authorDmitry Eremin-Solenikov <dbaryshkov@gmail.com>2016-12-14 17:51:56 +0300
committerDmitry Eremin-Solenikov <dbaryshkov@gmail.com>2016-12-14 19:48:39 +0300
commita59c0ce7fb1ee34bf05e0936fd46d306d86b71f1 (patch)
tree5c8ceba8863d93670a78958e402a088b583b6245
parent90e82f8c37a5cc8ff1647bb088642ab50a89f936 (diff)
downloadgnutls-a59c0ce7fb1ee34bf05e0936fd46d306d86b71f1.tar.gz
Rework setting next cipher suite
Only update cipher_suite if all internal checks succeed and the next epoch will use this cipher suite. Also, while we are at it, actually check the _gnutls_set_cipher_suite() return value. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
-rw-r--r--lib/constate.c7
-rw-r--r--lib/constate.h4
-rw-r--r--lib/handshake.c55
3 files changed, 26 insertions, 40 deletions
diff --git a/lib/constate.c b/lib/constate.c
index 07140c8748..41071eaa69 100644
--- a/lib/constate.c
+++ b/lib/constate.c
@@ -231,8 +231,8 @@ _gnutls_init_record_state(record_parameters_st * params,
}
int
-_gnutls_epoch_set_cipher_suite(gnutls_session_t session,
- int epoch_rel, const uint8_t suite[2])
+_gnutls_set_cipher_suite(gnutls_session_t session,
+ const uint8_t suite[2])
{
const cipher_entry_st *cipher_algo;
const mac_entry_st *mac_algo;
@@ -240,7 +240,7 @@ _gnutls_epoch_set_cipher_suite(gnutls_session_t session,
const gnutls_cipher_suite_entry_st *cs;
int ret;
- ret = _gnutls_epoch_get(session, epoch_rel, &params);
+ ret = _gnutls_epoch_get(session, EPOCH_NEXT, &params);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -274,6 +274,7 @@ _gnutls_epoch_set_cipher_suite(gnutls_session_t session,
session->security_parameters.prf_mac = GNUTLS_MAC_MD5_SHA1;
}
+ memcpy(session->security_parameters.cipher_suite, suite, 2);
params->cipher = cipher_algo;
params->mac = mac_algo;
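Review bot: The added `memcpy` gives `_gnutls_set_cipher_suite()` a second effect that is not documented anywhere in the hunk: besides filling the next-epoch parameters it now writes `session->security_parameters.cipher_suite`. A comment above the definition would make the contract explicit, e.g. `/* Sets the cipher suite for EPOCH_NEXT and, only after all checks pass, records it in security_parameters.cipher_suite. */`. If any caller outside this diff still passes `session->security_parameters.cipher_suite` as `suite`, source and destination would be the same object, which `memcpy` does not allow; the callers visible in this commit pass other buffers. The function body starts and ends outside this hunk.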
diff --git a/lib/constate.h b/lib/constate.h
index bfec4534bb..9f0128b7e1 100644
--- a/lib/constate.h
+++ b/lib/constate.h
@@ -23,8 +23,8 @@
#ifndef GNUTLS_CONSTATE_H
#define GNUTLS_CONSTATE_H
-int _gnutls_epoch_set_cipher_suite(gnutls_session_t session, int epoch_rel,
- const uint8_t suite[2]);
+int _gnutls_set_cipher_suite(gnutls_session_t session,
+ const uint8_t suite[2]);
int _gnutls_epoch_set_compression(gnutls_session_t session, int epoch_rel,
gnutls_compression_method_t comp_algo);
int _gnutls_epoch_get_compression(gnutls_session_t session, int epoch_rel);
diff --git a/lib/handshake.c b/lib/handshake.c
index 4b73842403..eefd816af4 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -135,17 +135,14 @@ static int resume_copy_required_values(gnutls_session_t session)
* That is because the client must see these in our
* hello message.
*/
- memcpy(session->security_parameters.cipher_suite,
- session->internals.resumed_security_parameters.cipher_suite,
- 2);
session->security_parameters.compression_method =
session->internals.resumed_security_parameters.
compression_method;
- ret = _gnutls_epoch_set_cipher_suite(session, EPOCH_NEXT,
- session->internals.
- resumed_security_parameters.
- cipher_suite);
+ ret = _gnutls_set_cipher_suite(session,
+ session->internals.
+ resumed_security_parameters.
+ cipher_suite);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -987,17 +984,9 @@ _gnutls_server_select_suite(gnutls_session_t session, uint8_t * data,
session,
_gnutls_cipher_suite_get_name
(&data[j]));
- memcpy(session->
- security_parameters.
- cipher_suite,
- &cipher_suites[i], 2);
- _gnutls_epoch_set_cipher_suite
- (session, EPOCH_NEXT,
- session->security_parameters.
- cipher_suite);
-
+ retval = _gnutls_set_cipher_suite
+ (session, &data[j]);
- retval = 0;
goto finish;
}
}
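Review bot: The stored suite now comes from `&data[j]`, a pointer into the buffer passed in as `uint8_t * data`, instead of from the local `&cipher_suites[i]`. The two are interchangeable only if the comparison guarding this branch is an exact two-byte match; that comparison is outside the hunk, so it is worth confirming. A failing `_gnutls_set_cipher_suite()` also ends selection via `goto finish` instead of trying the next mutually supported suite, after the log call above has already named the suite. If both are intended, a comment would record it, e.g. `/* data[j] == cipher_suites[i] here; a setter failure aborts selection */`. The same applies to the identical hunk at `-1013,17 +1002,9`.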
@@ -1013,17 +1002,9 @@ _gnutls_server_select_suite(gnutls_session_t session, uint8_t * data,
session,
_gnutls_cipher_suite_get_name
(&data[j]));
- memcpy(session->
- security_parameters.
- cipher_suite,
- &cipher_suites[i], 2);
- _gnutls_epoch_set_cipher_suite
- (session, EPOCH_NEXT,
- session->security_parameters.
- cipher_suite);
-
+ retval = _gnutls_set_cipher_suite
+ (session, &data[j]);
- retval = 0;
goto finish;
}
}
@@ -1546,6 +1527,7 @@ set_client_ciphersuite(gnutls_session_t session, uint8_t suite[2])
uint8_t cipher_suites[MAX_CIPHERSUITE_SIZE];
int cipher_suite_size;
int i;
+ int ret;
z = 1;
cipher_suite_size =
@@ -1572,10 +1554,9 @@ set_client_ciphersuite(gnutls_session_t session, uint8_t suite[2])
return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
}
- memcpy(session->security_parameters.cipher_suite, suite, 2);
- _gnutls_epoch_set_cipher_suite(session, EPOCH_NEXT,
- session->security_parameters.
- cipher_suite);
+ ret = _gnutls_set_cipher_suite(session, suite);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
_gnutls_handshake_log("HSK[%p]: Selected cipher suite: %s\n",
session,
@@ -1668,6 +1649,7 @@ client_check_if_resuming(gnutls_session_t session,
uint8_t * session_id, int session_id_len)
{
char buf[2 * GNUTLS_MAX_SESSION_ID_SIZE + 1];
+ int ret;
_gnutls_handshake_log("HSK[%p]: SessionID length: %d\n", session,
session_id_len);
@@ -1693,15 +1675,17 @@ client_check_if_resuming(gnutls_session_t session,
session->security_parameters.client_random,
GNUTLS_RANDOM_SIZE);
- memcpy(session->security_parameters.cipher_suite,
- session->internals.resumed_security_parameters.cipher_suite, 2);
session->security_parameters.compression_method =
session->internals.resumed_security_parameters.compression_method;
- _gnutls_epoch_set_cipher_suite
- (session, EPOCH_NEXT,
+ ret = _gnutls_set_cipher_suite
+ (session,
session->internals.resumed_security_parameters.
cipher_suite);
+ if (ret < 0) {
+ gnutls_assert();
+ goto no_resume;
+ }
_gnutls_epoch_set_compression(session, EPOCH_NEXT,
session->internals.
resumed_security_parameters.
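Review bot: The call to `_gnutls_epoch_set_compression(session, EPOCH_NEXT, ...)` directly below the new check still has its return value ignored, so only half of the resumed parameters are verified before resumption is accepted. Handling it the same way would close the gap: `ret = _gnutls_epoch_set_compression(...); if (ret < 0) { gnutls_assert(); goto no_resume; }`. In addition, `session->security_parameters.compression_method` is assigned from the resumed parameters before the cipher-suite check, so the `no_resume` path starts with that value already overwritten; moving the assignment below the check would avoid the partial update. The error code in `ret` is dropped on that path, and the `no_resume:` label sits inside the `else` block in the next hunk, so a short comment at the label explaining the fallback to a new session would help readers. The function continues outside this hunk.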
@@ -1711,6 +1695,7 @@ client_check_if_resuming(gnutls_session_t session,
return 0;
} else {
+no_resume:
/* keep the new session id */
session->internals.resumed = RESUME_FALSE; /* we are not resuming */
session->security_parameters.session_id_size =