diff options
Diffstat (limited to 'lib/system')
-rw-r--r-- | lib/system/certs.c | 223 | ||||
-rw-r--r-- | lib/system/fastopen.c | 107 | ||||
-rw-r--r-- | lib/system/keys-dummy.c | 11 | ||||
-rw-r--r-- | lib/system/keys-win.c | 521 | ||||
-rw-r--r-- | lib/system/ktls.c | 704 | ||||
-rw-r--r-- | lib/system/ktls.h | 16 | ||||
-rw-r--r-- | lib/system/sockets.c | 60 | ||||
-rw-r--r-- | lib/system/threads.c | 6 |
8 files changed, 748 insertions, 900 deletions
diff --git a/lib/system/certs.c b/lib/system/certs.c index b7d9a0b312..4c649b2141 100644 --- a/lib/system/certs.c +++ b/lib/system/certs.c @@ -32,22 +32,22 @@ #include "system.h" #ifdef _WIN32 -# include <windows.h> -# include <wincrypt.h> +#include <windows.h> +#include <wincrypt.h> -#else /* !_WIN32 */ +#else /* !_WIN32 */ -# include <poll.h> +#include <poll.h> -# if defined(HAVE_GETPWUID_R) -# include <pwd.h> -# endif +#if defined(HAVE_GETPWUID_R) +#include <pwd.h> +#endif #endif #ifdef __APPLE__ -# include <CoreFoundation/CoreFoundation.h> -# include <Security/Security.h> -# include <Availability.h> +#include <CoreFoundation/CoreFoundation.h> +#include <Security/Security.h> +#include <Availability.h> #endif /* System specific function wrappers for certificate stores. @@ -103,59 +103,49 @@ int _gnutls_find_config_path(char *path, size_t max_size) return 0; } -#if defined(DEFAULT_TRUST_STORE_FILE) || (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11)) -static -int -add_system_trust(gnutls_x509_trust_list_t list, - unsigned int tl_flags, unsigned int tl_vflags) +#if defined(DEFAULT_TRUST_STORE_FILE) || \ + (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11)) +static int add_system_trust(gnutls_x509_trust_list_t list, + unsigned int tl_flags, unsigned int tl_vflags) { int ret, r = 0; const char *crl_file = -# ifdef DEFAULT_CRL_FILE - DEFAULT_CRL_FILE; -# else - NULL; -# endif - -# if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11) - ret = - gnutls_x509_trust_list_add_trust_file(list, - DEFAULT_TRUST_STORE_PKCS11, - crl_file, - GNUTLS_X509_FMT_DER, - tl_flags, tl_vflags); +#ifdef DEFAULT_CRL_FILE + DEFAULT_CRL_FILE; +#else + NULL; +#endif + +#if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11) + ret = gnutls_x509_trust_list_add_trust_file( + list, DEFAULT_TRUST_STORE_PKCS11, crl_file, GNUTLS_X509_FMT_DER, + tl_flags, tl_vflags); if (ret > 0) r += ret; -# endif - -# ifdef DEFAULT_TRUST_STORE_FILE - ret = - gnutls_x509_trust_list_add_trust_file(list, - DEFAULT_TRUST_STORE_FILE, - crl_file, - GNUTLS_X509_FMT_PEM, - tl_flags, tl_vflags); +#endif + +#ifdef DEFAULT_TRUST_STORE_FILE + ret = gnutls_x509_trust_list_add_trust_file( + list, DEFAULT_TRUST_STORE_FILE, crl_file, GNUTLS_X509_FMT_PEM, + tl_flags, tl_vflags); if (ret > 0) r += ret; -# endif +#endif -# ifdef DEFAULT_BLOCKLIST_FILE - ret = - gnutls_x509_trust_list_remove_trust_file(list, - DEFAULT_BLOCKLIST_FILE, - GNUTLS_X509_FMT_PEM); +#ifdef DEFAULT_BLOCKLIST_FILE + ret = gnutls_x509_trust_list_remove_trust_file( + list, DEFAULT_BLOCKLIST_FILE, GNUTLS_X509_FMT_PEM); if (ret < 0) { _gnutls_debug_log("Could not load blocklist file '%s'\n", DEFAULT_BLOCKLIST_FILE); } -# endif +#endif return r; } #elif defined(_WIN32) -static -int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, - unsigned int tl_vflags) +static int add_system_trust(gnutls_x509_trust_list_t list, + unsigned int tl_flags, unsigned int tl_vflags) { unsigned int i; int r = 0; @@ -167,15 +157,13 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, gnutls_datum_t data; if (i == 0) - store = - CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, - CERT_SYSTEM_STORE_CURRENT_USER, - L"ROOT"); + store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, + CERT_SYSTEM_STORE_CURRENT_USER, + L"ROOT"); else - store = - CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, - CERT_SYSTEM_STORE_CURRENT_USER, - L"CA"); + store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, + CERT_SYSTEM_STORE_CURRENT_USER, + L"CA"); if (store == NULL) return GNUTLS_E_FILE_ERROR; @@ -187,10 +175,10 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, if (cert->dwCertEncodingType == X509_ASN_ENCODING) { data.data = cert->pbCertEncoded; data.size = cert->cbCertEncoded; - if (gnutls_x509_trust_list_add_trust_mem - (list, &data, NULL, - GNUTLS_X509_FMT_DER, tl_flags, - tl_vflags) > 0) + if (gnutls_x509_trust_list_add_trust_mem( + list, &data, NULL, + GNUTLS_X509_FMT_DER, tl_flags, + tl_vflags) > 0) r++; } cert = CertEnumCertificatesInStore(store, cert); @@ -200,40 +188,36 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, if (crl->dwCertEncodingType == X509_ASN_ENCODING) { data.data = crl->pbCrlEncoded; data.size = crl->cbCrlEncoded; - gnutls_x509_trust_list_add_trust_mem(list, - NULL, - &data, - GNUTLS_X509_FMT_DER, - tl_flags, - tl_vflags); + gnutls_x509_trust_list_add_trust_mem( + list, NULL, &data, GNUTLS_X509_FMT_DER, + tl_flags, tl_vflags); } crl = pCertEnumCRLsInStore(store, crl); } CertCloseStore(store, 0); } -# ifdef DEFAULT_BLOCKLIST_FILE - ret = - gnutls_x509_trust_list_remove_trust_file(list, - DEFAULT_BLOCKLIST_FILE, - GNUTLS_X509_FMT_PEM); +#ifdef DEFAULT_BLOCKLIST_FILE + ret = gnutls_x509_trust_list_remove_trust_file( + list, DEFAULT_BLOCKLIST_FILE, GNUTLS_X509_FMT_PEM); if (ret < 0) { _gnutls_debug_log("Could not load blocklist file '%s'\n", DEFAULT_BLOCKLIST_FILE); } -# endif +#endif return r; } -#elif defined(ANDROID) || defined(__ANDROID__) || defined(DEFAULT_TRUST_STORE_DIR) +#elif defined(ANDROID) || defined(__ANDROID__) || \ + defined(DEFAULT_TRUST_STORE_DIR) -# include <dirent.h> -# include <unistd.h> +#include <dirent.h> +#include <unistd.h> -# if defined(ANDROID) || defined(__ANDROID__) -# define DEFAULT_TRUST_STORE_DIR "/system/etc/security/cacerts/" +#if defined(ANDROID) || defined(__ANDROID__) +#define DEFAULT_TRUST_STORE_DIR "/system/etc/security/cacerts/" -# define DEFAULT_REVOCATION_DIR "/data/misc/keychain/cacerts-removed" +#define DEFAULT_REVOCATION_DIR "/data/misc/keychain/cacerts-removed" static int load_revoked_certs(gnutls_x509_trust_list_t list, unsigned type) { @@ -261,8 +245,8 @@ static int load_revoked_certs(gnutls_x509_trust_list_t list, unsigned type) if (ret < 0) { continue; } - ret = gnutls_x509_trust_list_remove_trust_file - (list, pathbuf.ptr, type); + ret = gnutls_x509_trust_list_remove_trust_file( + list, pathbuf.ptr, type); if (ret >= 0) { r += ret; } @@ -274,42 +258,38 @@ static int load_revoked_certs(gnutls_x509_trust_list_t list, unsigned type) return r; } -# endif +#endif /* This works on android 4.x */ -static -int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, - unsigned int tl_vflags) +static int add_system_trust(gnutls_x509_trust_list_t list, + unsigned int tl_flags, unsigned int tl_vflags) { int r = 0, ret; - ret = - gnutls_x509_trust_list_add_trust_dir(list, DEFAULT_TRUST_STORE_DIR, - NULL, GNUTLS_X509_FMT_PEM, - tl_flags, tl_vflags); + ret = gnutls_x509_trust_list_add_trust_dir(list, + DEFAULT_TRUST_STORE_DIR, + NULL, GNUTLS_X509_FMT_PEM, + tl_flags, tl_vflags); if (ret >= 0) r += ret; -# if defined(ANDROID) || defined(__ANDROID__) +#if defined(ANDROID) || defined(__ANDROID__) ret = load_revoked_certs(list, GNUTLS_X509_FMT_DER); if (ret >= 0) r -= ret; - ret = - gnutls_x509_trust_list_add_trust_dir(list, - "/data/misc/keychain/cacerts-added/", - NULL, GNUTLS_X509_FMT_DER, - tl_flags, tl_vflags); + ret = gnutls_x509_trust_list_add_trust_dir( + list, "/data/misc/keychain/cacerts-added/", NULL, + GNUTLS_X509_FMT_DER, tl_flags, tl_vflags); if (ret >= 0) r += ret; -# endif +#endif return r; } #elif defined(__APPLE__) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070 -static -int osstatus_error(status) +static int osstatus_error(status) { CFStringRef err_str = SecCopyErrorMessageString(status, NULL); _gnutls_debug_log("Error loading system root certificates: %s\n", @@ -319,20 +299,18 @@ int osstatus_error(status) return GNUTLS_E_FILE_ERROR; } -static -int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, - unsigned int tl_vflags) +static int add_system_trust(gnutls_x509_trust_list_t list, + unsigned int tl_flags, unsigned int tl_vflags) { int r = 0; SecTrustSettingsDomain domain[] = { kSecTrustSettingsDomainUser, - kSecTrustSettingsDomainAdmin, - kSecTrustSettingsDomainSystem - }; + kSecTrustSettingsDomainAdmin, + kSecTrustSettingsDomainSystem }; for (size_t d = 0; d < sizeof(domain) / sizeof(*domain); d++) { CFArrayRef certs = NULL; - OSStatus status = SecTrustSettingsCopyCertificates(domain[d], - &certs); + OSStatus status = + SecTrustSettingsCopyCertificates(domain[d], &certs); if (status == errSecNoTrustSettings) continue; if (status != errSecSuccess) @@ -341,7 +319,7 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, int cert_count = CFArrayGetCount(certs); for (int i = 0; i < cert_count; i++) { SecCertificateRef cert = - (void *)CFArrayGetValueAtIndex(certs, i); + (void *)CFArrayGetValueAtIndex(certs, i); CFDataRef der; status = SecItemExport(cert, kSecFormatX509Cert, 0, NULL, &der); @@ -351,35 +329,35 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, return osstatus_error(status); } - if (gnutls_x509_trust_list_add_trust_mem(list, - & - (gnutls_datum_t) - { - .data = - (void *) - CFDataGetBytePtr(der),.size = CFDataGetLength(der),}, NULL, GNUTLS_X509_FMT_DER, tl_flags, tl_vflags) > 0) + if (gnutls_x509_trust_list_add_trust_mem( + list, + &(gnutls_datum_t){ + .data = (void *)CFDataGetBytePtr( + der), + .size = CFDataGetLength(der), + }, + NULL, GNUTLS_X509_FMT_DER, tl_flags, + tl_vflags) > 0) r++; CFRelease(der); } CFRelease(certs); } -# ifdef DEFAULT_BLOCKLIST_FILE - ret = - gnutls_x509_trust_list_remove_trust_file(list, - DEFAULT_BLOCKLIST_FILE, - GNUTLS_X509_FMT_PEM); +#ifdef DEFAULT_BLOCKLIST_FILE + ret = gnutls_x509_trust_list_remove_trust_file( + list, DEFAULT_BLOCKLIST_FILE, GNUTLS_X509_FMT_PEM); if (ret < 0) { _gnutls_debug_log("Could not load blocklist file '%s'\n", DEFAULT_BLOCKLIST_FILE); } -# endif +#endif return r; } #else -# define add_system_trust(x,y,z) GNUTLS_E_UNIMPLEMENTED_FEATURE +#define add_system_trust(x, y, z) GNUTLS_E_UNIMPLEMENTED_FEATURE #endif @@ -399,10 +377,9 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, * * Since: 3.1 **/ -int -gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list, - unsigned int tl_flags, - unsigned int tl_vflags) +int gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list, + unsigned int tl_flags, + unsigned int tl_vflags) { return add_system_trust(list, tl_flags | GNUTLS_TL_NO_DUPLICATES, tl_vflags); diff --git a/lib/system/fastopen.c b/lib/system/fastopen.c index e60abf4aa5..4369223144 100644 --- a/lib/system/fastopen.c +++ b/lib/system/fastopen.c @@ -26,23 +26,25 @@ #include "errors.h" #include <sys/socket.h> -#include <netinet/in.h> /* IPPROTO_TCP */ +#include <netinet/in.h> /* IPPROTO_TCP */ #include <errno.h> #include <sys/stat.h> #include <sys/types.h> /* Get TCP_FASTOPEN */ #ifdef HAVE_NETINET_TCP_H -# include <netinet/tcp.h> +#include <netinet/tcp.h> #endif /* TCP Fast Open on OSX behaves differently from Linux, so define these helpers */ -#if defined __APPLE__ && defined __MACH__ && defined CONNECT_DATA_IDEMPOTENT && defined CONNECT_RESUME_ON_READ_WRITE -# if defined __has_builtin && __has_builtin(__builtin_available) -# define TCP_FASTOPEN_OSX -# endif +#if defined __APPLE__ && defined __MACH__ && \ + defined CONNECT_DATA_IDEMPOTENT && \ + defined CONNECT_RESUME_ON_READ_WRITE +#if defined __has_builtin && __has_builtin(__builtin_available) +#define TCP_FASTOPEN_OSX +#endif #elif defined TCP_FASTOPEN && defined MSG_FASTOPEN -# define TCP_FASTOPEN_LINUX +#define TCP_FASTOPEN_LINUX #endif /* Do not use the gnulib functions for sending and receiving data. @@ -54,8 +56,8 @@ #undef connect #ifdef _WIN32 -static ssize_t -tfo_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt) +static ssize_t tfo_writev(gnutls_transport_ptr_t ptr, const giovec_t *iovec, + int iovec_cnt) { tfo_st *p = ptr; int fd = p->fd; @@ -80,9 +82,9 @@ tfo_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt) return system_writev(GNUTLS_INT_TO_POINTER(fd), iovec, iovec_cnt); } -#else /* sendmsg */ -static ssize_t -tfo_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt) +#else /* sendmsg */ +static ssize_t tfo_writev(gnutls_transport_ptr_t ptr, const giovec_t *iovec, + int iovec_cnt) { tfo_st *p = ptr; int fd = p->fd; @@ -96,14 +98,14 @@ tfo_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt) if (likely(!p->connect_addrlen)) return sendmsg(fd, &hdr, p->flags); -# if defined(TCP_FASTOPEN_LINUX) +#if defined(TCP_FASTOPEN_LINUX) if (!p->connect_only) { int on = 1; - if (setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &on, sizeof(on)) - == -1) - _gnutls_debug_log - ("Failed to set socket option FASTOPEN\n"); + if (setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &on, + sizeof(on)) == -1) + _gnutls_debug_log( + "Failed to set socket option FASTOPEN\n"); hdr.msg_name = &p->connect_addr; hdr.msg_namelen = p->connect_addrlen; @@ -113,20 +115,19 @@ tfo_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt) if (ret < 0) { if (errno == EINPROGRESS) { gnutls_assert(); - errno = EAGAIN; // GnuTLS does not handle EINPROGRESS + errno = EAGAIN; // GnuTLS does not handle EINPROGRESS } else if (errno == EOPNOTSUPP) { // fallback from fastopen, e.g. when fastopen is disabled in system - _gnutls_debug_log - ("Fallback from TCP Fast Open... TFO is not enabled at system level\n"); + _gnutls_debug_log( + "Fallback from TCP Fast Open... TFO is not enabled at system level\n"); p->connect_only = 1; goto connect_only; } } } else { - connect_only: - ret = - connect(fd, (struct sockaddr *)&p->connect_addr, - p->connect_addrlen); + connect_only: + ret = connect(fd, (struct sockaddr *)&p->connect_addr, + p->connect_addrlen); if (errno == ENOTCONN || errno == EINPROGRESS) { gnutls_assert(); errno = EAGAIN; @@ -135,40 +136,37 @@ tfo_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt) if (ret == 0) p->connect_only = 0; } -# elif defined(TCP_FASTOPEN_OSX) +#elif defined(TCP_FASTOPEN_OSX) { - if (__builtin_available - (macOS 10.11, iOS 9.0, tvOS 9.0, watchOS 2.0, *)) { - sa_endpoints_t endpoints = {.sae_dstaddr = - (struct sockaddr *)&p-> - connect_addr,.sae_dstaddrlen = - p->connect_addrlen + if (__builtin_available(macOS 10.11, iOS 9.0, tvOS 9.0, + watchOS 2.0, *)) { + sa_endpoints_t endpoints = { + .sae_dstaddr = + (struct sockaddr *)&p->connect_addr, + .sae_dstaddrlen = p->connect_addrlen }; - ret = - connectx(fd, &endpoints, SAE_ASSOCID_ANY, - CONNECT_RESUME_ON_READ_WRITE | - CONNECT_DATA_IDEMPOTENT, NULL, 0, NULL, - NULL); + ret = connectx(fd, &endpoints, SAE_ASSOCID_ANY, + CONNECT_RESUME_ON_READ_WRITE | + CONNECT_DATA_IDEMPOTENT, + NULL, 0, NULL, NULL); } else { - ret = - connect(fd, (struct sockaddr *)&p->connect_addr, - p->connect_addrlen); + ret = connect(fd, (struct sockaddr *)&p->connect_addr, + p->connect_addrlen); } if (errno == ENOTCONN || errno == EINPROGRESS) { gnutls_assert(); errno = EAGAIN; } } -# else - ret = - connect(fd, (struct sockaddr *)&p->connect_addr, - p->connect_addrlen); +#else + ret = connect(fd, (struct sockaddr *)&p->connect_addr, + p->connect_addrlen); if (errno == ENOTCONN || errno == EINPROGRESS) { gnutls_assert(); errno = EAGAIN; } -# endif +#endif if (ret == 0 || errno != EAGAIN) { /* This has to be called just once, connect info not needed any more */ @@ -177,19 +175,18 @@ tfo_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt) return ret; } -#endif /* sendmsg */ +#endif /* sendmsg */ -static -int tfo_recv_timeout(gnutls_transport_ptr_t ptr, unsigned int ms) +static int tfo_recv_timeout(gnutls_transport_ptr_t ptr, unsigned int ms) { tfo_st *p = ptr; - return gnutls_system_recv_timeout((gnutls_transport_ptr_t) (long)p->fd, + return gnutls_system_recv_timeout((gnutls_transport_ptr_t)(long)p->fd, ms); } -static ssize_t -tfo_read(gnutls_transport_ptr_t ptr, void *data, size_t data_size) +static ssize_t tfo_read(gnutls_transport_ptr_t ptr, void *data, + size_t data_size) { tfo_st *p = ptr; @@ -228,13 +225,13 @@ tfo_read(gnutls_transport_ptr_t ptr, void *data, size_t data_size) * * Since: 3.5.3 **/ -void -gnutls_transport_set_fastopen(gnutls_session_t session, - int fd, struct sockaddr *connect_addr, - socklen_t connect_addrlen, unsigned int flags) +void gnutls_transport_set_fastopen(gnutls_session_t session, int fd, + struct sockaddr *connect_addr, + socklen_t connect_addrlen, + unsigned int flags) { if (connect_addrlen > - (socklen_t) sizeof(session->internals.tfo.connect_addr)) { + (socklen_t)sizeof(session->internals.tfo.connect_addr)) { gnutls_assert(); return; } diff --git a/lib/system/keys-dummy.c b/lib/system/keys-dummy.c index d2fb5910c4..750bee2b35 100644 --- a/lib/system/keys-dummy.c +++ b/lib/system/keys-dummy.c @@ -33,13 +33,10 @@ void gnutls_system_key_iter_deinit(gnutls_system_key_iter_t iter) return; } -int -gnutls_system_key_iter_get_info(gnutls_system_key_iter_t * iter, - unsigned cert_type, - char **cert_url, - char **key_url, - char **label, - gnutls_datum_t * der, unsigned int flags) +int gnutls_system_key_iter_get_info(gnutls_system_key_iter_t *iter, + unsigned cert_type, char **cert_url, + char **key_url, char **label, + gnutls_datum_t *der, unsigned int flags) { return GNUTLS_E_UNIMPLEMENTED_FEATURE; } diff --git a/lib/system/keys-win.c b/lib/system/keys-win.c index 27152558ef..3811b81b3b 100644 --- a/lib/system/keys-win.c +++ b/lib/system/keys-win.c @@ -22,8 +22,8 @@ // Before including any Windows header we need to set _WIN32_WINNT to Vista // (or higher) so that the NCRYPT stuff can be used. #if _WIN32_WINNT < 0x600 -# undef _WIN32_WINNT -# define _WIN32_WINNT 0x600 +#undef _WIN32_WINNT +#define _WIN32_WINNT 0x600 #endif #include <config.h> @@ -39,7 +39,7 @@ #include <urls.h> #if !defined(_WIN32) -# error should not be included +#error should not be included #endif #include <wincrypt.h> @@ -47,61 +47,60 @@ #include <winapifamily.h> #ifdef __MINGW32__ -# include <_mingw.h> -# ifdef __MINGW64_VERSION_MAJOR +#include <_mingw.h> +#ifdef __MINGW64_VERSION_MAJOR /* MinGW64 */ -# include <ncrypt.h> -# else +#include <ncrypt.h> +#else /* mingw.org's MinGW */ -# include <security.h> -# define BCRYPT_PAD_PKCS1 0x00000002 -# define BCRYPT_RSA_ALGORITHM L"RSA" -# define BCRYPT_DSA_ALGORITHM L"DSA" -# define BCRYPT_SHA1_ALGORITHM L"SHA1" -# define BCRYPT_SHA256_ALGORITHM L"SHA256" -# define BCRYPT_SHA384_ALGORITHM L"SHA384" -# define BCRYPT_SHA512_ALGORITHM L"SHA512" -# define BCRYPT_ECDSA_P256_ALGORITHM L"ECDSA_P256" -# define BCRYPT_ECDSA_P384_ALGORITHM L"ECDSA_P384" -# define BCRYPT_ECDSA_P521_ALGORITHM L"ECDSA_P521" +#include <security.h> +#define BCRYPT_PAD_PKCS1 0x00000002 +#define BCRYPT_RSA_ALGORITHM L"RSA" +#define BCRYPT_DSA_ALGORITHM L"DSA" +#define BCRYPT_SHA1_ALGORITHM L"SHA1" +#define BCRYPT_SHA256_ALGORITHM L"SHA256" +#define BCRYPT_SHA384_ALGORITHM L"SHA384" +#define BCRYPT_SHA512_ALGORITHM L"SHA512" +#define BCRYPT_ECDSA_P256_ALGORITHM L"ECDSA_P256" +#define BCRYPT_ECDSA_P384_ALGORITHM L"ECDSA_P384" +#define BCRYPT_ECDSA_P521_ALGORITHM L"ECDSA_P521" typedef ULONG_PTR NCRYPT_HANDLE; typedef ULONG_PTR NCRYPT_PROV_HANDLE; typedef ULONG_PTR NCRYPT_KEY_HANDLE; typedef struct _BCRYPT_PKCS1_PADDING_INFO { LPCWSTR pszAlgId; } BCRYPT_PKCS1_PADDING_INFO; -# endif -#else /* non-mingw */ -# include <ncrypt.h> +#endif +#else /* non-mingw */ +#include <ncrypt.h> #endif // MinGW headers may not have these defines #ifndef NCRYPT_SHA1_ALGORITHM -# define NCRYPT_SHA1_ALGORITHM BCRYPT_SHA1_ALGORITHM +#define NCRYPT_SHA1_ALGORITHM BCRYPT_SHA1_ALGORITHM #endif #ifndef NCRYPT_SHA256_ALGORITHM -# define NCRYPT_SHA256_ALGORITHM BCRYPT_SHA256_ALGORITHM +#define NCRYPT_SHA256_ALGORITHM BCRYPT_SHA256_ALGORITHM #endif #ifndef NCRYPT_SHA384_ALGORITHM -# define NCRYPT_SHA384_ALGORITHM BCRYPT_SHA384_ALGORITHM +#define NCRYPT_SHA384_ALGORITHM BCRYPT_SHA384_ALGORITHM #endif #ifndef NCRYPT_SHA512_ALGORITHM -# define NCRYPT_SHA512_ALGORITHM BCRYPT_SHA512_ALGORITHM +#define NCRYPT_SHA512_ALGORITHM BCRYPT_SHA512_ALGORITHM #endif #ifndef NCRYPT_PAD_PKCS1_FLAG -# define NCRYPT_PAD_PKCS1_FLAG 2 +#define NCRYPT_PAD_PKCS1_FLAG 2 #endif #ifndef NCRYPT_ALGORITHM_PROPERTY -# define NCRYPT_ALGORITHM_PROPERTY L"Algorithm Name" +#define NCRYPT_ALGORITHM_PROPERTY L"Algorithm Name" #endif #ifndef CERT_NCRYPT_KEY_HANDLE_TRANSFER_PROP_ID -# define CERT_NCRYPT_KEY_HANDLE_TRANSFER_PROP_ID 99 +#define CERT_NCRYPT_KEY_HANDLE_TRANSFER_PROP_ID 99 #endif #define MAX_WID_SIZE 48 -static -void *memrev(unsigned char *pvData, DWORD cbData); +static void *memrev(unsigned char *pvData, DWORD cbData); struct system_key_iter_st { HCERTSTORE store; @@ -109,57 +108,42 @@ struct system_key_iter_st { }; typedef struct priv_st { - DWORD dwKeySpec; /* CAPI key */ - HCRYPTPROV hCryptProv; /* CAPI keystore */ - NCRYPT_KEY_HANDLE nc; /* CNG Keystore */ + DWORD dwKeySpec; /* CAPI key */ + HCRYPTPROV hCryptProv; /* CAPI keystore */ + NCRYPT_KEY_HANDLE nc; /* CNG Keystore */ gnutls_pk_algorithm_t pk; gnutls_sign_algorithm_t sign_algo; } priv_st; -typedef SECURITY_STATUS(WINAPI * NCryptDeleteKeyFunc) (NCRYPT_KEY_HANDLE hKey, - DWORD dwFlags); - -typedef SECURITY_STATUS(WINAPI * - NCryptOpenStorageProviderFunc) (NCRYPT_PROV_HANDLE * - phProvider, - LPCWSTR pszProviderName, - DWORD dwFlags); - -typedef SECURITY_STATUS(WINAPI * - NCryptOpenKeyFunc) (NCRYPT_PROV_HANDLE hProvider, - NCRYPT_KEY_HANDLE * phKey, - LPCWSTR pszKeyName, - DWORD dwLegacyKeySpec, - DWORD dwFlags); - -typedef SECURITY_STATUS(WINAPI * NCryptGetPropertyFunc) (NCRYPT_HANDLE hObject, - LPCWSTR pszProperty, - PBYTE pbOutput, - DWORD cbOutput, - DWORD * pcbResult, - DWORD dwFlags); - -typedef SECURITY_STATUS(WINAPI * NCryptFreeObjectFunc) (NCRYPT_HANDLE hObject); - -typedef SECURITY_STATUS(WINAPI * NCryptDecryptFunc) (NCRYPT_KEY_HANDLE hKey, - PBYTE pbInput, - DWORD cbInput, - VOID * pPaddingInfo, - PBYTE pbOutput, - DWORD cbOutput, - DWORD * pcbResult, +typedef SECURITY_STATUS(WINAPI *NCryptDeleteKeyFunc)(NCRYPT_KEY_HANDLE hKey, DWORD dwFlags); -typedef SECURITY_STATUS(WINAPI * NCryptSignHashFunc) (NCRYPT_KEY_HANDLE hKey, - VOID * pPaddingInfo, - PBYTE pbHashValue, - DWORD cbHashValue, - PBYTE pbSignature, - DWORD cbSignature, - DWORD * pcbResult, - DWORD dwFlags); +typedef SECURITY_STATUS(WINAPI *NCryptOpenStorageProviderFunc)( + NCRYPT_PROV_HANDLE *phProvider, LPCWSTR pszProviderName, DWORD dwFlags); + +typedef SECURITY_STATUS(WINAPI *NCryptOpenKeyFunc)(NCRYPT_PROV_HANDLE hProvider, + NCRYPT_KEY_HANDLE *phKey, + LPCWSTR pszKeyName, + DWORD dwLegacyKeySpec, + DWORD dwFlags); + +typedef SECURITY_STATUS(WINAPI *NCryptGetPropertyFunc)( + NCRYPT_HANDLE hObject, LPCWSTR pszProperty, PBYTE pbOutput, + DWORD cbOutput, DWORD *pcbResult, DWORD dwFlags); + +typedef SECURITY_STATUS(WINAPI *NCryptFreeObjectFunc)(NCRYPT_HANDLE hObject); + +typedef SECURITY_STATUS(WINAPI *NCryptDecryptFunc)( + NCRYPT_KEY_HANDLE hKey, PBYTE pbInput, DWORD cbInput, + VOID *pPaddingInfo, PBYTE pbOutput, DWORD cbOutput, DWORD *pcbResult, + DWORD dwFlags); + +typedef SECURITY_STATUS(WINAPI *NCryptSignHashFunc)( + NCRYPT_KEY_HANDLE hKey, VOID *pPaddingInfo, PBYTE pbHashValue, + DWORD cbHashValue, PBYTE pbSignature, DWORD cbSignature, + DWORD *pcbResult, DWORD dwFlags); -static int StrCmpW(const WCHAR * str1, const WCHAR * str2) +static int StrCmpW(const WCHAR *str1, const WCHAR *str2) { while (*str1 && (*str1 == *str2)) { str1++; @@ -177,23 +161,23 @@ static NCryptFreeObjectFunc pNCryptFreeObject; static NCryptDecryptFunc pNCryptDecrypt; static NCryptSignHashFunc pNCryptSignHash; #else -# define pNCryptDeleteKey NCryptDeleteKey -# define pNCryptOpenStorageProvider NCryptOpenStorageProvider -# define pNCryptOpenKey NCryptOpenKey -# define pNCryptGetProperty NCryptGetProperty -# define pNCryptFreeObject NCryptFreeObject -# define pNCryptDecrypt NCryptDecrypt -# define pNCryptSignHash NCryptSignHash +#define pNCryptDeleteKey NCryptDeleteKey +#define pNCryptOpenStorageProvider NCryptOpenStorageProvider +#define pNCryptOpenKey NCryptOpenKey +#define pNCryptGetProperty NCryptGetProperty +#define pNCryptFreeObject NCryptFreeObject +#define pNCryptDecrypt NCryptDecrypt +#define pNCryptSignHash NCryptSignHash #endif static unsigned ncrypt_init = 0; static HMODULE ncrypt_lib; -#define WIN_URL SYSTEM_URL"win:" +#define WIN_URL SYSTEM_URL "win:" #define WIN_URL_SIZE 11 -static int -get_id(const char *url, uint8_t * bin, size_t *bin_size, unsigned cert) +static int get_id(const char *url, uint8_t *bin, size_t *bin_size, + unsigned cert) { int ret; unsigned url_size = strlen(url); @@ -201,12 +185,12 @@ get_id(const char *url, uint8_t * bin, size_t *bin_size, unsigned cert) gnutls_datum_t tmp; if (cert != 0) { - if (url_size < sizeof(WIN_URL) - || strncmp(url, WIN_URL, WIN_URL_SIZE) != 0) + if (url_size < sizeof(WIN_URL) || + strncmp(url, WIN_URL, WIN_URL_SIZE) != 0) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); } else { - if (url_size < sizeof(WIN_URL) - || strncmp(url, WIN_URL, WIN_URL_SIZE) != 0) + if (url_size < sizeof(WIN_URL) || + strncmp(url, WIN_URL, WIN_URL_SIZE) != 0) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); } @@ -234,8 +218,7 @@ get_id(const char *url, uint8_t * bin, size_t *bin_size, unsigned cert) } #if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) -static -void *memrev(unsigned char *pvData, DWORD cbData) +static void *memrev(unsigned char *pvData, DWORD cbData) { char t; DWORD i; @@ -248,11 +231,10 @@ void *memrev(unsigned char *pvData, DWORD cbData) return pvData; } -static -int capi_sign(gnutls_privkey_t key, void *userdata, - const gnutls_datum_t * raw_data, gnutls_datum_t * signature) +static int capi_sign(gnutls_privkey_t key, void *userdata, + const gnutls_datum_t *raw_data, gnutls_datum_t *signature) { - priv_st *priv = (priv_st *) userdata; + priv_st *priv = (priv_st *)userdata; ALG_ID Algid; HCRYPTHASH hHash = 0; uint8_t digest[MAX_HASH_SIZE]; @@ -290,9 +272,8 @@ int capi_sign(gnutls_privkey_t key, void *userdata, break; default: digest_size = sizeof(digest); - ret = - decode_ber_digest_info(raw_data, &algo, digest, - &digest_size); + ret = decode_ber_digest_info(raw_data, &algo, digest, + &digest_size); if (ret < 0) return gnutls_assert_val(ret); @@ -300,11 +281,11 @@ int capi_sign(gnutls_privkey_t key, void *userdata, case GNUTLS_DIG_SHA1: Algid = CALG_SHA1; break; -# ifdef NCRYPT_SHA224_ALGORITHM +#ifdef NCRYPT_SHA224_ALGORITHM case GNUTLS_DIG_SHA224: Algid = CALG_SHA_224; break; -# endif +#endif case GNUTLS_DIG_SHA256: Algid = CALG_SHA_256; break; @@ -315,8 +296,8 @@ int capi_sign(gnutls_privkey_t key, void *userdata, Algid = CALG_SHA_512; break; default: - return - gnutls_assert_val(GNUTLS_E_UNKNOWN_HASH_ALGORITHM); + return gnutls_assert_val( + GNUTLS_E_UNKNOWN_HASH_ALGORITHM); } } @@ -336,9 +317,9 @@ int capi_sign(gnutls_privkey_t key, void *userdata, goto fail; } - if (!CryptGetHashParam - (hHash, HP_HASHSIZE, (BYTE *) & size1, &sizesize, 0) - || digest_size != size1) { + if (!CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE *)&size1, &sizesize, + 0) || + digest_size != size1) { gnutls_assert(); _gnutls_debug_log("error in hash size: %d\n", (int)size1); ret = GNUTLS_E_PK_SIGN_FAILED; @@ -359,8 +340,8 @@ int capi_sign(gnutls_privkey_t key, void *userdata, if (signature->data == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - if (!CryptSignHash - (hHash, priv->dwKeySpec, NULL, 0, signature->data, &ret_sig)) { + if (!CryptSignHash(hHash, priv->dwKeySpec, NULL, 0, signature->data, + &ret_sig)) { gnutls_assert(); _gnutls_debug_log("error in signing: %d\n", (int)GetLastError()); @@ -374,18 +355,18 @@ int capi_sign(gnutls_privkey_t key, void *userdata, signature->size = ret_sig; return 0; - fail: +fail: if (hHash != 0) CryptDestroyHash(hHash); gnutls_free(signature->data); return ret; } -static -int capi_decrypt(gnutls_privkey_t key, void *userdata, - const gnutls_datum_t * ciphertext, gnutls_datum_t * plaintext) +static int capi_decrypt(gnutls_privkey_t key, void *userdata, + const gnutls_datum_t *ciphertext, + gnutls_datum_t *plaintext) { - priv_st *priv = (priv_st *) userdata; + priv_st *priv = (priv_st *)userdata; DWORD size = 0; int ret; @@ -404,31 +385,29 @@ int capi_decrypt(gnutls_privkey_t key, void *userdata, } memcpy(plaintext->data, ciphertext->data, size); - if (0 == - CryptDecrypt(priv->hCryptProv, 0, true, 0, plaintext->data, - &size)) { + if (0 == CryptDecrypt(priv->hCryptProv, 0, true, 0, plaintext->data, + &size)) { gnutls_assert(); ret = GNUTLS_E_PK_DECRYPTION_FAILED; goto fail; } return 0; - fail: +fail: gnutls_free(plaintext->data); return ret; } -static -void capi_deinit(gnutls_privkey_t key, void *userdata) +static void capi_deinit(gnutls_privkey_t key, void *userdata) { - priv_st *priv = (priv_st *) userdata; + priv_st *priv = (priv_st *)userdata; CryptReleaseContext(priv->hCryptProv, 0); gnutls_free(priv); } static int capi_info(gnutls_privkey_t key, unsigned int flags, void *userdata) { - priv_st *priv = (priv_st *) userdata; + priv_st *priv = (priv_st *)userdata; if (flags & GNUTLS_PRIVKEY_INFO_PK_ALGO) return priv->pk; @@ -437,18 +416,16 @@ static int capi_info(gnutls_privkey_t key, unsigned int flags, void *userdata) return -1; } -static -int privkey_import_capi(gnutls_privkey_t pkey, const char *url, - priv_st * priv, CRYPT_KEY_PROV_INFO * kpi) +static int privkey_import_capi(gnutls_privkey_t pkey, const char *url, + priv_st *priv, CRYPT_KEY_PROV_INFO *kpi) { HCRYPTPROV hCryptProv = 0; int ret, enc_too = 0; DWORD i, dwErrCode = 0; - if (CryptAcquireContextW(&hCryptProv, - kpi->pwszContainerName, - kpi->pwszProvName, - kpi->dwProvType, kpi->dwFlags)) { + if (CryptAcquireContextW(&hCryptProv, kpi->pwszContainerName, + kpi->pwszProvName, kpi->dwProvType, + kpi->dwFlags)) { for (i = 0; i < kpi->cProvParam; i++) if (!CryptSetProvParam(hCryptProv, kpi->rgProvParam[i].dwParam, @@ -462,20 +439,19 @@ int privkey_import_capi(gnutls_privkey_t pkey, const char *url, } if (ERROR_SUCCESS != dwErrCode) { - _gnutls_debug_log - ("error in getting cryptprov: %d from %s\n", - (int)GetLastError(), url); + _gnutls_debug_log("error in getting cryptprov: %d from %s\n", + (int)GetLastError(), url); ret = gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); goto cleanup; } { BYTE buf[100 + sizeof(PROV_ENUMALGS_EX) * 2]; - PROV_ENUMALGS_EX *pAlgo = (PROV_ENUMALGS_EX *) buf; + PROV_ENUMALGS_EX *pAlgo = (PROV_ENUMALGS_EX *)buf; DWORD len = sizeof(buf); - if (CryptGetProvParam - (hCryptProv, PP_ENUMALGS_EX, buf, &len, CRYPT_FIRST)) { + if (CryptGetProvParam(hCryptProv, PP_ENUMALGS_EX, buf, &len, + CRYPT_FIRST)) { DWORD hash = 0; do { switch (pAlgo->aiAlgid) { @@ -484,10 +460,9 @@ int privkey_import_capi(gnutls_privkey_t pkey, const char *url, enc_too = 1; break; case CALG_DSS_SIGN: - priv->pk = - priv->pk == - GNUTLS_PK_RSA ? - GNUTLS_PK_RSA : GNUTLS_PK_DSA; + priv->pk = priv->pk == GNUTLS_PK_RSA ? + GNUTLS_PK_RSA : + GNUTLS_PK_DSA; break; case CALG_SHA1: hash = 1; @@ -499,18 +474,16 @@ int privkey_import_capi(gnutls_privkey_t pkey, const char *url, break; } - len = sizeof(buf); // reset the buffer size - } while (CryptGetProvParam - (hCryptProv, PP_ENUMALGS_EX, buf, &len, - CRYPT_NEXT)); + len = sizeof(buf); // reset the buffer size + } while (CryptGetProvParam(hCryptProv, PP_ENUMALGS_EX, + buf, &len, CRYPT_NEXT)); if (priv->pk == GNUTLS_PK_DSA) priv->sign_algo = GNUTLS_SIGN_DSA_SHA1; else priv->sign_algo = - (hash > - 1) ? GNUTLS_SIGN_RSA_SHA256 : - GNUTLS_SIGN_RSA_SHA1; + (hash > 1) ? GNUTLS_SIGN_RSA_SHA256 : + GNUTLS_SIGN_RSA_SHA1; } } @@ -518,21 +491,19 @@ int privkey_import_capi(gnutls_privkey_t pkey, const char *url, priv->dwKeySpec = kpi->dwKeySpec; ret = gnutls_privkey_import_ext3(pkey, priv, capi_sign, - (enc_too != - 0) ? capi_decrypt : NULL, + (enc_too != 0) ? capi_decrypt : NULL, capi_deinit, capi_info, 0); - cleanup: +cleanup: if (ret < 0) { if (hCryptProv != 0) CryptReleaseContext(hCryptProv, 0); } return ret; } -#endif /* WINAPI_PARTITION_DESKTOP */ +#endif /* WINAPI_PARTITION_DESKTOP */ -static -int cng_sign(gnutls_privkey_t key, void *userdata, - const gnutls_datum_t * raw_data, gnutls_datum_t * signature) +static int cng_sign(gnutls_privkey_t key, void *userdata, + const gnutls_datum_t *raw_data, gnutls_datum_t *signature) { priv_st *priv = userdata; BCRYPT_PKCS1_PADDING_INFO _info; @@ -550,17 +521,15 @@ int cng_sign(gnutls_privkey_t key, void *userdata, signature->size = 0; if (priv->pk == GNUTLS_PK_RSA) { - flags = BCRYPT_PAD_PKCS1; info = &_info; - if (raw_data->size == 36) { /* TLS 1.0 MD5+SHA1 */ + if (raw_data->size == 36) { /* TLS 1.0 MD5+SHA1 */ _info.pszAlgId = NULL; } else { digest_size = sizeof(digest); - ret = - decode_ber_digest_info(raw_data, &algo, digest, - &digest_size); + ret = decode_ber_digest_info(raw_data, &algo, digest, + &digest_size); if (ret < 0) return gnutls_assert_val(ret); @@ -583,17 +552,16 @@ int cng_sign(gnutls_privkey_t key, void *userdata, _info.pszAlgId = NCRYPT_SHA512_ALGORITHM; break; default: - return - gnutls_assert_val - (GNUTLS_E_UNKNOWN_HASH_ALGORITHM); + return gnutls_assert_val( + GNUTLS_E_UNKNOWN_HASH_ALGORITHM); } data.data = digest; data.size = digest_size; } } - r = pNCryptSignHash(priv->nc, info, data.data, data.size, - NULL, 0, &ret_sig, flags); + r = pNCryptSignHash(priv->nc, info, data.data, data.size, NULL, 0, + &ret_sig, flags); if (FAILED(r)) { gnutls_assert(); _gnutls_debug_log("error in pre-signing: %d\n", @@ -620,14 +588,14 @@ int cng_sign(gnutls_privkey_t key, void *userdata, signature->size = ret_sig; return 0; - fail: +fail: gnutls_free(signature->data); return ret; } -static -int cng_decrypt(gnutls_privkey_t key, void *userdata, - const gnutls_datum_t * ciphertext, gnutls_datum_t * plaintext) +static int cng_decrypt(gnutls_privkey_t key, void *userdata, + const gnutls_datum_t *ciphertext, + gnutls_datum_t *plaintext) { priv_st *priv = userdata; SECURITY_STATUS r; @@ -641,8 +609,8 @@ int cng_decrypt(gnutls_privkey_t key, void *userdata, return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); } - r = pNCryptDecrypt(priv->nc, ciphertext->data, ciphertext->size, - NULL, NULL, 0, &ret_dec, NCRYPT_PAD_PKCS1_FLAG); + r = pNCryptDecrypt(priv->nc, ciphertext->data, ciphertext->size, NULL, + NULL, 0, &ret_dec, NCRYPT_PAD_PKCS1_FLAG); if (FAILED(r)) { gnutls_assert(); return GNUTLS_E_PK_DECRYPTION_FAILED; @@ -655,9 +623,9 @@ int cng_decrypt(gnutls_privkey_t key, void *userdata, return GNUTLS_E_MEMORY_ERROR; } - r = pNCryptDecrypt(priv->nc, ciphertext->data, ciphertext->size, - NULL, plaintext->data, plaintext->size, - &ret_dec, NCRYPT_PAD_PKCS1_FLAG); + r = pNCryptDecrypt(priv->nc, ciphertext->data, ciphertext->size, NULL, + plaintext->data, plaintext->size, &ret_dec, + NCRYPT_PAD_PKCS1_FLAG); if (FAILED(r)) { gnutls_assert(); ret = GNUTLS_E_PK_DECRYPTION_FAILED; @@ -666,13 +634,12 @@ int cng_decrypt(gnutls_privkey_t key, void *userdata, plaintext->size = ret_dec; return 0; - fail: +fail: gnutls_free(plaintext->data); return ret; } -static -void cng_deinit(gnutls_privkey_t key, void *userdata) +static void cng_deinit(gnutls_privkey_t key, void *userdata) { priv_st *priv = userdata; pNCryptFreeObject(priv->nc); @@ -690,10 +657,9 @@ static int cng_info(gnutls_privkey_t key, unsigned int flags, void *userdata) return -1; } -static -int privkey_import_ncrypt(gnutls_privkey_t pkey, const char *url, - priv_st * priv, CRYPT_KEY_PROV_INFO * kpi, - NCRYPT_PROV_HANDLE * sctx) +static int privkey_import_ncrypt(gnutls_privkey_t pkey, const char *url, + priv_st *priv, CRYPT_KEY_PROV_INFO *kpi, + NCRYPT_PROV_HANDLE *sctx) { SECURITY_STATUS r; NCRYPT_KEY_HANDLE nc = 0; @@ -707,9 +673,8 @@ int privkey_import_ncrypt(gnutls_privkey_t pkey, const char *url, goto cleanup; } - r = pNCryptGetProperty(nc, NCRYPT_ALGORITHM_PROPERTY, - (BYTE *) algo_str, sizeof(algo_str), - &algo_str_size, 0); + r = pNCryptGetProperty(nc, NCRYPT_ALGORITHM_PROPERTY, (BYTE *)algo_str, + sizeof(algo_str), &algo_str_size, 0); if (FAILED(r)) { ret = gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); goto cleanup; @@ -739,10 +704,9 @@ int privkey_import_ncrypt(gnutls_privkey_t pkey, const char *url, priv->nc = nc; ret = gnutls_privkey_import_ext3(pkey, priv, cng_sign, - (enc_too != - 0) ? cng_decrypt : NULL, + (enc_too != 0) ? cng_decrypt : NULL, cng_deinit, cng_info, 0); - cleanup: +cleanup: if (ret < 0) { if (nc != 0) pNCryptFreeObject(nc); @@ -766,9 +730,10 @@ int privkey_import_ncrypt(gnutls_privkey_t pkey, const char *url, -*/ int _gnutls_privkey_import_system_url(gnutls_privkey_t pkey, const char *url) { -#if !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) && _WIN32_WINNT < 0x0A00 /*win10 */ +#if !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) && \ + _WIN32_WINNT < 0x0A00 /*win10 */ return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); -#else /* WINAPI_PARTITION_DESKTOP || _WIN32_WINNT_WIN10 */ +#else /* WINAPI_PARTITION_DESKTOP || _WIN32_WINNT_WIN10 */ uint8_t id[MAX_WID_SIZE]; HCERTSTORE store = NULL; size_t id_size; @@ -799,26 +764,24 @@ int _gnutls_privkey_import_system_url(gnutls_privkey_t pkey, const char *url) blob.cbData = id_size; blob.pbData = id; - store = - CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, - CERT_SYSTEM_STORE_CURRENT_USER, L"MY"); + store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, + CERT_SYSTEM_STORE_CURRENT_USER, L"MY"); if (store == NULL) { gnutls_assert(); ret = GNUTLS_E_FILE_ERROR; goto cleanup; } - cert = CertFindCertificateInStore(store, - X509_ASN_ENCODING, - 0, - CERT_FIND_KEY_IDENTIFIER, - &blob, NULL); + cert = CertFindCertificateInStore(store, X509_ASN_ENCODING, 0, + CERT_FIND_KEY_IDENTIFIER, &blob, + NULL); if (cert == NULL) { char buf[64]; _gnutls_debug_log("cannot find ID: %s from %s\n", - _gnutls_bin2hex(id, id_size, - buf, sizeof(buf), NULL), url); + _gnutls_bin2hex(id, id_size, buf, sizeof(buf), + NULL), + url); ret = gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); goto cleanup; } @@ -850,7 +813,7 @@ int _gnutls_privkey_import_system_url(gnutls_privkey_t pkey, const char *url) } r = pNCryptOpenStorageProvider(&sctx, kpi->pwszProvName, 0); - if (!FAILED(r)) { /* if this works carry on with CNG */ + if (!FAILED(r)) { /* if this works carry on with CNG */ ret = privkey_import_ncrypt(pkey, url, priv, kpi, &sctx); if (ret < 0) { @@ -858,24 +821,24 @@ int _gnutls_privkey_import_system_url(gnutls_privkey_t pkey, const char *url) goto cleanup; } } else { -# if !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) +#if !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) /* CAPI is not supported in UWP */ return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); -# else /* WINAPI_PARTITION_DESKTOP */ +#else /* WINAPI_PARTITION_DESKTOP */ /* this should be CAPI */ - _gnutls_debug_log - ("error in opening CNG keystore: %x from %ls\n", (int)r, - kpi->pwszProvName); + _gnutls_debug_log( + "error in opening CNG keystore: %x from %ls\n", (int)r, + kpi->pwszProvName); ret = privkey_import_capi(pkey, url, priv, kpi); if (ret < 0) { gnutls_assert(); goto cleanup; } -# endif /* WINAPI_PARTITION_DESKTOP */ +#endif /* WINAPI_PARTITION_DESKTOP */ } ret = 0; - cleanup: +cleanup: if (ret < 0) { gnutls_free(priv); } @@ -889,7 +852,7 @@ int _gnutls_privkey_import_system_url(gnutls_privkey_t pkey, const char *url) CertCloseStore(store, 0); return ret; -#endif /* WINAPI_PARTITION_DESKTOP || _WIN32_WINNT_WIN10 */ +#endif /* WINAPI_PARTITION_DESKTOP || _WIN32_WINNT_WIN10 */ } int _gnutls_x509_crt_import_system_url(gnutls_x509_crt_t crt, const char *url) @@ -913,26 +876,24 @@ int _gnutls_x509_crt_import_system_url(gnutls_x509_crt_t crt, const char *url) blob.cbData = id_size; blob.pbData = id; - store = - CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, - CERT_SYSTEM_STORE_CURRENT_USER, L"MY"); + store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, + CERT_SYSTEM_STORE_CURRENT_USER, L"MY"); if (store == NULL) { gnutls_assert(); ret = GNUTLS_E_FILE_ERROR; goto cleanup; } - cert = CertFindCertificateInStore(store, - X509_ASN_ENCODING, - 0, - CERT_FIND_KEY_IDENTIFIER, - &blob, NULL); + cert = CertFindCertificateInStore(store, X509_ASN_ENCODING, 0, + CERT_FIND_KEY_IDENTIFIER, &blob, + NULL); if (cert == NULL) { char buf[64]; _gnutls_debug_log("cannot find ID: %s from %s\n", - _gnutls_bin2hex(id, id_size, - buf, sizeof(buf), NULL), url); + _gnutls_bin2hex(id, id_size, buf, sizeof(buf), + NULL), + url); ret = gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); goto cleanup; } @@ -947,7 +908,7 @@ int _gnutls_x509_crt_import_system_url(gnutls_x509_crt_t crt, const char *url) } ret = 0; - cleanup: +cleanup: if (cert != 0) CertFreeCertificateContext(cert); @@ -973,9 +934,8 @@ void gnutls_system_key_iter_deinit(gnutls_system_key_iter_t iter) gnutls_free(iter); } -static -int get_win_urls(const CERT_CONTEXT * cert, char **cert_url, char **key_url, - char **label, gnutls_datum_t * der) +static int get_win_urls(const CERT_CONTEXT *cert, char **cert_url, + char **key_url, char **label, gnutls_datum_t *der) { BOOL r; int ret; @@ -1013,9 +973,9 @@ int get_win_urls(const CERT_CONTEXT * cert, char **cert_url, char **key_url, tl_size = sizeof(name); r = CertGetCertificateContextProperty(cert, CERT_FRIENDLY_NAME_PROP_ID, name, &tl_size); - if (r != 0) { /* optional */ - ret = - _gnutls_ucs2_to_utf8(name, tl_size, &tmp_label, bigendian); + if (r != 0) { /* optional */ + ret = _gnutls_ucs2_to_utf8(name, tl_size, &tmp_label, + bigendian); if (ret < 0) { gnutls_assert(); goto fail; @@ -1038,8 +998,8 @@ int get_win_urls(const CERT_CONTEXT * cert, char **cert_url, char **key_url, goto fail; } - ret = - _gnutls_buffer_append_printf(&str, WIN_URL "id=%s;type=cert", hex); + ret = _gnutls_buffer_append_printf(&str, WIN_URL "id=%s;type=cert", + hex); if (ret < 0) { gnutls_assert(); goto fail; @@ -1052,9 +1012,8 @@ int get_win_urls(const CERT_CONTEXT * cert, char **cert_url, char **key_url, goto fail; } - ret = - _gnutls_buffer_append_escape(&str, tmp_label.data, - tmp_label.size, " "); + ret = _gnutls_buffer_append_escape(&str, tmp_label.data, + tmp_label.size, " "); if (ret < 0) { gnutls_assert(); goto fail; @@ -1071,9 +1030,8 @@ int get_win_urls(const CERT_CONTEXT * cert, char **cert_url, char **key_url, *cert_url = (char *)str.data; _gnutls_buffer_init(&str); - ret = - _gnutls_buffer_append_printf(&str, WIN_URL "id=%s;type=privkey", - hex); + ret = _gnutls_buffer_append_printf(&str, WIN_URL "id=%s;type=privkey", + hex); if (ret < 0) { gnutls_assert(); goto fail; @@ -1086,9 +1044,8 @@ int get_win_urls(const CERT_CONTEXT * cert, char **cert_url, char **key_url, goto fail; } - ret = - _gnutls_buffer_append_escape(&str, tmp_label.data, - tmp_label.size, " "); + ret = _gnutls_buffer_append_escape(&str, tmp_label.data, + tmp_label.size, " "); if (ret < 0) { gnutls_assert(); goto fail; @@ -1108,7 +1065,7 @@ int get_win_urls(const CERT_CONTEXT * cert, char **cert_url, char **key_url, ret = 0; goto cleanup; - fail: +fail: if (der) gnutls_free(der->data); if (cert_url) @@ -1117,7 +1074,7 @@ int get_win_urls(const CERT_CONTEXT * cert, char **cert_url, char **key_url, gnutls_free(*key_url); if (label) gnutls_free(*label); - cleanup: +cleanup: _gnutls_buffer_clear(&str); return ret; } @@ -1146,13 +1103,10 @@ int get_win_urls(const CERT_CONTEXT * cert, char **cert_url, char **key_url, * * Since: 3.4.0 **/ -int -gnutls_system_key_iter_get_info(gnutls_system_key_iter_t * iter, - unsigned cert_type, - char **cert_url, - char **key_url, - char **label, - gnutls_datum_t * der, unsigned int flags) +int gnutls_system_key_iter_get_info(gnutls_system_key_iter_t *iter, + unsigned cert_type, char **cert_url, + char **key_url, char **label, + gnutls_datum_t *der, unsigned int flags) { if (ncrypt_init == 0) return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); @@ -1164,33 +1118,30 @@ gnutls_system_key_iter_get_info(gnutls_system_key_iter_t * iter, if (*iter == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - (*iter)->store = - CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, - CERT_SYSTEM_STORE_CURRENT_USER, L"MY"); + (*iter)->store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, + CERT_SYSTEM_STORE_CURRENT_USER, + L"MY"); if ((*iter)->store == NULL) { gnutls_free(*iter); *iter = NULL; - return - gnutls_assert_val - (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + return gnutls_assert_val( + GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); } (*iter)->cert = - CertEnumCertificatesInStore((*iter)->store, NULL); + CertEnumCertificatesInStore((*iter)->store, NULL); return get_win_urls((*iter)->cert, cert_url, key_url, label, der); } else { if ((*iter)->cert == NULL) - return - gnutls_assert_val - (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + return gnutls_assert_val( + GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); - (*iter)->cert = - CertEnumCertificatesInStore((*iter)->store, (*iter)->cert); + (*iter)->cert = CertEnumCertificatesInStore((*iter)->store, + (*iter)->cert); return get_win_urls((*iter)->cert, cert_url, key_url, label, der); - } } @@ -1239,23 +1190,20 @@ int gnutls_system_key_delete(const char *cert_url, const char *key_url) blob.cbData = id_size; blob.pbData = id; - store = - CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, - CERT_SYSTEM_STORE_CURRENT_USER, L"MY"); + store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, + CERT_SYSTEM_STORE_CURRENT_USER, L"MY"); if (store != NULL) { do { - cert = CertFindCertificateInStore(store, - X509_ASN_ENCODING, - 0, - CERT_FIND_KEY_IDENTIFIER, - &blob, cert); + cert = CertFindCertificateInStore( + store, X509_ASN_ENCODING, 0, + CERT_FIND_KEY_IDENTIFIER, &blob, cert); if (cert && key_url) { nc_size = sizeof(nc); - r = CertGetCertificateContextProperty(cert, - CERT_NCRYPT_KEY_HANDLE_TRANSFER_PROP_ID, - &nc, - &nc_size); + r = CertGetCertificateContextProperty( + cert, + CERT_NCRYPT_KEY_HANDLE_TRANSFER_PROP_ID, + &nc, &nc_size); if (r != 0) { pNCryptDeleteKey(nc, 0); pNCryptFreeObject(nc); @@ -1411,9 +1359,8 @@ int gnutls_system_key_add_x509(gnutls_x509_crt_t crt, goto cleanup; } - ret = - gnutls_hash_fast(GNUTLS_DIG_SHA1, data.data, data.size, - sha); + ret = gnutls_hash_fast(GNUTLS_DIG_SHA1, data.data, data.size, + sha); gnutls_free(data.data); if (ret < 0) { gnutls_assert(); @@ -1423,11 +1370,9 @@ int gnutls_system_key_add_x509(gnutls_x509_crt_t crt, blob.cbData = sizeof(sha); blob.pbData = sha; - cert = CertFindCertificateInStore(store, - X509_ASN_ENCODING, - 0, - CERT_FIND_SHA1_HASH, - &blob, NULL); + cert = CertFindCertificateInStore(store, X509_ASN_ENCODING, 0, + CERT_FIND_SHA1_HASH, &blob, + NULL); if (cert == NULL) { gnutls_assert(); @@ -1444,7 +1389,7 @@ int gnutls_system_key_add_x509(gnutls_x509_crt_t crt, ret = 0; - cleanup: +cleanup: if (p12 != NULL) gnutls_pkcs12_deinit(p12); if (bag1 != NULL) @@ -1467,53 +1412,51 @@ int _gnutls_system_key_init(void) return gnutls_assert_val(GNUTLS_E_CRYPTO_INIT_FAILED); } - pNCryptDeleteKey = - (NCryptDeleteKeyFunc) GetProcAddress(ncrypt_lib, "NCryptDeleteKey"); + pNCryptDeleteKey = (NCryptDeleteKeyFunc)GetProcAddress( + ncrypt_lib, "NCryptDeleteKey"); if (pNCryptDeleteKey == NULL) { ret = GNUTLS_E_CRYPTO_INIT_FAILED; goto fail; } pNCryptOpenStorageProvider = - (NCryptOpenStorageProviderFunc) GetProcAddress(ncrypt_lib, - "NCryptOpenStorageProvider"); + (NCryptOpenStorageProviderFunc)GetProcAddress( + ncrypt_lib, "NCryptOpenStorageProvider"); if (pNCryptOpenStorageProvider == NULL) { ret = GNUTLS_E_CRYPTO_INIT_FAILED; goto fail; } pNCryptOpenKey = - (NCryptOpenKeyFunc) GetProcAddress(ncrypt_lib, "NCryptOpenKey"); + (NCryptOpenKeyFunc)GetProcAddress(ncrypt_lib, "NCryptOpenKey"); if (pNCryptOpenKey == NULL) { ret = GNUTLS_E_CRYPTO_INIT_FAILED; goto fail; } - pNCryptGetProperty = - (NCryptGetPropertyFunc) GetProcAddress(ncrypt_lib, - "NCryptGetProperty"); + pNCryptGetProperty = (NCryptGetPropertyFunc)GetProcAddress( + ncrypt_lib, "NCryptGetProperty"); if (pNCryptGetProperty == NULL) { ret = GNUTLS_E_CRYPTO_INIT_FAILED; goto fail; } - pNCryptFreeObject = - (NCryptFreeObjectFunc) GetProcAddress(ncrypt_lib, - "NCryptFreeObject"); + pNCryptFreeObject = (NCryptFreeObjectFunc)GetProcAddress( + ncrypt_lib, "NCryptFreeObject"); if (pNCryptFreeObject == NULL) { ret = GNUTLS_E_CRYPTO_INIT_FAILED; goto fail; } pNCryptDecrypt = - (NCryptDecryptFunc) GetProcAddress(ncrypt_lib, "NCryptDecrypt"); + (NCryptDecryptFunc)GetProcAddress(ncrypt_lib, "NCryptDecrypt"); if (pNCryptDecrypt == NULL) { ret = GNUTLS_E_CRYPTO_INIT_FAILED; goto fail; } - pNCryptSignHash = - (NCryptSignHashFunc) GetProcAddress(ncrypt_lib, "NCryptSignHash"); + pNCryptSignHash = (NCryptSignHashFunc)GetProcAddress(ncrypt_lib, + "NCryptSignHash"); if (pNCryptSignHash == NULL) { ret = GNUTLS_E_CRYPTO_INIT_FAILED; goto fail; @@ -1521,7 +1464,7 @@ int _gnutls_system_key_init(void) ncrypt_init = 1; return 0; - fail: +fail: FreeLibrary(ncrypt_lib); return ret; #else diff --git a/lib/system/ktls.c b/lib/system/ktls.c index bb59fab7c0..060194bdf6 100644 --- a/lib/system/ktls.c +++ b/lib/system/ktls.c @@ -25,14 +25,14 @@ #ifdef ENABLE_KTLS -# include <linux/tls.h> -# include <record.h> -# include <sys/socket.h> -# include <netinet/tcp.h> -# include <unistd.h> -# include <errno.h> -# include "ext/session_ticket.h" -# include <sys/sendfile.h> +#include <linux/tls.h> +#include <record.h> +#include <sys/socket.h> +#include <netinet/tcp.h> +#include <unistd.h> +#include <errno.h> +#include "ext/session_ticket.h" +#include <sys/sendfile.h> /** * gnutls_transport_is_ktls_enabled: @@ -67,18 +67,18 @@ void _gnutls_ktls_enable(gnutls_session_t session) session->internals.ktls_enabled |= GNUTLS_KTLS_SEND; } } else { - _gnutls_record_log - ("Unable to set TCP_ULP for read socket: %d\n", errno); + _gnutls_record_log( + "Unable to set TCP_ULP for read socket: %d\n", errno); } if (sockin != sockout) { - if (setsockopt(sockout, SOL_TCP, TCP_ULP, "tls", sizeof("tls")) - == 0) { + if (setsockopt(sockout, SOL_TCP, TCP_ULP, "tls", + sizeof("tls")) == 0) { session->internals.ktls_enabled |= GNUTLS_KTLS_SEND; } else { - _gnutls_record_log - ("Unable to set TCP_ULP for write socket: %d\n", - errno); + _gnutls_record_log( + "Unable to set TCP_ULP for write socket: %d\n", + errno); } } } @@ -117,203 +117,170 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, if (in & GNUTLS_KTLS_RECV) { switch (cipher) { - case GNUTLS_CIPHER_AES_128_GCM: - { - struct tls12_crypto_info_aes_gcm_128 - crypto_info; - memset(&crypto_info, 0, sizeof(crypto_info)); - - crypto_info.info.cipher_type = - TLS_CIPHER_AES_GCM_128; - assert(cipher_key.size == - TLS_CIPHER_AES_GCM_128_KEY_SIZE); - - /* for TLS 1.2 IV is generated in kernel */ - if (version == GNUTLS_TLS1_2) { - crypto_info.info.version = - TLS_1_2_VERSION; - memcpy(crypto_info.iv, seq_number, - TLS_CIPHER_AES_GCM_128_IV_SIZE); - } else { - crypto_info.info.version = - TLS_1_3_VERSION; - assert(iv.size == - TLS_CIPHER_AES_GCM_128_SALT_SIZE - + + case GNUTLS_CIPHER_AES_128_GCM: { + struct tls12_crypto_info_aes_gcm_128 crypto_info; + memset(&crypto_info, 0, sizeof(crypto_info)); + + crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_128; + assert(cipher_key.size == + TLS_CIPHER_AES_GCM_128_KEY_SIZE); + + /* for TLS 1.2 IV is generated in kernel */ + if (version == GNUTLS_TLS1_2) { + crypto_info.info.version = TLS_1_2_VERSION; + memcpy(crypto_info.iv, seq_number, + TLS_CIPHER_AES_GCM_128_IV_SIZE); + } else { + crypto_info.info.version = TLS_1_3_VERSION; + assert(iv.size == + TLS_CIPHER_AES_GCM_128_SALT_SIZE + TLS_CIPHER_AES_GCM_128_IV_SIZE); - memcpy(crypto_info.iv, iv.data + + memcpy(crypto_info.iv, + iv.data + TLS_CIPHER_AES_GCM_128_SALT_SIZE, - TLS_CIPHER_AES_GCM_128_IV_SIZE); - } + TLS_CIPHER_AES_GCM_128_IV_SIZE); + } - memcpy(crypto_info.salt, iv.data, - TLS_CIPHER_AES_GCM_128_SALT_SIZE); - memcpy(crypto_info.rec_seq, seq_number, - TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); - memcpy(crypto_info.key, cipher_key.data, - TLS_CIPHER_AES_GCM_128_KEY_SIZE); - - if (setsockopt(sockin, SOL_TLS, TLS_RX, - &crypto_info, - sizeof(crypto_info))) { - session->internals.ktls_enabled &= - ~GNUTLS_KTLS_RECV; - return - gnutls_assert_val - (GNUTLS_E_INTERNAL_ERROR); - } + memcpy(crypto_info.salt, iv.data, + TLS_CIPHER_AES_GCM_128_SALT_SIZE); + memcpy(crypto_info.rec_seq, seq_number, + TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); + memcpy(crypto_info.key, cipher_key.data, + TLS_CIPHER_AES_GCM_128_KEY_SIZE); + + if (setsockopt(sockin, SOL_TLS, TLS_RX, &crypto_info, + sizeof(crypto_info))) { + session->internals.ktls_enabled &= + ~GNUTLS_KTLS_RECV; + return gnutls_assert_val( + GNUTLS_E_INTERNAL_ERROR); } - break; - case GNUTLS_CIPHER_AES_256_GCM: - { - struct tls12_crypto_info_aes_gcm_256 - crypto_info; - memset(&crypto_info, 0, sizeof(crypto_info)); - - crypto_info.info.cipher_type = - TLS_CIPHER_AES_GCM_256; - assert(cipher_key.size == - TLS_CIPHER_AES_GCM_256_KEY_SIZE); - - /* for TLS 1.2 IV is generated in kernel */ - if (version == GNUTLS_TLS1_2) { - crypto_info.info.version = - TLS_1_2_VERSION; - memcpy(crypto_info.iv, seq_number, - TLS_CIPHER_AES_GCM_256_IV_SIZE); - } else { - crypto_info.info.version = - TLS_1_3_VERSION; - assert(iv.size == - TLS_CIPHER_AES_GCM_256_SALT_SIZE - + + } break; + case GNUTLS_CIPHER_AES_256_GCM: { + struct tls12_crypto_info_aes_gcm_256 crypto_info; + memset(&crypto_info, 0, sizeof(crypto_info)); + + crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_256; + assert(cipher_key.size == + TLS_CIPHER_AES_GCM_256_KEY_SIZE); + + /* for TLS 1.2 IV is generated in kernel */ + if (version == GNUTLS_TLS1_2) { + crypto_info.info.version = TLS_1_2_VERSION; + memcpy(crypto_info.iv, seq_number, + TLS_CIPHER_AES_GCM_256_IV_SIZE); + } else { + crypto_info.info.version = TLS_1_3_VERSION; + assert(iv.size == + TLS_CIPHER_AES_GCM_256_SALT_SIZE + TLS_CIPHER_AES_GCM_256_IV_SIZE); - memcpy(crypto_info.iv, - iv.data + + memcpy(crypto_info.iv, + iv.data + TLS_CIPHER_AES_GCM_256_SALT_SIZE, - TLS_CIPHER_AES_GCM_256_IV_SIZE); - } + TLS_CIPHER_AES_GCM_256_IV_SIZE); + } - memcpy(crypto_info.salt, iv.data, - TLS_CIPHER_AES_GCM_256_SALT_SIZE); - memcpy(crypto_info.rec_seq, seq_number, - TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE); - memcpy(crypto_info.key, cipher_key.data, - TLS_CIPHER_AES_GCM_256_KEY_SIZE); - - if (setsockopt(sockin, SOL_TLS, TLS_RX, - &crypto_info, - sizeof(crypto_info))) { - session->internals.ktls_enabled &= - ~GNUTLS_KTLS_RECV; - return - gnutls_assert_val - (GNUTLS_E_INTERNAL_ERROR); - } + memcpy(crypto_info.salt, iv.data, + TLS_CIPHER_AES_GCM_256_SALT_SIZE); + memcpy(crypto_info.rec_seq, seq_number, + TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE); + memcpy(crypto_info.key, cipher_key.data, + TLS_CIPHER_AES_GCM_256_KEY_SIZE); + + if (setsockopt(sockin, SOL_TLS, TLS_RX, &crypto_info, + sizeof(crypto_info))) { + session->internals.ktls_enabled &= + ~GNUTLS_KTLS_RECV; + return gnutls_assert_val( + GNUTLS_E_INTERNAL_ERROR); } - break; - case GNUTLS_CIPHER_AES_128_CCM: - { - struct tls12_crypto_info_aes_ccm_128 - crypto_info; - memset(&crypto_info, 0, sizeof(crypto_info)); - - crypto_info.info.cipher_type = - TLS_CIPHER_AES_CCM_128; - assert(cipher_key.size == - TLS_CIPHER_AES_CCM_128_KEY_SIZE); - - /* for TLS 1.2 IV is generated in kernel */ - if (version == GNUTLS_TLS1_2) { - crypto_info.info.version = - TLS_1_2_VERSION; - memcpy(crypto_info.iv, seq_number, - TLS_CIPHER_AES_CCM_128_IV_SIZE); - } else { - crypto_info.info.version = - TLS_1_3_VERSION; - assert(iv.size == - TLS_CIPHER_AES_CCM_128_SALT_SIZE - + + } break; + case GNUTLS_CIPHER_AES_128_CCM: { + struct tls12_crypto_info_aes_ccm_128 crypto_info; + memset(&crypto_info, 0, sizeof(crypto_info)); + + crypto_info.info.cipher_type = TLS_CIPHER_AES_CCM_128; + assert(cipher_key.size == + TLS_CIPHER_AES_CCM_128_KEY_SIZE); + + /* for TLS 1.2 IV is generated in kernel */ + if (version == GNUTLS_TLS1_2) { + crypto_info.info.version = TLS_1_2_VERSION; + memcpy(crypto_info.iv, seq_number, + TLS_CIPHER_AES_CCM_128_IV_SIZE); + } else { + crypto_info.info.version = TLS_1_3_VERSION; + assert(iv.size == + TLS_CIPHER_AES_CCM_128_SALT_SIZE + TLS_CIPHER_AES_CCM_128_IV_SIZE); - memcpy(crypto_info.iv, iv.data + + memcpy(crypto_info.iv, + iv.data + TLS_CIPHER_AES_CCM_128_SALT_SIZE, - TLS_CIPHER_AES_CCM_128_IV_SIZE); - } + TLS_CIPHER_AES_CCM_128_IV_SIZE); + } - memcpy(crypto_info.salt, iv.data, - TLS_CIPHER_AES_CCM_128_SALT_SIZE); - memcpy(crypto_info.rec_seq, seq_number, - TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); - memcpy(crypto_info.key, cipher_key.data, - TLS_CIPHER_AES_CCM_128_KEY_SIZE); - - if (setsockopt(sockin, SOL_TLS, TLS_RX, - &crypto_info, - sizeof(crypto_info))) { - session->internals.ktls_enabled &= - ~GNUTLS_KTLS_RECV; - return - gnutls_assert_val - (GNUTLS_E_INTERNAL_ERROR); - } + memcpy(crypto_info.salt, iv.data, + TLS_CIPHER_AES_CCM_128_SALT_SIZE); + memcpy(crypto_info.rec_seq, seq_number, + TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); + memcpy(crypto_info.key, cipher_key.data, + TLS_CIPHER_AES_CCM_128_KEY_SIZE); + + if (setsockopt(sockin, SOL_TLS, TLS_RX, &crypto_info, + sizeof(crypto_info))) { + session->internals.ktls_enabled &= + ~GNUTLS_KTLS_RECV; + return gnutls_assert_val( + GNUTLS_E_INTERNAL_ERROR); } - break; - case GNUTLS_CIPHER_CHACHA20_POLY1305: - { - struct tls12_crypto_info_chacha20_poly1305 - crypto_info; - memset(&crypto_info, 0, sizeof(crypto_info)); - - crypto_info.info.cipher_type = - TLS_CIPHER_CHACHA20_POLY1305; - assert(cipher_key.size == - TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE); - - /* for TLS 1.2 IV is generated in kernel */ - if (version == GNUTLS_TLS1_2) { - crypto_info.info.version = - TLS_1_2_VERSION; - memcpy(crypto_info.iv, seq_number, - TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); - } else { - crypto_info.info.version = - TLS_1_3_VERSION; - assert(iv.size == - TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE - + + } break; + case GNUTLS_CIPHER_CHACHA20_POLY1305: { + struct tls12_crypto_info_chacha20_poly1305 crypto_info; + memset(&crypto_info, 0, sizeof(crypto_info)); + + crypto_info.info.cipher_type = + TLS_CIPHER_CHACHA20_POLY1305; + assert(cipher_key.size == + TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE); + + /* for TLS 1.2 IV is generated in kernel */ + if (version == GNUTLS_TLS1_2) { + crypto_info.info.version = TLS_1_2_VERSION; + memcpy(crypto_info.iv, seq_number, + TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); + } else { + crypto_info.info.version = TLS_1_3_VERSION; + assert(iv.size == + TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE + TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); - memcpy(crypto_info.iv, iv.data + + memcpy(crypto_info.iv, + iv.data + TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE, - TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); - } + TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); + } - memcpy(crypto_info.salt, iv.data, - TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE); - memcpy(crypto_info.rec_seq, seq_number, - TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); - memcpy(crypto_info.key, cipher_key.data, - TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE); - - if (setsockopt(sockin, SOL_TLS, TLS_RX, - &crypto_info, - sizeof(crypto_info))) { - session->internals.ktls_enabled &= - ~GNUTLS_KTLS_RECV; - return - gnutls_assert_val - (GNUTLS_E_INTERNAL_ERROR); - } + memcpy(crypto_info.salt, iv.data, + TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE); + memcpy(crypto_info.rec_seq, seq_number, + TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); + memcpy(crypto_info.key, cipher_key.data, + TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE); + + if (setsockopt(sockin, SOL_TLS, TLS_RX, &crypto_info, + sizeof(crypto_info))) { + session->internals.ktls_enabled &= + ~GNUTLS_KTLS_RECV; + return gnutls_assert_val( + GNUTLS_E_INTERNAL_ERROR); } - break; + } break; default: assert(0); } - } ret = gnutls_record_get_state(session, 0, &mac_key, &iv, &cipher_key, @@ -324,210 +291,175 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, if (in & GNUTLS_KTLS_SEND) { switch (cipher) { - case GNUTLS_CIPHER_AES_128_GCM: - { - struct tls12_crypto_info_aes_gcm_128 - crypto_info; - memset(&crypto_info, 0, sizeof(crypto_info)); - - crypto_info.info.cipher_type = - TLS_CIPHER_AES_GCM_128; - - assert(cipher_key.size == - TLS_CIPHER_AES_GCM_128_KEY_SIZE); - - /* for TLS 1.2 IV is generated in kernel */ - if (version == GNUTLS_TLS1_2) { - crypto_info.info.version = - TLS_1_2_VERSION; - memcpy(crypto_info.iv, seq_number, - TLS_CIPHER_AES_GCM_128_IV_SIZE); - } else { - crypto_info.info.version = - TLS_1_3_VERSION; - assert(iv.size == - TLS_CIPHER_AES_GCM_128_SALT_SIZE - + + case GNUTLS_CIPHER_AES_128_GCM: { + struct tls12_crypto_info_aes_gcm_128 crypto_info; + memset(&crypto_info, 0, sizeof(crypto_info)); + + crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_128; + + assert(cipher_key.size == + TLS_CIPHER_AES_GCM_128_KEY_SIZE); + + /* for TLS 1.2 IV is generated in kernel */ + if (version == GNUTLS_TLS1_2) { + crypto_info.info.version = TLS_1_2_VERSION; + memcpy(crypto_info.iv, seq_number, + TLS_CIPHER_AES_GCM_128_IV_SIZE); + } else { + crypto_info.info.version = TLS_1_3_VERSION; + assert(iv.size == + TLS_CIPHER_AES_GCM_128_SALT_SIZE + TLS_CIPHER_AES_GCM_128_IV_SIZE); - memcpy(crypto_info.iv, - iv.data + + memcpy(crypto_info.iv, + iv.data + TLS_CIPHER_AES_GCM_128_SALT_SIZE, - TLS_CIPHER_AES_GCM_128_IV_SIZE); - } + TLS_CIPHER_AES_GCM_128_IV_SIZE); + } - memcpy(crypto_info.salt, iv.data, - TLS_CIPHER_AES_GCM_128_SALT_SIZE); - memcpy(crypto_info.rec_seq, seq_number, - TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); - memcpy(crypto_info.key, cipher_key.data, - TLS_CIPHER_AES_GCM_128_KEY_SIZE); - - if (setsockopt(sockout, SOL_TLS, TLS_TX, - &crypto_info, - sizeof(crypto_info))) { - session->internals.ktls_enabled &= - ~GNUTLS_KTLS_SEND; - return - gnutls_assert_val - (GNUTLS_E_INTERNAL_ERROR); - } + memcpy(crypto_info.salt, iv.data, + TLS_CIPHER_AES_GCM_128_SALT_SIZE); + memcpy(crypto_info.rec_seq, seq_number, + TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); + memcpy(crypto_info.key, cipher_key.data, + TLS_CIPHER_AES_GCM_128_KEY_SIZE); + + if (setsockopt(sockout, SOL_TLS, TLS_TX, &crypto_info, + sizeof(crypto_info))) { + session->internals.ktls_enabled &= + ~GNUTLS_KTLS_SEND; + return gnutls_assert_val( + GNUTLS_E_INTERNAL_ERROR); } - break; - case GNUTLS_CIPHER_AES_256_GCM: - { - struct tls12_crypto_info_aes_gcm_256 - crypto_info; - memset(&crypto_info, 0, sizeof(crypto_info)); - - crypto_info.info.cipher_type = - TLS_CIPHER_AES_GCM_256; - assert(cipher_key.size == - TLS_CIPHER_AES_GCM_256_KEY_SIZE); - - /* for TLS 1.2 IV is generated in kernel */ - if (version == GNUTLS_TLS1_2) { - crypto_info.info.version = - TLS_1_2_VERSION; - memcpy(crypto_info.iv, seq_number, - TLS_CIPHER_AES_GCM_256_IV_SIZE); - } else { - crypto_info.info.version = - TLS_1_3_VERSION; - assert(iv.size == - TLS_CIPHER_AES_GCM_256_SALT_SIZE - + + } break; + case GNUTLS_CIPHER_AES_256_GCM: { + struct tls12_crypto_info_aes_gcm_256 crypto_info; + memset(&crypto_info, 0, sizeof(crypto_info)); + + crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_256; + assert(cipher_key.size == + TLS_CIPHER_AES_GCM_256_KEY_SIZE); + + /* for TLS 1.2 IV is generated in kernel */ + if (version == GNUTLS_TLS1_2) { + crypto_info.info.version = TLS_1_2_VERSION; + memcpy(crypto_info.iv, seq_number, + TLS_CIPHER_AES_GCM_256_IV_SIZE); + } else { + crypto_info.info.version = TLS_1_3_VERSION; + assert(iv.size == + TLS_CIPHER_AES_GCM_256_SALT_SIZE + TLS_CIPHER_AES_GCM_256_IV_SIZE); - memcpy(crypto_info.iv, - iv.data + + memcpy(crypto_info.iv, + iv.data + TLS_CIPHER_AES_GCM_256_SALT_SIZE, - TLS_CIPHER_AES_GCM_256_IV_SIZE); - } + TLS_CIPHER_AES_GCM_256_IV_SIZE); + } - memcpy(crypto_info.salt, iv.data, - TLS_CIPHER_AES_GCM_256_SALT_SIZE); - memcpy(crypto_info.rec_seq, seq_number, - TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE); - memcpy(crypto_info.key, cipher_key.data, - TLS_CIPHER_AES_GCM_256_KEY_SIZE); - - if (setsockopt(sockout, SOL_TLS, TLS_TX, - &crypto_info, - sizeof(crypto_info))) { - session->internals.ktls_enabled &= - ~GNUTLS_KTLS_SEND; - return - gnutls_assert_val - (GNUTLS_E_INTERNAL_ERROR); - } + memcpy(crypto_info.salt, iv.data, + TLS_CIPHER_AES_GCM_256_SALT_SIZE); + memcpy(crypto_info.rec_seq, seq_number, + TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE); + memcpy(crypto_info.key, cipher_key.data, + TLS_CIPHER_AES_GCM_256_KEY_SIZE); + + if (setsockopt(sockout, SOL_TLS, TLS_TX, &crypto_info, + sizeof(crypto_info))) { + session->internals.ktls_enabled &= + ~GNUTLS_KTLS_SEND; + return gnutls_assert_val( + GNUTLS_E_INTERNAL_ERROR); } - break; - case GNUTLS_CIPHER_AES_128_CCM: - { - struct tls12_crypto_info_aes_ccm_128 - crypto_info; - memset(&crypto_info, 0, sizeof(crypto_info)); - - crypto_info.info.cipher_type = - TLS_CIPHER_AES_CCM_128; - assert(cipher_key.size == - TLS_CIPHER_AES_CCM_128_KEY_SIZE); - - /* for TLS 1.2 IV is generated in kernel */ - if (version == GNUTLS_TLS1_2) { - crypto_info.info.version = - TLS_1_2_VERSION; - memcpy(crypto_info.iv, seq_number, - TLS_CIPHER_AES_CCM_128_IV_SIZE); - } else { - crypto_info.info.version = - TLS_1_3_VERSION; - assert(iv.size == - TLS_CIPHER_AES_CCM_128_SALT_SIZE - + + } break; + case GNUTLS_CIPHER_AES_128_CCM: { + struct tls12_crypto_info_aes_ccm_128 crypto_info; + memset(&crypto_info, 0, sizeof(crypto_info)); + + crypto_info.info.cipher_type = TLS_CIPHER_AES_CCM_128; + assert(cipher_key.size == + TLS_CIPHER_AES_CCM_128_KEY_SIZE); + + /* for TLS 1.2 IV is generated in kernel */ + if (version == GNUTLS_TLS1_2) { + crypto_info.info.version = TLS_1_2_VERSION; + memcpy(crypto_info.iv, seq_number, + TLS_CIPHER_AES_CCM_128_IV_SIZE); + } else { + crypto_info.info.version = TLS_1_3_VERSION; + assert(iv.size == + TLS_CIPHER_AES_CCM_128_SALT_SIZE + TLS_CIPHER_AES_CCM_128_IV_SIZE); - memcpy(crypto_info.iv, - iv.data + + memcpy(crypto_info.iv, + iv.data + TLS_CIPHER_AES_CCM_128_SALT_SIZE, - TLS_CIPHER_AES_CCM_128_IV_SIZE); - } + TLS_CIPHER_AES_CCM_128_IV_SIZE); + } - memcpy(crypto_info.salt, iv.data, - TLS_CIPHER_AES_CCM_128_SALT_SIZE); - memcpy(crypto_info.rec_seq, seq_number, - TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); - memcpy(crypto_info.key, cipher_key.data, - TLS_CIPHER_AES_CCM_128_KEY_SIZE); - - if (setsockopt(sockout, SOL_TLS, TLS_TX, - &crypto_info, - sizeof(crypto_info))) { - session->internals.ktls_enabled &= - ~GNUTLS_KTLS_SEND; - return - gnutls_assert_val - (GNUTLS_E_INTERNAL_ERROR); - } + memcpy(crypto_info.salt, iv.data, + TLS_CIPHER_AES_CCM_128_SALT_SIZE); + memcpy(crypto_info.rec_seq, seq_number, + TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); + memcpy(crypto_info.key, cipher_key.data, + TLS_CIPHER_AES_CCM_128_KEY_SIZE); + + if (setsockopt(sockout, SOL_TLS, TLS_TX, &crypto_info, + sizeof(crypto_info))) { + session->internals.ktls_enabled &= + ~GNUTLS_KTLS_SEND; + return gnutls_assert_val( + GNUTLS_E_INTERNAL_ERROR); } - break; - case GNUTLS_CIPHER_CHACHA20_POLY1305: - { - struct tls12_crypto_info_chacha20_poly1305 - crypto_info; - memset(&crypto_info, 0, sizeof(crypto_info)); - - crypto_info.info.cipher_type = - TLS_CIPHER_CHACHA20_POLY1305; - assert(cipher_key.size == - TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE); - - /* for TLS 1.2 IV is generated in kernel */ - if (version == GNUTLS_TLS1_2) { - crypto_info.info.version = - TLS_1_2_VERSION; - memcpy(crypto_info.iv, seq_number, - TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); - } else { - crypto_info.info.version = - TLS_1_3_VERSION; - assert(iv.size == - TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE - + + } break; + case GNUTLS_CIPHER_CHACHA20_POLY1305: { + struct tls12_crypto_info_chacha20_poly1305 crypto_info; + memset(&crypto_info, 0, sizeof(crypto_info)); + + crypto_info.info.cipher_type = + TLS_CIPHER_CHACHA20_POLY1305; + assert(cipher_key.size == + TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE); + + /* for TLS 1.2 IV is generated in kernel */ + if (version == GNUTLS_TLS1_2) { + crypto_info.info.version = TLS_1_2_VERSION; + memcpy(crypto_info.iv, seq_number, + TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); + } else { + crypto_info.info.version = TLS_1_3_VERSION; + assert(iv.size == + TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE + TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); - memcpy(crypto_info.iv, - iv.data + + memcpy(crypto_info.iv, + iv.data + TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE, - TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); - } + TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); + } - memcpy(crypto_info.salt, iv.data, - TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE); - memcpy(crypto_info.rec_seq, seq_number, - TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); - memcpy(crypto_info.key, cipher_key.data, - TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE); - - if (setsockopt(sockout, SOL_TLS, TLS_TX, - &crypto_info, - sizeof(crypto_info))) { - session->internals.ktls_enabled &= - ~GNUTLS_KTLS_SEND; - return - gnutls_assert_val - (GNUTLS_E_INTERNAL_ERROR); - } + memcpy(crypto_info.salt, iv.data, + TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE); + memcpy(crypto_info.rec_seq, seq_number, + TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); + memcpy(crypto_info.key, cipher_key.data, + TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE); + + if (setsockopt(sockout, SOL_TLS, TLS_TX, &crypto_info, + sizeof(crypto_info))) { + session->internals.ktls_enabled &= + ~GNUTLS_KTLS_SEND; + return gnutls_assert_val( + GNUTLS_E_INTERNAL_ERROR); } - break; + } break; default: assert(0); } // set callback for sending handshake messages - gnutls_handshake_set_read_function(session, - _gnutls_ktls_send_handshake_msg); + gnutls_handshake_set_read_function( + session, _gnutls_ktls_send_handshake_msg); // set callback for sending alert messages gnutls_alert_set_read_function(session, @@ -537,8 +469,8 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, return in; } -ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd, - off_t * offset, size_t count) +ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd, off_t *offset, + size_t count) { ssize_t ret; int sockin, sockout; @@ -578,7 +510,7 @@ int _gnutls_ktls_send_control_msg(gnutls_session_t session, while (data_to_send > 0) { char cmsg[CMSG_SPACE(sizeof(unsigned char))]; struct msghdr msg = { 0 }; - struct iovec msg_iov; /* Vector of data to send/receive into. */ + struct iovec msg_iov; /* Vector of data to send/receive into. */ struct cmsghdr *hdr; msg.msg_control = cmsg; @@ -632,8 +564,8 @@ int _gnutls_ktls_send_handshake_msg(gnutls_session_t session, gnutls_handshake_description_t htype, const void *data, size_t data_size) { - return _gnutls_ktls_send_control_msg(session, GNUTLS_HANDSHAKE, - data, data_size); + return _gnutls_ktls_send_control_msg(session, GNUTLS_HANDSHAKE, data, + data_size); } int _gnutls_ktls_send_alert_msg(gnutls_session_t session, @@ -642,8 +574,8 @@ int _gnutls_ktls_send_alert_msg(gnutls_session_t session, gnutls_alert_description_t alert_desc) { uint8_t data[2]; - data[0] = (uint8_t) alert_level; - data[1] = (uint8_t) alert_desc; + data[0] = (uint8_t)alert_level; + data[1] = (uint8_t)alert_desc; return _gnutls_ktls_send_control_msg(session, GNUTLS_ALERT, data, 2); } @@ -720,23 +652,23 @@ int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type, unsigned char record_type; int ret; - ret = _gnutls_ktls_recv_control_msg(session, - &record_type, data, data_size); + ret = _gnutls_ktls_recv_control_msg(session, &record_type, data, + data_size); if (ret > 0) { switch (record_type) { case GNUTLS_CHANGE_CIPHER_SPEC: - return - gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); + return gnutls_assert_val( + GNUTLS_E_UNIMPLEMENTED_FEATURE); break; case GNUTLS_ALERT: session_invalidate(session); ret = 0; break; case GNUTLS_HANDSHAKE: - ret = gnutls_handshake_write(session, - GNUTLS_ENCRYPTION_LEVEL_APPLICATION, - data, ret); + ret = gnutls_handshake_write( + session, GNUTLS_ENCRYPTION_LEVEL_APPLICATION, + data, ret); if (ret < 0) return gnutls_assert_val(ret); @@ -758,7 +690,7 @@ int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type, return ret; } -#else //ENABLE_KTLS +#else //ENABLE_KTLS gnutls_transport_ktls_enable_flags_t gnutls_transport_is_ktls_enabled(gnutls_session_t session) { @@ -775,8 +707,8 @@ int _gnutls_ktls_set_keys(gnutls_session_t sessioni, return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); } -ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd, - off_t * offset, size_t count) +ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd, off_t *offset, + size_t count) { return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); } @@ -803,4 +735,4 @@ int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type, return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); } -#endif //ENABLE_KTLS +#endif //ENABLE_KTLS diff --git a/lib/system/ktls.h b/lib/system/ktls.h index 186612e326..65c5cf149e 100644 --- a/lib/system/ktls.h +++ b/lib/system/ktls.h @@ -1,15 +1,15 @@ #ifndef GNUTLS_LIB_ACCELERATED_KTLS_H -# define GNUTLS_LIB_ACCELERATED_KTLS_H +#define GNUTLS_LIB_ACCELERATED_KTLS_H -# include "gnutls_int.h" +#include "gnutls_int.h" void _gnutls_ktls_enable(gnutls_session_t session); int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable_flags_t in); -ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd, - off_t * offset, size_t count); +ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd, off_t *offset, + size_t count); int _gnutls_ktls_send_handshake_msg(gnutls_session_t session, gnutls_record_encryption_level_t level, @@ -24,7 +24,8 @@ int _gnutls_ktls_send_alert_msg(gnutls_session_t session, int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type, const void *data, size_t data_size); -# define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z); +#define _gnutls_ktls_send(x, y, z) \ + _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z); int _gnutls_ktls_recv_control_msg(gnutls_session_t session, unsigned char *record_type, void *data, @@ -32,6 +33,7 @@ int _gnutls_ktls_recv_control_msg(gnutls_session_t session, int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type, void *data, size_t data_size); -# define _gnutls_ktls_recv(x, y, z) _gnutls_ktls_recv_int(x, GNUTLS_APPLICATION_DATA, y, z) +#define _gnutls_ktls_recv(x, y, z) \ + _gnutls_ktls_recv_int(x, GNUTLS_APPLICATION_DATA, y, z) -#endif /* GNUTLS_LIB_ACCELERATED_KTLS_H */ +#endif /* GNUTLS_LIB_ACCELERATED_KTLS_H */ diff --git a/lib/system/sockets.c b/lib/system/sockets.c index 6367114f30..f8eb62c2c6 100644 --- a/lib/system/sockets.c +++ b/lib/system/sockets.c @@ -32,9 +32,9 @@ #include <sys/types.h> #ifdef _WIN32 -# include <windows.h> -#else /* !_WIN32 */ -# include <poll.h> +#include <windows.h> +#else /* !_WIN32 */ +#include <poll.h> #endif /* System specific socket function wrappers. @@ -44,9 +44,9 @@ /* Do not use the gnulib functions for sending and receiving data. * Using them makes gnutls only working with gnulib applications. */ -# undef send -# undef recv -# undef select +#undef send +#undef recv +#undef select int system_errno(gnutls_transport_ptr p) { @@ -74,14 +74,14 @@ int system_errno(gnutls_transport_ptr p) return ret; } -ssize_t -system_write(gnutls_transport_ptr ptr, const void *data, size_t data_size) +ssize_t system_write(gnutls_transport_ptr ptr, const void *data, + size_t data_size) { return send(GNUTLS_POINTER_TO_INT(ptr), data, data_size, 0); } -ssize_t -system_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt) +ssize_t system_writev(gnutls_transport_ptr_t ptr, const giovec_t *iovec, + int iovec_cnt) { WSABUF bufs[32]; DWORD bytes_sent; @@ -91,28 +91,30 @@ system_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt) if ((size_t)iovec_cnt > sizeof(bufs) / sizeof(bufs[0])) iovec_cnt = sizeof(bufs) / sizeof(bufs[0]); - while (to_send_cnt < (DWORD) iovec_cnt && to_send_bytes < SSIZE_MAX) { + while (to_send_cnt < (DWORD)iovec_cnt && to_send_bytes < SSIZE_MAX) { bufs[to_send_cnt].buf = iovec[to_send_cnt].iov_base; if (to_send_bytes + iovec[to_send_cnt].iov_len > SSIZE_MAX) { /* Return value limit: successful result value cannot * exceed SSIZE_MAX */ size_t space_left = (size_t)SSIZE_MAX - to_send_bytes; - bufs[to_send_cnt].len = (unsigned long) - (space_left > ULONG_MAX ? ULONG_MAX : space_left); + bufs[to_send_cnt].len = + (unsigned long)(space_left > ULONG_MAX ? + ULONG_MAX : + space_left); to_send_cnt++; break; } -# ifdef _WIN64 +#ifdef _WIN64 if (iovec[to_send_cnt].iov_len > ULONG_MAX) { /* WSASend() limitation */ bufs[to_send_cnt].len = ULONG_MAX; to_send_cnt++; break; } -# endif +#endif bufs[to_send_cnt].len = - (unsigned long)iovec[to_send_cnt].iov_len; + (unsigned long)iovec[to_send_cnt].iov_len; to_send_bytes += iovec[to_send_cnt].iov_len; to_send_cnt++; } @@ -121,23 +123,22 @@ system_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt) 0, NULL, NULL) != 0) return -1; - return (ssize_t) bytes_sent; + return (ssize_t)bytes_sent; } -#else /* POSIX */ +#else /* POSIX */ int system_errno(gnutls_transport_ptr_t ptr) { -# if defined(_AIX) || defined(AIX) +#if defined(_AIX) || defined(AIX) if (errno == 0) errno = EAGAIN; -# endif +#endif return errno; } -static ssize_t -_system_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, - int iovec_cnt, int flags) +static ssize_t _system_writev(gnutls_transport_ptr_t ptr, const giovec_t *iovec, + int iovec_cnt, int flags) { struct msghdr hdr; @@ -148,18 +149,17 @@ _system_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, return sendmsg(GNUTLS_POINTER_TO_INT(ptr), &hdr, flags); } -# ifdef MSG_NOSIGNAL -ssize_t -system_writev_nosignal(gnutls_transport_ptr_t ptr, const giovec_t * iovec, - int iovec_cnt) +#ifdef MSG_NOSIGNAL +ssize_t system_writev_nosignal(gnutls_transport_ptr_t ptr, + const giovec_t *iovec, int iovec_cnt) { return _system_writev(ptr, iovec, iovec_cnt, MSG_NOSIGNAL); } -# endif +#endif -ssize_t -system_writev(gnutls_transport_ptr_t ptr, const giovec_t * iovec, int iovec_cnt) +ssize_t system_writev(gnutls_transport_ptr_t ptr, const giovec_t *iovec, + int iovec_cnt) { return _system_writev(ptr, iovec, iovec_cnt, 0); } diff --git a/lib/system/threads.c b/lib/system/threads.c index a98cd968c3..bca790a21f 100644 --- a/lib/system/threads.c +++ b/lib/system/threads.c @@ -57,7 +57,7 @@ static int gnutls_system_mutex_init(void **priv) static int gnutls_system_mutex_deinit(void **priv) { - if (glthread_lock_destroy((gl_lock_t *) * priv)) { + if (glthread_lock_destroy((gl_lock_t *)*priv)) { return gnutls_assert_val(GNUTLS_E_LOCKING_ERROR); } free(*priv); @@ -66,7 +66,7 @@ static int gnutls_system_mutex_deinit(void **priv) static int gnutls_system_mutex_lock(void **priv) { - if (glthread_lock_lock((gl_lock_t *) * priv)) { + if (glthread_lock_lock((gl_lock_t *)*priv)) { return gnutls_assert_val(GNUTLS_E_LOCKING_ERROR); } return 0; @@ -74,7 +74,7 @@ static int gnutls_system_mutex_lock(void **priv) static int gnutls_system_mutex_unlock(void **priv) { - if (glthread_lock_unlock((gl_lock_t *) * priv)) { + if (glthread_lock_unlock((gl_lock_t *)*priv)) { return gnutls_assert_val(GNUTLS_E_LOCKING_ERROR); } return 0; |