[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-291-g3b9a0c6
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-291-g3b9a0c6 |
|
Date: |
Sat, 12 Mar 2011 22:47:05 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=3b9a0c6c37dc9d68d5bcf190ce614898ae95e015
The branch, master has been updated
via 3b9a0c6c37dc9d68d5bcf190ce614898ae95e015 (commit)
via 69f56b1559f2da632e0a12d1578f4445ed1a095a (commit)
via 752b6530ed906fb7cdb7177c105013491950ddcb (commit)
via 83210dfeb5144d23fc25b949fa63e328492648f9 (commit)
via 14d4edac63b75d772d88c8d8c93955b1bf1e47e8 (commit)
via 3387c6872c26a1e8fbb8cfd12d6a3372795befd4 (commit)
from 1712d9683acf660e4c1b791d8bebbe86dd5e6905 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 3b9a0c6c37dc9d68d5bcf190ce614898ae95e015
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Mar 12 23:44:41 2011 +0100
do not print debugging output on non-fatal errors.
commit 69f56b1559f2da632e0a12d1578f4445ed1a095a
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Mar 12 23:42:58 2011 +0100
Properly reset the SSL 3.0 MAC algorithm.
commit 752b6530ed906fb7cdb7177c105013491950ddcb
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Mar 12 23:38:50 2011 +0100
cleanups. Introduced gnutls_assert_val_fatal() that only prints
debugging messages on non-fatal errors.
commit 83210dfeb5144d23fc25b949fa63e328492648f9
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Mar 12 23:30:45 2011 +0100
Added string for GNUTLS_A_SSL3_NO_CERTIFICATE.
commit 14d4edac63b75d772d88c8d8c93955b1bf1e47e8
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Mar 12 23:27:56 2011 +0100
gnutls_version_has_variable_padding is not really needed. A check for
SSL3.0 is more clear.
commit 3387c6872c26a1e8fbb8cfd12d6a3372795befd4
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Mar 12 22:52:07 2011 +0100
Corrected SSL2 client hello handling.
-----------------------------------------------------------------------
Summary of changes:
lib/debug.c | 3 ++
lib/ext_session_ticket.c | 5 +--
lib/gnutls_alert.c | 1 +
lib/gnutls_algorithms.c | 14 ---------
lib/gnutls_algorithms.h | 1 -
lib/gnutls_buffers.c | 69 +++++++++++++++++++++++++++++++++------------
lib/gnutls_cipher.c | 4 +-
lib/gnutls_cipher_int.c | 2 +-
lib/gnutls_constate.c | 6 ++--
lib/gnutls_errors.h | 1 +
lib/gnutls_handshake.c | 13 ++------
lib/gnutls_hash_int.c | 19 ++++++++++++
lib/gnutls_hash_int.h | 2 +
lib/gnutls_record.c | 14 ++------
lib/gnutls_v2_compat.c | 2 +
lib/x509/verify-high.c | 4 +-
16 files changed, 95 insertions(+), 65 deletions(-)
diff --git a/lib/debug.c b/lib/debug.c
index f5eb466..14ec82f 100644
--- a/lib/debug.c
+++ b/lib/debug.c
@@ -75,6 +75,9 @@ _gnutls_handshake2str (gnutls_handshake_description_t
handshake)
case GNUTLS_HANDSHAKE_CLIENT_HELLO:
return "CLIENT HELLO";
break;
+ case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2:
+ return "SSL2 CLIENT HELLO";
+ break;
case GNUTLS_HANDSHAKE_SERVER_HELLO:
return "SERVER HELLO";
break;
diff --git a/lib/ext_session_ticket.c b/lib/ext_session_ticket.c
index d74be83..5f141c7 100644
--- a/lib/ext_session_ticket.c
+++ b/lib/ext_session_ticket.c
@@ -716,10 +716,7 @@ _gnutls_recv_new_session_ticket (gnutls_session_t session)
GNUTLS_HANDSHAKE_NEW_SESSION_TICKET,
MANDATORY_PACKET, &buf);
if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
+ return gnutls_assert_val_fatal(ret);
p = buf.data;
data_size = buf.length;
diff --git a/lib/gnutls_alert.c b/lib/gnutls_alert.c
index 3a3c4f5..b173057 100644
--- a/lib/gnutls_alert.c
+++ b/lib/gnutls_alert.c
@@ -61,6 +61,7 @@ static const gnutls_alert_entry sup_alerts[] = {
{GNUTLS_A_PROTOCOL_VERSION, N_("Error in protocol version")},
{GNUTLS_A_INSUFFICIENT_SECURITY, N_("Insufficient security")},
{GNUTLS_A_USER_CANCELED, N_("User canceled")},
+ {GNUTLS_A_SSL3_NO_CERTIFICATE, N_("No certificate (SSL 3.0)")},
{GNUTLS_A_INTERNAL_ERROR, N_("Internal error")},
{GNUTLS_A_NO_RENEGOTIATION, N_("No renegotiation is allowed")},
{GNUTLS_A_CERTIFICATE_UNOBTAINABLE,
diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c
index f636f6a..f5063f1 100644
--- a/lib/gnutls_algorithms.c
+++ b/lib/gnutls_algorithms.c
@@ -1459,20 +1459,6 @@ _gnutls_version_has_explicit_iv (gnutls_protocol_t
version)
}
}
-/* This function determines if the version specified can have
- non-minimal padding. */
-int
-_gnutls_version_has_variable_padding (gnutls_protocol_t version)
-{
- switch (version)
- {
- case GNUTLS_SSL3:
- return 0;
- default:
- return 1;
- }
-}
-
/* Type to KX mappings */
gnutls_kx_algorithm_t
_gnutls_map_kx_get_kx (gnutls_credentials_type_t type, int server)
diff --git a/lib/gnutls_algorithms.h b/lib/gnutls_algorithms.h
index 38e70bc..5c867b8 100644
--- a/lib/gnutls_algorithms.h
+++ b/lib/gnutls_algorithms.h
@@ -47,7 +47,6 @@ int _gnutls_version_has_selectable_prf (gnutls_protocol_t
version);
int _gnutls_version_has_selectable_sighash (gnutls_protocol_t version);
int _gnutls_version_has_extensions (gnutls_protocol_t version);
int _gnutls_version_has_explicit_iv (gnutls_protocol_t version);
-int _gnutls_version_has_variable_padding (gnutls_protocol_t version);
/* Functions for MACs. */
int _gnutls_mac_is_ok (gnutls_mac_algorithm_t algorithm);
diff --git a/lib/gnutls_buffers.c b/lib/gnutls_buffers.c
index c66f112..50ca2d7 100644
--- a/lib/gnutls_buffers.c
+++ b/lib/gnutls_buffers.c
@@ -745,15 +745,14 @@ parse_handshake_header (gnutls_session_t session,
mbuffer_st* bufel, gnutls_hand
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
dataptr = _mbuffer_get_udata_ptr(bufel);
-
/* if reading a client hello of SSLv2 */
if (!IS_DTLS(session) && htype == GNUTLS_HANDSHAKE_CLIENT_HELLO &&
bufel->htype == GNUTLS_HANDSHAKE_CLIENT_HELLO_V2)
{
- hsk->length = _mbuffer_get_udata_size(bufel) - SSL2_HEADERS; /* we've
read the first byte */
-
handshake_header_size = SSL2_HEADERS; /* we've already read one byte */
+ hsk->length = _mbuffer_get_udata_size(bufel) - handshake_header_size;
/* we've read the first byte */
+
if (dataptr[0] != GNUTLS_HANDSHAKE_CLIENT_HELLO)
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
@@ -892,6 +891,17 @@ int ret;
return 0;
}
+/* returns non-zero on match and zero on mismatch
+ */
+inline static int cmp_hsk_types(gnutls_handshake_description_t expected,
gnutls_handshake_description_t recvd)
+{
+ if ((expected != GNUTLS_HANDSHAKE_CLIENT_HELLO || recvd !=
GNUTLS_HANDSHAKE_CLIENT_HELLO_V2) &&
+ (expected != recvd))
+ return 0;
+
+ return 1;
+}
+
#define LAST_ELEMENT (session->internals.handshake_recv_buffer_size-1)
/* returns the last stored handshake packet.
@@ -929,7 +939,7 @@ handshake_buffer_st* recv_buf =
session->internals.handshake_recv_buffer;
{
if (session->internals.handshake_recv_buffer_size > 0 &&
recv_buf[0].length == recv_buf[0].data.length)
{
- if (recv_buf[0].htype != htype)
+ if (cmp_hsk_types(htype, recv_buf[0].htype) == 0)
{
hsk->htype = recv_buf[LAST_ELEMENT].htype;
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET);
@@ -940,15 +950,15 @@ handshake_buffer_st* recv_buf =
session->internals.handshake_recv_buffer;
return 0;
}
else
- return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
+ return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
}
/* This is a receive function for the gnutls handshake
* protocol. Makes sure that we have received all data.
*/
-ssize_t
-_gnutls_handshake_io_recv_int (gnutls_session_t session,
+static int
+parse_record_buffered_msgs (gnutls_session_t session,
gnutls_handshake_description_t htype,
handshake_buffer_st * hsk)
{
@@ -958,19 +968,9 @@ _gnutls_handshake_io_recv_int (gnutls_session_t session,
size_t data_size;
handshake_buffer_st* recv_buf = session->internals.handshake_recv_buffer;
- ret = get_last_packet(session, htype, hsk);
- if (ret >= 0)
- return ret;
-
- /* if we don't have a complete message waiting for us, try
- * receiving more */
- ret = _gnutls_recv_in_buffers(session, GNUTLS_HANDSHAKE, htype);
- if (ret < 0)
- return gnutls_assert_val(ret);
-
bufel = _mbuffer_head_get_first(&session->internals.record_buffer, &msg);
if (bufel == NULL)
- return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
+ return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
if (!IS_DTLS(session))
{
@@ -1018,7 +1018,8 @@ _gnutls_handshake_io_recv_int (gnutls_session_t session,
_mbuffer_head_remove_bytes(&session->internals.record_buffer,
data_size+header_size);
- if (htype != recv_buf[0].htype)
+
+ if (cmp_hsk_types(htype, recv_buf[0].htype) == 0)
{ /* an unexpected packet */
hsk->htype = recv_buf[0].htype;
return
gnutls_assert_val(GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET);
@@ -1117,6 +1118,36 @@ next:
}
}
+/* This is a receive function for the gnutls handshake
+ * protocol. Makes sure that we have received all data.
+ */
+ssize_t
+_gnutls_handshake_io_recv_int (gnutls_session_t session,
+ gnutls_handshake_description_t htype,
+ handshake_buffer_st * hsk)
+{
+ int ret;
+
+ ret = get_last_packet(session, htype, hsk);
+ if (ret >= 0)
+ return ret;
+
+ /* try using the already existing records before
+ * trying to receive.
+ */
+ ret = parse_record_buffered_msgs(session, htype, hsk);
+ if (ret >= 0)
+ return ret;
+
+ /* if we don't have a complete message waiting for us, try
+ * receiving more */
+ ret = _gnutls_recv_in_buffers(session, GNUTLS_HANDSHAKE, htype);
+ if (ret < 0)
+ return gnutls_assert_val_fatal(ret);
+
+ return parse_record_buffered_msgs(session, htype, hsk);
+}
+
/* Buffer for handshake packets. Keeps the packets in order
* for finished messages to use them. Used in HMAC calculation
* and finished messages.
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index deef202..6225cb1 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -550,7 +550,7 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
return gnutls_assert_val(ret);
pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */
-
+
if ((int) pad > (int) ciphertext.size - tag_size)
{
gnutls_assert ();
@@ -567,7 +567,7 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
/* Check the pading bytes (TLS 1.x)
*/
- if (_gnutls_version_has_variable_padding (ver) && pad_failed == 0)
+ if (ver != GNUTLS_SSL3 && pad_failed == 0)
for (i = 2; i < pad; i++)
{
if (ciphertext.data[ciphertext.size - i] !=
diff --git a/lib/gnutls_cipher_int.c b/lib/gnutls_cipher_int.c
index e766504..0ca4408 100644
--- a/lib/gnutls_cipher_int.c
+++ b/lib/gnutls_cipher_int.c
@@ -255,7 +255,7 @@ int ret = 0;
if (ret < 0)
return gnutls_assert_val(ret);
- _gnutls_hash_reset (&handle->mac);
+ _gnutls_mac_reset_ssl3 (&handle->mac);
}
else
{
diff --git a/lib/gnutls_constate.c b/lib/gnutls_constate.c
index 33548e0..2ec6ab8 100644
--- a/lib/gnutls_constate.c
+++ b/lib/gnutls_constate.c
@@ -291,7 +291,7 @@ _gnutls_set_keys (gnutls_session_t session,
record_parameters_st * params,
}
static int
-_gnutls_init_record_state (record_parameters_st * params, int ver, int d,
+_gnutls_init_record_state (record_parameters_st * params, gnutls_protocol_t
ver, int d,
record_state_st * state)
{
int ret;
@@ -402,7 +402,7 @@ _gnutls_epoch_set_keys (gnutls_session_t session, uint16_t
epoch)
gnutls_compression_method_t comp_algo;
record_parameters_st *params;
int ret;
- int ver = gnutls_protocol_get_version (session);
+ gnutls_protocol_t ver = gnutls_protocol_get_version (session);
ret = _gnutls_epoch_get (session, epoch, ¶ms);
if (ret < 0)
@@ -675,7 +675,7 @@ epoch_get_slot (gnutls_session_t session, uint16_t epoch)
if (epoch_index >= MAX_EPOCH_INDEX)
{
- _gnutls_dtls_log("Epoch %d out of range (idx: %d, max: %d)\n",
(int)epoch, (int)epoch_index, MAX_EPOCH_INDEX);
+ _gnutls_handshake_log("Epoch %d out of range (idx: %d, max: %d)\n",
(int)epoch, (int)epoch_index, MAX_EPOCH_INDEX);
gnutls_assert ();
return NULL;
}
diff --git a/lib/gnutls_errors.h b/lib/gnutls_errors.h
index 2138555..43f3c49 100644
--- a/lib/gnutls_errors.h
+++ b/lib/gnutls_errors.h
@@ -100,5 +100,6 @@ int gnutls_assert_val_int (int val, const char *file, int
line)
}
#define gnutls_assert_val(x) gnutls_assert_val_int(x, __FILE__, __LINE__)
+#define gnutls_assert_val_fatal(x) (((x)!=GNUTLS_E_AGAIN &&
(x)!=GNUTLS_E_INTERRUPTED)?gnutls_assert_val_int(x, __FILE__, __LINE__):(x))
#endif /* GNUTLS_ERRORS_H */
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index a95b207..883e38a 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -1045,8 +1045,7 @@ _gnutls_server_select_comp_method (gnutls_session_t
session,
return x;
}
- memset (&session->internals.compression_method, 0,
- sizeof (gnutls_compression_method_t));
+ session->internals.compression_method = 0;
for (j = 0; j < datalen; j++)
{
@@ -1284,7 +1283,7 @@ _gnutls_handshake_hash_add_recvd (gnutls_session_t
session,
if ((session->security_parameters.entity == GNUTLS_SERVER
|| recv_type != GNUTLS_HANDSHAKE_SERVER_HELLO)
&& (session->security_parameters.entity == GNUTLS_CLIENT
- || recv_type != GNUTLS_HANDSHAKE_CLIENT_HELLO))
+ || (recv_type != GNUTLS_HANDSHAKE_CLIENT_HELLO && recv_type !=
GNUTLS_HANDSHAKE_CLIENT_HELLO_V2)))
{
if ((ret = _gnutls_handshake_hash_pending (session)) < 0)
{
@@ -1342,7 +1341,7 @@ _gnutls_recv_handshake (gnutls_session_t session,
_gnutls_audit_log("Received unexpected handshake message '%s' (%d).
Expected '%s' (%d)\n",
_gnutls_handshake2str(hsk.htype), (int)hsk.htype,
_gnutls_handshake2str(type), (int)type);
- return gnutls_assert_val(ret);
+ return gnutls_assert_val_fatal(ret);
}
ret = _gnutls_handshake_hash_add_recvd (session, hsk.htype,
@@ -2226,7 +2225,6 @@ _gnutls_recv_hello_verify_request (gnutls_session_t
session,
{
ssize_t len = datalen;
size_t pos = 0;
- int ret;
uint8_t cookie_len;
unsigned int nb_verifs;
@@ -2571,10 +2569,7 @@ gnutls_handshake (gnutls_session_t session)
_gnutls_epoch_alloc (session, session->security_parameters.epoch_next,
NULL);
if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
+ return gnutls_assert_val(ret);
}
if (session->security_parameters.entity == GNUTLS_CLIENT)
diff --git a/lib/gnutls_hash_int.c b/lib/gnutls_hash_int.c
index e925042..94d6ffe 100644
--- a/lib/gnutls_hash_int.c
+++ b/lib/gnutls_hash_int.c
@@ -322,6 +322,25 @@ _gnutls_mac_init_ssl3 (digest_hd_st * ret,
gnutls_mac_algorithm_t algorithm,
return 0;
}
+void
+_gnutls_mac_reset_ssl3 (digest_hd_st * handle)
+{
+ opaque ipad[48];
+ int padsize;
+
+ padsize = get_padsize (handle->algorithm);
+
+ memset (ipad, 0x36, padsize);
+
+ _gnutls_hash_reset(handle);
+
+ if (handle->keysize > 0)
+ _gnutls_hash (handle, handle->key, handle->keysize);
+ _gnutls_hash (handle, ipad, padsize);
+
+ return;
+}
+
int
_gnutls_mac_output_ssl3 (digest_hd_st * handle, void *digest)
{
diff --git a/lib/gnutls_hash_int.h b/lib/gnutls_hash_int.h
index d0bcf14..75a8bb8 100644
--- a/lib/gnutls_hash_int.h
+++ b/lib/gnutls_hash_int.h
@@ -165,6 +165,8 @@ int _gnutls_ssl3_hash_md5 (const void *first, int first_len,
const void *second, int second_len,
int ret_len, opaque * ret);
+void _gnutls_mac_reset_ssl3 (digest_hd_st * handle);
+
int _gnutls_mac_deinit_ssl3_handshake (digest_hd_st * handle, void *digest,
opaque * key, uint32_t key_size);
diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c
index e7a7036..f721438 100644
--- a/lib/gnutls_record.c
+++ b/lib/gnutls_record.c
@@ -349,17 +349,11 @@ _gnutls_send_int (gnutls_session_t session,
content_type_t type,
ret = _gnutls_epoch_get (session, epoch_rel, &record_params);
if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
+ return gnutls_assert_val(ret);
/* Safeguard against processing data with an incomplete cipher state. */
if (!record_params->initialized)
- {
- gnutls_assert ();
- return GNUTLS_E_INVALID_REQUEST;
- }
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
record_state = &record_params->write;
@@ -782,7 +776,7 @@ record_read_headers (gnutls_session_t session,
record->length = (((headers[0] & 0x7f) << 8)) | headers[1];
/* SSL 2.0 headers */
- record->header_size = 2;
+ record->header_size = record->packet_size = 2;
record->type = GNUTLS_HANDSHAKE; /* we accept only v2 client hello
*/
@@ -952,7 +946,7 @@ begin:
ret = recv_headers(session, type, htype, &record);
if (ret < 0)
{
- gnutls_assert();
+ gnutls_assert_val_fatal(ret);
goto recv_error;
}
diff --git a/lib/gnutls_v2_compat.c b/lib/gnutls_v2_compat.c
index abc17b7..9d78287 100644
--- a/lib/gnutls_v2_compat.c
+++ b/lib/gnutls_v2_compat.c
@@ -42,6 +42,7 @@
#include "gnutls_extensions.h"
#include "gnutls_auth.h"
#include "gnutls_v2_compat.h"
+#include "gnutls_constate.h"
/* This selects the best supported ciphersuite from the ones provided */
static int
@@ -250,6 +251,7 @@ _gnutls_read_client_hello_v2 (gnutls_session_t session,
opaque * data,
}
session->internals.compression_method = GNUTLS_COMP_NULL;
+ _gnutls_epoch_set_compression (session, EPOCH_NEXT,
session->internals.compression_method);
return 0;
}
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 51252a1..d9a7112 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -251,10 +251,10 @@ uint32_t hash;
*
* Returns the new size of the list or a negative number on error.
*/
-int shorten_clist(gnutls_x509_trust_list_t list,
+static int shorten_clist(gnutls_x509_trust_list_t list,
gnutls_x509_crt_t* certificate_list, int clist_size)
{
-int i, j, ret;
+int i, ret;
uint32_t hash;
gnutls_datum_t dn;
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-291-g3b9a0c6,
Nikos Mavrogiannopoulos <=