authorJonathan Bastien-Filiatrault <joe@x2a.org>2009-08-18 22:55:30 -0400
committerSimon Josefsson <simon@josefsson.org>2009-08-19 16:03:04 +0200
commit63a331df6aa0ec8d6fa89a68aec0b36607dbc481 (patch)
tree7502b5c4d36dfa6642fab0ce6aa23a38452e5d11
parent3843924ec2294102b90847c7a6510c7415bfbead (diff)
Replace explicit version checks with feature checks
Signed-off-by: Simon Josefsson <simon@josefsson.org>
-rw-r--r--lib/auth_cert.c6
-rw-r--r--lib/gnutls_algorithms.c61
-rw-r--r--lib/gnutls_algorithms.h7
-rw-r--r--lib/gnutls_cipher.c12
-rw-r--r--lib/gnutls_handshake.c12
-rw-r--r--lib/gnutls_sig.c8
-rw-r--r--lib/gnutls_state.c2
7 files changed, 88 insertions, 20 deletions
diff --git a/lib/auth_cert.c b/lib/auth_cert.c
index c0e7547e85..a5244c85f0 100644
--- a/lib/auth_cert.c
+++ b/lib/auth_cert.c
@@ -1352,7 +1352,7 @@ _gnutls_proc_cert_cert_req (gnutls_session_t session, opaque * data,
return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
}
- if (ver == GNUTLS_TLS1_2)
+ if (_gnutls_version_has_selectable_sighash(ver))
{
/* read supported hashes */
int hash_num;
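Review bot: The new call is written as `_gnutls_version_has_selectable_sighash(ver)`, without the space before the argument list that the rest of the code visible in this commit uses (`_gnutls_hmac (&td, &type, 1)`, and the definitions added in lib/gnutls_algorithms.c). Writing it as `if (_gnutls_version_has_selectable_sighash (ver))` keeps the file consistent. The same applies to every call site this commit touches in gnutls_cipher.c, gnutls_handshake.c, gnutls_sig.c and gnutls_state.c. The enclosing function starts and ends outside this hunk.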
@@ -1526,7 +1526,7 @@ _gnutls_gen_cert_server_cert_req (gnutls_session_t session, opaque ** data)
session->internals.ignore_rdn_sequence == 0)
size += cred->x509_rdn_sequence.size;
- if (ver == GNUTLS_TLS1_2)
+ if (_gnutls_version_has_selectable_sighash(ver))
/* Need at least one byte to announce the number of supported hash
functions (see below). */
size += 1;
@@ -1546,7 +1546,7 @@ _gnutls_gen_cert_server_cert_req (gnutls_session_t session, opaque ** data)
pdata[2] = DSA_SIGN; /* only these for now */
pdata += CERTTYPE_SIZE;
- if (ver == GNUTLS_TLS1_2)
+ if (_gnutls_version_has_selectable_sighash(ver))
{
/* Supported hashes (nothing for now -- FIXME). */
*pdata = 0;
diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c
index 6be0849310..08054c4617 100644
--- a/lib/gnutls_algorithms.c
+++ b/lib/gnutls_algorithms.c
@@ -1178,6 +1178,67 @@ _gnutls_version_is_supported (gnutls_session_t session,
return 1;
}
+
+/* This function determines if the version specified has a
+ cipher-suite selected PRF hash function instead of the old
+ hardcoded MD5+SHA1. */
+int
+_gnutls_version_has_selectable_prf (gnutls_protocol_t version)
+{
+ return version == GNUTLS_TLS1_2;
+}
+
+/* This function determines if the version specified has selectable
+ signature/hash functions for certificate authentification. */
+int
+_gnutls_version_has_selectable_sighash (gnutls_protocol_t version)
+{
+ return version == GNUTLS_TLS1_2;
+}
+
+/* This function determines if the version specified has support for
+ TLS extensions. */
+int
+_gnutls_version_has_extensions (gnutls_protocol_t version)
+{
+ switch(version) {
+ case GNUTLS_TLS1_0:
+ case GNUTLS_TLS1_1:
+ case GNUTLS_TLS1_2:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
+/* This function determines if the version specified has explicit IVs
+ (for CBC attack prevention). */
+int
+_gnutls_version_has_explicit_iv (gnutls_protocol_t version)
+{
+ switch(version) {
+ case GNUTLS_TLS1_1:
+ case GNUTLS_TLS1_2:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
+/* This function determines if the version specified can have
+ non-minimal padding. */
+int _gnutls_version_has_variable_padding (gnutls_protocol_t version)
+{
+ switch(version) {
+ case GNUTLS_TLS1_0:
+ case GNUTLS_TLS1_1:
+ case GNUTLS_TLS1_2:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
/* Type to KX mappings */
gnutls_kx_algorithm_t
_gnutls_map_kx_get_kx (gnutls_credentials_type_t type, int server)
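Review bot: Every predicate added here reports a version it does not list as lacking the feature (`default: return 0;`, or `version == GNUTLS_TLS1_2`), and for `_gnutls_version_has_explicit_iv` and `_gnutls_version_has_selectable_prf` that is the weaker direction. A protocol value added later but forgotten here would fall back to implicit CBC IVs and the MD5+SHA1 construction, whereas the `>=` / `<` comparisons being replaced in the callers would have kept the newer behaviour, assuming the new value sorts above GNUTLS_TLS1_2. I would state the contract once above the group, e.g. `/* Each returns 1 if VERSION has the feature, else 0. Versions not listed get 0, so every new gnutls_protocol_t value must be added to each predicate. */`. Listing every enumerator explicitly and dropping the `default:` labels would also let -Wswitch report an unhandled value at build time. Two smaller points in the same hunk: `_gnutls_version_has_variable_padding` keeps its return type on the signature line, unlike its siblings, and "authentification" in the sighash comment should read "authentication".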
diff --git a/lib/gnutls_algorithms.h b/lib/gnutls_algorithms.h
index 2c55f24d51..0e2f2b7fcd 100644
--- a/lib/gnutls_algorithms.h
+++ b/lib/gnutls_algorithms.h
@@ -38,6 +38,13 @@ int _gnutls_version_get_major (gnutls_protocol_t ver);
int _gnutls_version_get_minor (gnutls_protocol_t ver);
gnutls_protocol_t _gnutls_version_get (int major, int minor);
+/* Functions for feature checks */
+int _gnutls_version_has_selectable_prf (gnutls_protocol_t version);
+int _gnutls_version_has_selectable_sighash (gnutls_protocol_t version);
+int _gnutls_version_has_extensions (gnutls_protocol_t version);
+int _gnutls_version_has_explicit_iv (gnutls_protocol_t version);
+int _gnutls_version_has_variable_padding (gnutls_protocol_t version);
+
/* Functions for MACs. */
int _gnutls_mac_is_ok (gnutls_mac_algorithm_t algorithm);
gnutls_mac_algorithm_t _gnutls_x509_oid2mac_algorithm (const char *oid);
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index 8defc2bff6..565a0002f0 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -275,7 +275,7 @@ calc_enc_length (gnutls_session_t session, int data_size,
*pad = (uint8_t) (blocksize - (length % blocksize)) + rnd;
length += *pad;
- if (session->security_parameters.version >= GNUTLS_TLS1_1)
+ if (_gnutls_version_has_explicit_iv(session->security_parameters.version))
length += blocksize; /* for the IV */
break;
@@ -344,7 +344,7 @@ _gnutls_compressed2ciphertext (gnutls_session_t session,
write_sequence_number), 8);
_gnutls_hmac (&td, &type, 1);
- if (ver >= GNUTLS_TLS1)
+ if (_gnutls_version_has_variable_padding(ver))
{ /* TLS 1.0 or higher */
_gnutls_hmac (&td, &major, 1);
_gnutls_hmac (&td, &minor, 1);
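Review bot: `_gnutls_version_has_variable_padding(ver)` decides here whether the protocol version bytes are fed into the record MAC, which is a different property from padding; the hunk at -554 in `_gnutls_ciphertext2compressed` has the same mismatch. The predicate's list presumably covers the same versions as the old `ver >= GNUTLS_TLS1` test, so behaviour is unchanged today, but the name will mislead whoever next edits the padding predicate. Either give the MAC property its own predicate or add a comment at both sites, for example `/* TLS 1.0 and later include the version bytes in the MAC; this currently holds for the same versions as variable padding */`. The enclosing function extends beyond this hunk.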
@@ -376,7 +376,7 @@ _gnutls_compressed2ciphertext (gnutls_session_t session,
data_ptr = cipher_data;
if (block_algo == CIPHER_BLOCK &&
- session->security_parameters.version >= GNUTLS_TLS1_1)
+ _gnutls_version_has_explicit_iv(session->security_parameters.version))
{
/* copy the random IV.
*/
@@ -497,7 +497,7 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
/* ignore the IV in TLS 1.1.
*/
- if (session->security_parameters.version >= GNUTLS_TLS1_1)
+ if (_gnutls_version_has_explicit_iv(session->security_parameters.version))
{
ciphertext.size -= blocksize;
ciphertext.data += blocksize;
@@ -527,7 +527,7 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
/* Check the pading bytes (TLS 1.x)
*/
- if (ver >= GNUTLS_TLS1 && pad_failed == 0)
+ if (_gnutls_version_has_variable_padding(ver) && pad_failed == 0)
for (i = 2; i < pad; i++)
{
if (ciphertext.data[ciphertext.size - i] !=
@@ -554,7 +554,7 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
read_sequence_number), 8);
_gnutls_hmac (&td, &type, 1);
- if (ver >= GNUTLS_TLS1)
+ if (_gnutls_version_has_variable_padding(ver))
{ /* TLS 1.x */
_gnutls_hmac (&td, &major, 1);
_gnutls_hmac (&td, &minor, 1);
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 1b8512830c..840084e0bb 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -206,7 +206,7 @@ _gnutls_finished (gnutls_session_t session, int type, void *ret)
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
int rc;
- if (ver < GNUTLS_TLS1_2)
+ if (!_gnutls_version_has_selectable_prf(ver))
{
rc =
_gnutls_hash_copy (&td_md5,
@@ -227,7 +227,7 @@ _gnutls_finished (gnutls_session_t session, int type, void *ret)
return rc;
}
- if (ver < GNUTLS_TLS1_2)
+ if (!_gnutls_version_has_selectable_prf(ver))
{
_gnutls_hash_deinit (&td_md5, concat);
_gnutls_hash_deinit (&td_sha, &concat[16]);
@@ -440,7 +440,7 @@ _gnutls_read_client_hello (gnutls_session_t session, opaque * data,
/* Parse the extensions (if any)
*/
- if (neg_version >= GNUTLS_TLS1)
+ if (_gnutls_version_has_extensions(neg_version))
{
ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION,
&data[pos], len);
@@ -459,7 +459,7 @@ _gnutls_read_client_hello (gnutls_session_t session, opaque * data,
return ret;
}
- if (neg_version >= GNUTLS_TLS1)
+ if (_gnutls_version_has_extensions(neg_version))
{
ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS,
&data[pos], len);
@@ -1584,7 +1584,7 @@ _gnutls_read_server_hello (gnutls_session_t session,
/* Parse extensions.
*/
- if (version >= GNUTLS_TLS1)
+ if (_gnutls_version_has_extensions(version))
{
ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY,
&data[pos], len);
@@ -1884,7 +1884,7 @@ _gnutls_send_client_hello (gnutls_session_t session, int again)
/* Generate and copy TLS extensions.
*/
- if (hver >= GNUTLS_TLS1)
+ if (_gnutls_version_has_extensions(hver))
{
extdatalen =
_gnutls_gen_extensions (session, extdata, sizeof (extdata));
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 81f5aa355b..3da00609f1 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -153,7 +153,7 @@ _gnutls_tls_sign_params (gnutls_session_t session, gnutls_cert * cert,
switch (cert->subject_pk_algorithm)
{
case GNUTLS_PK_RSA:
- if (ver < GNUTLS_TLS1_2)
+ if (!_gnutls_version_has_selectable_prf(ver))
{
digest_hd_st td_md5;
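Review bot: This branch appears to choose the digest used for the RSA signature over the key-exchange parameters, so the predicate that matches it is the signature/hash one rather than the PRF one: `if (!_gnutls_version_has_selectable_sighash (ver))`. Both helpers return the same value in this commit, so nothing changes at run time, but the signing path would silently follow the PRF if the two are ever changed independently. The three hunks in `_gnutls_verify_sig_params` (-444, -464, -475) use the PRF predicate for the same purpose. `_gnutls_tls_sign_params` continues outside this hunk, so the body of the branch is not visible here.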
@@ -444,7 +444,7 @@ _gnutls_verify_sig_params (gnutls_session_t session, gnutls_cert * cert,
opaque concat[36];
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
- if (ver < GNUTLS_TLS1_2)
+ if (!_gnutls_version_has_selectable_prf(ver))
{
ret = _gnutls_hash_init (&td_md5, GNUTLS_MAC_MD5);
if (ret < 0)
@@ -464,7 +464,7 @@ _gnutls_verify_sig_params (gnutls_session_t session, gnutls_cert * cert,
if (ret < 0)
{
gnutls_assert ();
- if (ver < GNUTLS_TLS1_2)
+ if (!_gnutls_version_has_selectable_prf(ver))
_gnutls_hash_deinit (&td_md5, NULL);
return ret;
}
@@ -475,7 +475,7 @@ _gnutls_verify_sig_params (gnutls_session_t session, gnutls_cert * cert,
GNUTLS_RANDOM_SIZE);
_gnutls_hash (&td_sha, params->data, params->size);
- if (ver < GNUTLS_TLS1_2)
+ if (!_gnutls_version_has_selectable_prf(ver))
{
_gnutls_hash_deinit (&td_md5, concat);
_gnutls_hash_deinit (&td_sha, &concat[16]);
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index 5b5f7a775b..e1bfc66fec 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -903,7 +903,7 @@ _gnutls_PRF (gnutls_session_t session,
memcpy (s_seed, label, label_size);
memcpy (&s_seed[label_size], seed, seed_size);
- if (ver >= GNUTLS_TLS1_2)
+ if (_gnutls_version_has_selectable_prf(ver))
{
result =
_gnutls_P_hash (GNUTLS_MAC_SHA1, secret, secret_size,