diff options
Diffstat (limited to 'lib/tls13')
| -rw-r--r-- | lib/tls13/anti_replay.c | 49 | ||||
| -rw-r--r-- | lib/tls13/anti_replay.h | 9 | ||||
| -rw-r--r-- | lib/tls13/certificate.c | 216 | ||||
| -rw-r--r-- | lib/tls13/certificate.h | 4 | ||||
| -rw-r--r-- | lib/tls13/certificate_request.c | 169 | ||||
| -rw-r--r-- | lib/tls13/certificate_request.h | 6 | ||||
| -rw-r--r-- | lib/tls13/certificate_verify.c | 62 | ||||
| -rw-r--r-- | lib/tls13/certificate_verify.h | 4 | ||||
| -rw-r--r-- | lib/tls13/early_data.c | 18 | ||||
| -rw-r--r-- | lib/tls13/early_data.h | 4 | ||||
| -rw-r--r-- | lib/tls13/encrypted_extensions.c | 21 | ||||
| -rw-r--r-- | lib/tls13/encrypted_extensions.h | 4 | ||||
| -rw-r--r-- | lib/tls13/finished.c | 45 | ||||
| -rw-r--r-- | lib/tls13/finished.h | 9 | ||||
| -rw-r--r-- | lib/tls13/hello_retry.c | 45 | ||||
| -rw-r--r-- | lib/tls13/hello_retry.h | 4 | ||||
| -rw-r--r-- | lib/tls13/key_update.c | 38 | ||||
| -rw-r--r-- | lib/tls13/key_update.h | 6 | ||||
| -rw-r--r-- | lib/tls13/post_handshake.c | 71 | ||||
| -rw-r--r-- | lib/tls13/psk_ext_parser.c | 10 | ||||
| -rw-r--r-- | lib/tls13/psk_ext_parser.h | 17 | ||||
| -rw-r--r-- | lib/tls13/session_ticket.c | 110 | ||||
| -rw-r--r-- | lib/tls13/session_ticket.h | 15 |
23 files changed, 411 insertions, 525 deletions
diff --git a/lib/tls13/anti_replay.c b/lib/tls13/anti_replay.c index 7b41c29241..2f041348eb 100644 --- a/lib/tls13/anti_replay.c +++ b/lib/tls13/anti_replay.c @@ -49,7 +49,7 @@ struct gnutls_anti_replay_st { * * Since: 3.6.5 **/ -int gnutls_anti_replay_init(gnutls_anti_replay_t * anti_replay) +int gnutls_anti_replay_init(gnutls_anti_replay_t *anti_replay) { *anti_replay = gnutls_calloc(1, sizeof(struct gnutls_anti_replay_st)); if (!*anti_replay) @@ -78,9 +78,8 @@ int gnutls_anti_replay_init(gnutls_anti_replay_t * anti_replay) * * Since: 3.6.5 */ -void -gnutls_anti_replay_set_window(gnutls_anti_replay_t anti_replay, - unsigned int window) +void gnutls_anti_replay_set_window(gnutls_anti_replay_t anti_replay, + unsigned int window) { anti_replay->window = window; } @@ -108,9 +107,8 @@ void gnutls_anti_replay_deinit(gnutls_anti_replay_t anti_replay) * * Since: 3.6.5 **/ -void -gnutls_anti_replay_enable(gnutls_session_t session, - gnutls_anti_replay_t anti_replay) +void gnutls_anti_replay_enable(gnutls_session_t session, + gnutls_anti_replay_t anti_replay) { if (unlikely(session->security_parameters.entity != GNUTLS_SERVER)) { gnutls_assert(); @@ -120,11 +118,10 @@ gnutls_anti_replay_enable(gnutls_session_t session, session->internals.anti_replay = anti_replay; } -int -_gnutls_anti_replay_check(gnutls_anti_replay_t anti_replay, - uint32_t client_ticket_age, - struct timespec *ticket_creation_time, - gnutls_datum_t * id) +int _gnutls_anti_replay_check(gnutls_anti_replay_t anti_replay, + uint32_t client_ticket_age, + struct timespec *ticket_creation_time, + gnutls_datum_t *id) { struct timespec now; time_t window; @@ -132,7 +129,7 @@ _gnutls_anti_replay_check(gnutls_anti_replay_t anti_replay, gnutls_datum_t key = { NULL, 0 }; gnutls_datum_t entry = { NULL, 0 }; unsigned char key_buffer[MAX_HASH_SIZE + 12]; - unsigned char entry_buffer[12]; /* magic + timestamp + expire_time */ + unsigned char entry_buffer[12]; /* magic + timestamp + expire_time */ unsigned char *p; int ret; @@ -153,8 +150,8 @@ _gnutls_anti_replay_check(gnutls_anti_replay_t anti_replay, */ if (_gnutls_timespec_cmp(ticket_creation_time, &anti_replay->start_time) < 0) { - _gnutls_handshake_log - ("anti_replay: ticket is created before recording has started\n"); + _gnutls_handshake_log( + "anti_replay: ticket is created before recording has started\n"); return gnutls_assert_val(GNUTLS_E_EARLY_DATA_REJECTED); } @@ -169,9 +166,9 @@ _gnutls_anti_replay_check(gnutls_anti_replay_t anti_replay, * data. */ if (server_ticket_age - client_ticket_age > anti_replay->window) { - _gnutls_handshake_log - ("anti_replay: server ticket age: %u, client ticket age: %u\n", - server_ticket_age, client_ticket_age); + _gnutls_handshake_log( + "anti_replay: server ticket age: %u, client ticket age: %u\n", + server_ticket_age, client_ticket_age); return gnutls_assert_val(GNUTLS_E_EARLY_DATA_REJECTED); } @@ -186,8 +183,7 @@ _gnutls_anti_replay_check(gnutls_anti_replay_t anti_replay, * the key becomes 44+ octets. */ p = key_buffer; - _gnutls_write_uint32((uint64_t) anti_replay->start_time.tv_sec >> 32, - p); + _gnutls_write_uint32((uint64_t)anti_replay->start_time.tv_sec >> 32, p); p += 4; _gnutls_write_uint32(anti_replay->start_time.tv_sec & 0xFFFFFFFF, p); p += 4; @@ -214,11 +210,11 @@ _gnutls_anti_replay_check(gnutls_anti_replay_t anti_replay, entry.size = p - entry_buffer; ret = anti_replay->db_add_func(anti_replay->db_ptr, - (uint64_t) now.tv_sec + - (uint64_t) window, &key, &entry); + (uint64_t)now.tv_sec + (uint64_t)window, + &key, &entry); if (ret < 0) { - _gnutls_handshake_log - ("anti_replay: duplicate ClientHello found\n"); + _gnutls_handshake_log( + "anti_replay: duplicate ClientHello found\n"); return gnutls_assert_val(GNUTLS_E_EARLY_DATA_REJECTED); } @@ -260,9 +256,8 @@ void gnutls_anti_replay_set_ptr(gnutls_anti_replay_t anti_replay, void *ptr) * * Since: 3.6.5 **/ -void -gnutls_anti_replay_set_add_function(gnutls_anti_replay_t anti_replay, - gnutls_db_add_func add_func) +void gnutls_anti_replay_set_add_function(gnutls_anti_replay_t anti_replay, + gnutls_db_add_func add_func) { anti_replay->db_add_func = add_func; } diff --git a/lib/tls13/anti_replay.h b/lib/tls13/anti_replay.h index e3ff48aa26..5ee91b08b0 100644 --- a/lib/tls13/anti_replay.h +++ b/lib/tls13/anti_replay.h @@ -21,11 +21,10 @@ */ #ifndef GNUTLS_LIB_TLS13_ANTI_REPLAY_H -# define GNUTLS_LIB_TLS13_ANTI_REPLAY_H +#define GNUTLS_LIB_TLS13_ANTI_REPLAY_H -int _gnutls_anti_replay_check(gnutls_anti_replay_t, - uint32_t client_ticket_age, +int _gnutls_anti_replay_check(gnutls_anti_replay_t, uint32_t client_ticket_age, struct timespec *ticket_creation_time, - gnutls_datum_t * id); + gnutls_datum_t *id); -#endif /* GNUTLS_LIB_TLS13_ANTI_REPLAY_H */ +#endif /* GNUTLS_LIB_TLS13_ANTI_REPLAY_H */ diff --git a/lib/tls13/certificate.c b/lib/tls13/certificate.c index e071a74aaa..d5fc847c51 100644 --- a/lib/tls13/certificate.c +++ b/lib/tls13/certificate.c @@ -31,14 +31,14 @@ #include "ext/compress_certificate.h" #include "ext/status_request.h" -static int parse_cert_extension(void *ctx, unsigned tls_id, - const uint8_t * data, unsigned data_size); -static int parse_cert_list(gnutls_session_t session, uint8_t * data, +static int parse_cert_extension(void *ctx, unsigned tls_id, const uint8_t *data, + unsigned data_size); +static int parse_cert_list(gnutls_session_t session, uint8_t *data, size_t data_size); -static int compress_certificate(gnutls_buffer_st * buf, unsigned cert_pos_mark, +static int compress_certificate(gnutls_buffer_st *buf, unsigned cert_pos_mark, gnutls_compression_method_t comp_method); static int decompress_certificate(gnutls_session_t session, - gnutls_buffer_st * buf); + gnutls_buffer_st *buf); int _gnutls13_recv_certificate(gnutls_session_t session) { @@ -59,31 +59,27 @@ int _gnutls13_recv_certificate(gnutls_session_t session) optional = 1; } - ret = - _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_CERTIFICATE_PKT, 0, - &buf); + ret = _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_CERTIFICATE_PKT, + 0, &buf); if (ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET) { /* check if we received compressed certificate */ - err = - _gnutls_recv_handshake(session, - GNUTLS_HANDSHAKE_COMPRESSED_CERTIFICATE_PKT, - 0, &buf); + err = _gnutls_recv_handshake( + session, GNUTLS_HANDSHAKE_COMPRESSED_CERTIFICATE_PKT, 0, + &buf); if (err >= 0) { /* fail if we receive unsolicited compressed certificate */ - if (! - (session-> - internals.hsk_flags & HSK_COMP_CRT_REQ_SENT)) - return - gnutls_assert_val - (GNUTLS_E_UNEXPECTED_PACKET); + if (!(session->internals.hsk_flags & + HSK_COMP_CRT_REQ_SENT)) + return gnutls_assert_val( + GNUTLS_E_UNEXPECTED_PACKET); decompress_cert = 1; ret = err; } } if (ret < 0) { - if (ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET - && session->internals.send_cert_req) + if (ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET && + session->internals.send_cert_req) return gnutls_assert_val(GNUTLS_E_NO_CERTIFICATE_FOUND); return gnutls_assert_val(ret); @@ -117,10 +113,10 @@ int _gnutls13_recv_certificate(gnutls_session_t session) } if (context.size != - session->internals.post_handshake_cr_context.size - || memcmp(context.data, - session->internals.post_handshake_cr_context.data, - context.size) != 0) { + session->internals.post_handshake_cr_context.size || + memcmp(context.data, + session->internals.post_handshake_cr_context.data, + context.size) != 0) { ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; gnutls_assert(); goto cleanup; @@ -157,7 +153,7 @@ int _gnutls13_recv_certificate(gnutls_session_t session) session->internals.hsk_flags |= HSK_CRT_VRFY_EXPECTED; ret = 0; - cleanup: +cleanup: _gnutls_buffer_clear(&buf); return ret; @@ -170,8 +166,7 @@ struct ocsp_req_ctx_st { gnutls_certificate_credentials_t cred; }; -static -int append_status_request(void *_ctx, gnutls_buffer_st * buf) +static int append_status_request(void *_ctx, gnutls_buffer_st *buf) { struct ocsp_req_ctx_st *ctx = _ctx; gnutls_session_t session = ctx->session; @@ -184,41 +179,39 @@ int append_status_request(void *_ctx, gnutls_buffer_st * buf) /* The global ocsp callback function can only be used to return * a single certificate request */ - if (session->internals.selected_ocsp_length == 1 - && ctx->cert_index != 0) + if (session->internals.selected_ocsp_length == 1 && + ctx->cert_index != 0) return 0; if (session->internals.selected_ocsp_length > 0) { if (ctx->cert_index < session->internals.selected_ocsp_length) { - if ((session->internals. - selected_ocsp[ctx->cert_index].exptime != 0 - && gnutls_time(0) >= - session->internals.selected_ocsp[ctx-> - cert_index].exptime) - || session->internals. - selected_ocsp[ctx->cert_index].response.data == - NULL) { + if ((session->internals.selected_ocsp[ctx->cert_index] + .exptime != 0 && + gnutls_time(0) >= + session->internals + .selected_ocsp[ctx->cert_index] + .exptime) || + session->internals.selected_ocsp[ctx->cert_index] + .response.data == NULL) { return 0; } - resp.data = - session->internals.selected_ocsp[ctx-> - cert_index].response. - data; - resp.size = - session->internals.selected_ocsp[ctx-> - cert_index].response. - size; + resp.data = session->internals + .selected_ocsp[ctx->cert_index] + .response.data; + resp.size = session->internals + .selected_ocsp[ctx->cert_index] + .response.size; ret = 0; } else { return 0; } } else if (session->internals.selected_ocsp_func) { if (ctx->cert_index == 0) { - ret = - session->internals.selected_ocsp_func(session, - session->internals.selected_ocsp_func_ptr, - &resp); + ret = session->internals.selected_ocsp_func( + session, + session->internals.selected_ocsp_func_ptr, + &resp); free_resp = 1; } else { return 0; @@ -245,7 +238,7 @@ int append_status_request(void *_ctx, gnutls_buffer_st * buf) } ret = 0; - cleanup: +cleanup: if (free_resp) gnutls_free(resp.data); return ret; @@ -268,8 +261,8 @@ int _gnutls13_send_certificate(gnutls_session_t session, unsigned again) comp_method = gnutls_compress_certificate_get_selected_method(session); compress_cert = comp_method != GNUTLS_COMP_UNKNOWN; - h_type = compress_cert ? GNUTLS_HANDSHAKE_COMPRESSED_CERTIFICATE_PKT - : GNUTLS_HANDSHAKE_CERTIFICATE_PKT; + h_type = compress_cert ? GNUTLS_HANDSHAKE_COMPRESSED_CERTIFICATE_PKT : + GNUTLS_HANDSHAKE_CERTIFICATE_PKT; if (again == 0) { if (!session->internals.initial_negotiation_completed && @@ -280,8 +273,8 @@ int _gnutls13_send_certificate(gnutls_session_t session, unsigned again) session->internals.resumed) return 0; - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE); + cred = (gnutls_certificate_credentials_t)_gnutls_get_cred( + session, GNUTLS_CRD_CERTIFICATE); if (cred == NULL) { gnutls_assert(); return GNUTLS_E_INSUFFICIENT_CREDENTIALS; @@ -305,9 +298,12 @@ int _gnutls13_send_certificate(gnutls_session_t session, unsigned again) cert_pos_mark = buf.length; if (session->security_parameters.entity == GNUTLS_CLIENT) { - ret = _gnutls_buffer_append_data_prefix(&buf, 8, - session->internals.post_handshake_cr_context.data, - session->internals.post_handshake_cr_context.size); + ret = _gnutls_buffer_append_data_prefix( + &buf, 8, + session->internals.post_handshake_cr_context + .data, + session->internals.post_handshake_cr_context + .size); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -330,11 +326,9 @@ int _gnutls13_send_certificate(gnutls_session_t session, unsigned again) } for (i = 0; i < (unsigned)apr_cert_list_length; i++) { - ret = _gnutls_buffer_append_data_prefix(&buf, 24, - apr_cert_list - [i].cert.data, - apr_cert_list - [i].cert.size); + ret = _gnutls_buffer_append_data_prefix( + &buf, 24, apr_cert_list[i].cert.data, + apr_cert_list[i].cert.size); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -342,13 +336,12 @@ int _gnutls13_send_certificate(gnutls_session_t session, unsigned again) #ifdef ENABLE_OCSP if ((session->internals.selected_ocsp_length > 0 || session->internals.selected_ocsp_func) && - (((session-> - internals.hsk_flags & HSK_OCSP_REQUESTED) - && IS_SERVER(session)) - || - ((session-> - internals.hsk_flags & HSK_CLIENT_OCSP_REQUESTED) - && !IS_SERVER(session)))) { + (((session->internals.hsk_flags & + HSK_OCSP_REQUESTED) && + IS_SERVER(session)) || + ((session->internals.hsk_flags & + HSK_CLIENT_OCSP_REQUESTED) && + !IS_SERVER(session)))) { /* append status response if available */ ret = _gnutls_extv_append_init(&buf); if (ret < 0) { @@ -361,19 +354,16 @@ int _gnutls13_send_certificate(gnutls_session_t session, unsigned again) ctx.cert_index = i; ctx.session = session; ctx.cred = cred; - ret = - _gnutls_extv_append(&buf, - STATUS_REQUEST_TLS_ID, - &ctx, - append_status_request); + ret = _gnutls_extv_append( + &buf, STATUS_REQUEST_TLS_ID, &ctx, + append_status_request); if (ret < 0) { gnutls_assert(); goto cleanup; } - ret = - _gnutls_extv_append_final(&buf, - ext_pos_mark, 0); + ret = _gnutls_extv_append_final( + &buf, ext_pos_mark, 0); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -393,9 +383,8 @@ int _gnutls13_send_certificate(gnutls_session_t session, unsigned again) &buf.data[pos_mark]); if (compress_cert) { - ret = - compress_certificate(&buf, cert_pos_mark, - comp_method); + ret = compress_certificate(&buf, cert_pos_mark, + comp_method); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -407,7 +396,7 @@ int _gnutls13_send_certificate(gnutls_session_t session, unsigned again) return _gnutls_send_handshake(session, bufel, h_type); - cleanup: +cleanup: _gnutls_buffer_clear(&buf); return ret; } @@ -419,7 +408,7 @@ typedef struct crt_cert_ctx_st { } crt_cert_ctx_st; static int parse_cert_extension(void *_ctx, unsigned tls_id, - const uint8_t * data, unsigned data_size) + const uint8_t *data, unsigned data_size) { crt_cert_ctx_st *ctx = _ctx; gnutls_session_t session = ctx->session; @@ -427,8 +416,8 @@ static int parse_cert_extension(void *_ctx, unsigned tls_id, if (tls_id == STATUS_REQUEST_TLS_ID) { #ifdef ENABLE_OCSP - if (!_gnutls_hello_ext_is_present - (session, ext_mod_status_request.gid)) { + if (!_gnutls_hello_ext_is_present(session, + ext_mod_status_request.gid)) { gnutls_assert(); goto unexpected; } @@ -436,9 +425,8 @@ static int parse_cert_extension(void *_ctx, unsigned tls_id, _gnutls_handshake_log("Found OCSP response on cert %d\n", ctx->idx); - ret = - _gnutls_parse_ocsp_response(session, data, data_size, - ctx->ocsp); + ret = _gnutls_parse_ocsp_response(session, data, data_size, + ctx->ocsp); if (ret < 0) return gnutls_assert_val(ret); #endif @@ -448,14 +436,14 @@ static int parse_cert_extension(void *_ctx, unsigned tls_id, return 0; - unexpected: +unexpected: _gnutls_debug_log("received unexpected certificate extension (%d)\n", (int)tls_id); return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION); } -static int -parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size) +static int parse_cert_list(gnutls_session_t session, uint8_t *data, + size_t data_size) { int ret; size_t len; @@ -470,16 +458,15 @@ parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size) gnutls_datum_t *peer_ocsp = NULL; unsigned nentries = 0; - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE); + cred = (gnutls_certificate_credentials_t)_gnutls_get_cred( + session, GNUTLS_CRD_CERTIFICATE); if (cred == NULL) { gnutls_assert(); return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - if ((ret = - _gnutls_auth_info_init(session, GNUTLS_CRD_CERTIFICATE, - sizeof(cert_auth_info_st), 1)) < 0) { + if ((ret = _gnutls_auth_info_init(session, GNUTLS_CRD_CERTIFICATE, + sizeof(cert_auth_info_st), 1)) < 0) { gnutls_assert(); return ret; } @@ -509,9 +496,8 @@ parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size) DECR_LEN(data_size, 3); len = _gnutls_read_uint24(p); if (len == 0) - return - gnutls_assert_val - (GNUTLS_E_UNEXPECTED_PACKET_LENGTH); + return gnutls_assert_val( + GNUTLS_E_UNEXPECTED_PACKET_LENGTH); DECR_LEN(data_size, len); p += len + 3; @@ -579,8 +565,8 @@ parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size) ctx.ocsp = &peer_ocsp[j]; ctx.idx = j; - ret = - _gnutls_extv_parse(&ctx, parse_cert_extension, p, len + 2); + ret = _gnutls_extv_parse(&ctx, parse_cert_extension, p, + len + 2); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -609,7 +595,7 @@ parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size) return 0; - cleanup: +cleanup: for (j = 0; j < npeer_certs; j++) gnutls_free(peer_certs[j].data); @@ -618,12 +604,10 @@ parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size) gnutls_free(peer_certs); gnutls_free(peer_ocsp); return ret; - } -static int -compress_certificate(gnutls_buffer_st * buf, unsigned cert_pos_mark, - gnutls_compression_method_t comp_method) +static int compress_certificate(gnutls_buffer_st *buf, unsigned cert_pos_mark, + gnutls_compression_method_t comp_method) { int ret, method_num; size_t comp_bound; @@ -642,9 +626,8 @@ compress_certificate(gnutls_buffer_st * buf, unsigned cert_pos_mark, comp.data = gnutls_malloc(comp_bound); if (comp.data == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - ret = - _gnutls_compress(comp_method, comp.data, comp_bound, plain.data, - plain.size); + ret = _gnutls_compress(comp_method, comp.data, comp_bound, plain.data, + plain.size); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -668,13 +651,13 @@ compress_certificate(gnutls_buffer_st * buf, unsigned cert_pos_mark, goto cleanup; } - cleanup: +cleanup: gnutls_free(comp.data); return ret; } -static int -decompress_certificate(gnutls_session_t session, gnutls_buffer_st * buf) +static int decompress_certificate(gnutls_session_t session, + gnutls_buffer_st *buf) { int ret; size_t method_num, plain_exp_len; @@ -686,8 +669,8 @@ decompress_certificate(gnutls_session_t session, gnutls_buffer_st * buf) return gnutls_assert_val(ret); comp_method = _gnutls_compress_certificate_num2method(method_num); - if (!_gnutls_compress_certificate_is_method_enabled - (session, comp_method)) + if (!_gnutls_compress_certificate_is_method_enabled(session, + comp_method)) return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); ret = _gnutls_buffer_pop_prefix24(buf, &plain_exp_len, 0); @@ -701,9 +684,8 @@ decompress_certificate(gnutls_session_t session, gnutls_buffer_st * buf) plain.data = gnutls_malloc(plain_exp_len); if (plain.data == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - ret = - _gnutls_decompress(comp_method, plain.data, plain_exp_len, - comp.data, comp.size); + ret = _gnutls_decompress(comp_method, plain.data, plain_exp_len, + comp.data, comp.size); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -723,7 +705,7 @@ decompress_certificate(gnutls_session_t session, gnutls_buffer_st * buf) goto cleanup; } - cleanup: +cleanup: gnutls_free(plain.data); return ret; } diff --git a/lib/tls13/certificate.h b/lib/tls13/certificate.h index a0505d560b..6f46cc2dd6 100644 --- a/lib/tls13/certificate.h +++ b/lib/tls13/certificate.h @@ -21,9 +21,9 @@ */ #ifndef GNUTLS_LIB_TLS13_CERTIFICATE_H -# define GNUTLS_LIB_TLS13_CERTIFICATE_H +#define GNUTLS_LIB_TLS13_CERTIFICATE_H int _gnutls13_recv_certificate(gnutls_session_t session); int _gnutls13_send_certificate(gnutls_session_t session, unsigned again); -#endif /* GNUTLS_LIB_TLS13_CERTIFICATE_H */ +#endif /* GNUTLS_LIB_TLS13_CERTIFICATE_H */ diff --git a/lib/tls13/certificate_request.c b/lib/tls13/certificate_request.c index 1dd92628b5..8a8a1499af 100644 --- a/lib/tls13/certificate_request.c +++ b/lib/tls13/certificate_request.c @@ -42,13 +42,12 @@ typedef struct crt_req_ctx_st { unsigned got_sig_algo; gnutls_pk_algorithm_t pk_algos[MAX_ALGOS]; unsigned pk_algos_length; - const uint8_t *rdn; /* pointer inside the message buffer */ + const uint8_t *rdn; /* pointer inside the message buffer */ unsigned rdn_size; } crt_req_ctx_st; static unsigned is_algo_in_list(gnutls_pk_algorithm_t algo, - gnutls_pk_algorithm_t * list, - unsigned list_size) + gnutls_pk_algorithm_t *list, unsigned list_size) { unsigned j; @@ -59,9 +58,8 @@ static unsigned is_algo_in_list(gnutls_pk_algorithm_t algo, return 0; } -static -int parse_cert_extension(void *_ctx, unsigned tls_id, const uint8_t * data, - unsigned data_size) +static int parse_cert_extension(void *_ctx, unsigned tls_id, + const uint8_t *data, unsigned data_size) { crt_req_ctx_st *ctx = _ctx; gnutls_session_t session = ctx->session; @@ -78,28 +76,25 @@ int parse_cert_extension(void *_ctx, unsigned tls_id, const uint8_t * data, unsigned i; if (ctx->got_sig_algo) - return - gnutls_assert_val - (GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION); + return gnutls_assert_val( + GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION); ctx->got_sig_algo = 1; if (data_size < 2) - return - gnutls_assert_val - (GNUTLS_E_TLS_PACKET_DECODING_ERROR); + return gnutls_assert_val( + GNUTLS_E_TLS_PACKET_DECODING_ERROR); v = _gnutls_read_uint16(data); if (v != data_size - 2) - return - gnutls_assert_val - (GNUTLS_E_TLS_PACKET_DECODING_ERROR); + return gnutls_assert_val( + GNUTLS_E_TLS_PACKET_DECODING_ERROR); data += 2; data_size -= 2; - ret = - _gnutls_sign_algorithm_parse_data(session, data, data_size); + ret = _gnutls_sign_algorithm_parse_data(session, data, + data_size); if (ret < 0) return gnutls_assert_val(ret); @@ -117,8 +112,8 @@ int parse_cert_extension(void *_ctx, unsigned tls_id, const uint8_t * data, sizeof(ctx->pk_algos) / sizeof(ctx->pk_algos[0])) break; - if (is_algo_in_list - (se->pk, ctx->pk_algos, ctx->pk_algos_length)) + if (is_algo_in_list(se->pk, ctx->pk_algos, + ctx->pk_algos_length)) continue; ctx->pk_algos[ctx->pk_algos_length++] = se->pk; @@ -126,31 +121,28 @@ int parse_cert_extension(void *_ctx, unsigned tls_id, const uint8_t * data, #ifdef ENABLE_OCSP } else if (tls_id == ext_mod_status_request.tls_id) { if (data_size != 0) - return - gnutls_assert_val - (GNUTLS_E_TLS_PACKET_DECODING_ERROR); + return gnutls_assert_val( + GNUTLS_E_TLS_PACKET_DECODING_ERROR); /* we are now allowed to send OCSP staples */ session->internals.hsk_flags |= HSK_CLIENT_OCSP_REQUESTED; #endif } else if (tls_id == EXTID_CERTIFICATE_AUTHORITIES) { if (data_size < 3) { - return - gnutls_assert_val - (GNUTLS_E_TLS_PACKET_DECODING_ERROR); + return gnutls_assert_val( + GNUTLS_E_TLS_PACKET_DECODING_ERROR); } v = _gnutls_read_uint16(data); if (v != data_size - 2) - return - gnutls_assert_val - (GNUTLS_E_TLS_PACKET_DECODING_ERROR); + return gnutls_assert_val( + GNUTLS_E_TLS_PACKET_DECODING_ERROR); ctx->rdn = data + 2; ctx->rdn_size = v; } else if (tls_id == ext_mod_compress_certificate.tls_id) { - ret = _gnutls_compress_certificate_recv_params(session, - data, data_size); + ret = _gnutls_compress_certificate_recv_params(session, data, + data_size); if (ret < 0) { return gnutls_assert_val(ret); } @@ -160,7 +152,7 @@ int parse_cert_extension(void *_ctx, unsigned tls_id, const uint8_t * data, } int _gnutls13_recv_certificate_request_int(gnutls_session_t session, - gnutls_buffer_st * buf) + gnutls_buffer_st *buf) { int ret; crt_req_ctx_st ctx; @@ -178,9 +170,8 @@ int _gnutls13_recv_certificate_request_int(gnutls_session_t session, if (!session->internals.initial_negotiation_completed) { if (buf->data[0] != 0) { /* The context field must be empty during handshake */ - return - gnutls_assert_val - (GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); + return gnutls_assert_val( + GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); } /* buf->length is positive */ @@ -194,10 +185,9 @@ int _gnutls13_recv_certificate_request_int(gnutls_session_t session, return gnutls_assert_val(ret); gnutls_free(session->internals.post_handshake_cr_context.data); - ret = - _gnutls_set_datum(&session-> - internals.post_handshake_cr_context, - context.data, context.size); + ret = _gnutls_set_datum( + &session->internals.post_handshake_cr_context, + context.data, context.size); if (ret < 0) return gnutls_assert_val(ret); } @@ -205,9 +195,8 @@ int _gnutls13_recv_certificate_request_int(gnutls_session_t session, memset(&ctx, 0, sizeof(ctx)); ctx.session = session; - ret = - _gnutls_extv_parse(&ctx, parse_cert_extension, buf->data, - buf->length); + ret = _gnutls_extv_parse(&ctx, parse_cert_extension, buf->data, + buf->length); if (ret < 0) return gnutls_assert_val(ret); @@ -230,14 +219,13 @@ int _gnutls13_recv_certificate_request_int(gnutls_session_t session, if (apr_cert_list_length > 0) { gnutls_sign_algorithm_t algo; - algo = - _gnutls_session_get_sign_algo(session, &apr_cert_list[0], - apr_pkey, 0, - GNUTLS_KX_UNKNOWN); + algo = _gnutls_session_get_sign_algo(session, &apr_cert_list[0], + apr_pkey, 0, + GNUTLS_KX_UNKNOWN); if (algo == GNUTLS_SIGN_UNKNOWN) { - _gnutls_handshake_log - ("HSK[%p]: rejecting client auth because of no suitable signature algorithm\n", - session); + _gnutls_handshake_log( + "HSK[%p]: rejecting client auth because of no suitable signature algorithm\n", + session); _gnutls_selected_certs_deinit(session); return gnutls_assert_val(0); } @@ -260,10 +248,8 @@ int _gnutls13_recv_certificate_request(gnutls_session_t session) if (unlikely(session->security_parameters.entity != GNUTLS_CLIENT)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - ret = - _gnutls_recv_handshake(session, - GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST, 1, - &buf); + ret = _gnutls_recv_handshake( + session, GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST, 1, &buf); if (ret < 0) return gnutls_assert_val(ret); @@ -279,8 +265,7 @@ int _gnutls13_recv_certificate_request(gnutls_session_t session) return ret; } -static -int write_certificate_authorities(void *ctx, gnutls_buffer_st * buf) +static int write_certificate_authorities(void *ctx, gnutls_buffer_st *buf) { gnutls_session_t session = ctx; gnutls_certificate_credentials_t cred; @@ -288,8 +273,8 @@ int write_certificate_authorities(void *ctx, gnutls_buffer_st * buf) if (session->internals.ignore_rdn_sequence != 0) return 0; - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE); + cred = (gnutls_certificate_credentials_t)_gnutls_get_cred( + session, GNUTLS_CRD_CERTIFICATE); if (cred == NULL) { gnutls_assert(); return GNUTLS_E_INSUFFICIENT_CREDENTIALS; @@ -298,15 +283,12 @@ int write_certificate_authorities(void *ctx, gnutls_buffer_st * buf) if (cred->tlist->x509_rdn_sequence.size == 0) return 0; - return - _gnutls_buffer_append_data_prefix(buf, 16, - cred->tlist->x509_rdn_sequence. - data, - cred->tlist->x509_rdn_sequence. - size); + return _gnutls_buffer_append_data_prefix( + buf, 16, cred->tlist->x509_rdn_sequence.data, + cred->tlist->x509_rdn_sequence.size); } -static int append_empty_ext(void *ctx, gnutls_buffer_st * buf) +static int append_empty_ext(void *ctx, gnutls_buffer_st *buf) { return GNUTLS_E_INT_RET_0; } @@ -329,38 +311,40 @@ int _gnutls13_send_certificate_request(gnutls_session_t session, unsigned again) if (session->internals.send_cert_req == 0) return 0; - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE); + cred = (gnutls_certificate_credentials_t)_gnutls_get_cred( + session, GNUTLS_CRD_CERTIFICATE); if (cred == NULL) - return - gnutls_assert_val - (GNUTLS_E_INSUFFICIENT_CREDENTIALS); + return gnutls_assert_val( + GNUTLS_E_INSUFFICIENT_CREDENTIALS); ret = _gnutls_buffer_init_handshake_mbuffer(&buf); if (ret < 0) return gnutls_assert_val(ret); - if (session->internals.initial_negotiation_completed) { /* reauth */ + if (session->internals + .initial_negotiation_completed) { /* reauth */ ret = gnutls_rnd(GNUTLS_RND_NONCE, rnd, sizeof(rnd)); if (ret < 0) { gnutls_assert(); goto cleanup; } - gnutls_free(session-> - internals.post_handshake_cr_context.data); - ret = - _gnutls_set_datum(&session-> - internals.post_handshake_cr_context, - rnd, sizeof(rnd)); + gnutls_free(session->internals.post_handshake_cr_context + .data); + ret = _gnutls_set_datum( + &session->internals.post_handshake_cr_context, + rnd, sizeof(rnd)); if (ret < 0) { gnutls_assert(); goto cleanup; } - ret = _gnutls_buffer_append_data_prefix(&buf, 8, - session->internals.post_handshake_cr_context.data, - session->internals.post_handshake_cr_context.size); + ret = _gnutls_buffer_append_data_prefix( + &buf, 8, + session->internals.post_handshake_cr_context + .data, + session->internals.post_handshake_cr_context + .size); } else { ret = _gnutls_buffer_append_prefix(&buf, 8, 0); } @@ -377,26 +361,25 @@ int _gnutls13_send_certificate_request(gnutls_session_t session, unsigned again) } init_pos = ret; - ret = _gnutls_extv_append(&buf, ext_mod_sig.tls_id, session, - (extv_append_func) - _gnutls_sign_algorithm_write_params); + ret = _gnutls_extv_append( + &buf, ext_mod_sig.tls_id, session, + (extv_append_func)_gnutls_sign_algorithm_write_params); if (ret < 0) { gnutls_assert(); goto cleanup; } - ret = - _gnutls_extv_append(&buf, EXTID_CERTIFICATE_AUTHORITIES, - session, write_certificate_authorities); + ret = _gnutls_extv_append(&buf, EXTID_CERTIFICATE_AUTHORITIES, + session, + write_certificate_authorities); if (ret < 0) { gnutls_assert(); goto cleanup; } #ifdef ENABLE_OCSP /* We always advertise our support for OCSP stapling */ - ret = - _gnutls_extv_append(&buf, ext_mod_status_request.tls_id, - session, append_empty_ext); + ret = _gnutls_extv_append(&buf, ext_mod_status_request.tls_id, + session, append_empty_ext); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -404,11 +387,10 @@ int _gnutls13_send_certificate_request(gnutls_session_t session, unsigned again) session->internals.hsk_flags |= HSK_CLIENT_OCSP_REQUESTED; #endif - ret = - _gnutls_extv_append(&buf, - ext_mod_compress_certificate.tls_id, - session, (extv_append_func) - _gnutls_compress_certificate_send_params); + ret = _gnutls_extv_append( + &buf, ext_mod_compress_certificate.tls_id, session, + (extv_append_func) + _gnutls_compress_certificate_send_params); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -428,8 +410,7 @@ int _gnutls13_send_certificate_request(gnutls_session_t session, unsigned again) return _gnutls_send_handshake(session, bufel, GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST); - cleanup: +cleanup: _gnutls_buffer_clear(&buf); return ret; - } diff --git a/lib/tls13/certificate_request.h b/lib/tls13/certificate_request.h index 3f0c9e29f0..226047d932 100644 --- a/lib/tls13/certificate_request.h +++ b/lib/tls13/certificate_request.h @@ -21,13 +21,13 @@ */ #ifndef GNUTLS_LIB_TLS13_CERTIFICATE_REQUEST_H -# define GNUTLS_LIB_TLS13_CERTIFICATE_REQUEST_H +#define GNUTLS_LIB_TLS13_CERTIFICATE_REQUEST_H int _gnutls13_recv_certificate_request(gnutls_session_t session); int _gnutls13_recv_certificate_request_int(gnutls_session_t session, - gnutls_buffer_st * buf); + gnutls_buffer_st *buf); int _gnutls13_send_certificate_request(gnutls_session_t session, unsigned again); -#endif /* GNUTLS_LIB_TLS13_CERTIFICATE_REQUEST_H */ +#endif /* GNUTLS_LIB_TLS13_CERTIFICATE_REQUEST_H */ diff --git a/lib/tls13/certificate_verify.c b/lib/tls13/certificate_verify.c index fdb9f6da0d..1cca457ec1 100644 --- a/lib/tls13/certificate_verify.c +++ b/lib/tls13/certificate_verify.c @@ -31,14 +31,10 @@ #include "tls13/certificate_verify.h" #define SRV_CTX "TLS 1.3, server CertificateVerify" -static const gnutls_datum_t srv_ctx = { - (void *)SRV_CTX, sizeof(SRV_CTX) - 1 -}; +static const gnutls_datum_t srv_ctx = { (void *)SRV_CTX, sizeof(SRV_CTX) - 1 }; #define CLI_CTX "TLS 1.3, client CertificateVerify" -static const gnutls_datum_t cli_ctx = { - (void *)CLI_CTX, sizeof(CLI_CTX) - 1 -}; +static const gnutls_datum_t cli_ctx = { (void *)CLI_CTX, sizeof(CLI_CTX) - 1 }; int _gnutls13_recv_certificate_verify(gnutls_session_t session) { @@ -50,7 +46,7 @@ int _gnutls13_recv_certificate_verify(gnutls_session_t session) unsigned vflags; gnutls_pcert_st peer_cert; cert_auth_info_t info = - _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE); + _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE); bool server = 0; gnutls_certificate_type_t cert_type; @@ -64,16 +60,15 @@ int _gnutls13_recv_certificate_verify(gnutls_session_t session) if (session->security_parameters.entity == GNUTLS_SERVER) server = 1; - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE); + cred = (gnutls_certificate_credentials_t)_gnutls_get_cred( + session, GNUTLS_CRD_CERTIFICATE); if (unlikely(cred == NULL)) return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS); if (unlikely(info == NULL)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - ret = - _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY, - 0, &buf); + ret = _gnutls_recv_handshake( + session, GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY, 0, &buf); if (ret < 0) return gnutls_assert_val(ret); @@ -127,8 +122,8 @@ int _gnutls13_recv_certificate_verify(gnutls_session_t session) goto cleanup; } - vflags = - cred->verify_flags | session->internals.additional_verify_flags; + vflags = cred->verify_flags | + session->internals.additional_verify_flags; ret = _gnutls13_handshake_verify_data(session, vflags, &peer_cert, server ? (&cli_ctx) : (&srv_ctx), @@ -145,7 +140,7 @@ int _gnutls13_recv_certificate_verify(gnutls_session_t session) } ret = 0; - cleanup: +cleanup: gnutls_pcert_deinit(&peer_cert); _gnutls_buffer_clear(&buf); return ret; @@ -184,9 +179,8 @@ int _gnutls13_send_certificate_verify(gnutls_session_t session, unsigned again) if (apr_cert_list_length == 0) { if (server) { - return - gnutls_assert_val - (GNUTLS_E_INSUFFICIENT_CREDENTIALS); + return gnutls_assert_val( + GNUTLS_E_INSUFFICIENT_CREDENTIALS); } else { /* for client, this means either we * didn't get a cert request or we are @@ -197,15 +191,13 @@ int _gnutls13_send_certificate_verify(gnutls_session_t session, unsigned again) } if (server) { - algo = - _gnutls_session_get_sign_algo(session, - &apr_cert_list[0], - apr_pkey, 0, - GNUTLS_KX_UNKNOWN); + algo = _gnutls_session_get_sign_algo(session, + &apr_cert_list[0], + apr_pkey, 0, + GNUTLS_KX_UNKNOWN); if (algo == GNUTLS_SIGN_UNKNOWN) - return - gnutls_assert_val - (GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY); + return gnutls_assert_val( + GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY); gnutls_sign_algorithm_set_server(session, algo); } else { @@ -213,16 +205,15 @@ int _gnutls13_send_certificate_verify(gnutls_session_t session, unsigned again) * determined from Certificate Request */ algo = gnutls_sign_algorithm_get_client(session); if (unlikely(algo == GNUTLS_SIGN_UNKNOWN)) - return - gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + return gnutls_assert_val( + GNUTLS_E_INTERNAL_ERROR); } se = _gnutls_sign_to_entry(algo); - ret = - _gnutls13_handshake_sign_data(session, &apr_cert_list[0], - apr_pkey, server ? (&srv_ctx) - : (&cli_ctx), &sig, se); + ret = _gnutls13_handshake_sign_data( + session, &apr_cert_list[0], apr_pkey, + server ? (&srv_ctx) : (&cli_ctx), &sig, se); if (ret < 0) return gnutls_assert_val(ret); @@ -238,9 +229,8 @@ int _gnutls13_send_certificate_verify(gnutls_session_t session, unsigned again) goto cleanup; } - ret = - _gnutls_buffer_append_data_prefix(&buf, 16, sig.data, - sig.size); + ret = _gnutls_buffer_append_data_prefix(&buf, 16, sig.data, + sig.size); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -254,7 +244,7 @@ int _gnutls13_send_certificate_verify(gnutls_session_t session, unsigned again) return _gnutls_send_handshake(session, bufel, GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY); - cleanup: +cleanup: gnutls_free(sig.data); _gnutls_buffer_clear(&buf); return ret; diff --git a/lib/tls13/certificate_verify.h b/lib/tls13/certificate_verify.h index ece2df3f77..9d4ce3135f 100644 --- a/lib/tls13/certificate_verify.h +++ b/lib/tls13/certificate_verify.h @@ -21,9 +21,9 @@ */ #ifndef GNUTLS_LIB_TLS13_CERTIFICATE_VERIFY_H -# define GNUTLS_LIB_TLS13_CERTIFICATE_VERIFY_H +#define GNUTLS_LIB_TLS13_CERTIFICATE_VERIFY_H int _gnutls13_recv_certificate_verify(gnutls_session_t session); int _gnutls13_send_certificate_verify(gnutls_session_t session, unsigned again); -#endif /* GNUTLS_LIB_TLS13_CERTIFICATE_VERIFY_H */ +#endif /* GNUTLS_LIB_TLS13_CERTIFICATE_VERIFY_H */ diff --git a/lib/tls13/early_data.c b/lib/tls13/early_data.c index 5dc74c325e..4be998825c 100644 --- a/lib/tls13/early_data.c +++ b/lib/tls13/early_data.c @@ -33,12 +33,10 @@ int _gnutls13_send_early_data(gnutls_session_t session) return 0; while (session->internals.early_data_presend_buffer.length > 0) { - ret = - gnutls_record_send(session, - session->internals. - early_data_presend_buffer.data, - session->internals. - early_data_presend_buffer.length); + ret = gnutls_record_send( + session, + session->internals.early_data_presend_buffer.data, + session->internals.early_data_presend_buffer.length); if (ret < 0) return gnutls_assert_val(ret); @@ -85,10 +83,8 @@ int _gnutls13_recv_end_of_early_data(gnutls_session_t session) return 0; if (!(session->internals.flags & GNUTLS_NO_END_OF_EARLY_DATA)) { - ret = - _gnutls_recv_handshake(session, - GNUTLS_HANDSHAKE_END_OF_EARLY_DATA, - 0, &buf); + ret = _gnutls_recv_handshake( + session, GNUTLS_HANDSHAKE_END_OF_EARLY_DATA, 0, &buf); if (ret < 0) return gnutls_assert_val(ret); @@ -102,7 +98,7 @@ int _gnutls13_recv_end_of_early_data(gnutls_session_t session) session->internals.hsk_flags &= ~HSK_EARLY_DATA_IN_FLIGHT; ret = 0; - cleanup: +cleanup: _gnutls_buffer_clear(&buf); return ret; diff --git a/lib/tls13/early_data.h b/lib/tls13/early_data.h index 004365605f..6fef12c107 100644 --- a/lib/tls13/early_data.h +++ b/lib/tls13/early_data.h @@ -21,10 +21,10 @@ */ #ifndef GNUTLS_LIB_TLS13_EARLY_DATA_H -# define GNUTLS_LIB_TLS13_EARLY_DATA_H +#define GNUTLS_LIB_TLS13_EARLY_DATA_H int _gnutls13_send_end_of_early_data(gnutls_session_t session, unsigned again); int _gnutls13_recv_end_of_early_data(gnutls_session_t session); int _gnutls13_send_early_data(gnutls_session_t session); -#endif /* GNUTLS_LIB_TLS13_EARLY_DATA_H */ +#endif /* GNUTLS_LIB_TLS13_EARLY_DATA_H */ diff --git a/lib/tls13/encrypted_extensions.c b/lib/tls13/encrypted_extensions.c index 9821913fad..651f789123 100644 --- a/lib/tls13/encrypted_extensions.c +++ b/lib/tls13/encrypted_extensions.c @@ -32,19 +32,16 @@ int _gnutls13_recv_encrypted_extensions(gnutls_session_t session) int ret; gnutls_buffer_st buf; - ret = - _gnutls_recv_handshake(session, - GNUTLS_HANDSHAKE_ENCRYPTED_EXTENSIONS, 0, - &buf); + ret = _gnutls_recv_handshake( + session, GNUTLS_HANDSHAKE_ENCRYPTED_EXTENSIONS, 0, &buf); if (ret < 0) return gnutls_assert_val(ret); _gnutls_handshake_log("HSK[%p]: parsing encrypted extensions\n", session); - ret = - _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_EE, - GNUTLS_EXT_ANY, buf.data, - buf.length); + ret = _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_EE, + GNUTLS_EXT_ANY, buf.data, + buf.length); _gnutls_buffer_clear(&buf); if (ret < 0) @@ -65,10 +62,8 @@ int _gnutls13_send_encrypted_extensions(gnutls_session_t session, if (ret < 0) return gnutls_assert_val(ret); - ret = - _gnutls_gen_hello_extensions(session, &buf, - GNUTLS_EXT_FLAG_EE, - GNUTLS_EXT_ANY); + ret = _gnutls_gen_hello_extensions( + session, &buf, GNUTLS_EXT_FLAG_EE, GNUTLS_EXT_ANY); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -80,7 +75,7 @@ int _gnutls13_send_encrypted_extensions(gnutls_session_t session, return _gnutls_send_handshake(session, bufel, GNUTLS_HANDSHAKE_ENCRYPTED_EXTENSIONS); - cleanup: +cleanup: _gnutls_buffer_clear(&buf); return ret; } diff --git a/lib/tls13/encrypted_extensions.h b/lib/tls13/encrypted_extensions.h index 83b77672ca..8b0e6d5a88 100644 --- a/lib/tls13/encrypted_extensions.h +++ b/lib/tls13/encrypted_extensions.h @@ -21,10 +21,10 @@ */ #ifndef GNUTLS_LIB_TLS13_ENCRYPTED_EXTENSIONS_H -# define GNUTLS_LIB_TLS13_ENCRYPTED_EXTENSIONS_H +#define GNUTLS_LIB_TLS13_ENCRYPTED_EXTENSIONS_H int _gnutls13_recv_encrypted_extensions(gnutls_session_t session); int _gnutls13_send_encrypted_extensions(gnutls_session_t session, unsigned again); -#endif /* GNUTLS_LIB_TLS13_ENCRYPTED_EXTENSIONS_H */ +#endif /* GNUTLS_LIB_TLS13_ENCRYPTED_EXTENSIONS_H */ diff --git a/lib/tls13/finished.c b/lib/tls13/finished.c index e447e9e50e..91e940702d 100644 --- a/lib/tls13/finished.c +++ b/lib/tls13/finished.c @@ -28,30 +28,26 @@ #include "mbuffers.h" #include "secrets.h" -int _gnutls13_compute_finished(const mac_entry_st * prf, - const uint8_t * base_key, - gnutls_buffer_st * handshake_hash_buffer, +int _gnutls13_compute_finished(const mac_entry_st *prf, const uint8_t *base_key, + gnutls_buffer_st *handshake_hash_buffer, void *out) { int ret; uint8_t fkey[MAX_HASH_SIZE]; uint8_t ts_hash[MAX_HASH_SIZE]; - ret = _tls13_expand_secret2(prf, - "finished", 8, - NULL, 0, base_key, prf->output_size, fkey); + ret = _tls13_expand_secret2(prf, "finished", 8, NULL, 0, base_key, + prf->output_size, fkey); if (ret < 0) return gnutls_assert_val(ret); - ret = gnutls_hash_fast(MAC_TO_DIG(prf->id), - handshake_hash_buffer->data, + ret = gnutls_hash_fast(MAC_TO_DIG(prf->id), handshake_hash_buffer->data, handshake_hash_buffer->length, ts_hash); if (ret < 0) return gnutls_assert_val(ret); - ret = gnutls_hmac_fast(prf->id, - fkey, prf->output_size, - ts_hash, prf->output_size, out); + ret = gnutls_hmac_fast(prf->id, fkey, prf->output_size, ts_hash, + prf->output_size, out); if (ret < 0) return gnutls_assert_val(ret); @@ -83,18 +79,16 @@ int _gnutls13_recv_finished(gnutls_session_t session) base_key = session->key.proto.tls13.ap_ckey; } - ret = _gnutls13_compute_finished(session->security_parameters.prf, - base_key, - &session-> - internals.handshake_hash_buffer, - verifier); + ret = _gnutls13_compute_finished( + session->security_parameters.prf, base_key, + &session->internals.handshake_hash_buffer, verifier); if (ret < 0) { gnutls_assert(); goto cleanup; } - ret = - _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_FINISHED, 0, &buf); + ret = _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_FINISHED, 0, + &buf); if (ret < 0) return gnutls_assert_val(ret); @@ -106,7 +100,7 @@ int _gnutls13_recv_finished(gnutls_session_t session) goto cleanup; } #if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION) -# warning This is unsafe for production builds +#warning This is unsafe for production builds #else if (gnutls_memcmp(verifier, buf.data, buf.length) != 0) { gnutls_assert(); @@ -116,7 +110,7 @@ int _gnutls13_recv_finished(gnutls_session_t session) #endif ret = 0; - cleanup: +cleanup: _gnutls_buffer_clear(&buf); return ret; @@ -150,12 +144,9 @@ int _gnutls13_send_finished(gnutls_session_t session, unsigned again) base_key = session->key.proto.tls13.ap_skey; } - ret = - _gnutls13_compute_finished(session->security_parameters.prf, - base_key, - &session-> - internals.handshake_hash_buffer, - verifier); + ret = _gnutls13_compute_finished( + session->security_parameters.prf, base_key, + &session->internals.handshake_hash_buffer, verifier); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -178,7 +169,7 @@ int _gnutls13_send_finished(gnutls_session_t session, unsigned again) return _gnutls_send_handshake(session, bufel, GNUTLS_HANDSHAKE_FINISHED); - cleanup: +cleanup: _mbuffer_xfree(&bufel); return ret; } diff --git a/lib/tls13/finished.h b/lib/tls13/finished.h index 3628d163e2..94a015f6f3 100644 --- a/lib/tls13/finished.h +++ b/lib/tls13/finished.h @@ -21,13 +21,12 @@ */ #ifndef GNUTLS_LIB_TLS13_FINISHED_H -# define GNUTLS_LIB_TLS13_FINISHED_H +#define GNUTLS_LIB_TLS13_FINISHED_H -int _gnutls13_compute_finished(const mac_entry_st * prf, - const uint8_t * base_key, - gnutls_buffer_st * handshake_hash_buffer, +int _gnutls13_compute_finished(const mac_entry_st *prf, const uint8_t *base_key, + gnutls_buffer_st *handshake_hash_buffer, void *out); int _gnutls13_recv_finished(gnutls_session_t session); int _gnutls13_send_finished(gnutls_session_t session, unsigned again); -#endif /* GNUTLS_LIB_TLS13_FINISHED_H */ +#endif /* GNUTLS_LIB_TLS13_FINISHED_H */ diff --git a/lib/tls13/hello_retry.c b/lib/tls13/hello_retry.c index 00a0360aff..b4b91c84fa 100644 --- a/lib/tls13/hello_retry.c +++ b/lib/tls13/hello_retry.c @@ -39,8 +39,8 @@ int _gnutls13_send_hello_retry_request(gnutls_session_t session, unsigned again) if (again == 0) { ver = get_version(session); - if (unlikely - (ver == NULL || session->security_parameters.cs == NULL)) + if (unlikely(ver == NULL || + session->security_parameters.cs == NULL)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ret = _gnutls_buffer_init_handshake_mbuffer(&buf); @@ -51,26 +51,23 @@ int _gnutls13_send_hello_retry_request(gnutls_session_t session, unsigned again) if (ret < 0) return gnutls_assert_val(ret); - ret = _gnutls_buffer_append_data(&buf, - HRR_RANDOM, + ret = _gnutls_buffer_append_data(&buf, HRR_RANDOM, GNUTLS_RANDOM_SIZE); if (ret < 0) { gnutls_assert(); goto cleanup; } - ret = _gnutls_buffer_append_data_prefix(&buf, 8, - session->security_parameters.session_id, - session->security_parameters.session_id_size); + ret = _gnutls_buffer_append_data_prefix( + &buf, 8, session->security_parameters.session_id, + session->security_parameters.session_id_size); if (ret < 0) { gnutls_assert(); goto cleanup; } - ret = - _gnutls_buffer_append_data(&buf, - session->security_parameters. - cs->id, 2); + ret = _gnutls_buffer_append_data( + &buf, session->security_parameters.cs->id, 2); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -83,9 +80,8 @@ int _gnutls13_send_hello_retry_request(gnutls_session_t session, unsigned again) goto cleanup; } - ret = _gnutls_gen_hello_extensions(session, &buf, - GNUTLS_EXT_FLAG_HRR, - GNUTLS_EXT_ANY); + ret = _gnutls_gen_hello_extensions( + session, &buf, GNUTLS_EXT_FLAG_HRR, GNUTLS_EXT_ANY); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -102,14 +98,13 @@ int _gnutls13_send_hello_retry_request(gnutls_session_t session, unsigned again) return _gnutls_send_handshake(session, bufel, GNUTLS_HANDSHAKE_HELLO_RETRY_REQUEST); - cleanup: +cleanup: _gnutls_buffer_clear(&buf); return ret; } -int -_gnutls13_recv_hello_retry_request(gnutls_session_t session, - gnutls_buffer_st * buf) +int _gnutls13_recv_hello_retry_request(gnutls_session_t session, + gnutls_buffer_st *buf) { int ret; uint8_t tmp[2]; @@ -182,18 +177,16 @@ _gnutls13_recv_hello_retry_request(gnutls_session_t session, } /* figure version first */ - ret = - _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_HRR, - GNUTLS_EXT_VERSION_NEG, - buf->data, buf->length); + ret = _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_HRR, + GNUTLS_EXT_VERSION_NEG, buf->data, + buf->length); if (ret < 0) return gnutls_assert_val(ret); /* parse the rest of extensions */ - ret = - _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_HRR, - GNUTLS_EXT_ANY, buf->data, - buf->length); + ret = _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_HRR, + GNUTLS_EXT_ANY, buf->data, + buf->length); if (ret < 0) return gnutls_assert_val(ret); diff --git a/lib/tls13/hello_retry.h b/lib/tls13/hello_retry.h index 95f0400358..aec3fe5271 100644 --- a/lib/tls13/hello_retry.h +++ b/lib/tls13/hello_retry.h @@ -21,9 +21,9 @@ */ #ifndef GNUTLS_LIB_TLS13_HELLO_RETRY_H -# define GNUTLS_LIB_TLS13_HELLO_RETRY_H +#define GNUTLS_LIB_TLS13_HELLO_RETRY_H int _gnutls13_send_hello_retry_request(gnutls_session_t session, unsigned again); -#endif /* GNUTLS_LIB_TLS13_HELLO_RETRY_H */ +#endif /* GNUTLS_LIB_TLS13_HELLO_RETRY_H */ diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c index 7a1641e880..41243651b5 100644 --- a/lib/tls13/key_update.c +++ b/lib/tls13/key_update.c @@ -44,8 +44,9 @@ static inline int set_ktls_keys(gnutls_session_t session, session->internals.ktls_enabled = 0; session->internals.invalid_connection = true; session->internals.resumable = false; - _gnutls_audit_log(session, - "invalidating session: KTLS - couldn't update keys\n"); + _gnutls_audit_log( + session, + "invalidating session: KTLS - couldn't update keys\n"); return GNUTLS_E_INTERNAL_ERROR; } return 0; @@ -55,9 +56,9 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage) { int ret; - ret = - _tls13_update_secret(session, session->key.proto.tls13.temp_secret, - session->key.proto.tls13.temp_secret_size); + ret = _tls13_update_secret(session, + session->key.proto.tls13.temp_secret, + session->key.proto.tls13.temp_secret_size); if (ret < 0) return gnutls_assert_val(ret); @@ -80,11 +81,11 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage) if (ret < 0) return gnutls_assert_val(ret); - if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND) - && stage == STAGE_UPD_OURS) + if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND) && + stage == STAGE_UPD_OURS) ret = set_ktls_keys(session, GNUTLS_KTLS_SEND); - else if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV) - && stage == STAGE_UPD_PEERS) + else if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV) && + stage == STAGE_UPD_PEERS) ret = set_ktls_keys(session, GNUTLS_KTLS_RECV); } if (ret < 0) @@ -93,7 +94,7 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage) return 0; } -int _gnutls13_recv_key_update(gnutls_session_t session, gnutls_buffer_st * buf) +int _gnutls13_recv_key_update(gnutls_session_t session, gnutls_buffer_st *buf) { int ret; struct timespec now; @@ -106,16 +107,16 @@ int _gnutls13_recv_key_update(gnutls_session_t session, gnutls_buffer_st * buf) /* Roll over the counter if the time window has elapsed */ if (session->internals.key_update_count == 0 || timespec_sub_ms(&now, &session->internals.last_key_update) > - KEY_UPDATES_WINDOW) { + KEY_UPDATES_WINDOW) { session->internals.last_key_update = now; session->internals.key_update_count = 0; } if (unlikely(++session->internals.key_update_count > KEY_UPDATES_PER_WINDOW)) { - _gnutls_debug_log - ("reached maximum number of key updates per %d milliseconds (%d)\n", - KEY_UPDATES_WINDOW, KEY_UPDATES_PER_WINDOW); + _gnutls_debug_log( + "reached maximum number of key updates per %d milliseconds (%d)\n", + KEY_UPDATES_WINDOW, KEY_UPDATES_PER_WINDOW); return gnutls_assert_val(GNUTLS_E_TOO_MANY_HANDSHAKE_PACKETS); } @@ -150,10 +151,10 @@ int _gnutls13_recv_key_update(gnutls_session_t session, gnutls_buffer_st * buf) */ if (session->internals.rsend_state == RECORD_SEND_NORMAL) session->internals.rsend_state = - RECORD_SEND_KEY_UPDATE_1; + RECORD_SEND_KEY_UPDATE_1; else if (session->internals.rsend_state == RECORD_SEND_CORKED) session->internals.rsend_state = - RECORD_SEND_CORKED_TO_KU; + RECORD_SEND_CORKED_TO_KU; break; default: @@ -166,7 +167,7 @@ int _gnutls13_recv_key_update(gnutls_session_t session, gnutls_buffer_st * buf) } int _gnutls13_send_key_update(gnutls_session_t session, unsigned again, - unsigned flags /* GNUTLS_KU_* */ ) + unsigned flags /* GNUTLS_KU_* */) { int ret; mbuffer_st *bufel = NULL; @@ -195,13 +196,12 @@ int _gnutls13_send_key_update(gnutls_session_t session, unsigned again, gnutls_assert(); goto cleanup; } - } return _gnutls_send_handshake(session, bufel, GNUTLS_HANDSHAKE_KEY_UPDATE); - cleanup: +cleanup: _mbuffer_xfree(&bufel); return ret; } diff --git a/lib/tls13/key_update.h b/lib/tls13/key_update.h index ad29c34b89..326af381bc 100644 --- a/lib/tls13/key_update.h +++ b/lib/tls13/key_update.h @@ -21,10 +21,10 @@ */ #ifndef GNUTLS_LIB_TLS13_KEY_UPDATE_H -# define GNUTLS_LIB_TLS13_KEY_UPDATE_H +#define GNUTLS_LIB_TLS13_KEY_UPDATE_H -int _gnutls13_recv_key_update(gnutls_session_t session, gnutls_buffer_st * buf); +int _gnutls13_recv_key_update(gnutls_session_t session, gnutls_buffer_st *buf); int _gnutls13_send_key_update(gnutls_session_t session, unsigned again, unsigned flags); -#endif /* GNUTLS_LIB_TLS13_KEY_UPDATE_H */ +#endif /* GNUTLS_LIB_TLS13_KEY_UPDATE_H */ diff --git a/lib/tls13/post_handshake.c b/lib/tls13/post_handshake.c index fa42b2c126..fa7768e6f8 100644 --- a/lib/tls13/post_handshake.c +++ b/lib/tls13/post_handshake.c @@ -52,14 +52,13 @@ #include "tls13/finished.h" #undef AGAIN -#define AGAIN(x) ((x)==(REAUTH_STATE)) +#define AGAIN(x) ((x) == (REAUTH_STATE)) /* * _gnutls13_reauth_client * This function performs the client side of the post-handshake authentication */ -static -int _gnutls13_reauth_client(gnutls_session_t session) +static int _gnutls13_reauth_client(gnutls_session_t session) { int ret = 0; size_t tmp; @@ -78,44 +77,35 @@ int _gnutls13_reauth_client(gnutls_session_t session) /* restore handshake transcript */ _gnutls_buffer_reset(&session->internals.handshake_hash_buffer); - ret = - gnutls_buffer_append_data(&session-> - internals.handshake_hash_buffer, - session-> - internals.post_handshake_hash_buffer. - data, - session-> - internals.post_handshake_hash_buffer.length); + ret = gnutls_buffer_append_data( + &session->internals.handshake_hash_buffer, + session->internals.post_handshake_hash_buffer.data, + session->internals.post_handshake_hash_buffer.length); if (ret < 0) return gnutls_assert_val(ret); /* append the previously received certificate request message, to the * transcript. */ - ret = - gnutls_buffer_append_data(&session-> - internals.handshake_hash_buffer, - session->internals. - reauth_buffer.data, - session->internals. - reauth_buffer.length); + ret = gnutls_buffer_append_data( + &session->internals.handshake_hash_buffer, + session->internals.reauth_buffer.data, + session->internals.reauth_buffer.length); if (ret < 0) return gnutls_assert_val(ret); session->internals.handshake_hash_buffer_prev_len = - session->internals.handshake_hash_buffer.length; + session->internals.handshake_hash_buffer.length; /* skip the reauth buffer handshake message headers */ - ret = - _gnutls_buffer_pop_prefix32(&session-> - internals.reauth_buffer, &tmp, - 0); + ret = _gnutls_buffer_pop_prefix32( + &session->internals.reauth_buffer, &tmp, 0); if (ret < 0) return gnutls_assert_val(ret); FALLTHROUGH; case REAUTH_STATE1: - ret = _gnutls13_recv_certificate_request_int(session, - &session->internals.reauth_buffer); + ret = _gnutls13_recv_certificate_request_int( + session, &session->internals.reauth_buffer); REAUTH_STATE = REAUTH_STATE1; IMED_RET("recv certificate request", ret, 0); FALLTHROUGH; @@ -125,9 +115,8 @@ int _gnutls13_reauth_client(gnutls_session_t session) IMED_RET("send certificate", ret, 0); FALLTHROUGH; case REAUTH_STATE3: - ret = - _gnutls13_send_certificate_verify(session, - AGAIN(REAUTH_STATE3)); + ret = _gnutls13_send_certificate_verify(session, + AGAIN(REAUTH_STATE3)); REAUTH_STATE = REAUTH_STATE3; IMED_RET("send certificate verify", ret, 0); FALLTHROUGH; @@ -151,8 +140,7 @@ int _gnutls13_reauth_client(gnutls_session_t session) * _gnutls13_reauth_server * This function does the server stuff of the post-handshake authentication. */ -static -int _gnutls13_reauth_server(gnutls_session_t session) +static int _gnutls13_reauth_server(gnutls_session_t session) { int ret = 0; @@ -161,8 +149,8 @@ int _gnutls13_reauth_server(gnutls_session_t session) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); if (session->internals.send_cert_req == 0) { - _gnutls_debug_log - ("You need to call gnutls_certificate_server_set_request to enable post handshake auth\n"); + _gnutls_debug_log( + "You need to call gnutls_certificate_server_set_request to enable post handshake auth\n"); return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); } @@ -170,25 +158,20 @@ int _gnutls13_reauth_server(gnutls_session_t session) case REAUTH_STATE0: /* restore handshake transcript */ _gnutls_buffer_reset(&session->internals.handshake_hash_buffer); - ret = - gnutls_buffer_append_data(&session-> - internals.handshake_hash_buffer, - session-> - internals.post_handshake_hash_buffer. - data, - session-> - internals.post_handshake_hash_buffer.length); + ret = gnutls_buffer_append_data( + &session->internals.handshake_hash_buffer, + session->internals.post_handshake_hash_buffer.data, + session->internals.post_handshake_hash_buffer.length); if (ret < 0) return gnutls_assert_val(ret); session->internals.handshake_hash_buffer_prev_len = - session->internals.handshake_hash_buffer.length; + session->internals.handshake_hash_buffer.length; FALLTHROUGH; case REAUTH_STATE1: - ret = - _gnutls13_send_certificate_request(session, - AGAIN(REAUTH_STATE1)); + ret = _gnutls13_send_certificate_request(session, + AGAIN(REAUTH_STATE1)); REAUTH_STATE = REAUTH_STATE1; IMED_RET("send certificate request", ret, 0); FALLTHROUGH; diff --git a/lib/tls13/psk_ext_parser.c b/lib/tls13/psk_ext_parser.c index 68ac0ea50b..4f6682b905 100644 --- a/lib/tls13/psk_ext_parser.c +++ b/lib/tls13/psk_ext_parser.c @@ -27,7 +27,7 @@ /* Returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when no identities * are present, or 0, on success. */ -int _gnutls13_psk_ext_parser_init(psk_ext_parser_st * p, +int _gnutls13_psk_ext_parser_init(psk_ext_parser_st *p, const unsigned char *data, size_t len) { if (!p || !data || !len) @@ -62,7 +62,7 @@ int _gnutls13_psk_ext_parser_init(psk_ext_parser_st * p, * Returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when no more identities * are present, or 0, on success. */ -int _gnutls13_psk_ext_iter_next_identity(psk_ext_iter_st * iter, +int _gnutls13_psk_ext_iter_next_identity(psk_ext_iter_st *iter, struct psk_st *psk) { if (iter->identities_len == 0) @@ -91,8 +91,8 @@ int _gnutls13_psk_ext_iter_next_identity(psk_ext_iter_st * iter, * Returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when no more identities * are present, or 0, on success. */ -int _gnutls13_psk_ext_iter_next_binder(psk_ext_iter_st * iter, - gnutls_datum_t * binder) +int _gnutls13_psk_ext_iter_next_binder(psk_ext_iter_st *iter, + gnutls_datum_t *binder) { if (iter->binders_len == 0) return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; @@ -103,7 +103,7 @@ int _gnutls13_psk_ext_iter_next_binder(psk_ext_iter_st * iter, return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); iter->binders_data++; - binder->data = (uint8_t *) iter->binders_data; + binder->data = (uint8_t *)iter->binders_data; DECR_LEN(iter->binders_len, binder->size); iter->binders_data += binder->size; diff --git a/lib/tls13/psk_ext_parser.h b/lib/tls13/psk_ext_parser.h index 65c617f43d..1a37757117 100644 --- a/lib/tls13/psk_ext_parser.h +++ b/lib/tls13/psk_ext_parser.h @@ -21,7 +21,7 @@ */ #ifndef GNUTLS_LIB_TLS13_PSK_EXT_PARSER_H -# define GNUTLS_LIB_TLS13_PSK_EXT_PARSER_H +#define GNUTLS_LIB_TLS13_PSK_EXT_PARSER_H struct psk_ext_parser_st { const unsigned char *identities_data; @@ -40,19 +40,18 @@ struct psk_st { uint32_t ob_ticket_age; }; -int _gnutls13_psk_ext_parser_init(psk_ext_parser_st * p, +int _gnutls13_psk_ext_parser_init(psk_ext_parser_st *p, const unsigned char *data, size_t len); -inline static -void _gnutls13_psk_ext_iter_init(psk_ext_iter_st * iter, - const psk_ext_parser_st * p) +inline static void _gnutls13_psk_ext_iter_init(psk_ext_iter_st *iter, + const psk_ext_parser_st *p) { memcpy(iter, p, sizeof(*p)); } -int _gnutls13_psk_ext_iter_next_identity(psk_ext_iter_st * iter, +int _gnutls13_psk_ext_iter_next_identity(psk_ext_iter_st *iter, struct psk_st *psk); -int _gnutls13_psk_ext_iter_next_binder(psk_ext_iter_st * iter, - gnutls_datum_t * binder); +int _gnutls13_psk_ext_iter_next_binder(psk_ext_iter_st *iter, + gnutls_datum_t *binder); -#endif /* GNUTLS_LIB_TLS13_PSK_EXT_PARSER_H */ +#endif /* GNUTLS_LIB_TLS13_PSK_EXT_PARSER_H */ diff --git a/lib/tls13/session_ticket.c b/lib/tls13/session_ticket.c index 546f90257a..b60822056f 100644 --- a/lib/tls13/session_ticket.c +++ b/lib/tls13/session_ticket.c @@ -33,9 +33,8 @@ #include "session_pack.h" #include "db.h" -static int -pack_ticket(gnutls_session_t session, tls13_ticket_st * ticket, - gnutls_datum_t * packed) +static int pack_ticket(gnutls_session_t session, tls13_ticket_st *ticket, + gnutls_datum_t *packed) { uint8_t *p; gnutls_datum_t state; @@ -45,9 +44,8 @@ pack_ticket(gnutls_session_t session, tls13_ticket_st * ticket, if (ret < 0) return gnutls_assert_val(ret); - packed->size = 2 + 4 + 4 + - 1 + ticket->prf->output_size + - 1 + ticket->nonce_size + 2 + state.size + 12; + packed->size = 2 + 4 + 4 + 1 + ticket->prf->output_size + 1 + + ticket->nonce_size + 2 + state.size + 12; packed->data = gnutls_malloc(packed->size); if (!packed->data) { @@ -80,7 +78,7 @@ pack_ticket(gnutls_session_t session, tls13_ticket_st * ticket, memcpy(p, state.data, state.size); p += state.size; - _gnutls_write_uint32((uint64_t) ticket->creation_time.tv_sec >> 32, p); + _gnutls_write_uint32((uint64_t)ticket->creation_time.tv_sec >> 32, p); p += 4; _gnutls_write_uint32(ticket->creation_time.tv_sec & 0xFFFFFFFF, p); p += 4; @@ -88,14 +86,13 @@ pack_ticket(gnutls_session_t session, tls13_ticket_st * ticket, ret = 0; - cleanup: +cleanup: gnutls_free(state.data); return ret; } -static int -unpack_ticket(gnutls_session_t session, gnutls_datum_t * packed, - tls13_ticket_st * data) +static int unpack_ticket(gnutls_session_t session, gnutls_datum_t *packed, + tls13_ticket_st *data) { uint32_t age_add, lifetime; struct timespec creation_time; @@ -194,8 +191,8 @@ unpack_ticket(gnutls_session_t session, gnutls_datum_t * packed, return 0; } -static int -generate_session_ticket(gnutls_session_t session, tls13_ticket_st * ticket) +static int generate_session_ticket(gnutls_session_t session, + tls13_ticket_st *ticket) { int ret; gnutls_datum_t packed = { NULL, 0 }; @@ -206,14 +203,13 @@ generate_session_ticket(gnutls_session_t session, tls13_ticket_st * ticket) if (session->internals.resumed) { /* If we are resuming ensure that we don't extend the lifetime * of the ticket past the original session expiration time */ - if (now.tv_sec >= - session->security_parameters.timestamp + - session->internals.expire_time) - return GNUTLS_E_INT_RET_0; /* don't send ticket */ + if (now.tv_sec >= session->security_parameters.timestamp + + session->internals.expire_time) + return GNUTLS_E_INT_RET_0; /* don't send ticket */ else ticket->lifetime = - session->security_parameters.timestamp + - session->internals.expire_time - now.tv_sec; + session->security_parameters.timestamp + + session->internals.expire_time - now.tv_sec; } else { /* Set ticket lifetime to the default expiration time */ ticket->lifetime = session->internals.expire_time; @@ -222,15 +218,14 @@ generate_session_ticket(gnutls_session_t session, tls13_ticket_st * ticket) /* Generate a random 32-bit ticket nonce */ ticket->nonce_size = 4; - if ((ret = gnutls_rnd(GNUTLS_RND_NONCE, - ticket->nonce, ticket->nonce_size)) < 0) + if ((ret = gnutls_rnd(GNUTLS_RND_NONCE, ticket->nonce, + ticket->nonce_size)) < 0) return gnutls_assert_val(ret); - if ((ret = - gnutls_rnd(GNUTLS_RND_NONCE, &ticket->age_add, - sizeof(uint32_t))) < 0) + if ((ret = gnutls_rnd(GNUTLS_RND_NONCE, &ticket->age_add, + sizeof(uint32_t))) < 0) return gnutls_assert_val(ret); - /* This is merely to produce the same binder value on + /* This is merely to produce the same binder value on * different endian architectures. */ #ifdef WORDS_BIGENDIAN ticket->age_add = bswap_32(ticket->age_add); @@ -260,7 +255,7 @@ generate_session_ticket(gnutls_session_t session, tls13_ticket_st * ticket) return 0; } -static int append_nst_extension(void *ctx, gnutls_buffer_st * buf) +static int append_nst_extension(void *ctx, gnutls_buffer_st *buf) { gnutls_session_t session = ctx; int ret; @@ -268,9 +263,8 @@ static int append_nst_extension(void *ctx, gnutls_buffer_st * buf) if (!(session->internals.flags & GNUTLS_ENABLE_EARLY_DATA)) return 0; - ret = _gnutls_buffer_append_prefix(buf, 32, - session->security_parameters. - max_early_data_size); + ret = _gnutls_buffer_append_prefix( + buf, 32, session->security_parameters.max_early_data_size); if (ret < 0) gnutls_assert(); @@ -321,39 +315,32 @@ int _gnutls13_send_session_ticket(gnutls_session_t session, unsigned nr, goto cleanup; } - ret = - _gnutls_buffer_append_prefix(&buf, 32, - ticket.lifetime); + ret = _gnutls_buffer_append_prefix(&buf, 32, + ticket.lifetime); if (ret < 0) { gnutls_assert(); goto cleanup; } - ret = - _gnutls_buffer_append_prefix(&buf, 32, - ticket.age_add); + ret = _gnutls_buffer_append_prefix(&buf, 32, + ticket.age_add); if (ret < 0) { gnutls_assert(); goto cleanup; } /* append ticket_nonce */ - ret = - _gnutls_buffer_append_data_prefix(&buf, 8, - ticket.nonce, - ticket.nonce_size); + ret = _gnutls_buffer_append_data_prefix( + &buf, 8, ticket.nonce, ticket.nonce_size); if (ret < 0) { gnutls_assert(); goto cleanup; } /* append ticket */ - ret = - _gnutls_buffer_append_data_prefix(&buf, 16, - ticket. - ticket.data, - ticket. - ticket.size); + ret = _gnutls_buffer_append_data_prefix( + &buf, 16, ticket.ticket.data, + ticket.ticket.size); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -369,10 +356,9 @@ int _gnutls13_send_session_ticket(gnutls_session_t session, unsigned nr, } init_pos = ret; - ret = - _gnutls_extv_append(&buf, ext_mod_early_data.tls_id, - session, (extv_append_func) - append_nst_extension); + ret = _gnutls_extv_append( + &buf, ext_mod_early_data.tls_id, session, + (extv_append_func)append_nst_extension); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -386,9 +372,9 @@ int _gnutls13_send_session_ticket(gnutls_session_t session, unsigned nr, bufel = _gnutls_buffer_to_mbuffer(&buf); - ret = _gnutls_send_handshake2(session, bufel, - GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, - 1); + ret = _gnutls_send_handshake2( + session, bufel, + GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, 1); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -402,7 +388,7 @@ int _gnutls13_send_session_ticket(gnutls_session_t session, unsigned nr, return ret; - cleanup: +cleanup: _gnutls_free_datum(&ticket.ticket); _mbuffer_xfree(&bufel); _gnutls_buffer_clear(&buf); @@ -416,17 +402,16 @@ static int parse_nst_extension(void *ctx, unsigned tls_id, gnutls_session_t session = ctx; if (tls_id == ext_mod_early_data.tls_id) { if (data_size < 4) - return - gnutls_assert_val - (GNUTLS_E_TLS_PACKET_DECODING_ERROR); + return gnutls_assert_val( + GNUTLS_E_TLS_PACKET_DECODING_ERROR); session->security_parameters.max_early_data_size = - _gnutls_read_uint32(data); + _gnutls_read_uint32(data); } return 0; } int _gnutls13_recv_session_ticket(gnutls_session_t session, - gnutls_buffer_st * buf) + gnutls_buffer_st *buf) { int ret; uint8_t value; @@ -476,9 +461,8 @@ int _gnutls13_recv_session_ticket(gnutls_session_t session, return gnutls_assert_val(ret); /* Extensions */ - ret = - _gnutls_extv_parse(session, parse_nst_extension, buf->data, - buf->length); + ret = _gnutls_extv_parse(session, parse_nst_extension, buf->data, + buf->length); if (ret < 0) return gnutls_assert_val(ret); @@ -493,8 +477,8 @@ int _gnutls13_recv_session_ticket(gnutls_session_t session, * and the KDF ID associated to it. */ int _gnutls13_unpack_session_ticket(gnutls_session_t session, - gnutls_datum_t * data, - tls13_ticket_st * ticket_data) + gnutls_datum_t *data, + tls13_ticket_st *ticket_data) { int ret; gnutls_datum_t decrypted = { NULL, 0 }; diff --git a/lib/tls13/session_ticket.h b/lib/tls13/session_ticket.h index e28d77d7e7..1b14518b4e 100644 --- a/lib/tls13/session_ticket.h +++ b/lib/tls13/session_ticket.h @@ -21,25 +21,24 @@ */ #ifndef GNUTLS_LIB_TLS13_SESSION_TICKET_H -# define GNUTLS_LIB_TLS13_SESSION_TICKET_H +#define GNUTLS_LIB_TLS13_SESSION_TICKET_H int _gnutls13_recv_session_ticket(gnutls_session_t session, - gnutls_buffer_st * buf); + gnutls_buffer_st *buf); int _gnutls13_send_session_ticket(gnutls_session_t session, unsigned nr, unsigned again); static inline bool _gnutls13_can_send_session_ticket(gnutls_session_t session) { return session->key.stek_initialized && - !(session->internals.flags & GNUTLS_NO_TICKETS); + !(session->internals.flags & GNUTLS_NO_TICKETS); } int _gnutls13_unpack_session_ticket(gnutls_session_t session, - gnutls_datum_t * data, - tls13_ticket_st * ticket_data); + gnutls_datum_t *data, + tls13_ticket_st *ticket_data); -inline static -void tls13_ticket_deinit(tls13_ticket_st * ticket) +inline static void tls13_ticket_deinit(tls13_ticket_st *ticket) { zeroize_temp_key(&ticket->resumption_master_secret, sizeof(ticket->resumption_master_secret)); @@ -48,4 +47,4 @@ void tls13_ticket_deinit(tls13_ticket_st * ticket) memset(ticket, 0, sizeof(tls13_ticket_st)); } -#endif /* GNUTLS_LIB_TLS13_SESSION_TICKET_H */ +#endif /* GNUTLS_LIB_TLS13_SESSION_TICKET_H */ |