From 3aea821a6ce36bd14f2a3a41598db698d031fadc Mon Sep 17 00:00:00 2001 From: Nikos Date: Sun, 16 Mar 2008 17:37:44 +0200 Subject: several fixes in the cipher (register) interface and added hash. --- lib/gnutls_cipher.c | 66 +++++------ lib/gnutls_cipher_int.c | 16 +-- lib/gnutls_cipher_int.h | 2 +- lib/gnutls_constate.c | 12 +- lib/gnutls_handshake.c | 89 +++++++-------- lib/gnutls_hash_int.c | 292 +++++++++++++++++++++++++++-------------------- lib/gnutls_hash_int.h | 37 +++--- lib/gnutls_int.h | 5 +- lib/gnutls_sig.c | 129 ++++++++++----------- lib/gnutls_srp.c | 37 +++--- lib/gnutls_state.c | 35 +++--- lib/gnutls_ui.c | 14 ++- lib/x509/pkcs12.c | 22 ++-- lib/x509/privkey.c | 11 +- lib/x509/privkey_pkcs8.c | 36 +++--- lib/x509/sign.c | 24 ++-- lib/x509/verify.c | 24 ++-- lib/x509/x509.c | 11 +- 18 files changed, 459 insertions(+), 403 deletions(-) diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c index c8bc72314b..cd3cdb1c27 100644 --- a/lib/gnutls_cipher.c +++ b/lib/gnutls_cipher.c @@ -193,29 +193,32 @@ _gnutls_decrypt (gnutls_session_t session, opaque * ciphertext, return ret; } -inline static mac_hd_t -mac_init (gnutls_mac_algorithm_t mac, opaque * secret, int secret_size, +inline static int +mac_init (digest_hd_st* td, gnutls_mac_algorithm_t mac, opaque * secret, int secret_size, int ver) { - mac_hd_t td; +int ret = 0; if (mac == GNUTLS_MAC_NULL) - return GNUTLS_MAC_FAILED; + { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } if (ver == GNUTLS_SSL3) { /* SSL 3.0 */ - td = _gnutls_mac_init_ssl3 (mac, secret, secret_size); + ret = _gnutls_mac_init_ssl3 (td, mac, secret, secret_size); } else { /* TLS 1.x */ - td = _gnutls_hmac_init (mac, secret, secret_size); + ret = _gnutls_hmac_init (td, mac, secret, secret_size); } - return td; + return ret; } inline static void -mac_deinit (mac_hd_t td, opaque * res, int ver) +mac_deinit (digest_hd_st *td, opaque * res, int ver) { if (ver == GNUTLS_SSL3) { /* SSL 3.0 */ @@ -298,7 +301,7 @@ _gnutls_compressed2ciphertext (gnutls_session_t session, uint16_t c_length; uint8_t pad; int length, ret; - mac_hd_t td; + digest_hd_st td; uint8_t type = _type; uint8_t major, minor; int hash_size = @@ -320,34 +323,33 @@ _gnutls_compressed2ciphertext (gnutls_session_t session, /* Initialize MAC */ - td = mac_init (session->security_parameters.write_mac_algorithm, + ret = mac_init (&td, session->security_parameters.write_mac_algorithm, session->connection_state.write_mac_secret.data, session->connection_state.write_mac_secret.size, ver); - if (td == GNUTLS_MAC_FAILED - && session->security_parameters.write_mac_algorithm != GNUTLS_MAC_NULL) + if (ret < 0 && session->security_parameters.write_mac_algorithm != GNUTLS_MAC_NULL) { gnutls_assert (); - return GNUTLS_E_INTERNAL_ERROR; + return ret; } c_length = _gnutls_conv_uint16 (compressed.size); - if (td != GNUTLS_MAC_FAILED) + if (session->security_parameters.write_mac_algorithm != GNUTLS_MAC_NULL) { /* actually when the algorithm in not the NULL one */ - _gnutls_hmac (td, + _gnutls_hmac (&td, UINT64DATA (session->connection_state. write_sequence_number), 8); - _gnutls_hmac (td, &type, 1); + _gnutls_hmac (&td, &type, 1); if (ver >= GNUTLS_TLS1) { /* TLS 1.0 or higher */ - _gnutls_hmac (td, &major, 1); - _gnutls_hmac (td, &minor, 1); + _gnutls_hmac (&td, &major, 1); + _gnutls_hmac (&td, &minor, 1); } - _gnutls_hmac (td, &c_length, 2); - _gnutls_hmac (td, compressed.data, compressed.size); - mac_deinit (td, MAC, ver); + _gnutls_hmac (&td, &c_length, 2); + _gnutls_hmac (&td, compressed.data, compressed.size); + mac_deinit (&td, MAC, ver); } @@ -424,7 +426,7 @@ _gnutls_ciphertext2compressed (gnutls_session_t session, uint16_t c_length; uint8_t pad; int length; - mac_hd_t td; + digest_hd_st td; uint16_t blocksize; int ret, i, pad_failed = 0; uint8_t major, minor; @@ -442,11 +444,11 @@ _gnutls_ciphertext2compressed (gnutls_session_t session, /* initialize MAC */ - td = mac_init (session->security_parameters.read_mac_algorithm, + ret = mac_init (&td, session->security_parameters.read_mac_algorithm, session->connection_state.read_mac_secret.data, session->connection_state.read_mac_secret.size, ver); - if (td == GNUTLS_MAC_FAILED + if (ret < 0 && session->security_parameters.read_mac_algorithm != GNUTLS_MAC_NULL) { gnutls_assert (); @@ -537,24 +539,24 @@ _gnutls_ciphertext2compressed (gnutls_session_t session, /* Pass the type, version, length and compressed through * MAC. */ - if (td != GNUTLS_MAC_FAILED) + if (session->security_parameters.read_mac_algorithm != GNUTLS_MAC_NULL) { - _gnutls_hmac (td, + _gnutls_hmac (&td, UINT64DATA (session->connection_state. read_sequence_number), 8); - _gnutls_hmac (td, &type, 1); + _gnutls_hmac (&td, &type, 1); if (ver >= GNUTLS_TLS1) { /* TLS 1.x */ - _gnutls_hmac (td, &major, 1); - _gnutls_hmac (td, &minor, 1); + _gnutls_hmac (&td, &major, 1); + _gnutls_hmac (&td, &minor, 1); } - _gnutls_hmac (td, &c_length, 2); + _gnutls_hmac (&td, &c_length, 2); if (length > 0) - _gnutls_hmac (td, ciphertext.data, length); + _gnutls_hmac (&td, ciphertext.data, length); - mac_deinit (td, MAC, ver); + mac_deinit (&td, MAC, ver); } /* This one was introduced to avoid a timing attack against the TLS diff --git a/lib/gnutls_cipher_int.c b/lib/gnutls_cipher_int.c index 11b8488722..af3060e668 100644 --- a/lib/gnutls_cipher_int.c +++ b/lib/gnutls_cipher_int.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2000, 2004, 2005 Free Software Foundation + * Copyright (C) 2000, 2004, 2005, 2008 Free Software Foundation * * Author: Nikos Mavrogiannopoulos * @@ -29,10 +29,10 @@ #include #include -#define SR(x) if ( (x)<0 ) { \ +#define SR(x, cleanup) if ( (x)<0 ) { \ gnutls_assert(); \ err = GNUTLS_E_INTERNAL_ERROR; \ - goto cc_cleanup; \ + goto cleanup; \ } int @@ -44,14 +44,14 @@ _gnutls_cipher_init (cipher_hd_st* handle, gnutls_cipher_algorithm_t cipher, /* check if a cipher has been registered */ - cc = _gnutls_get_registered_cipher( cipher); + cc = _gnutls_get_crypto_cipher( cipher); if (cc != NULL) { handle->registered = 1; handle->hd.rh.cc = cc; - SR( cc->init(&handle->hd.rh.ctx) ); - SR(cc->setkey( handle->hd.rh.ctx, key->data, key->size)); + SR( cc->init(&handle->hd.rh.ctx), cc_cleanup ); + SR(cc->setkey( handle->hd.rh.ctx, key->data, key->size), cc_cleanup); if (iv->data && iv->size && cc->setiv) - SR(cc->setiv( handle->hd.rh.ctx, iv->data, iv->size)); + SR(cc->setiv( handle->hd.rh.ctx, iv->data, iv->size), cc_cleanup); return 0; } @@ -167,7 +167,7 @@ _gnutls_cipher_deinit (cipher_hd_st* handle) { if (handle != GNUTLS_CIPHER_FAILED) { - if (handle->registered) { + if (handle->registered && handle->hd.rh.ctx != NULL) { return handle->hd.rh.cc->deinit( handle->hd.rh.ctx); } gc_cipher_close (handle); diff --git a/lib/gnutls_cipher_int.h b/lib/gnutls_cipher_int.h index b97a0c862f..fa46c94bfb 100644 --- a/lib/gnutls_cipher_int.h +++ b/lib/gnutls_cipher_int.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation + * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2008 Free Software Foundation * * Author: Nikos Mavrogiannopoulos * diff --git a/lib/gnutls_constate.c b/lib/gnutls_constate.c index e3e43ba13f..cbe7a15e74 100644 --- a/lib/gnutls_constate.c +++ b/lib/gnutls_constate.c @@ -568,8 +568,7 @@ _gnutls_read_connection_state_init (gnutls_session_t session) if (session->connection_state.read_mac_secret.data != NULL) _gnutls_free_datum (&session->connection_state.read_mac_secret); - if (session->connection_state.read_cipher_state != NULL) - _gnutls_cipher_deinit (&session->connection_state.read_cipher_state); + _gnutls_cipher_deinit (&session->connection_state.read_cipher_state); if (session->connection_state.read_compression_state != NULL) _gnutls_comp_deinit (session->connection_state.read_compression_state, 1); @@ -591,7 +590,7 @@ _gnutls_read_connection_state_init (gnutls_session_t session) session->security_parameters.read_bulk_cipher_algorithm, &session->cipher_specs.client_write_key, &session->cipher_specs.client_write_IV); - if (rc < 0) && session->security_parameters. + if (rc < 0 && session->security_parameters. read_bulk_cipher_algorithm != GNUTLS_CIPHER_NULL) { gnutls_assert (); @@ -751,8 +750,7 @@ _gnutls_write_connection_state_init (gnutls_session_t session) if (session->connection_state.write_mac_secret.data != NULL) _gnutls_free_datum (&session->connection_state.write_mac_secret); - if (session->connection_state.write_cipher_state != NULL) - _gnutls_cipher_deinit (&session->connection_state.write_cipher_state); + _gnutls_cipher_deinit (&session->connection_state.write_cipher_state); if (session->connection_state.write_compression_state != NULL) _gnutls_comp_deinit (session->connection_state. @@ -771,7 +769,7 @@ _gnutls_write_connection_state_init (gnutls_session_t session) /* initialize cipher session */ rc = _gnutls_cipher_init ( - &connection_state.write_cipher_state, + &session->connection_state.write_cipher_state, session->security_parameters. write_bulk_cipher_algorithm, &session->cipher_specs. @@ -808,7 +806,7 @@ _gnutls_write_connection_state_init (gnutls_session_t session) break; case GNUTLS_CLIENT: - rc = _gnutls_cipher_init (&connection_state.write_cipher_state, + rc = _gnutls_cipher_init (&session->connection_state.write_cipher_state, session->security_parameters. write_bulk_cipher_algorithm, &session->cipher_specs. diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index 987b268213..71e6484afc 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -71,10 +71,8 @@ int _gnutls_server_select_comp_method (gnutls_session_t session, inline static void _gnutls_handshake_hash_buffers_clear (gnutls_session_t session) { - _gnutls_hash_deinit (session->internals.handshake_mac_handle_md5, NULL); - _gnutls_hash_deinit (session->internals.handshake_mac_handle_sha, NULL); - session->internals.handshake_mac_handle_md5 = NULL; - session->internals.handshake_mac_handle_sha = NULL; + _gnutls_hash_deinit (&session->internals.handshake_mac_handle_md5, NULL); + _gnutls_hash_deinit (&session->internals.handshake_mac_handle_sha, NULL); _gnutls_handshake_buffer_clear (session); } @@ -146,23 +144,24 @@ static int _gnutls_ssl3_finished (gnutls_session_t session, int type, opaque * ret) { const int siz = SSL_MSG_LEN; - mac_hd_t td_md5; - mac_hd_t td_sha; + digest_hd_st td_md5; + digest_hd_st td_sha; const char *mesg; + int rc; - td_md5 = _gnutls_hash_copy (session->internals.handshake_mac_handle_md5); - if (td_md5 == NULL) + rc = _gnutls_hash_copy (&td_md5, &session->internals.handshake_mac_handle_md5); + if (rc < 0) { gnutls_assert (); - return GNUTLS_E_HASH_FAILED; + return rc; } - td_sha = _gnutls_hash_copy (session->internals.handshake_mac_handle_sha); - if (td_sha == NULL) + rc = _gnutls_hash_copy (&td_sha, &session->internals.handshake_mac_handle_sha); + if (rc < 0) { gnutls_assert (); - _gnutls_hash_deinit (td_md5, NULL); - return GNUTLS_E_HASH_FAILED; + _gnutls_hash_deinit (&td_md5, NULL); + return rc; } if (type == GNUTLS_SERVER) @@ -174,13 +173,13 @@ _gnutls_ssl3_finished (gnutls_session_t session, int type, opaque * ret) mesg = SSL3_CLIENT_MSG; } - _gnutls_hash (td_md5, mesg, siz); - _gnutls_hash (td_sha, mesg, siz); + _gnutls_hash (&td_md5, mesg, siz); + _gnutls_hash (&td_sha, mesg, siz); - _gnutls_mac_deinit_ssl3_handshake (td_md5, ret, + _gnutls_mac_deinit_ssl3_handshake (&td_md5, ret, session->security_parameters. master_secret, TLS_MASTER_SIZE); - _gnutls_mac_deinit_ssl3_handshake (td_sha, &ret[16], + _gnutls_mac_deinit_ssl3_handshake (&td_sha, &ret[16], session->security_parameters. master_secret, TLS_MASTER_SIZE); @@ -199,37 +198,38 @@ _gnutls_finished (gnutls_session_t session, int type, void *ret) opaque concat[36]; size_t len; const char *mesg; - mac_hd_t td_md5 = NULL; - mac_hd_t td_sha; + digest_hd_st td_md5; + digest_hd_st td_sha; gnutls_protocol_t ver = gnutls_protocol_get_version (session); + int rc; if (ver < GNUTLS_TLS1_2) { - td_md5 = _gnutls_hash_copy (session->internals.handshake_mac_handle_md5); - if (td_md5 == NULL) + rc = _gnutls_hash_copy (&td_md5, &session->internals.handshake_mac_handle_md5); + if (rc < 0) { gnutls_assert (); - return GNUTLS_E_HASH_FAILED; + return rc; } } - td_sha = _gnutls_hash_copy (session->internals.handshake_mac_handle_sha); - if (td_sha == NULL) + rc = _gnutls_hash_copy (&td_sha, &session->internals.handshake_mac_handle_sha); + if (rc < 0) { gnutls_assert (); - _gnutls_hash_deinit (td_md5, NULL); - return GNUTLS_E_HASH_FAILED; + _gnutls_hash_deinit (&td_md5, NULL); + return rc; } if (ver < GNUTLS_TLS1_2) { - _gnutls_hash_deinit (td_md5, concat); - _gnutls_hash_deinit (td_sha, &concat[16]); + _gnutls_hash_deinit (&td_md5, concat); + _gnutls_hash_deinit (&td_sha, &concat[16]); len = 20 + 16; } else { - _gnutls_hash_deinit (td_sha, concat); + _gnutls_hash_deinit (&td_sha, concat); len = 20; } @@ -483,8 +483,7 @@ _gnutls_handshake_hash_pending (gnutls_session_t session) int ret; opaque *data; - if (session->internals.handshake_mac_handle_sha == NULL || - session->internals.handshake_mac_handle_md5 == NULL) + if (session->internals.handshake_mac_handle_init == 0) { gnutls_assert (); return GNUTLS_E_INTERNAL_ERROR; @@ -500,8 +499,8 @@ _gnutls_handshake_hash_pending (gnutls_session_t session) if (siz > 0) { - _gnutls_hash (session->internals.handshake_mac_handle_sha, data, siz); - _gnutls_hash (session->internals.handshake_mac_handle_md5, data, siz); + _gnutls_hash (&session->internals.handshake_mac_handle_sha, data, siz); + _gnutls_hash (&session->internals.handshake_mac_handle_md5, data, siz); } _gnutls_handshake_buffer_empty (session); @@ -888,9 +887,9 @@ _gnutls_handshake_hash_add_sent (gnutls_session_t session, if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST) { - _gnutls_hash (session->internals.handshake_mac_handle_sha, dataptr, + _gnutls_hash (&session->internals.handshake_mac_handle_sha, dataptr, datalen); - _gnutls_hash (session->internals.handshake_mac_handle_md5, dataptr, + _gnutls_hash (&session->internals.handshake_mac_handle_md5, dataptr, datalen); } @@ -2109,27 +2108,25 @@ inline static int _gnutls_handshake_hash_init (gnutls_session_t session) { - if (session->internals.handshake_mac_handle_md5 == NULL) + if (session->internals.handshake_mac_handle_init == 0) { - session->internals.handshake_mac_handle_md5 = - _gnutls_hash_init (GNUTLS_MAC_MD5); + int ret = + _gnutls_hash_init (&session->internals.handshake_mac_handle_md5, GNUTLS_MAC_MD5); - if (session->internals.handshake_mac_handle_md5 == GNUTLS_HASH_FAILED) + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; + return ret; } - } - if (session->internals.handshake_mac_handle_sha == NULL) - { - session->internals.handshake_mac_handle_sha = - _gnutls_hash_init (GNUTLS_MAC_SHA1); - if (session->internals.handshake_mac_handle_sha == GNUTLS_HASH_FAILED) + ret = _gnutls_hash_init(&session->internals.handshake_mac_handle_sha, GNUTLS_MAC_SHA1); + if (ret < 0) { gnutls_assert (); return GNUTLS_E_MEMORY_ERROR; } + + session->internals.handshake_mac_handle_init = 1; } return 0; diff --git a/lib/gnutls_hash_int.c b/lib/gnutls_hash_int.c index a20d0ea8c9..21d0fe078d 100644 --- a/lib/gnutls_hash_int.c +++ b/lib/gnutls_hash_int.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2000, 2001, 2004, 2005, 2007 Free Software Foundation + * Copyright (C) 2000, 2001, 2004, 2005, 2007, 2008 Free Software Foundation * * Author: Nikos Mavrogiannopoulos * @@ -65,30 +65,38 @@ static inline Gc_hash _gnutls_mac2gc (gnutls_mac_algorithm_t mac) return -1; } -GNUTLS_HASH_HANDLE -_gnutls_hash_init (gnutls_mac_algorithm_t algorithm) +int +_gnutls_hash_init (digest_hd_st* dig, gnutls_mac_algorithm_t algorithm) { - mac_hd_t ret; int result; - - ret = gnutls_malloc (sizeof (mac_hd_st)); - if (ret == NULL) - { - gnutls_assert (); - return GNUTLS_HASH_FAILED; + gnutls_crypto_digest_st * cc = NULL; + + dig->algorithm = algorithm; + + /* check if a digest has been registered + */ + cc = _gnutls_get_crypto_digest( algorithm); + if (cc != NULL) { + dig->registered = 1; + dig->hd.rh.cc = cc; + if (cc->init(& dig->hd.rh.ctx) < 0) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; } + return 0; + } + + dig->registered = 0; - ret->algorithm = algorithm; - result = gc_hash_open (_gnutls_mac2gc (algorithm), 0, &ret->handle); + result = gc_hash_open (_gnutls_mac2gc (algorithm), 0, &dig->hd.gc); if (result) { gnutls_assert (); - gnutls_free (ret); - ret = GNUTLS_HASH_FAILED; + return GNUTLS_E_HASH_FAILED; } - return ret; + return 0; } int @@ -103,100 +111,126 @@ _gnutls_hash_get_algo_len (gnutls_mac_algorithm_t algorithm) } int -_gnutls_hash (GNUTLS_HASH_HANDLE handle, const void *text, size_t textlen) +_gnutls_hash (const digest_hd_st* handle, const void *text, size_t textlen) { - if (textlen > 0) - gc_hash_write (handle->handle, textlen, text); + if (textlen > 0) { + if (handle->registered) { + return handle->hd.rh.cc->hash( handle->hd.rh.ctx, text, textlen); + } + gc_hash_write (handle->hd.gc, textlen, text); + } return 0; } -GNUTLS_HASH_HANDLE -_gnutls_hash_copy (GNUTLS_HASH_HANDLE handle) +int _gnutls_hash_copy (digest_hd_st* dst, digest_hd_st* src) { - GNUTLS_HASH_HANDLE ret; int result; - ret = gnutls_malloc (sizeof (mac_hd_st)); - - if (ret == NULL) - return GNUTLS_HASH_FAILED; + dst->algorithm = src->algorithm; + dst->key = NULL; /* it's a hash anyway */ + dst->keysize = 0; - ret->algorithm = handle->algorithm; - ret->key = NULL; /* it's a hash anyway */ - ret->keysize = 0; + if (src->registered) { + return src->hd.rh.cc->copy( &dst->hd.rh.ctx, src->hd.rh.ctx); + } - result = gc_hash_clone (handle->handle, &ret->handle); + result = gc_hash_clone (src->hd.gc, &dst->hd.gc); if (result) { - gnutls_free (ret); - return GNUTLS_HASH_FAILED; + return GNUTLS_E_HASH_FAILED; } - return ret; + return 0; } void -_gnutls_hash_deinit (GNUTLS_HASH_HANDLE handle, void *digest) +_gnutls_hash_deinit (digest_hd_st* handle, void *digest) { const opaque *mac; int maclen; maclen = _gnutls_hash_get_algo_len (handle->algorithm); - mac = gc_hash_read (handle->handle); + if (handle->registered && handle->hd.rh.ctx != NULL) { + handle->hd.rh.cc->output( handle->hd.rh.ctx, digest, maclen); + handle->hd.rh.cc->deinit( handle->hd.rh.ctx); + return; + } + + mac = gc_hash_read (handle->hd.gc); if (digest != NULL) memcpy (digest, mac, maclen); - gc_hash_close (handle->handle); - - gnutls_free (handle); + gc_hash_close (handle->hd.gc); } -mac_hd_t -_gnutls_hmac_init (gnutls_mac_algorithm_t algorithm, +int _gnutls_hmac_init (digest_hd_st *dig, gnutls_mac_algorithm_t algorithm, const void *key, int keylen) { - mac_hd_t ret; int result; + gnutls_crypto_digest_st * cc = NULL; - ret = gnutls_malloc (sizeof (mac_hd_st)); - if (ret == NULL) - return GNUTLS_MAC_FAILED; + dig->algorithm = algorithm; + dig->key = key; + dig->keysize = keylen; - result = gc_hash_open (_gnutls_mac2gc (algorithm), GC_HMAC, &ret->handle); + /* check if a digest has been registered + */ + cc = _gnutls_get_crypto_mac( algorithm); + if (cc != NULL) { + dig->registered = 1; + + dig->hd.rh.cc = cc; + if (cc->init(&dig->hd.rh.ctx) < 0) { + gnutls_assert(); + return GNUTLS_E_HASH_FAILED; + } + + if (cc->setkey( dig->hd.rh.ctx, key, keylen) < 0) { + gnutls_assert(); + cc->deinit(dig->hd.rh.ctx); + return GNUTLS_E_HASH_FAILED; + } + + return 0; + } + + dig->registered = 0; + + result = gc_hash_open (_gnutls_mac2gc (algorithm), GC_HMAC, &dig->hd.gc); if (result) { - gnutls_free (ret); - return GNUTLS_MAC_FAILED; + return GNUTLS_E_HASH_FAILED; } - gc_hash_hmac_setkey (ret->handle, keylen, key); - - ret->algorithm = algorithm; - ret->key = key; - ret->keysize = keylen; + gc_hash_hmac_setkey (dig->hd.gc, keylen, key); - return ret; + return 0; } void -_gnutls_hmac_deinit (mac_hd_t handle, void *digest) +_gnutls_hmac_deinit (digest_hd_st* handle, void *digest) { const opaque *mac; int maclen; maclen = _gnutls_hash_get_algo_len (handle->algorithm); - mac = gc_hash_read (handle->handle); + if (handle->registered && handle->hd.rh.ctx != NULL) { + handle->hd.rh.cc->output( handle->hd.rh.ctx, digest, maclen); + handle->hd.rh.cc->deinit( handle->hd.rh.ctx); + return; + } + + mac = gc_hash_read (handle->hd.gc); if (digest != NULL) memcpy (digest, mac, maclen); - gc_hash_close (handle->handle); + gc_hash_close (handle->hd.gc); - gnutls_free (handle); } inline static int @@ -213,45 +247,46 @@ get_padsize (gnutls_mac_algorithm_t algorithm) } } -mac_hd_t -_gnutls_mac_init_ssl3 (gnutls_mac_algorithm_t algorithm, void *key, +int _gnutls_mac_init_ssl3 (digest_hd_st* ret, gnutls_mac_algorithm_t algorithm, void *key, int keylen) { - mac_hd_t ret; opaque ipad[48]; - int padsize; + int padsize, result; padsize = get_padsize (algorithm); if (padsize == 0) { gnutls_assert (); - return GNUTLS_MAC_FAILED; + return GNUTLS_E_HASH_FAILED; } memset (ipad, 0x36, padsize); - ret = _gnutls_hash_init (algorithm); - if (ret != GNUTLS_HASH_FAILED) + result = _gnutls_hash_init (ret, algorithm); + if (result < 0) { - ret->key = key; - ret->keysize = keylen; - - if (keylen > 0) - _gnutls_hash (ret, key, keylen); - _gnutls_hash (ret, ipad, padsize); + gnutls_assert(); + return result; } - return ret; + ret->key = key; + ret->keysize = keylen; + + if (keylen > 0) + _gnutls_hash (ret, key, keylen); + _gnutls_hash (ret, ipad, padsize); + + return 0; } void -_gnutls_mac_deinit_ssl3 (mac_hd_t handle, void *digest) +_gnutls_mac_deinit_ssl3 (digest_hd_st* handle, void *digest) { opaque ret[MAX_HASH_SIZE]; - mac_hd_t td; + digest_hd_st td; opaque opad[48]; int padsize; - int block; + int block, rc; padsize = get_padsize (handle->algorithm); if (padsize == 0) @@ -262,32 +297,37 @@ _gnutls_mac_deinit_ssl3 (mac_hd_t handle, void *digest) memset (opad, 0x5C, padsize); - td = _gnutls_hash_init (handle->algorithm); - if (td != GNUTLS_MAC_FAILED) + rc = _gnutls_hash_init (&td, handle->algorithm); + if (rc < 0) { - if (handle->keysize > 0) - _gnutls_hash (td, handle->key, handle->keysize); + gnutls_assert(); + return; + } - _gnutls_hash (td, opad, padsize); - block = _gnutls_hmac_get_algo_len (handle->algorithm); - _gnutls_hash_deinit (handle, ret); /* get the previous hash */ - _gnutls_hash (td, ret, block); + if (handle->keysize > 0) + _gnutls_hash (&td, handle->key, handle->keysize); - _gnutls_hash_deinit (td, digest); - } + _gnutls_hash (&td, opad, padsize); + block = _gnutls_hmac_get_algo_len (handle->algorithm); + _gnutls_hash_deinit (handle, ret); /* get the previous hash */ + _gnutls_hash (&td, ret, block); + + _gnutls_hash_deinit (&td, digest); + + return; } void -_gnutls_mac_deinit_ssl3_handshake (mac_hd_t handle, +_gnutls_mac_deinit_ssl3_handshake (digest_hd_st* handle, void *digest, opaque * key, uint32_t key_size) { opaque ret[MAX_HASH_SIZE]; - mac_hd_t td; + digest_hd_st td; opaque opad[48]; opaque ipad[48]; int padsize; - int block; + int block, rc; padsize = get_padsize (handle->algorithm); if (padsize == 0) @@ -299,52 +339,57 @@ _gnutls_mac_deinit_ssl3_handshake (mac_hd_t handle, memset (opad, 0x5C, padsize); memset (ipad, 0x36, padsize); - td = _gnutls_hash_init (handle->algorithm); - if (td != GNUTLS_HASH_FAILED) + rc = _gnutls_hash_init (&td, handle->algorithm); + if (rc < 0) { - if (key_size > 0) - _gnutls_hash (td, key, key_size); + gnutls_assert(); + return; + } - _gnutls_hash (td, opad, padsize); - block = _gnutls_hmac_get_algo_len (handle->algorithm); + if (key_size > 0) + _gnutls_hash (&td, key, key_size); - if (key_size > 0) - _gnutls_hash (handle, key, key_size); - _gnutls_hash (handle, ipad, padsize); - _gnutls_hash_deinit (handle, ret); /* get the previous hash */ + _gnutls_hash (&td, opad, padsize); + block = _gnutls_hmac_get_algo_len (handle->algorithm); - _gnutls_hash (td, ret, block); + if (key_size > 0) + _gnutls_hash (handle, key, key_size); + _gnutls_hash (handle, ipad, padsize); + _gnutls_hash_deinit (handle, ret); /* get the previous hash */ - _gnutls_hash_deinit (td, digest); - } + _gnutls_hash (&td, ret, block); + + _gnutls_hash_deinit (&td, digest); + + return; } static int ssl3_sha (int i, opaque * secret, int secret_len, opaque * rnd, int rnd_len, void *digest) { - int j; + int j, ret; opaque text1[26]; - GNUTLS_HASH_HANDLE td; + digest_hd_st td; for (j = 0; j < i + 1; j++) { text1[j] = 65 + i; /* A==65 */ } - td = _gnutls_hash_init (GNUTLS_MAC_SHA1); - if (td == NULL) + ret = _gnutls_hash_init (&td, GNUTLS_MAC_SHA1); + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_HASH_FAILED; + return ret; } - _gnutls_hash (td, text1, i + 1); - _gnutls_hash (td, secret, secret_len); - _gnutls_hash (td, rnd, rnd_len); + _gnutls_hash (&td, text1, i + 1); + _gnutls_hash (&td, secret, secret_len); + _gnutls_hash (&td, rnd, rnd_len); - _gnutls_hash_deinit (td, digest); + _gnutls_hash_deinit (&td, digest); return 0; } @@ -353,29 +398,29 @@ ssl3_md5 (int i, opaque * secret, int secret_len, opaque * rnd, int rnd_len, void *digest) { opaque tmp[MAX_HASH_SIZE]; - mac_hd_t td; + digest_hd_st td; int ret; - td = _gnutls_hash_init (GNUTLS_MAC_MD5); - if (td == NULL) + ret = _gnutls_hash_init (&td, GNUTLS_MAC_MD5); + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_HASH_FAILED; + return ret; } - _gnutls_hash (td, secret, secret_len); + _gnutls_hash (&td, secret, secret_len); ret = ssl3_sha (i, secret, secret_len, rnd, rnd_len, tmp); if (ret < 0) { gnutls_assert (); - _gnutls_hash_deinit (td, digest); + _gnutls_hash_deinit (&td, digest); return ret; } - _gnutls_hash (td, tmp, _gnutls_hash_get_algo_len (GNUTLS_MAC_SHA1)); + _gnutls_hash (&td, tmp, _gnutls_hash_get_algo_len (GNUTLS_MAC_SHA1)); - _gnutls_hash_deinit (td, digest); + _gnutls_hash_deinit (&td, digest); return 0; } @@ -385,20 +430,21 @@ _gnutls_ssl3_hash_md5 (void *first, int first_len, opaque * ret) { opaque digest[MAX_HASH_SIZE]; - mac_hd_t td; + digest_hd_st td; int block = _gnutls_hash_get_algo_len (GNUTLS_MAC_MD5); + int rc; - td = _gnutls_hash_init (GNUTLS_MAC_MD5); - if (td == NULL) + rc = _gnutls_hash_init (&td, GNUTLS_MAC_MD5); + if (rc < 0) { gnutls_assert (); - return GNUTLS_E_HASH_FAILED; + return rc; } - _gnutls_hash (td, first, first_len); - _gnutls_hash (td, second, second_len); + _gnutls_hash (&td, first, first_len); + _gnutls_hash (&td, second, second_len); - _gnutls_hash_deinit (td, digest); + _gnutls_hash_deinit (&td, digest); if (ret_len > block) { diff --git a/lib/gnutls_hash_int.h b/lib/gnutls_hash_int.h index 3e1b75e693..7f156f6a33 100644 --- a/lib/gnutls_hash_int.h +++ b/lib/gnutls_hash_int.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation + * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2008 Free Software Foundation * * Author: Nikos Mavrogiannopoulos * @@ -26,37 +26,46 @@ # define GNUTLS_HASH_INT_H #include +#include +#include /* for message digests */ +typedef struct { + gnutls_crypto_mac_st* cc; + void* ctx; +} digest_reg_hd; + typedef struct { - gc_hash_handle handle; + int registered; /* true or false(0) */ + union { + gc_hash_handle gc; /* when not registered */ + digest_reg_hd rh; /* when registered */ + } hd; gnutls_mac_algorithm_t algorithm; const void *key; int keysize; -} mac_hd_st; -typedef mac_hd_st *mac_hd_t; -typedef mac_hd_t GNUTLS_HASH_HANDLE; +} digest_hd_st; #define GNUTLS_HASH_FAILED NULL #define GNUTLS_MAC_FAILED NULL -mac_hd_t _gnutls_hmac_init (gnutls_mac_algorithm_t algorithm, +int _gnutls_hmac_init (digest_hd_st*, gnutls_mac_algorithm_t algorithm, const void *key, int keylen); #define _gnutls_hmac_get_algo_len _gnutls_hash_get_algo_len #define _gnutls_hmac _gnutls_hash -void _gnutls_hmac_deinit (mac_hd_t handle, void *digest); +void _gnutls_hmac_deinit (digest_hd_st* handle, void *digest); -mac_hd_t _gnutls_mac_init_ssl3 (gnutls_mac_algorithm_t algorithm, void *key, +int _gnutls_mac_init_ssl3 (digest_hd_st*, gnutls_mac_algorithm_t algorithm, void *key, int keylen); -void _gnutls_mac_deinit_ssl3 (mac_hd_t handle, void *digest); +void _gnutls_mac_deinit_ssl3 (digest_hd_st* handle, void *digest); -GNUTLS_HASH_HANDLE _gnutls_hash_init (gnutls_mac_algorithm_t algorithm); +int _gnutls_hash_init (digest_hd_st*, gnutls_mac_algorithm_t algorithm); int _gnutls_hash_get_algo_len (gnutls_mac_algorithm_t algorithm); -int _gnutls_hash (GNUTLS_HASH_HANDLE handle, const void *text, +int _gnutls_hash (const digest_hd_st* handle, const void *text, size_t textlen); -void _gnutls_hash_deinit (GNUTLS_HASH_HANDLE handle, void *digest); +void _gnutls_hash_deinit (digest_hd_st* handle, void *digest); int _gnutls_ssl3_generate_random (void *secret, int secret_len, void *rnd, int random_len, int bytes, @@ -64,9 +73,9 @@ int _gnutls_ssl3_generate_random (void *secret, int secret_len, int _gnutls_ssl3_hash_md5 (void *first, int first_len, void *second, int second_len, int ret_len, opaque * ret); -void _gnutls_mac_deinit_ssl3_handshake (mac_hd_t handle, void *digest, +void _gnutls_mac_deinit_ssl3_handshake (digest_hd_st* handle, void *digest, opaque * key, uint32_t key_size); -GNUTLS_HASH_HANDLE _gnutls_hash_copy (GNUTLS_HASH_HANDLE handle); +int _gnutls_hash_copy (digest_hd_st* dst_handle, digest_hd_st * src_handle); #endif /* GNUTLS_HASH_INT_H */ diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index b4dbdba26d..e37237d33c 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -437,8 +437,9 @@ typedef struct gnutls_buffer application_data_buffer; /* holds data to be delivered to application layer */ gnutls_buffer handshake_hash_buffer; /* used to keep the last received handshake * message */ - mac_hd_t handshake_mac_handle_sha; /* hash of the handshake messages */ - mac_hd_t handshake_mac_handle_md5; /* hash of the handshake messages */ + digest_hd_st handshake_mac_handle_sha; /* hash of the handshake messages */ + digest_hd_st handshake_mac_handle_md5; /* hash of the handshake messages */ + int handshake_mac_handle_init; /* 1 when the previous two were initialized */ gnutls_buffer handshake_data_buffer; /* this is a buffer that holds the current handshake message */ gnutls_buffer ia_data_buffer; /* holds inner application data (TLS/IA) */ diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c index fdfe75aa43..1c931e8a56 100644 --- a/lib/gnutls_sig.c +++ b/lib/gnutls_sig.c @@ -55,15 +55,15 @@ _gnutls_tls_sign_hdata (gnutls_session_t session, gnutls_datum_t dconcat; int ret; opaque concat[36]; - mac_hd_t td_md5; - mac_hd_t td_sha; + digest_hd_st td_md5; + digest_hd_st td_sha; gnutls_protocol_t ver = gnutls_protocol_get_version (session); - td_sha = _gnutls_hash_copy (session->internals.handshake_mac_handle_sha); - if (td_sha == NULL) + ret = _gnutls_hash_copy (&td_sha, &session->internals.handshake_mac_handle_sha); + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_HASH_FAILED; + return ret; } if (ver == GNUTLS_SSL3) @@ -75,30 +75,29 @@ _gnutls_tls_sign_hdata (gnutls_session_t session, return ret; } - _gnutls_mac_deinit_ssl3_handshake (td_sha, &concat[16], + _gnutls_mac_deinit_ssl3_handshake (&td_sha, &concat[16], session->security_parameters. master_secret, TLS_MASTER_SIZE); } else - _gnutls_hash_deinit (td_sha, &concat[16]); + _gnutls_hash_deinit (&td_sha, &concat[16]); switch (cert->subject_pk_algorithm) { case GNUTLS_PK_RSA: - td_md5 = - _gnutls_hash_copy (session->internals.handshake_mac_handle_md5); - if (td_md5 == NULL) + ret = _gnutls_hash_copy (&td_md5, &session->internals.handshake_mac_handle_md5); + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_HASH_FAILED; + return ret; } if (ver == GNUTLS_SSL3) - _gnutls_mac_deinit_ssl3_handshake (td_md5, concat, + _gnutls_mac_deinit_ssl3_handshake (&td_md5, concat, session->security_parameters. master_secret, TLS_MASTER_SIZE); else - _gnutls_hash_deinit (td_md5, concat); + _gnutls_hash_deinit (&td_md5, concat); dconcat.data = concat; dconcat.size = 36; @@ -132,43 +131,45 @@ _gnutls_tls_sign_params (gnutls_session_t session, gnutls_cert * cert, { gnutls_datum_t dconcat; int ret; - mac_hd_t td_sha; + digest_hd_st td_sha; opaque concat[36]; gnutls_protocol_t ver = gnutls_protocol_get_version (session); - td_sha = _gnutls_hash_init (GNUTLS_MAC_SHA1); - if (td_sha == NULL) + ret = _gnutls_hash_init (&td_sha, GNUTLS_MAC_SHA1); + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_HASH_FAILED; + return ret; } - _gnutls_hash (td_sha, session->security_parameters.client_random, + _gnutls_hash (&td_sha, session->security_parameters.client_random, TLS_RANDOM_SIZE); - _gnutls_hash (td_sha, session->security_parameters.server_random, + _gnutls_hash (&td_sha, session->security_parameters.server_random, TLS_RANDOM_SIZE); - _gnutls_hash (td_sha, params->data, params->size); + _gnutls_hash (&td_sha, params->data, params->size); switch (cert->subject_pk_algorithm) { case GNUTLS_PK_RSA: if (ver < GNUTLS_TLS1_2) { - mac_hd_t td_md5 = _gnutls_hash_init (GNUTLS_MAC_MD5); - if (td_md5 == NULL) + digest_hd_st td_md5; + + ret =_gnutls_hash_init (&td_md5, GNUTLS_MAC_MD5); + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_HASH_FAILED; + return ret; } - _gnutls_hash (td_md5, session->security_parameters.client_random, + _gnutls_hash (&td_md5, session->security_parameters.client_random, TLS_RANDOM_SIZE); - _gnutls_hash (td_md5, session->security_parameters.server_random, + _gnutls_hash (&td_md5, session->security_parameters.server_random, TLS_RANDOM_SIZE); - _gnutls_hash (td_md5, params->data, params->size); + _gnutls_hash (&td_md5, params->data, params->size); - _gnutls_hash_deinit (td_md5, concat); - _gnutls_hash_deinit (td_sha, &concat[16]); + _gnutls_hash_deinit (&td_md5, concat); + _gnutls_hash_deinit (&td_sha, &concat[16]); dconcat.size = 36; } @@ -179,28 +180,28 @@ _gnutls_tls_sign_params (gnutls_session_t session, gnutls_cert * cert, memcpy (concat, "\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14", 15); - _gnutls_hash_deinit (td_sha, &concat[15]); + _gnutls_hash_deinit (&td_sha, &concat[15]); dconcat.size = 35; #else /* No parameters field. */ memcpy (concat, "\x30\x1f\x30\x07\x06\x05\x2b\x0e\x03\x02\x1a\x04\x14", 13); - _gnutls_hash_deinit (td_sha, &concat[13]); + _gnutls_hash_deinit (&td_sha, &concat[13]); dconcat.size = 33; #endif } dconcat.data = concat; break; case GNUTLS_PK_DSA: - _gnutls_hash_deinit (td_sha, concat); + _gnutls_hash_deinit (&td_sha, concat); dconcat.data = concat; dconcat.size = 20; break; default: gnutls_assert (); - _gnutls_hash_deinit (td_sha, NULL); + _gnutls_hash_deinit (&td_sha, NULL); return GNUTLS_E_INTERNAL_ERROR; } ret = _gnutls_tls_sign (session, cert, pkey, &dconcat, signature); @@ -369,23 +370,23 @@ _gnutls_verify_sig_hdata (gnutls_session_t session, gnutls_cert * cert, { int ret; opaque concat[36]; - mac_hd_t td_md5; - mac_hd_t td_sha; + digest_hd_st td_md5; + digest_hd_st td_sha; gnutls_datum_t dconcat; gnutls_protocol_t ver = gnutls_protocol_get_version (session); - td_md5 = _gnutls_hash_copy (session->internals.handshake_mac_handle_md5); - if (td_md5 == NULL) + ret = _gnutls_hash_copy (&td_md5, &session->internals.handshake_mac_handle_md5); + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_HASH_FAILED; + return ret; } - td_sha = _gnutls_hash_copy (session->internals.handshake_mac_handle_sha); - if (td_sha == NULL) + ret = _gnutls_hash_copy (&td_sha, &session->internals.handshake_mac_handle_sha); + if (ret < 0) { gnutls_assert (); - _gnutls_hash_deinit (td_md5, NULL); + _gnutls_hash_deinit (&td_md5, NULL); return GNUTLS_E_HASH_FAILED; } @@ -398,17 +399,17 @@ _gnutls_verify_sig_hdata (gnutls_session_t session, gnutls_cert * cert, return ret; } - _gnutls_mac_deinit_ssl3_handshake (td_md5, concat, + _gnutls_mac_deinit_ssl3_handshake (&td_md5, concat, session->security_parameters. master_secret, TLS_MASTER_SIZE); - _gnutls_mac_deinit_ssl3_handshake (td_sha, &concat[16], + _gnutls_mac_deinit_ssl3_handshake (&td_sha, &concat[16], session->security_parameters. master_secret, TLS_MASTER_SIZE); } else { - _gnutls_hash_deinit (td_md5, concat); - _gnutls_hash_deinit (td_sha, &concat[16]); + _gnutls_hash_deinit (&td_md5, concat); + _gnutls_hash_deinit (&td_sha, &concat[16]); } dconcat.data = concat; @@ -435,46 +436,46 @@ _gnutls_verify_sig_params (gnutls_session_t session, gnutls_cert * cert, { gnutls_datum_t dconcat; int ret; - mac_hd_t td_md5 = NULL; - mac_hd_t td_sha; + digest_hd_st td_md5; + digest_hd_st td_sha; opaque concat[36]; gnutls_protocol_t ver = gnutls_protocol_get_version (session); if (ver < GNUTLS_TLS1_2) { - td_md5 = _gnutls_hash_init (GNUTLS_MAC_MD5); - if (td_md5 == NULL) + ret = _gnutls_hash_init (&td_md5, GNUTLS_MAC_MD5); + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_HASH_FAILED; + return ret; } - _gnutls_hash (td_md5, session->security_parameters.client_random, + _gnutls_hash (&td_md5, session->security_parameters.client_random, TLS_RANDOM_SIZE); - _gnutls_hash (td_md5, session->security_parameters.server_random, + _gnutls_hash (&td_md5, session->security_parameters.server_random, TLS_RANDOM_SIZE); - _gnutls_hash (td_md5, params->data, params->size); + _gnutls_hash (&td_md5, params->data, params->size); } - td_sha = _gnutls_hash_init (GNUTLS_MAC_SHA1); - if (td_sha == NULL) + ret = _gnutls_hash_init (&td_sha, GNUTLS_MAC_SHA1); + if (ret < 0) { gnutls_assert (); - if (td_md5) - _gnutls_hash_deinit (td_md5, NULL); - return GNUTLS_E_HASH_FAILED; + if (ver < GNUTLS_TLS1_2) + _gnutls_hash_deinit (&td_md5, NULL); + return ret; } - _gnutls_hash (td_sha, session->security_parameters.client_random, + _gnutls_hash (&td_sha, session->security_parameters.client_random, TLS_RANDOM_SIZE); - _gnutls_hash (td_sha, session->security_parameters.server_random, + _gnutls_hash (&td_sha, session->security_parameters.server_random, TLS_RANDOM_SIZE); - _gnutls_hash (td_sha, params->data, params->size); + _gnutls_hash (&td_sha, params->data, params->size); if (ver < GNUTLS_TLS1_2) { - _gnutls_hash_deinit (td_md5, concat); - _gnutls_hash_deinit (td_sha, &concat[16]); + _gnutls_hash_deinit (&td_md5, concat); + _gnutls_hash_deinit (&td_sha, &concat[16]); dconcat.size = 36; } else @@ -484,14 +485,14 @@ _gnutls_verify_sig_params (gnutls_session_t session, gnutls_cert * cert, memcpy (concat, "\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14", 15); - _gnutls_hash_deinit (td_sha, &concat[15]); + _gnutls_hash_deinit (&td_sha, &concat[15]); dconcat.size = 35; #else /* No parameters field. */ memcpy (concat, "\x30\x1f\x30\x07\x06\x05\x2b\x0e\x03\x02\x1a\x04\x14", 13); - _gnutls_hash_deinit (td_sha, &concat[13]); + _gnutls_hash_deinit (&td_sha, &concat[13]); dconcat.size = 33; #endif } diff --git a/lib/gnutls_srp.c b/lib/gnutls_srp.c index bc1206be9b..84eb1fd151 100644 --- a/lib/gnutls_srp.c +++ b/lib/gnutls_srp.c @@ -172,7 +172,7 @@ _gnutls_calc_srp_u (mpi_t A, mpi_t B, mpi_t n) size_t b_size, a_size; opaque *holder, hd[MAX_HASH_SIZE]; size_t holder_size, hash_size, n_size; - GNUTLS_HASH_HANDLE td; + digest_hd_st td; int ret; mpi_t res; @@ -197,15 +197,15 @@ _gnutls_calc_srp_u (mpi_t A, mpi_t B, mpi_t n) _gnutls_mpi_print (&holder[n_size - a_size], &a_size, A); _gnutls_mpi_print (&holder[n_size + n_size - b_size], &b_size, B); - td = _gnutls_hash_init (GNUTLS_MAC_SHA1); - if (td == NULL) + ret = _gnutls_hash_init (&td, GNUTLS_MAC_SHA1); + if (ret < 0) { gnutls_free (holder); gnutls_assert (); return NULL; } - _gnutls_hash (td, holder, holder_size); - _gnutls_hash_deinit (td, hd); + _gnutls_hash (&td, holder, holder_size); + _gnutls_hash_deinit (&td, hd); /* convert the bytes of hd to integer */ @@ -301,32 +301,33 @@ _gnutls_calc_srp_sha (const char *username, const char *password, opaque * salt, int salt_size, size_t * size, void *digest) { - GNUTLS_HASH_HANDLE td; + digest_hd_st td; opaque res[MAX_HASH_SIZE]; - + int ret; + *size = 20; - td = _gnutls_hash_init (GNUTLS_MAC_SHA1); - if (td == NULL) + ret = _gnutls_hash_init (&td, GNUTLS_MAC_SHA1); + if (ret < 0) { return GNUTLS_E_MEMORY_ERROR; } - _gnutls_hash (td, username, strlen (username)); - _gnutls_hash (td, ":", 1); - _gnutls_hash (td, password, strlen (password)); + _gnutls_hash (&td, username, strlen (username)); + _gnutls_hash (&td, ":", 1); + _gnutls_hash (&td, password, strlen (password)); - _gnutls_hash_deinit (td, res); + _gnutls_hash_deinit (&td, res); - td = _gnutls_hash_init (GNUTLS_MAC_SHA1); - if (td == NULL) + ret = _gnutls_hash_init (&td, GNUTLS_MAC_SHA1); + if (ret < 0) { return GNUTLS_E_MEMORY_ERROR; } - _gnutls_hash (td, salt, salt_size); - _gnutls_hash (td, res, 20); /* 20 bytes is the output of sha1 */ + _gnutls_hash (&td, salt, salt_size); + _gnutls_hash (&td, res, 20); /* 20 bytes is the output of sha1 */ - _gnutls_hash_deinit (td, digest); + _gnutls_hash_deinit (&td, digest); return 0; } diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c index 5524af8120..df84deb6ca 100644 --- a/lib/gnutls_state.c +++ b/lib/gnutls_state.c @@ -376,10 +376,8 @@ gnutls_deinit (gnutls_session_t session) gnutls_credentials_clear (session); _gnutls_selected_certs_deinit (session); - if (session->connection_state.read_cipher_state != NULL) - _gnutls_cipher_deinit (&session->connection_state.read_cipher_state); - if (session->connection_state.write_cipher_state != NULL) - _gnutls_cipher_deinit (&session->connection_state.write_cipher_state); + _gnutls_cipher_deinit (&session->connection_state.read_cipher_state); + _gnutls_cipher_deinit (&session->connection_state.write_cipher_state); if (session->connection_state.read_compression_state != NULL) _gnutls_comp_deinit (session->connection_state.read_compression_state, 1); @@ -730,17 +728,18 @@ _gnutls_cal_PRF_A (gnutls_mac_algorithm_t algorithm, const void *secret, int secret_size, const void *seed, int seed_size, void *result) { - mac_hd_t td1; + digest_hd_st td1; + int ret; - td1 = _gnutls_hmac_init (algorithm, secret, secret_size); - if (td1 == GNUTLS_MAC_FAILED) + ret = _gnutls_hmac_init (&td1, algorithm, secret, secret_size); + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_INTERNAL_ERROR; + return ret; } - _gnutls_hmac (td1, seed, seed_size); - _gnutls_hmac_deinit (td1, result); + _gnutls_hmac (&td1, seed, seed_size); + _gnutls_hmac_deinit (&td1, result); return 0; } @@ -757,7 +756,7 @@ _gnutls_P_hash (gnutls_mac_algorithm_t algorithm, int total_bytes, opaque * ret) { - mac_hd_t td2; + digest_hd_st td2; int i, times, how, blocksize, A_size; opaque final[20], Atmp[MAX_SEED_SIZE]; int output_bytes, result; @@ -786,11 +785,11 @@ _gnutls_P_hash (gnutls_mac_algorithm_t algorithm, for (i = 0; i < times; i++) { - td2 = _gnutls_hmac_init (algorithm, secret, secret_size); - if (td2 == GNUTLS_MAC_FAILED) + result = _gnutls_hmac_init (&td2, algorithm, secret, secret_size); + if (result < 0) { gnutls_assert (); - return GNUTLS_E_INTERNAL_ERROR; + return result; } /* here we calculate A(i+1) */ @@ -799,15 +798,15 @@ _gnutls_P_hash (gnutls_mac_algorithm_t algorithm, A_size, Atmp)) < 0) { gnutls_assert (); - _gnutls_hmac_deinit (td2, final); + _gnutls_hmac_deinit (&td2, final); return result; } A_size = blocksize; - _gnutls_hmac (td2, Atmp, A_size); - _gnutls_hmac (td2, seed, seed_size); - _gnutls_hmac_deinit (td2, final); + _gnutls_hmac (&td2, Atmp, A_size); + _gnutls_hmac (&td2, seed, seed_size); + _gnutls_hmac_deinit (&td2, final); if ((1 + i) * blocksize < total_bytes) { diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c index 84046b09cb..277dfe441c 100644 --- a/lib/gnutls_ui.c +++ b/lib/gnutls_ui.c @@ -543,7 +543,7 @@ gnutls_fingerprint (gnutls_digest_algorithm_t algo, const gnutls_datum_t * data, void *result, size_t * result_size) { - GNUTLS_HASH_HANDLE td; + digest_hd_st td; int hash_len = _gnutls_hash_get_algo_len (HASH2MAC (algo)); if (hash_len < 0 || (unsigned) hash_len > *result_size || result == NULL) @@ -555,13 +555,15 @@ gnutls_fingerprint (gnutls_digest_algorithm_t algo, if (result) { - td = _gnutls_hash_init (HASH2MAC (algo)); - if (td == NULL) - return GNUTLS_E_HASH_FAILED; + int ret = _gnutls_hash_init (&td, HASH2MAC (algo)); + if (ret < 0) { + gnutls_assert(); + return ret; + } - _gnutls_hash (td, data->data, data->size); + _gnutls_hash (&td, data->data, data->size); - _gnutls_hash_deinit (td, result); + _gnutls_hash_deinit (&td, result); } return 0; diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c index 64f4881ca7..e5e443c09f 100644 --- a/lib/x509/pkcs12.c +++ b/lib/x509/pkcs12.c @@ -857,7 +857,7 @@ gnutls_pkcs12_generate_mac (gnutls_pkcs12_t pkcs12, const char *pass) opaque salt[8], key[20]; int result; const int iter = 1; - mac_hd_t td1 = NULL; + digest_hd_st td1; gnutls_datum_t tmp = { NULL, 0 }; opaque sha_mac[20]; @@ -922,18 +922,17 @@ gnutls_pkcs12_generate_mac (gnutls_pkcs12_t pkcs12, const char *pass) /* MAC the data */ - td1 = _gnutls_hmac_init (GNUTLS_MAC_SHA1, key, sizeof (key)); - if (td1 == GNUTLS_MAC_FAILED) + result = _gnutls_hmac_init (&td1, GNUTLS_MAC_SHA1, key, sizeof (key)); + if (result < 0) { gnutls_assert (); - result = GNUTLS_E_INTERNAL_ERROR; goto cleanup; } - _gnutls_hmac (td1, tmp.data, tmp.size); + _gnutls_hmac (&td1, tmp.data, tmp.size); _gnutls_free_datum (&tmp); - _gnutls_hmac_deinit (td1, sha_mac); + _gnutls_hmac_deinit (&td1, sha_mac); result = @@ -990,7 +989,7 @@ gnutls_pkcs12_verify_mac (gnutls_pkcs12_t pkcs12, const char *pass) int result; unsigned int iter; int len; - mac_hd_t td1 = NULL; + digest_hd_st td1; gnutls_datum_t tmp = { NULL, 0 }, salt = { NULL, 0}; @@ -1048,18 +1047,17 @@ gnutls_pkcs12_verify_mac (gnutls_pkcs12_t pkcs12, const char *pass) /* MAC the data */ - td1 = _gnutls_hmac_init (GNUTLS_MAC_SHA1, key, sizeof (key)); - if (td1 == GNUTLS_MAC_FAILED) + result = _gnutls_hmac_init (&td1, GNUTLS_MAC_SHA1, key, sizeof (key)); + if (result < 0) { gnutls_assert (); - result = GNUTLS_E_INTERNAL_ERROR; goto cleanup; } - _gnutls_hmac (td1, tmp.data, tmp.size); + _gnutls_hmac (&td1, tmp.data, tmp.size); _gnutls_free_datum (&tmp); - _gnutls_hmac_deinit (td1, sha_mac); + _gnutls_hmac_deinit (&td1, sha_mac); len = sizeof (sha_mac_orig); result = diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index a52b7c7b84..074b43ef98 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c @@ -1417,7 +1417,7 @@ gnutls_x509_privkey_get_key_id (gnutls_x509_privkey_t key, size_t * output_data_size) { int result; - GNUTLS_HASH_HANDLE hd; + digest_hd_st hd; gnutls_datum_t der = { NULL, 0 }; if (key == NULL || key->crippled) @@ -1457,17 +1457,16 @@ gnutls_x509_privkey_get_key_id (gnutls_x509_privkey_t key, else return GNUTLS_E_INTERNAL_ERROR; - hd = _gnutls_hash_init (GNUTLS_MAC_SHA1); - if (hd == GNUTLS_HASH_FAILED) + result = _gnutls_hash_init (&hd, GNUTLS_MAC_SHA1); + if (result < 0) { gnutls_assert (); - result = GNUTLS_E_INTERNAL_ERROR; goto cleanup; } - _gnutls_hash (hd, der.data, der.size); + _gnutls_hash (&hd, der.data, der.size); - _gnutls_hash_deinit (hd, output_data); + _gnutls_hash_deinit (&hd, output_data); *output_data_size = 20; result = 0; diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c index 4ca8f0ea58..7304a7569f 100644 --- a/lib/x509/privkey_pkcs8.c +++ b/lib/x509/privkey_pkcs8.c @@ -1442,7 +1442,8 @@ decrypt_data (schema_id schema, ASN1_TYPE pkcs8_asn, int data_size; opaque *data = NULL, *key = NULL; gnutls_datum_t dkey, d_iv; - cipher_hd_t ch = NULL; + cipher_hd_st ch; + int ch_init = 0; int key_size; data_size = 0; @@ -1520,19 +1521,20 @@ decrypt_data (schema_id schema, ASN1_TYPE pkcs8_asn, d_iv.data = (opaque *) enc_params->iv; d_iv.size = enc_params->iv_size; - ch = _gnutls_cipher_init (enc_params->cipher, &dkey, &d_iv); + result = _gnutls_cipher_init (&ch, enc_params->cipher, &dkey, &d_iv); gnutls_afree (key); key = NULL; - if (ch == NULL) + if (result < 0) { gnutls_assert (); - result = GNUTLS_E_DECRYPTION_FAILED; goto error; } + + ch_init = 1; - result = _gnutls_cipher_decrypt (ch, data, data_size); + result = _gnutls_cipher_decrypt (&ch, data, data_size); if (result < 0) { gnutls_assert (); @@ -1546,15 +1548,15 @@ decrypt_data (schema_id schema, ASN1_TYPE pkcs8_asn, else decrypted_data->size = data_size; - _gnutls_cipher_deinit (ch); + _gnutls_cipher_deinit (&ch); return 0; error: gnutls_free (data); gnutls_afree (key); - if (ch != NULL) - _gnutls_cipher_deinit (ch); + if (ch_init != 0) + _gnutls_cipher_deinit (&ch); return result; } @@ -1937,7 +1939,8 @@ encrypt_data (const gnutls_datum_t * plain, int data_size; opaque *data = NULL; gnutls_datum_t d_iv; - cipher_hd_t ch = NULL; + cipher_hd_st ch; + int ch_init = 0; opaque pad, pad_size; pad_size = _gnutls_cipher_get_block_size (enc_params->cipher); @@ -1968,16 +1971,17 @@ encrypt_data (const gnutls_datum_t * plain, d_iv.data = (opaque *) enc_params->iv; d_iv.size = enc_params->iv_size; - ch = _gnutls_cipher_init (enc_params->cipher, key, &d_iv); + result = _gnutls_cipher_init (&ch, enc_params->cipher, key, &d_iv); - if (ch == GNUTLS_CIPHER_FAILED) + if (result < 0) { gnutls_assert (); - result = GNUTLS_E_ENCRYPTION_FAILED; goto error; } - result = _gnutls_cipher_encrypt (ch, data, data_size); + ch_init = 1; + + result = _gnutls_cipher_encrypt (&ch, data, data_size); if (result < 0) { gnutls_assert (); @@ -1987,14 +1991,14 @@ encrypt_data (const gnutls_datum_t * plain, encrypted->data = data; encrypted->size = data_size; - _gnutls_cipher_deinit (ch); + _gnutls_cipher_deinit (&ch); return 0; error: gnutls_free (data); - if (ch != NULL) - _gnutls_cipher_deinit (ch); + if (ch_init != 0) + _gnutls_cipher_deinit (&ch); return result; } diff --git a/lib/x509/sign.c b/lib/x509/sign.c index 47fd6ed31a..ff87573614 100644 --- a/lib/x509/sign.c +++ b/lib/x509/sign.c @@ -133,18 +133,18 @@ pkcs1_rsa_sign (gnutls_digest_algorithm_t hash, const gnutls_datum_t * text, { int ret; opaque _digest[MAX_HASH_SIZE]; - GNUTLS_HASH_HANDLE hd; + digest_hd_st hd; gnutls_datum_t digest, info; - hd = _gnutls_hash_init (HASH2MAC (hash)); - if (hd == NULL) + ret = _gnutls_hash_init (&hd, HASH2MAC (hash)); + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_HASH_FAILED; + return ret; } - _gnutls_hash (hd, text->data, text->size); - _gnutls_hash_deinit (hd, _digest); + _gnutls_hash (&hd, text->data, text->size); + _gnutls_hash_deinit (&hd, _digest); digest.data = _digest; digest.size = _gnutls_hash_get_algo_len (HASH2MAC (hash)); @@ -177,18 +177,18 @@ dsa_sign (const gnutls_datum_t * text, { int ret; opaque _digest[MAX_HASH_SIZE]; - GNUTLS_HASH_HANDLE hd; + digest_hd_st hd; gnutls_datum_t digest; - hd = _gnutls_hash_init (GNUTLS_MAC_SHA1); - if (hd == NULL) + ret = _gnutls_hash_init (&hd, GNUTLS_MAC_SHA1); + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_HASH_FAILED; + return ret; } - _gnutls_hash (hd, text->data, text->size); - _gnutls_hash_deinit (hd, _digest); + _gnutls_hash (&hd, text->data, text->size); + _gnutls_hash_deinit (&hd, _digest); digest.data = _digest; digest.size = 20; diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 26abb56d25..c2217fa2cc 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -542,7 +542,7 @@ _pkcs1_rsa_verify_sig (const gnutls_datum_t * text, int ret; opaque digest[MAX_HASH_SIZE], md[MAX_HASH_SIZE]; int digest_size; - GNUTLS_HASH_HANDLE hd; + digest_hd_st hd; gnutls_datum_t decrypted; ret = @@ -573,15 +573,15 @@ _pkcs1_rsa_verify_sig (const gnutls_datum_t * text, return GNUTLS_E_ASN1_GENERIC_ERROR; } - hd = _gnutls_hash_init (hash); - if (hd == NULL) + ret = _gnutls_hash_init (&hd, hash); + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_HASH_FAILED; + return ret; } - _gnutls_hash (hd, text->data, text->size); - _gnutls_hash_deinit (hd, md); + _gnutls_hash (&hd, text->data, text->size); + _gnutls_hash_deinit (&hd, md); if (memcmp (md, digest, digest_size) != 0) { @@ -602,17 +602,17 @@ dsa_verify_sig (const gnutls_datum_t * text, int ret; opaque _digest[MAX_HASH_SIZE]; gnutls_datum_t digest; - GNUTLS_HASH_HANDLE hd; + digest_hd_st hd; - hd = _gnutls_hash_init (GNUTLS_MAC_SHA1); - if (hd == NULL) + ret = _gnutls_hash_init (&hd, GNUTLS_MAC_SHA1); + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_HASH_FAILED; + return ret; } - _gnutls_hash (hd, text->data, text->size); - _gnutls_hash_deinit (hd, _digest); + _gnutls_hash (&hd, text->data, text->size); + _gnutls_hash_deinit (&hd, _digest); digest.data = _digest; digest.size = 20; diff --git a/lib/x509/x509.c b/lib/x509/x509.c index d9b17b7e54..bab2e1135b 100644 --- a/lib/x509/x509.c +++ b/lib/x509/x509.c @@ -2028,7 +2028,7 @@ rsadsa_get_key_id (gnutls_x509_crt_t crt, int pk, int params_size = MAX_PUBLIC_PARAMS_SIZE; int i, result = 0; gnutls_datum_t der = { NULL, 0 }; - GNUTLS_HASH_HANDLE hd; + digest_hd_st hd; result = _gnutls_x509_crt_get_mpis (crt, params, ¶ms_size); if (result < 0) @@ -2058,17 +2058,16 @@ rsadsa_get_key_id (gnutls_x509_crt_t crt, int pk, else return GNUTLS_E_INTERNAL_ERROR; - hd = _gnutls_hash_init (GNUTLS_MAC_SHA1); - if (hd == GNUTLS_HASH_FAILED) + result = _gnutls_hash_init (&hd, GNUTLS_MAC_SHA1); + if (result < 0) { gnutls_assert (); - result = GNUTLS_E_INTERNAL_ERROR; goto cleanup; } - _gnutls_hash (hd, der.data, der.size); + _gnutls_hash (&hd, der.data, der.size); - _gnutls_hash_deinit (hd, output_data); + _gnutls_hash_deinit (&hd, output_data); *output_data_size = 20; result = 0; -- cgit v1.2.1