_info));
+
+ crypto_info.info.cipher_type =
+ TLS_CIPHER_CHACHA20_POLY1305;
+ assert(cipher_key.size ==
+ TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
+
+ /* for TLS 1.2 IV is generated in kernel */
+ if (version == GNUTLS_TLS1_2) {
+ crypto_info.info.version = TLS_1_2_VERSION;
+ memcpy(crypto_info.iv, seq_number,
+ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
+ } else {
+ crypto_info.info.version = TLS_1_3_VERSION;
+ assert(iv.size ==
+ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE +
TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
- memcpy(crypto_info.iv,
- iv.data +
+ memcpy(crypto_info.iv,
+ iv.data +
TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE,
- TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
- }
+ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
+ }
- memcpy(crypto_info.salt, iv.data,
- TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE);
- memcpy(crypto_info.rec_seq, seq_number,
- TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
- memcpy(crypto_info.key, cipher_key.data,
- TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
-
- if (setsockopt(sockout, SOL_TLS, TLS_TX,
- &crypto_info,
- sizeof(crypto_info))) {
- session->internals.ktls_enabled &=
- ~GNUTLS_KTLS_SEND;
- return
- gnutls_assert_val
- (GNUTLS_E_INTERNAL_ERROR);
- }
+ memcpy(crypto_info.salt, iv.data,
+ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE);
+ memcpy(crypto_info.rec_seq, seq_number,
+ TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
+ memcpy(crypto_info.key, cipher_key.data,
+ TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
+
+ if (setsockopt(sockout, SOL_TLS, TLS_TX, &crypto_info,
+ sizeof(crypto_info))) {
+ session->internals.ktls_enabled &=
+ ~GNUTLS_KTLS_SEND;
+ return gnutls_assert_val(
+ GNUTLS_E_INTERNAL_ERROR);
}
- break;
+ } break;
default:
assert(0);
}
// set callback for sending handshake messages
- gnutls_handshake_set_read_function(session,
- _gnutls_ktls_send_handshake_msg);
+ gnutls_handshake_set_read_function(
+ session, _gnutls_ktls_send_handshake_msg);
// set callback for sending alert messages
gnutls_alert_set_read_function(session,
@@ -537,8 +469,8 @@ int _gnutls_ktls_set_keys(gnutls_session_t session,
return in;
}
-ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd,
- off_t * offset, size_t count)
+ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd, off_t *offset,
+ size_t count)
{
ssize_t ret;
int sockin, sockout;
@@ -578,7 +510,7 @@ int _gnutls_ktls_send_control_msg(gnutls_session_t session,
while (data_to_send > 0) {
char cmsg[CMSG_SPACE(sizeof(unsigned char))];
struct msghdr msg = { 0 };
- struct iovec msg_iov; /* Vector of data to send/receive into. */
+ struct iovec msg_iov; /* Vector of data to send/receive into. */
struct cmsghdr *hdr;
msg.msg_control = cmsg;
@@ -632,8 +564,8 @@ int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
gnutls_handshake_description_t htype,
const void *data, size_t data_size)
{
- return _gnutls_ktls_send_control_msg(session, GNUTLS_HANDSHAKE,
- data, data_size);
+ return _gnutls_ktls_send_control_msg(session, GNUTLS_HANDSHAKE, data,
+ data_size);
}
int _gnutls_ktls_send_alert_msg(gnutls_session_t session,
@@ -642,8 +574,8 @@ int _gnutls_ktls_send_alert_msg(gnutls_session_t session,
gnutls_alert_description_t alert_desc)
{
uint8_t data[2];
- data[0] = (uint8_t) alert_level;
- data[1] = (uint8_t) alert_desc;
+ data[0] = (uint8_t)alert_level;
+ data[1] = (uint8_t)alert_desc;
return _gnutls_ktls_send_control_msg(session, GNUTLS_ALERT, data, 2);
}
@@ -720,23 +652,23 @@ int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type,
unsigned char record_type;
int ret;
- ret = _gnutls_ktls_recv_control_msg(session,
- &record_type, data, data_size);
+ ret = _gnutls_ktls_recv_control_msg(session, &record_type, data,
+ data_size);
if (ret > 0) {
switch (record_type) {
case GNUTLS_CHANGE_CIPHER_SPEC:
- return
- gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
+ return gnutls_assert_val(
+ GNUTLS_E_UNIMPLEMENTED_FEATURE);
break;
case GNUTLS_ALERT:
session_invalidate(session);
ret = 0;
break;
case GNUTLS_HANDSHAKE:
- ret = gnutls_handshake_write(session,
- GNUTLS_ENCRYPTION_LEVEL_APPLICATION,
- data, ret);
+ ret = gnutls_handshake_write(
+ session, GNUTLS_ENCRYPTION_LEVEL_APPLICATION,
+ data, ret);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -758,7 +690,7 @@ int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type,
return ret;
}
-#else //ENABLE_KTLS
+#else //ENABLE_KTLS
gnutls_transport_ktls_enable_flags_t
gnutls_transport_is_ktls_enabled(gnutls_session_t session)
{
@@ -775,8 +707,8 @@ int _gnutls_ktls_set_keys(gnutls_session_t sessioni,
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
}
-ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd,
- off_t * offset, size_t count)
+ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd, off_t *offset,
+ size_t count)
{
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
}
@@ -803,4 +735,4 @@ int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type,
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
}
-#endif //ENABLE_KTLS
+#endif //ENABLE_KTLS
diff --git a/lib/system/ktls.h b/lib/system/ktls.h
index 186612e326..65c5cf149e 100644
--- a/lib/system/ktls.h
+++ b/lib/system/ktls.h
@@ -1,15 +1,15 @@
#ifndef GNUTLS_LIB_ACCELERATED_KTLS_H
-# define GNUTLS_LIB_ACCELERATED_KTLS_H
+#define GNUTLS_LIB_ACCELERATED_KTLS_H
-# include "gnutls_int.h"
+#include "gnutls_int.h"
void _gnutls_ktls_enable(gnutls_session_t session);
int _gnutls_ktls_set_keys(gnutls_session_t session,
gnutls_transport_ktls_enable_flags_t in);
-ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd,
- off_t * offset, size_t count);
+ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd, off_t *offset,
+ size_t count);
int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
gnutls_record_encryption_level_t level,
@@ -24,7 +24,8 @@ int _gnutls_ktls_send_alert_msg(gnutls_session_t session,
int _gnutls_ktls_send_control_msg(gnutls_session_t session,
unsigned char record_type, const void *data,
size_t data_size);
-# define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z);
+#define _gnutls_ktls_send(x, y, z) \
+ _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z);
int _gnutls_ktls_recv_control_msg(gnutls_session_t session,
unsigned char *record_type, void *data,
@@ -32,6 +33,7 @@ int _gnutls_ktls_recv_control_msg(gnutls_session_t session,
int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type,
void *data, size_t data_size);
-# define _gnutls_ktls_recv(x, y, z) _gnutls_ktls_recv_int(x, GNUTLS_APPLICATION_DATA, y, z)
+#define _gnutls_ktls_recv(x, y, z) \
+ _gnutls_ktls_recv_int(x, GNUTLS_APPLICATION_DATA, y, z)
-#endif /* GNUTLS_LIB_ACCELERATED_KTLS_H */
+#endif /* GNUTLS_LIB_ACCELERATED_KTLS_H */
diff --git a/lib/system/sockets.c b/lib/system/sockets.c
index 6367114f30..f8eb62c2c6 100644
--- a/lib/system/sockets.c
+++ b/lib/system/sockets.c
@@ -32,9 +32,9 @@
#include <sys/types.h>
#ifdef _WIN32
-# include <windows.h>
-#else /* !_WIN32 */
-# include <poll.h>
+#include <windows.h>
+#else /* !_WIN32 */
+#include <poll.h>
#endif
/* System specific socket function wrappers.
@@ -44,9 +44,9 @@
/* Do not use the gnulib functions for sending and receiving data.
* Using them makes gnutls only working with gnulib applications.
*/
-# undef send
-# undef recv
-# undef select
+#undef send
+#undef recv
+#undef select
int system_errno(gnutls_transport_ptr p)
{
@@ -74,14 +74,14 @@ int system_errno(gnutls_transport_ptr p)
return ret;
}
-ssize_t
-system_write(gnutls_transport_ptr ptr, const void *data, size_t data_size)
+ssize_t system_write(gnutls_transport_ptr ptr, const void *data,
+ size_t data_size)
{
return send(GNUTLS_POINTER_TO_INT(ptr), data, data_size, 0);
}
-ssize_t
-system_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt)
+ssize_t system_writev(gnutls_transport_ptr_t ptr, const giovec_t *iovec,
+ int iovec_cnt)
{
WSABUF bufs[32];
DWORD bytes_sent;
@@ -91,28 +91,30 @@ system_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt)
if ((size_t)iovec_cnt > sizeof(bufs) / sizeof(bufs[0]))
iovec_cnt = sizeof(bufs) / sizeof(bufs[0]);
- while (to_send_cnt < (DWORD) iovec_cnt && to_send_bytes < SSIZE_MAX) {
+ while (to_send_cnt < (DWORD)iovec_cnt && to_send_bytes < SSIZE_MAX) {
bufs[to_send_cnt].buf = iovec[to_send_cnt].iov_base;
if (to_send_bytes + iovec[to_send_cnt].iov_len > SSIZE_MAX) {
/* Return value limit: successful result value cannot
* exceed SSIZE_MAX */
size_t space_left = (size_t)SSIZE_MAX - to_send_bytes;
- bufs[to_send_cnt].len = (unsigned long)
- (space_left > ULONG_MAX ? ULONG_MAX : space_left);
+ bufs[to_send_cnt].len =
+ (unsigned long)(space_left > ULONG_MAX ?
+ ULONG_MAX :
+ space_left);
to_send_cnt++;
break;
}
-# ifdef _WIN64
+#ifdef _WIN64
if (iovec[to_send_cnt].iov_len > ULONG_MAX) {
/* WSASend() limitation */
bufs[to_send_cnt].len = ULONG_MAX;
to_send_cnt++;
break;
}
-# endif
+#endif
bufs[to_send_cnt].len =
- (unsigned long)iovec[to_send_cnt].iov_len;
+ (unsigned long)iovec[to_send_cnt].iov_len;
to_send_bytes += iovec[to_send_cnt].iov_len;
to_send_cnt++;
}
@@ -121,23 +123,22 @@ system_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt)
0, NULL, NULL) != 0)
return -1;
- return (ssize_t) bytes_sent;
+ return (ssize_t)bytes_sent;
}
-#else /* POSIX */
+#else /* POSIX */
int system_errno(gnutls_transport_ptr_t ptr)
{
-# if defined(_AIX) || defined(AIX)
+#if defined(_AIX) || defined(AIX)
if (errno == 0)
errno = EAGAIN;
-# endif
+#endif
return errno;
}
-static ssize_t
-_system_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec,
- int iovec_cnt, int flags)
+static ssize_t _system_writev(gnutls_transport_ptr_t ptr, const giovec_t *iovec,
+ int iovec_cnt, int flags)
{
struct msghdr hdr;
@@ -148,18 +149,17 @@ _system_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec,
return sendmsg(GNUTLS_POINTER_TO_INT(ptr), &hdr, flags);
}
-# ifdef MSG_NOSIGNAL
-ssize_t
-system_writev_nosignal(gnutls_transport_ptr_t ptr, const giovec_t * iovec,
- int iovec_cnt)
+#ifdef MSG_NOSIGNAL
+ssize_t system_writev_nosignal(gnutls_transport_ptr_t ptr,
+ const giovec_t *iovec, int iovec_cnt)
{
return _system_writev(ptr, iovec, iovec_cnt, MSG_NOSIGNAL);
}
-# endif
+#endif
-ssize_t
-system_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt)
+ssize_t system_writev(gnutls_transport_ptr_t ptr, const giovec_t *iovec,
+ int iovec_cnt)
{
return _system_writev(ptr, iovec, iovec_cnt, 0);
}
diff --git a/lib/system/threads.c b/lib/system/threads.c
index a98cd968c3..bca790a21f 100644
--- a/lib/system/threads.c
+++ b/lib/system/threads.c
@@ -57,7 +57,7 @@ static int gnutls_system_mutex_init(void **priv)
static int gnutls_system_mutex_deinit(void **priv)
{
- if (glthread_lock_destroy((gl_lock_t *) * priv)) {
+ if (glthread_lock_destroy((gl_lock_t *)*priv)) {
return gnutls_assert_val(GNUTLS_E_LOCKING_ERROR);
}
free(*priv);
@@ -66,7 +66,7 @@ static int gnutls_system_mutex_deinit(void **priv)
static int gnutls_system_mutex_lock(void **priv)
{
- if (glthread_lock_lock((gl_lock_t *) * priv)) {
+ if (glthread_lock_lock((gl_lock_t *)*priv)) {
return gnutls_assert_val(GNUTLS_E_LOCKING_ERROR);
}
return 0;
@@ -74,7 +74,7 @@ static int gnutls_system_mutex_lock(void **priv)
static int gnutls_system_mutex_unlock(void **priv)
{
- if (glthread_lock_unlock((gl_lock_t *) * priv)) {
+ if (glthread_lock_unlock((gl_lock_t *)*priv)) {
return gnutls_assert_val(GNUTLS_E_LOCKING_ERROR);
}
return 0;
View Lorry Controller Status