authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-06-23 11:55:23 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2017-07-07 07:37:00 +0000
commit916ddb51dfafe3a3cdb9a4aab967fa4ddba814fb (patch)
tree98b4c0bc5ae3c6df867e864c10ec32fdd265ed76
parentec3ba8a1125160838c831c25b3007dac8bfba50b (diff)
downloadgnutls-916ddb51dfafe3a3cdb9a4aab967fa4ddba814fb.tar.gz
Eliminated access to obsolete priority cache fields
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/algorithms.h7
-rw-r--r--lib/algorithms/ciphers.c16
-rw-r--r--lib/algorithms/ciphersuites.c47
-rw-r--r--lib/algorithms/kx.c13
-rw-r--r--lib/algorithms/mac.c13
-rw-r--r--lib/constate.c15
-rw-r--r--lib/ext/srp.c148
-rw-r--r--lib/gnutls_int.h10
-rw-r--r--lib/priority.c52
9 files changed, 126 insertions, 195 deletions
diff --git a/lib/algorithms.h b/lib/algorithms.h
index e6e7146745..4a4f504ced 100644
--- a/lib/algorithms.h
+++ b/lib/algorithms.h
@@ -316,13 +316,6 @@ gnutls_sign_algorithm_t _gnutls_tls_aid_to_sign(const sign_algorithm_st *
const sign_algorithm_st *_gnutls_sign_to_tls_aid(gnutls_sign_algorithm_t
sign);
-int _gnutls_mac_priority(gnutls_session_t session,
- gnutls_mac_algorithm_t algorithm);
-int _gnutls_cipher_priority(gnutls_session_t session,
- gnutls_cipher_algorithm_t a);
-int _gnutls_kx_priority(gnutls_session_t session,
- gnutls_kx_algorithm_t algorithm);
-
unsigned int _gnutls_pk_bits_to_subgroup_bits(unsigned int pk_bits);
/* ECC */
diff --git a/lib/algorithms/ciphers.c b/lib/algorithms/ciphers.c
index 6143467bcd..04d675acda 100644
--- a/lib/algorithms/ciphers.c
+++ b/lib/algorithms/ciphers.c
@@ -294,22 +294,6 @@ unsigned gnutls_cipher_get_iv_size(gnutls_cipher_algorithm_t algorithm)
return ret;
}
-
- /* returns the priority */
-int
-_gnutls_cipher_priority(gnutls_session_t session,
- gnutls_cipher_algorithm_t algorithm)
-{
- unsigned int i;
- for (i = 0; i < session->internals.priorities.cipher.algorithms;
- i++) {
- if (session->internals.priorities.cipher.priority[i] ==
- algorithm)
- return i;
- }
- return -1;
-}
-
/**
* gnutls_cipher_get_key_size:
* @algorithm: is an encryption algorithm
diff --git a/lib/algorithms/ciphersuites.c b/lib/algorithms/ciphersuites.c
index 0bbd87dd19..9ea7371dd8 100644
--- a/lib/algorithms/ciphersuites.c
+++ b/lib/algorithms/ciphersuites.c
@@ -1567,25 +1567,13 @@ gnutls_priority_get_cipher_suite_index(gnutls_priority_t pcache,
unsigned int idx,
unsigned int *sidx)
{
- int mac_idx, cipher_idx, kx_idx;
unsigned int i, j;
- unsigned int total =
- pcache->mac.algorithms * pcache->cipher.algorithms *
- pcache->kx.algorithms;
unsigned max_tls = 0;
unsigned max_dtls = 0;
- if (idx >= total)
+ if (idx >= pcache->cs.size)
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
- mac_idx = idx % pcache->mac.algorithms;
-
- idx /= pcache->mac.algorithms;
- cipher_idx = idx % pcache->cipher.algorithms;
-
- idx /= pcache->cipher.algorithms;
- kx_idx = idx % pcache->kx.algorithms;
-
/* find max_tls and max_dtls */
for (j=0;j<pcache->protocol.algorithms;j++) {
if (pcache->protocol.priority[j] <= GNUTLS_TLS_VERSION_MAX &&
@@ -1598,25 +1586,20 @@ gnutls_priority_get_cipher_suite_index(gnutls_priority_t pcache,
}
for (i = 0; i < CIPHER_SUITES_COUNT; i++) {
- if (cs_algorithms[i].kx_algorithm ==
- pcache->kx.priority[kx_idx]
- && cs_algorithms[i].block_algorithm ==
- pcache->cipher.priority[cipher_idx]
- && cs_algorithms[i].mac_algorithm ==
- pcache->mac.priority[mac_idx]) {
- *sidx = i;
-
- if (_gnutls_cipher_exists(cs_algorithms[i].block_algorithm) &&
- _gnutls_mac_exists(cs_algorithms[i].mac_algorithm)) {
-
- if (max_tls >= cs_algorithms[i].min_version) {
- return 0;
- } else if (max_dtls >= cs_algorithms[i].min_dtls_version) {
- return 0;
- }
- } else
- break;
- }
+ if (pcache->cs.entry[idx] != &cs_algorithms[i])
+ continue;
+
+ *sidx = i;
+ if (_gnutls_cipher_exists(cs_algorithms[i].block_algorithm) &&
+ _gnutls_mac_exists(cs_algorithms[i].mac_algorithm)) {
+ if (max_tls >= cs_algorithms[i].min_version) {
+ return 0;
+ } else if (max_dtls >= cs_algorithms[i].min_dtls_version) {
+ return 0;
+ }
+ } else
+ break;
}
+
return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
}
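Review bot: The rewritten loop over `cs_algorithms` only serves to find the table index of `pcache->cs.entry[idx]`, yet when the matching entry fails both version tests it keeps scanning entries that can no longer match, and `*sidx` has already been written although the function then returns GNUTLS_E_UNKNOWN_CIPHER_SUITE. A `break;` after the version tests would make the single-match intent explicit, and a comment such as `/* *sidx may be written even when an error is returned */` would warn callers not to use it on failure. The function starts in the previous hunk and its doc comment is outside the diff; it presumably still describes the old index space (the product of the kx, cipher and mac lists) and should be checked against the new `cs.size` bound.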
diff --git a/lib/algorithms/kx.c b/lib/algorithms/kx.c
index f03ae84bc7..276f56f118 100644
--- a/lib/algorithms/kx.c
+++ b/lib/algorithms/kx.c
@@ -146,19 +146,6 @@ mod_auth_st *_gnutls_kx_auth_struct(gnutls_kx_algorithm_t algorithm)
}
-int
-_gnutls_kx_priority(gnutls_session_t session,
- gnutls_kx_algorithm_t algorithm)
-{
- unsigned int i;
- for (i = 0; i < session->internals.priorities.kx.algorithms; i++) {
- if (session->internals.priorities.kx.priority[i] ==
- algorithm)
- return i;
- }
- return -1;
-}
-
/**
* gnutls_kx_get_name:
* @algorithm: is a key exchange algorithm
diff --git a/lib/algorithms/mac.c b/lib/algorithms/mac.c
index f9b3537403..ce2d18c154 100644
--- a/lib/algorithms/mac.c
+++ b/lib/algorithms/mac.c
@@ -82,19 +82,6 @@ const mac_entry_st *_gnutls_mac_to_entry(gnutls_mac_algorithm_t c)
return NULL;
}
-int
-_gnutls_mac_priority(gnutls_session_t session,
- gnutls_mac_algorithm_t algorithm)
-{ /* actually returns the priority */
- unsigned int i;
- for (i = 0; i < session->internals.priorities.mac.algorithms; i++) {
- if (session->internals.priorities.mac.priority[i] ==
- algorithm)
- return i;
- }
- return -1;
-}
-
/**
* gnutls_mac_get_name:
* @algorithm: is a MAC algorithm
diff --git a/lib/constate.c b/lib/constate.c
index 6f6df0ddb3..a2d4cdc799 100644
--- a/lib/constate.c
+++ b/lib/constate.c
@@ -247,12 +247,6 @@ _gnutls_set_cipher_suite2(gnutls_session_t session,
|| _gnutls_mac_is_ok(mac_algo) == 0)
return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
- if (_gnutls_cipher_priority(session, cipher_algo->id) < 0)
- return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
-
- if (_gnutls_mac_priority(session, mac_algo->id) < 0)
- return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
-
if (_gnutls_version_has_selectable_prf(get_version(session))) {
if (cs->prf == GNUTLS_MAC_UNKNOWN ||
_gnutls_mac_is_ok(mac_to_entry(cs->prf)) == 0)
@@ -326,12 +320,6 @@ int _gnutls_epoch_set_keys(gnutls_session_t session, uint16_t epoch)
|| _gnutls_mac_is_ok(params->mac) == 0)
return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
- if (_gnutls_cipher_priority(session, params->cipher->id) < 0)
- return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
-
- if (_gnutls_mac_priority(session, params->mac->id) < 0)
- return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
-
if (!_gnutls_version_has_explicit_iv(ver) &&
_gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) {
IV_size = _gnutls_cipher_get_iv_size(params->cipher);
@@ -497,9 +485,6 @@ _gnutls_set_kx(gnutls_session_t session, gnutls_kx_algorithm_t algo)
} else
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
- if (_gnutls_kx_priority(session, algo) < 0)
- return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
-
return 0;
}
diff --git a/lib/ext/srp.c b/lib/ext/srp.c
index 29ba9c96ac..46072e2a2d 100644
--- a/lib/ext/srp.c
+++ b/lib/ext/srp.c
@@ -99,6 +99,20 @@ _gnutls_srp_recv_params(gnutls_session_t session, const uint8_t * data,
return 0;
}
+static unsigned have_srp_ciphersuites(gnutls_session_t session)
+{
+ unsigned j;
+ unsigned kx;
+
+ for (j = 0; j < session->internals.priorities.cs.size; j++) {
+ kx = session->internals.priorities.cs.entry[j]->kx_algorithm;
+ if (kx == GNUTLS_KX_SRP || kx == GNUTLS_KX_SRP_RSA || kx == GNUTLS_KX_SRP_DSS)
+ return 1;
+ }
+
+ return 0;
+}
+
/* returns data_size or a negative number on failure
* data is allocated locally
*/
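Review bot: `have_srp_ciphersuites` is undocumented and dereferences every `cs.entry[j]` without a NULL test. That is safe only because the list builder stores non-NULL entries (the `ce != NULL` test in `set_ciphersuite_list` in lib/priority.c), and that invariant deserves to be stated where it is relied on. Suggested comment above the function: `/* Returns 1 if the session's enabled ciphersuite list contains an SRP key exchange (SRP, SRP-RSA or SRP-DSS), 0 otherwise; cs.entry[] never holds NULL. */`.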
@@ -111,91 +125,87 @@ _gnutls_srp_send_params(gnutls_session_t session,
gnutls_ext_priv_data_t epriv;
srp_ext_st *priv = NULL;
char *username = NULL, *password = NULL;
-
- if (_gnutls_kx_priority(session, GNUTLS_KX_SRP) < 0 &&
- _gnutls_kx_priority(session, GNUTLS_KX_SRP_DSS) < 0 &&
- _gnutls_kx_priority(session, GNUTLS_KX_SRP_RSA) < 0) {
- /* algorithm was not allowed in this session
- */
- return 0;
- }
-
- /* this function sends the client extension data (username) */
- if (session->security_parameters.entity == GNUTLS_CLIENT) {
- gnutls_srp_client_credentials_t cred =
+ gnutls_srp_client_credentials_t cred =
(gnutls_srp_client_credentials_t)
_gnutls_get_cred(session, GNUTLS_CRD_SRP);
- if (cred == NULL)
- return 0;
+ if (session->security_parameters.entity != GNUTLS_CLIENT)
+ return 0;
- priv = gnutls_calloc(1, sizeof(*priv));
- if (priv == NULL)
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ if (cred == NULL)
+ return 0;
- if (cred->username != NULL) { /* send username */
- len = MIN(strlen(cred->username), 255);
+ if (!have_srp_ciphersuites(session)) {
+ return 0;
+ }
- ret =
- _gnutls_buffer_append_data_prefix(extdata, 8,
- cred->
- username,
- len);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
+ /* this function sends the client extension data (username) */
+ priv = gnutls_calloc(1, sizeof(*priv));
+ if (priv == NULL)
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+
+ if (cred->username != NULL) { /* send username */
+ len = MIN(strlen(cred->username), 255);
+
+ ret =
+ _gnutls_buffer_append_data_prefix(extdata, 8,
+ cred->
+ username,
+ len);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
- priv->username = strdup(cred->username);
- if (priv->username == NULL) {
- gnutls_assert();
- goto cleanup;
- }
+ priv->username = strdup(cred->username);
+ if (priv->username == NULL) {
+ gnutls_assert();
+ goto cleanup;
+ }
- priv->password = strdup(cred->password);
- if (priv->password == NULL) {
- gnutls_assert();
- goto cleanup;
- }
+ priv->password = strdup(cred->password);
+ if (priv->password == NULL) {
+ gnutls_assert();
+ goto cleanup;
+ }
- epriv = priv;
- _gnutls_ext_set_session_data(session,
- GNUTLS_EXTENSION_SRP,
- epriv);
+ epriv = priv;
+ _gnutls_ext_set_session_data(session,
+ GNUTLS_EXTENSION_SRP,
+ epriv);
- return len + 1;
- } else if (cred->get_function != NULL) {
- /* Try the callback
- */
+ return len + 1;
+ } else if (cred->get_function != NULL) {
+ /* Try the callback
+ */
- if (cred->
- get_function(session, &username, &password) < 0
- || username == NULL || password == NULL) {
- gnutls_assert();
- return GNUTLS_E_ILLEGAL_SRP_USERNAME;
- }
+ if (cred->
+ get_function(session, &username, &password) < 0
+ || username == NULL || password == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_ILLEGAL_SRP_USERNAME;
+ }
- len = MIN(strlen(username), 255);
+ len = MIN(strlen(username), 255);
- priv->username = username;
- priv->password = password;
+ priv->username = username;
+ priv->password = password;
- ret =
- _gnutls_buffer_append_data_prefix(extdata, 8,
- username,
- len);
- if (ret < 0) {
- ret = gnutls_assert_val(ret);
- goto cleanup;
- }
+ ret =
+ _gnutls_buffer_append_data_prefix(extdata, 8,
+ username,
+ len);
+ if (ret < 0) {
+ ret = gnutls_assert_val(ret);
+ goto cleanup;
+ }
- epriv = priv;
- _gnutls_ext_set_session_data(session,
- GNUTLS_EXTENSION_SRP,
- epriv);
+ epriv = priv;
+ _gnutls_ext_set_session_data(session,
+ GNUTLS_EXTENSION_SRP,
+ epriv);
- return len + 1;
- }
+ return len + 1;
}
return 0;
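Review bot: `priv` is allocated before the credential branches, but the `return GNUTLS_E_ILLEGAL_SRP_USERNAME;` in the `get_function` branch and the final `return 0;` (reached when neither a username nor a callback is set) both leave without releasing it. The first also drops any `username`/`password` the callback did hand back. Both exits should go through the `cleanup` label instead, e.g. `ret = GNUTLS_E_ILLEGAL_SRP_USERNAME; goto cleanup;`, assuming that label, which is outside the hunk, frees `priv` and the strings. The two `strdup` failure paths also reach `cleanup` with `ret` still holding the non-negative result of `_gnutls_buffer_append_data_prefix`, so if `cleanup` returns `ret` an allocation failure is reported as success; set `ret = GNUTLS_E_MEMORY_ERROR;` before each `goto`. Since `priv` carries the SRP password, it is worth confirming that the cleanup path wipes it before freeing.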
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 878696491a..7af4d1e2e6 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -652,14 +652,18 @@ typedef struct ciphersuite_list_st {
/* For the external api */
struct gnutls_priority_st {
- priority_st cipher;
- priority_st mac;
- priority_st kx;
priority_st protocol;
priority_st cert_type;
priority_st sign_algo;
priority_st supported_ecc;
+ /* The following are not necessary to be stored in
+ * the structure; however they are required by the
+ * external APIs: gnutls_priority_*_list() */
+ priority_st _cipher;
+ priority_st _mac;
+ priority_st _kx;
+
/* the supported ciphersuites */
ciphersuite_list_st cs;
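Review bot: The new comment says `_cipher`, `_mac` and `_kx` are kept only for the external `gnutls_priority_*_list()` APIs, but `set_ciphersuite_list()` in lib/priority.c still reads all three to build `cs`, so they remain inputs while the priority string is parsed. A more accurate wording would be `/* Inputs from which cs below is built during priority parsing; afterwards they are read only by the external gnutls_priority_*_list() APIs and must not be consulted for negotiation. */`. The struct definition continues outside the hunk.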
diff --git a/lib/priority.c b/lib/priority.c
index 76c9b80b45..bc6f4eb842 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -563,9 +563,7 @@ gnutls_priority_set(gnutls_session_t session, gnutls_priority_t priority)
}
if (session->internals.priorities.protocol.algorithms == 0 ||
- session->internals.priorities.cipher.algorithms == 0 ||
- session->internals.priorities.mac.algorithms == 0 ||
- session->internals.priorities.kx.algorithms == 0)
+ session->internals.priorities.cs.size == 0)
return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
ADD_PROFILE_VFLAGS(session, priority->additional_verify_flags);
@@ -719,9 +717,9 @@ int check_level(const char *level, gnutls_priority_t priority_cache,
(pgroups[i].alias != NULL && strcasecmp(level, pgroups[i].alias) == 0)) {
if (pgroups[i].proto_list != NULL)
func(&priority_cache->protocol, *pgroups[i].proto_list);
- func(&priority_cache->cipher, *pgroups[i].cipher_list);
- func(&priority_cache->kx, *pgroups[i].kx_list);
- func(&priority_cache->mac, *pgroups[i].mac_list);
+ func(&priority_cache->_cipher, *pgroups[i].cipher_list);
+ func(&priority_cache->_kx, *pgroups[i].kx_list);
+ func(&priority_cache->_mac, *pgroups[i].mac_list);
func(&priority_cache->sign_algo, *pgroups[i].sign_list);
func(&priority_cache->supported_ecc, *pgroups[i].ecc_list);
@@ -1115,13 +1113,13 @@ static void set_ciphersuite_list(gnutls_priority_t priority_cache)
priority_cache->cs.size = 0;
- for (i = 0; i < priority_cache->kx.algorithms; i++) {
- for (j=0;j<priority_cache->cipher.algorithms;j++) {
- for (z=0;z<priority_cache->mac.algorithms;z++) {
+ for (i = 0; i < priority_cache->_kx.algorithms; i++) {
+ for (j=0;j<priority_cache->_cipher.algorithms;j++) {
+ for (z=0;z<priority_cache->_mac.algorithms;z++) {
ce = cipher_suite_get(
- priority_cache->kx.priority[i],
- priority_cache->cipher.priority[j],
- priority_cache->mac.priority[z]);
+ priority_cache->_kx.priority[i],
+ priority_cache->_cipher.priority[j],
+ priority_cache->_mac.priority[z]);
if (ce != NULL && priority_cache->cs.size < MAX_CIPHERSUITE_SIZE) {
priority_cache->cs.entry[priority_cache->cs.size++] = ce;
@@ -1308,10 +1306,10 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
} else if ((algo =
gnutls_mac_get_id(&broken_list[i][1]))
!= GNUTLS_MAC_UNKNOWN) {
- fn(&(*priority_cache)->mac, algo);
+ fn(&(*priority_cache)->_mac, algo);
} else if ((centry = cipher_name_to_entry(&broken_list[i][1])) != NULL) {
if (_gnutls_cipher_exists(centry->id)) {
- fn(&(*priority_cache)->cipher, centry->id);
+ fn(&(*priority_cache)->_cipher, centry->id);
if (centry->type == CIPHER_BLOCK)
(*priority_cache)->have_cbc = 1;
}
@@ -1319,7 +1317,7 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
_gnutls_kx_get_id(&broken_list[i][1])) !=
GNUTLS_KX_UNKNOWN) {
if (algo != GNUTLS_KX_INVALID)
- fn(&(*priority_cache)->kx, algo);
+ fn(&(*priority_cache)->_kx, algo);
} else if (strncasecmp
(&broken_list[i][1], "VERS-", 5) == 0) {
if (strncasecmp
@@ -1398,16 +1396,16 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
}
} else if (strncasecmp
(&broken_list[i][1], "MAC-ALL", 7) == 0) {
- bulk_fn(&(*priority_cache)->mac,
+ bulk_fn(&(*priority_cache)->_mac,
mac_priority_normal);
} else if (strncasecmp
(&broken_list[i][1], "CIPHER-ALL",
10) == 0) {
- bulk_fn(&(*priority_cache)->cipher,
+ bulk_fn(&(*priority_cache)->_cipher,
cipher_priority_normal);
} else if (strncasecmp
(&broken_list[i][1], "KX-ALL", 6) == 0) {
- bulk_fn(&(*priority_cache)->kx,
+ bulk_fn(&(*priority_cache)->_kx,
kx_priority_secure);
} else
goto error;
@@ -1590,11 +1588,11 @@ int
gnutls_priority_kx_list(gnutls_priority_t pcache,
const unsigned int **list)
{
- if (pcache->kx.algorithms == 0)
+ if (pcache->_kx.algorithms == 0)
return 0;
- *list = pcache->kx.priority;
- return pcache->kx.algorithms;
+ *list = pcache->_kx.priority;
+ return pcache->_kx.algorithms;
}
/**
@@ -1612,11 +1610,11 @@ int
gnutls_priority_cipher_list(gnutls_priority_t pcache,
const unsigned int **list)
{
- if (pcache->cipher.algorithms == 0)
+ if (pcache->_cipher.algorithms == 0)
return 0;
- *list = pcache->cipher.priority;
- return pcache->cipher.algorithms;
+ *list = pcache->_cipher.priority;
+ return pcache->_cipher.algorithms;
}
/**
@@ -1634,11 +1632,11 @@ int
gnutls_priority_mac_list(gnutls_priority_t pcache,
const unsigned int **list)
{
- if (pcache->mac.algorithms == 0)
+ if (pcache->_mac.algorithms == 0)
return 0;
- *list = pcache->mac.priority;
- return pcache->mac.algorithms;
+ *list = pcache->_mac.priority;
+ return pcache->_mac.algorithms;
}
/**