author | Jonathan Bastien-Filiatrault <joe@x2a.org> | 2009-08-18 22:55:30 -0400 |
---|---|---|
committer | Simon Josefsson <simon@josefsson.org> | 2009-08-19 16:03:04 +0200 |
commit | 63a331df6aa0ec8d6fa89a68aec0b36607dbc481 (patch) | |
tree | 7502b5c4d36dfa6642fab0ce6aa23a38452e5d11 | |
parent | 3843924ec2294102b90847c7a6510c7415bfbead (diff) | |
Replace explicit version checks with feature checks
Signed-off-by: Simon Josefsson <simon@josefsson.org>
-rw-r--r-- | lib/auth_cert.c | 6 | ||||
-rw-r--r-- | lib/gnutls_algorithms.c | 61 | ||||
-rw-r--r-- | lib/gnutls_algorithms.h | 7 | ||||
-rw-r--r-- | lib/gnutls_cipher.c | 12 | ||||
-rw-r--r-- | lib/gnutls_handshake.c | 12 | ||||
-rw-r--r-- | lib/gnutls_sig.c | 8 | ||||
-rw-r--r-- | lib/gnutls_state.c | 2 |
7 files changed, 88 insertions, 20 deletions
diff --git a/lib/auth_cert.c b/lib/auth_cert.c index c0e7547e85..a5244c85f0 100644 --- a/lib/auth_cert.c +++ b/lib/auth_cert.c @@ -1352,7 +1352,7 @@ _gnutls_proc_cert_cert_req (gnutls_session_t session, opaque * data, return GNUTLS_E_UNKNOWN_PK_ALGORITHM; } - if (ver == GNUTLS_TLS1_2) + if (_gnutls_version_has_selectable_sighash(ver)) { /* read supported hashes */ int hash_num; @@ -1526,7 +1526,7 @@ _gnutls_gen_cert_server_cert_req (gnutls_session_t session, opaque ** data) session->internals.ignore_rdn_sequence == 0) size += cred->x509_rdn_sequence.size; - if (ver == GNUTLS_TLS1_2) + if (_gnutls_version_has_selectable_sighash(ver)) /* Need at least one byte to announce the number of supported hash functions (see below). */ size += 1; @@ -1546,7 +1546,7 @@ _gnutls_gen_cert_server_cert_req (gnutls_session_t session, opaque ** data) pdata[2] = DSA_SIGN; /* only these for now */ pdata += CERTTYPE_SIZE; - if (ver == GNUTLS_TLS1_2) + if (_gnutls_version_has_selectable_sighash(ver)) { /* Supported hashes (nothing for now -- FIXME). */ *pdata = 0; diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c index 6be0849310..08054c4617 100644 --- a/lib/gnutls_algorithms.c +++ b/lib/gnutls_algorithms.c 
@@ -1178,6 +1178,67 @@ _gnutls_version_is_supported (gnutls_session_t session, return 1; } + +/* This function determines if the version specified has a + cipher-suite selected PRF hash function instead of the old + hardcoded MD5+SHA1. */ +int +_gnutls_version_has_selectable_prf (gnutls_protocol_t version) +{ + return version == GNUTLS_TLS1_2; +} + +/* This function determines if the version specified has selectable + signature/hash functions for certificate authentification. */ +int +_gnutls_version_has_selectable_sighash (gnutls_protocol_t version) +{ + return version == GNUTLS_TLS1_2; +} + +/* This function determines if the version specified has support for + TLS extensions. */ +int +_gnutls_version_has_extensions (gnutls_protocol_t version) +{ + switch(version) { + case GNUTLS_TLS1_0: + case GNUTLS_TLS1_1: + case GNUTLS_TLS1_2: + return 1; + default: + return 0; + } +} + +/* This function determines if the version specified has explicit IVs + (for CBC attack prevention). */ +int +_gnutls_version_has_explicit_iv (gnutls_protocol_t version) +{ + switch(version) { + case GNUTLS_TLS1_1: + case GNUTLS_TLS1_2: + return 1; + default: + return 0; + } +} + +/* This function determines if the version specified can have + non-minimal padding. */ +int _gnutls_version_has_variable_padding (gnutls_protocol_t version) +{ + switch(version) { + case GNUTLS_TLS1_0: + case GNUTLS_TLS1_1: + case GNUTLS_TLS1_2: + return 1; + default: + return 0; + } +} + /* Type to KX mappings */ gnutls_kx_algorithm_t _gnutls_map_kx_get_kx (gnutls_credentials_type_t type, int server) diff --git a/lib/gnutls_algorithms.h b/lib/gnutls_algorithms.h index 2c55f24d51..0e2f2b7fcd 100644 --- a/lib/gnutls_algorithms.h +++ b/lib/gnutls_algorithms.h 
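Review bot: Every helper added in this hunk answers "no" for any `gnutls_protocol_t` value it does not list, through `default: return 0;` in the three switches and `version == GNUTLS_TLS1_2` in the two equality tests, whereas the call sites they replace used `>=` and `<`, so the commit is not a pure refactor for values outside the listed ones. For `_gnutls_version_has_explicit_iv` and `_gnutls_version_has_selectable_prf` that "no" selects the older behaviour (no per-record IV, hardcoded MD5+SHA1), so a protocol constant added later would presumably fall back to it until each helper is updated. I would state that contract in a comment above the group, for example `/* Versions not listed below get the legacy answer; extend every helper when adding a gnutls_protocol_t value. */`. Minor: `_gnutls_version_has_variable_padding` keeps its return type on the signature line unlike the other four, and "authentification" in the sighash comment should read "authentication".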
@@ -38,6 +38,13 @@ int _gnutls_version_get_major (gnutls_protocol_t ver); int _gnutls_version_get_minor (gnutls_protocol_t ver); gnutls_protocol_t _gnutls_version_get (int major, int minor); +/* Functions for feature checks */ +int _gnutls_version_has_selectable_prf (gnutls_protocol_t version); +int _gnutls_version_has_selectable_sighash (gnutls_protocol_t version); +int _gnutls_version_has_extensions (gnutls_protocol_t version); +int _gnutls_version_has_explicit_iv (gnutls_protocol_t version); +int _gnutls_version_has_variable_padding (gnutls_protocol_t version); + /* Functions for MACs. */ int _gnutls_mac_is_ok (gnutls_mac_algorithm_t algorithm); gnutls_mac_algorithm_t _gnutls_x509_oid2mac_algorithm (const char *oid); diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c index 8defc2bff6..565a0002f0 100644 --- a/lib/gnutls_cipher.c +++ b/lib/gnutls_cipher.c @@ -275,7 +275,7 @@ calc_enc_length (gnutls_session_t session, int data_size, *pad = (uint8_t) (blocksize - (length % blocksize)) + rnd; length += *pad; - if (session->security_parameters.version >= GNUTLS_TLS1_1) + if (_gnutls_version_has_explicit_iv(session->security_parameters.version)) length += blocksize; /* for the IV */ break; @@ -344,7 +344,7 @@ _gnutls_compressed2ciphertext (gnutls_session_t session, write_sequence_number), 8); _gnutls_hmac (&td, &type, 1); - if (ver >= GNUTLS_TLS1) + if (_gnutls_version_has_variable_padding(ver)) { /* TLS 1.0 or higher */ _gnutls_hmac (&td, &major, 1); _gnutls_hmac (&td, &minor, 1); @@ -376,7 +376,7 @@ _gnutls_compressed2ciphertext (gnutls_session_t session, data_ptr = cipher_data; if (block_algo == CIPHER_BLOCK && - session->security_parameters.version >= GNUTLS_TLS1_1) + _gnutls_version_has_explicit_iv(session->security_parameters.version)) { /* copy the random IV. */ 
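Review bot: In the `@@ -344` hunk of `_gnutls_compressed2ciphertext`, the branch that feeds `major` and `minor` into the record MAC is now gated by `_gnutls_version_has_variable_padding(ver)`, a predicate about padding rather than about what the MAC covers. The two hold for the same versions today, but a later change to the padding helper would silently change the MAC input; the `@@ -554` hunk in `_gnutls_ciphertext2compressed` has the same coupling. A separate predicate for the MAC input would keep the intent readable, or at minimum a comment such as `/* MAC covers the protocol version from TLS 1.0 on; shares the padding predicate only by coincidence */`. Both functions extend beyond the hunks shown.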
@@ -497,7 +497,7 @@ _gnutls_ciphertext2compressed (gnutls_session_t session, /* ignore the IV in TLS 1.1. */ - if (session->security_parameters.version >= GNUTLS_TLS1_1) + if (_gnutls_version_has_explicit_iv(session->security_parameters.version)) { ciphertext.size -= blocksize; ciphertext.data += blocksize; @@ -527,7 +527,7 @@ _gnutls_ciphertext2compressed (gnutls_session_t session, /* Check the pading bytes (TLS 1.x) */ - if (ver >= GNUTLS_TLS1 && pad_failed == 0) + if (_gnutls_version_has_variable_padding(ver) && pad_failed == 0) for (i = 2; i < pad; i++) { if (ciphertext.data[ciphertext.size - i] != @@ -554,7 +554,7 @@ _gnutls_ciphertext2compressed (gnutls_session_t session, read_sequence_number), 8); _gnutls_hmac (&td, &type, 1); - if (ver >= GNUTLS_TLS1) + if (_gnutls_version_has_variable_padding(ver)) { /* TLS 1.x */ _gnutls_hmac (&td, &major, 1); _gnutls_hmac (&td, &minor, 1); diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index 1b8512830c..840084e0bb 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -206,7 +206,7 @@ _gnutls_finished (gnutls_session_t session, int type, void *ret) gnutls_protocol_t ver = gnutls_protocol_get_version (session); int rc; - if (ver < GNUTLS_TLS1_2) + if (!_gnutls_version_has_selectable_prf(ver)) { rc = _gnutls_hash_copy (&td_md5, @@ -227,7 +227,7 @@ _gnutls_finished (gnutls_session_t session, int type, void *ret) return rc; } - if (ver < GNUTLS_TLS1_2) + if (!_gnutls_version_has_selectable_prf(ver)) { _gnutls_hash_deinit (&td_md5, concat); _gnutls_hash_deinit (&td_sha, &concat[16]); @@ -440,7 +440,7 @@ _gnutls_read_client_hello (gnutls_session_t session, opaque * data, /* Parse the extensions (if any) */ - if (neg_version >= GNUTLS_TLS1) + if (_gnutls_version_has_extensions(neg_version)) { ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION, &data[pos], len); 
@@ -459,7 +459,7 @@ _gnutls_read_client_hello (gnutls_session_t session, opaque * data, return ret; } - if (neg_version >= GNUTLS_TLS1) + if (_gnutls_version_has_extensions(neg_version)) { ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS, &data[pos], len); @@ -1584,7 +1584,7 @@ _gnutls_read_server_hello (gnutls_session_t session, /* Parse extensions. */ - if (version >= GNUTLS_TLS1) + if (_gnutls_version_has_extensions(version)) { ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY, &data[pos], len); @@ -1884,7 +1884,7 @@ _gnutls_send_client_hello (gnutls_session_t session, int again) /* Generate and copy TLS extensions. */ - if (hver >= GNUTLS_TLS1) + if (_gnutls_version_has_extensions(hver)) { extdatalen = _gnutls_gen_extensions (session, extdata, sizeof (extdata)); diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c index 81f5aa355b..3da00609f1 100644 --- a/lib/gnutls_sig.c +++ b/lib/gnutls_sig.c @@ -153,7 +153,7 @@ _gnutls_tls_sign_params (gnutls_session_t session, gnutls_cert * cert, switch (cert->subject_pk_algorithm) { case GNUTLS_PK_RSA: - if (ver < GNUTLS_TLS1_2) + if (!_gnutls_version_has_selectable_prf(ver)) { digest_hd_st td_md5; @@ -444,7 +444,7 @@ _gnutls_verify_sig_params (gnutls_session_t session, gnutls_cert * cert, opaque concat[36]; gnutls_protocol_t ver = gnutls_protocol_get_version (session); - if (ver < GNUTLS_TLS1_2) + if (!_gnutls_version_has_selectable_prf(ver)) { ret = _gnutls_hash_init (&td_md5, GNUTLS_MAC_MD5); if (ret < 0) @@ -464,7 +464,7 @@ _gnutls_verify_sig_params (gnutls_session_t session, gnutls_cert * cert, if (ret < 0) { gnutls_assert (); - if (ver < GNUTLS_TLS1_2) + if (!_gnutls_version_has_selectable_prf(ver)) _gnutls_hash_deinit (&td_md5, NULL); return ret; } 
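Review bot: The `@@ -153` hunk in `_gnutls_tls_sign_params` guards the RSA branch that declares an MD5 digest handle for signing, yet it tests `_gnutls_version_has_selectable_prf(ver)`, while this commit also adds `_gnutls_version_has_selectable_sighash` and uses it in lib/auth_cert.c for the certificate-request hash list. From the visible lines this looks like a signature-hash decision rather than a PRF one, so I would write `if (!_gnutls_version_has_selectable_sighash(ver))` here. The `@@ -444`, `@@ -464` and `@@ -475` hunks in `_gnutls_verify_sig_params` make the same choice and would change the same way. Both helpers return the same value today, so the point is to keep the two features from being tied together by accident; the function bodies continue outside the hunks.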
@@ -475,7 +475,7 @@ _gnutls_verify_sig_params (gnutls_session_t session, gnutls_cert * cert, GNUTLS_RANDOM_SIZE); _gnutls_hash (&td_sha, params->data, params->size); - if (ver < GNUTLS_TLS1_2) + if (!_gnutls_version_has_selectable_prf(ver)) { _gnutls_hash_deinit (&td_md5, concat); _gnutls_hash_deinit (&td_sha, &concat[16]); diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c index 5b5f7a775b..e1bfc66fec 100644 --- a/lib/gnutls_state.c +++ b/lib/gnutls_state.c @@ -903,7 +903,7 @@ _gnutls_PRF (gnutls_session_t session, memcpy (s_seed, label, label_size); memcpy (&s_seed[label_size], seed, seed_size); - if (ver >= GNUTLS_TLS1_2) + if (_gnutls_version_has_selectable_prf(ver)) { result = _gnutls_P_hash (GNUTLS_MAC_SHA1, secret, secret_size, |
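Review bot: In the `@@ -903` hunk of `_gnutls_PRF`, the branch taken when `_gnutls_version_has_selectable_prf(ver)` is true still passes the fixed `GNUTLS_MAC_SHA1` to `_gnutls_P_hash`, while the helper's own comment describes this case as a cipher-suite selected PRF hash. The rest of the call is outside the hunk, so the hash may be adjusted elsewhere, but as shown the predicate name promises more than the branch does. A marker at the call would keep that visible: `/* FIXME: PRF hash is hard-coded here, not taken from the cipher suite */`.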