authorNikos Mavrogiannopoulos <nmav@redhat.com>2018-11-14 13:56:52 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2018-11-15 13:48:37 +0100
commite1cd3313acb4c15ffc0f009c89a859e1f9b3bed4 (patch)
tree0901e4a012cbcc0ae3c59975914b46b1b4443da2 /lib
parent048dc3177c0f542c66e55472e4d5db1c1d2f3e0e (diff)
downloadgnutls-e1cd3313acb4c15ffc0f009c89a859e1f9b3bed4.tar.gz
anti_replay: moved new add function into anti_replay structure
The new function was not sharing anything with the existing gnutls_db_* backend, and moving it to the anti_replay structure is cleaner and allows deviations from the old API conventions (e.g., we can now pass pointers for efficiency and pass the expiration time as part of the call). Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib')
-rw-r--r--lib/db.c23
-rw-r--r--lib/ext/pre_shared_key.c2
-rw-r--r--lib/gnutls_int.h1
-rw-r--r--lib/includes/gnutls/gnutls.h.in13
-rw-r--r--lib/libgnutls.map3
-rw-r--r--lib/tls13/anti_replay.c59
-rw-r--r--lib/tls13/anti_replay.h2
7 files changed, 65 insertions, 38 deletions
diff --git a/lib/db.c b/lib/db.c
index 414816fcc8..e01e5b94c5 100644
--- a/lib/db.c
+++ b/lib/db.c
@@ -56,29 +56,6 @@ gnutls_db_set_retrieve_function(gnutls_session_t session,
}
/**
- * gnutls_db_set_add_function:
- * @session: is a #gnutls_session_t type.
- * @add_func: is the function.
- *
- * Sets the function that will be used to store an entry if it is not
- * already present in the resumed sessions database. This function returns 0
- * if the entry is successfully stored, and a negative error code
- * otherwise. In particular, if the entry is found in the database,
- * it returns %GNUTLS_E_DB_ENTRY_EXISTS.
- *
- * The first argument to @add_func will be null unless
- * gnutls_db_set_ptr() has been called.
- *
- * Since: 3.6.5
- **/
-void
-gnutls_db_set_add_function(gnutls_session_t session,
- gnutls_db_add_func add_func)
-{
- session->internals.db_add_func = add_func;
-}
-
-/**
* gnutls_db_set_remove_function:
* @session: is a #gnutls_session_t type.
* @rem_func: is the function.
diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
index bc7fc8aa95..c42bd1646b 100644
--- a/lib/ext/pre_shared_key.c
+++ b/lib/ext/pre_shared_key.c
@@ -621,7 +621,7 @@ static int server_recv_params(gnutls_session_t session,
} else {
if (session->internals.hsk_flags & HSK_EARLY_DATA_ACCEPTED) {
if (session->internals.anti_replay) {
- ret = _gnutls_anti_replay_check(session,
+ ret = _gnutls_anti_replay_check(session->internals.anti_replay,
ticket_age,
&ticket_creation_time,
&binder_recvd);
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index e34bea85b8..16881d8827 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -1216,7 +1216,6 @@ typedef struct {
gnutls_db_store_func db_store_func;
gnutls_db_retr_func db_retrieve_func;
gnutls_db_remove_func db_remove_func;
- gnutls_db_add_func db_add_func;
void *db_ptr;
/* post client hello callback (server side only)
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 2af09bb24a..789e374315 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1783,8 +1783,6 @@ typedef int (*gnutls_db_store_func) (void *, gnutls_datum_t key,
gnutls_datum_t data);
typedef int (*gnutls_db_remove_func) (void *, gnutls_datum_t key);
typedef gnutls_datum_t(*gnutls_db_retr_func) (void *, gnutls_datum_t key);
-typedef int (*gnutls_db_add_func) (void *, gnutls_datum_t key,
- gnutls_datum_t data);
void gnutls_db_set_cache_expiration(gnutls_session_t session, int seconds);
unsigned gnutls_db_get_default_cache_expiration(void);
@@ -1796,8 +1794,6 @@ void gnutls_db_set_remove_function(gnutls_session_t session,
gnutls_db_remove_func rem_func);
void gnutls_db_set_store_function(gnutls_session_t session,
gnutls_db_store_func store_func);
-void gnutls_db_set_add_function(gnutls_session_t session,
- gnutls_db_add_func add_func);
void gnutls_db_set_ptr(gnutls_session_t session, void *ptr);
void *gnutls_db_get_ptr(gnutls_session_t session);
int gnutls_db_check_entry(gnutls_session_t session,
@@ -3002,6 +2998,15 @@ void gnutls_anti_replay_set_window(gnutls_anti_replay_t anti_replay,
void gnutls_anti_replay_enable(gnutls_session_t session,
gnutls_anti_replay_t anti_replay);
+typedef int (*gnutls_db_add_func) (void *, time_t exp_time, const gnutls_datum_t *key,
+ const gnutls_datum_t *data);
+
+void gnutls_anti_replay_set_add_function(gnutls_anti_replay_t,
+ gnutls_db_add_func add_func);
+
+void gnutls_anti_replay_set_ptr(gnutls_anti_replay_t, void *ptr);
+
+
/* FIPS140-2 related functions */
unsigned gnutls_fips140_mode_enabled(void);
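Review bot: The new public `gnutls_db_add_func` typedef hands @key and @data to the backend by pointer, but nothing in the header says how long those pointers remain valid; in the only caller, _gnutls_anti_replay_check in lib/tls13/anti_replay.c, both point at stack buffers of that function (entry_buffer is visible in its hunk), so a backend that retains the pointers instead of copying the bytes would later read a dead stack frame. A comment above the typedef, `/* key and data are valid only for the duration of the call; the backend must copy them. exp_time is the absolute expiration time of the entry. */`, closes that gap, and the same sentence belongs in the gnutls_anti_replay_set_add_function docstring added in lib/tls13/anti_replay.c. The name gnutls_db_add_func is also reused here with a different signature from the one removed in the earlier hunks of this file, which is harmless only if 3.6.5 has not shipped; worth confirming. Both new prototypes leave their first parameter unnamed while naming the second; `gnutls_anti_replay_t anti_replay` keeps them consistent with the neighbouring gnutls_anti_replay_* declarations.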
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 3cfc0c450b..06181f04ee 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1255,7 +1255,8 @@ GNUTLS_3_6_5
gnutls_record_send_early_data;
gnutls_record_recv_early_data;
gnutls_db_check_entry_expire_time;
- gnutls_db_set_add_function;
+ gnutls_anti_replay_set_add_function;
+ gnutls_anti_replay_set_ptr;
gnutls_anti_replay_init;
gnutls_anti_replay_deinit;
gnutls_anti_replay_set_window;
diff --git a/lib/tls13/anti_replay.c b/lib/tls13/anti_replay.c
index 5ae9926afd..a99266928c 100644
--- a/lib/tls13/anti_replay.c
+++ b/lib/tls13/anti_replay.c
@@ -32,6 +32,8 @@
struct gnutls_anti_replay_st {
uint32_t window;
struct timespec start_time;
+ gnutls_db_add_func db_add_func;
+ void *db_ptr;
};
/**
@@ -121,13 +123,13 @@ gnutls_anti_replay_enable(gnutls_session_t session,
}
int
-_gnutls_anti_replay_check(gnutls_session_t session,
+_gnutls_anti_replay_check(gnutls_anti_replay_t anti_replay,
uint32_t client_ticket_age,
struct timespec *ticket_creation_time,
gnutls_datum_t *id)
{
- gnutls_anti_replay_t anti_replay = session->internals.anti_replay;
struct timespec now;
+ time_t window;
uint32_t server_ticket_age, diff;
gnutls_datum_t key = { NULL, 0 };
gnutls_datum_t entry = { NULL, 0 };
@@ -176,7 +178,7 @@ _gnutls_anti_replay_check(gnutls_session_t session,
/* Check if the ClientHello is stored in the database.
*/
- if (!session->internals.db_add_func)
+ if (!anti_replay->db_add_func)
return gnutls_assert_val(GNUTLS_E_EARLY_DATA_REJECTED);
/* Create a key for database lookup, prefixing window start
@@ -198,20 +200,21 @@ _gnutls_anti_replay_check(gnutls_session_t session,
/* Create an entry to be stored on database if the lookup
* failed. This is formatted so that
- * gnutls_db_entry_is_expired() work.
+ * gnutls_db_check_entry_expire_time() work.
*/
p = entry_buffer;
_gnutls_write_uint32(PACKED_SESSION_MAGIC, p);
p += 4;
_gnutls_write_uint32(now.tv_sec, p);
p += 4;
- _gnutls_write_uint32(anti_replay->window / 1000, p);
+ window = anti_replay->window / 1000;
+ _gnutls_write_uint32(window, p);
p += 4;
entry.data = entry_buffer;
entry.size = p - entry_buffer;
- ret = session->internals.db_add_func(session->internals.db_ptr,
- key, entry);
+ ret = anti_replay->db_add_func(anti_replay->db_ptr,
+ (uint64_t)now.tv_sec+(uint64_t)window, &key, &entry);
if (ret < 0) {
_gnutls_handshake_log("anti_replay: duplicate ClientHello found\n");
return gnutls_assert_val(GNUTLS_E_EARLY_DATA_REJECTED);
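Review bot: The expiration argument in the new db_add_func call is built as `(uint64_t)now.tv_sec+(uint64_t)window` and then implicitly narrowed back to the callback's `time_t exp_time` parameter, a sign-changing conversion that -Wconversion flags and that gains nothing because both operands are already time_t. `now.tv_sec + window` yields the same value in the parameter's own type. Note also that the entry serialized just above still goes through _gnutls_write_uint32 for both tv_sec and window, so the expiry embedded in @data is 32-bit while exp_time is not; that is inherited rather than new here, but a one-line comment at the call saying the two are expected to agree would help the next reader. _gnutls_anti_replay_check begins and ends outside this hunk.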
@@ -219,3 +222,45 @@ _gnutls_anti_replay_check(gnutls_session_t session,
return 0;
}
+
+/**
+ * gnutls_anti_replay_set_ptr:
+ * @anti_replay: is a #gnutls_anti_replay_t type.
+ * @ptr: is the pointer
+ *
+ * Sets the pointer that will be provided to db add function
+ * as the first argument.
+ **/
+void gnutls_anti_replay_set_ptr(gnutls_anti_replay_t anti_replay, void *ptr)
+{
+ anti_replay->db_ptr = ptr;
+}
+
+/**
+ * gnutls_anti_replay_set_add_function:
+ * @anti_replay: is a #gnutls_anti_replay_t type.
+ * @add_func: is the function.
+ *
+ * Sets the function that will be used to store an entry if it is not
+ * already present in the resumed sessions database. This function returns 0
+ * if the entry is successfully stored, and a negative error code
+ * otherwise. In particular, if the entry is found in the database,
+ * it returns %GNUTLS_E_DB_ENTRY_EXISTS.
+ *
+ * The arguments to the @add_func are:
+ * - %ptr: the pointer set with gnutls_anti_replay_set_ptr()
+ * - %exp_time: the expiration time of the entry
+ * - %key: a pointer to the key
+ * - %data: a pointer to data to store
+ *
+ * The data set by this function can be examined using
+ * gnutls_db_check_entry_expire_time() and gnutls_db_check_entry_time().
+ *
+ * Since: 3.6.5
+ **/
+void
+gnutls_anti_replay_set_add_function(gnutls_anti_replay_t anti_replay,
+ gnutls_db_add_func add_func)
+{
+ anti_replay->db_add_func = add_func;
+}
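Review bot: The docstring for gnutls_anti_replay_set_add_function still says the entry is stored "in the resumed sessions database", wording carried over from the removed gnutls_db_set_add_function, whereas the entries this object stores are ClientHello records used to reject replayed early data (the log line in _gnutls_anti_replay_check reads "duplicate ClientHello found"). Suggest `* Sets the function that will be used to store an entry in the anti-replay database if it is not already present.`. The @exp_time bullet would be clearer as `- %exp_time: the absolute expiration time of the entry`, since the caller passes now.tv_sec plus the window rather than a relative lifetime. The gnutls_anti_replay_set_ptr docstring also lacks a Since tag, unlike its sibling just below it.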
diff --git a/lib/tls13/anti_replay.h b/lib/tls13/anti_replay.h
index e44186c910..8d9bea4b5c 100644
--- a/lib/tls13/anti_replay.h
+++ b/lib/tls13/anti_replay.h
@@ -20,7 +20,7 @@
*
*/
-int _gnutls_anti_replay_check(gnutls_session_t session,
+int _gnutls_anti_replay_check(gnutls_anti_replay_t,
uint32_t client_ticket_age,
struct timespec *ticket_creation_time,
gnutls_datum_t *id);
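Review bot: The new `_gnutls_anti_replay_check` prototype takes the gnutls_anti_replay_t directly and the implementation dereferences it without a NULL check, so the only guard is the `if (session->internals.anti_replay)` in lib/ext/pre_shared_key.c. A comment above the prototype, `/* anti_replay must be non-NULL; callers test session->internals.anti_replay first */`, makes that contract visible to any future caller. The first parameter is also unnamed while the other three are named; `gnutls_anti_replay_t anti_replay` keeps the declaration consistent with the definition.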