diff options
-rw-r--r-- | NEWS | 6 | ||||
-rw-r--r-- | configure.in | 67 | ||||
-rw-r--r-- | doc/tex/ex3.tex | 4 | ||||
-rw-r--r-- | lib/auth_anon.c | 16 | ||||
-rw-r--r-- | lib/auth_dhe_rsa.c | 8 | ||||
-rw-r--r-- | lib/gnutls.h.in.in | 5 | ||||
-rw-r--r-- | lib/gnutls_anon_cred.c | 24 | ||||
-rw-r--r-- | lib/gnutls_dh.c | 7 | ||||
-rw-r--r-- | lib/gnutls_dh.h | 4 | ||||
-rw-r--r-- | lib/gnutls_int.h | 7 | ||||
-rw-r--r-- | lib/gnutls_int_compat.c | 10 | ||||
-rw-r--r-- | lib/gnutls_record.c | 3 | ||||
-rw-r--r-- | lib/gnutls_ui.c | 75 | ||||
-rw-r--r-- | lib/gnutls_ui.h | 4 | ||||
-rw-r--r-- | src/common.h | 4 | ||||
-rw-r--r-- | src/serv.c | 4 |
16 files changed, 120 insertions, 128 deletions
@@ -2,8 +2,10 @@ Version ?.?.? - gnutls_check_pending() was renamed to gnutls_record_check_pending() - Key exchange methods changed so they do not depend on the Certificate type (GNUTLS_KX_X509PKI_* renamed to GNUTLS_KX_*) -- Renamed gnutls_x509pki_s/get_dh_bits() to gnutls_dh_s/get_dhe_bits() -- Renamed gnutls_anon_server/client_get_dh_bits() to gnutls_dh_get_dha_bits() +- Combined gnutls_x509pki_(set/get)_dh_bits() and gnutls_anon_server/client_get_dh_bits() + to gnutls_dh_(set/get)_bits() +- gnutls_anon_set_server_cred() was deprecated by gnutls_dh_set_bits() +- gnutls_x509pki_set_trust_(file/mem) can now be called multiple times Version 0.3.3 - Added gnutls_x509pki_verify_certificate() diff --git a/configure.in b/configure.in index af29e4a556..5db8e962d6 100644 --- a/configure.in +++ b/configure.in @@ -137,6 +137,39 @@ AC_MSG_RESULT([*** AC_C_CONST AC_C_INLINE +if test $ac_cv_c_compiler_gnu != no; then + + if test x$opt_profiler_mode = xyes; then + CFLAGS="${CFLAGS} -O0 -fprofile-arcs -finstrument-functions -ftest-coverage" + AC_CHECK_LIB(fnccheck, main, + LIBS="$LIBS -lfnccheck", + AC_MSG_ERROR("You must install libfnccheck in order to enable profiling. http://www710.univ-lyon1.fr/~yperret/fnccheck/profiler.html") + ) + fi + + if test x$opt_maintainer_mode = xyes; then + + CFLAGS="${CFLAGS} -O0 -ggdb3 -Wall -Wpointer-arith -Wstrict-prototypes" # -Werror + else + CFLAGS="${CFLAGS} -O2" + fi + + if test x$opt_dmalloc_mode = xyes; then + AC_CHECK_LIB( dmalloc, main) + AC_DEFINE(USE_DMALLOC) + fi + + AC_MSG_CHECKING([whether we have GNU assembler]) + + GAS=`as --version < /dev/null|grep GNU` + if test "$GAS"; then + CFLAGS="${CFLAGS} -pipe" + AC_MSG_RESULT(yes) + else + AC_MSG_RESULT(no) + fi +fi + AC_MSG_RESULT([*** *** Detecting C library capabilities... @@ -212,40 +245,6 @@ LIBGNUTLS_CFLAGS="$LIBGCRYPT_CFLAGS -I${includedir}" AC_SUBST(LIBGNUTLS_LIBS) AC_SUBST(LIBGNUTLS_CFLAGS) -if test $ac_cv_c_compiler_gnu != no; then - CFLAGS="" - - - if test x$opt_profiler_mode = xyes; then - CFLAGS="${CFLAGS} -O0 -fprofile-arcs -finstrument-functions -ftest-coverage" - AC_CHECK_LIB(fnccheck, main, - LIBS="$LIBS -lfnccheck", - AC_MSG_ERROR("You must install libfnccheck in order to enable profiling. http://www710.univ-lyon1.fr/~yperret/fnccheck/profiler.html") - ) - fi - - if test x$opt_maintainer_mode = xyes; then - - CFLAGS="${CFLAGS} -O0 -ggdb3 -Wall -Wpointer-arith -Wstrict-prototypes" # -Werror - else - CFLAGS="${CFLAGS} -O2" - fi - - if test x$opt_dmalloc_mode = xyes; then - AC_CHECK_LIB( dmalloc, main) - AC_DEFINE(USE_DMALLOC) - fi - - AC_MSG_CHECKING([whether we have GNU assembler]) - - GAS=`as --version < /dev/null|grep GNU` - if test "$GAS"; then - CFLAGS="${CFLAGS} -pipe" - AC_MSG_RESULT(yes) - else - AC_MSG_RESULT(no) - fi -fi AC_CONFIG_FILES(lib/gnutls.h.in) diff --git a/doc/tex/ex3.tex b/doc/tex/ex3.tex index 10f4c3bb70..761a532b7e 100644 --- a/doc/tex/ex3.tex +++ b/doc/tex/ex3.tex @@ -33,7 +33,7 @@ int print_info(GNUTLS_STATE state) switch (cred) { case GNUTLS_ANON: printf("- Anonymous DH using prime of %d bits\n", - gnutls_dh_get_dha_bits(state)); + gnutls_dh_get_bits(state)); break; case GNUTLS_X509PKI: /* in case of X509 PKI @@ -63,7 +63,7 @@ int print_info(GNUTLS_STATE state) */ if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) { printf("\n- Ephemeral DH using prime of %d bits\n", - gnutls_dh_get_dhe_bits(state)); + gnutls_dh_get_bits(state)); } /* if the certificate list is available, then diff --git a/lib/auth_anon.c b/lib/auth_anon.c index ff5e21740d..cda1f4d78f 100644 --- a/lib/auth_anon.c +++ b/lib/auth_anon.c @@ -72,14 +72,8 @@ int gen_anon_server_kx( GNUTLS_STATE state, opaque** data) { uint8 *data_p; uint8 *data_g; uint8 *data_X; - const GNUTLS_ANON_SERVER_CREDENTIALS cred; - cred = _gnutls_get_cred( state->gnutls_key, GNUTLS_ANON, NULL); - if (cred==NULL) { - bits = DEFAULT_BITS; /* default */ - } else { - bits = cred->dh_bits; - } + bits = _gnutls_dh_get_bits( state); g = gnutls_get_dh_params(&p, bits); if (g==NULL || p==NULL) { @@ -265,14 +259,8 @@ int proc_anon_client_kx( GNUTLS_STATE state, opaque* data, int data_size) { size_t _n_Y; MPI g, p; int bits, ret; - const GNUTLS_ANON_SERVER_CREDENTIALS cred; - cred = _gnutls_get_cred( state->gnutls_key, GNUTLS_ANON, NULL); - if (cred==NULL) { - bits = DEFAULT_BITS; /* default */ - } else { - bits = cred->dh_bits; - } + bits = _gnutls_dh_get_bits( state); DECR_LEN( data_size, 2); n_Y = READuint16( &data[0]); diff --git a/lib/auth_dhe_rsa.c b/lib/auth_dhe_rsa.c index 23fd18938a..520ac7e6f8 100644 --- a/lib/auth_dhe_rsa.c +++ b/lib/auth_dhe_rsa.c @@ -69,9 +69,7 @@ static int gen_dhe_rsa_server_kx(GNUTLS_STATE state, opaque ** data) gnutls_datum signature, ddata; X509PKI_AUTH_INFO info; - bits = state->gnutls_internals.dhe_bits; - if (bits < MIN_BITS) - bits = DEFAULT_BITS; /* default */ + bits = _gnutls_dh_get_bits( state); /* find the appropriate certificate */ if ((ret = @@ -361,9 +359,7 @@ static int proc_dhe_rsa_client_kx(GNUTLS_STATE state, opaque * data, MPI g, p; int bits, ret; - bits = state->gnutls_internals.dhe_bits; - if (bits < MIN_BITS) - bits = DEFAULT_BITS; /* default */ + bits = _gnutls_dh_get_bits( state); DECR_LEN( data_size, 2); n_Y = READuint16(&data[0]); diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in index e7df75c9e5..9590db553a 100644 --- a/lib/gnutls.h.in.in +++ b/lib/gnutls.h.in.in @@ -205,10 +205,11 @@ int gnutls_anon_set_client_cred( GNUTLS_ANON_SERVER_CREDENTIALS res, int dh_bits */ void gnutls_x509pki_free_sc( GNUTLS_X509PKI_CREDENTIALS sc); int gnutls_x509pki_allocate_sc( GNUTLS_X509PKI_CREDENTIALS *sc, int ncerts); -int gnutls_x509pki_set_key_file( GNUTLS_X509PKI_CREDENTIALS res, char *CERTFILE, char* KEYFILE); -int gnutls_x509pki_set_trust_file( GNUTLS_X509PKI_CREDENTIALS res, char* CAFILE, char* CRLFILE); +int gnutls_x509pki_set_trust_file( GNUTLS_X509PKI_CREDENTIALS res, char* CAFILE, char* CRLFILE); int gnutls_x509pki_set_trust_mem(GNUTLS_X509PKI_CREDENTIALS res, const gnutls_datum *CA, const gnutls_datum *CRL); + +int gnutls_x509pki_set_key_file( GNUTLS_X509PKI_CREDENTIALS res, char *CERTFILE, char* KEYFILE); int gnutls_x509pki_set_key_mem(GNUTLS_X509PKI_CREDENTIALS res, const gnutls_datum* CERT, const gnutls_datum* KEY); #define gnutls_x509pki_free_server_sc gnutls_x509pki_free_sc diff --git a/lib/gnutls_anon_cred.c b/lib/gnutls_anon_cred.c index f74f96f0b7..189b203689 100644 --- a/lib/gnutls_anon_cred.c +++ b/lib/gnutls_anon_cred.c @@ -26,6 +26,8 @@ #include "gnutls_num.h" #include "gnutls_gcry.h" +const static int anon_tmp; + /** * gnutls_anon_free_server_sc - Used to free an allocated GNUTLS_ANON_SERVER_CREDENTIALS structure * @sc: is an &GNUTLS_ANON_SERVER_CREDENTIALS structure. @@ -35,7 +37,7 @@ * the structure. **/ void gnutls_anon_free_server_sc( GNUTLS_ANON_SERVER_CREDENTIALS sc) { - gnutls_free(sc); + return; } /** @@ -47,26 +49,10 @@ void gnutls_anon_free_server_sc( GNUTLS_ANON_SERVER_CREDENTIALS sc) { * the structure. **/ int gnutls_anon_allocate_server_sc( GNUTLS_ANON_SERVER_CREDENTIALS *sc) { - *sc = gnutls_malloc(sizeof( ANON_SERVER_CREDENTIALS_INT)); - - if (*sc==NULL) return GNUTLS_E_MEMORY_ERROR; + *sc = &anon_tmp; return 0; } -/** - * gnutls_anon_set_server_cred - Used to set the number of bits to use in DH, in a GNUTLS_ANON_SERVER_CREDENTIALS structure - * @res: is an &GNUTLS_ANON_SERVER_CREDENTIALS structure. - * @dh_bits: is the number of bits in DH key exchange - * - * Used to set the number of bits to use in an anonymous Diffie-Hellman, - * key exchange. - * - **/ - -int gnutls_anon_set_server_cred( GNUTLS_ANON_SERVER_CREDENTIALS res, int dh_bits) { - res->dh_bits = dh_bits; - return 0; -} /** * gnutls_anon_free_client_sc - Used to free an allocated GNUTLS_ANON_CLIENT_CREDENTIALS structure @@ -80,7 +66,6 @@ void gnutls_anon_free_client_sc( GNUTLS_ANON_CLIENT_CREDENTIALS sc) { return; } -const static int anon_tmp; /** * gnutls_allocate_anon_client_sc - Used to allocate an GNUTLS_ANON_CLIENT CREDENTIALS structure @@ -96,6 +81,5 @@ int gnutls_anon_allocate_client_sc( GNUTLS_ANON_CLIENT_CREDENTIALS *sc) { */ *sc = (void*) &anon_tmp; - if (*sc==NULL) return GNUTLS_E_MEMORY_ERROR; return 0; } diff --git a/lib/gnutls_dh.c b/lib/gnutls_dh.c index c4f66a3308..001e68b354 100644 --- a/lib/gnutls_dh.c +++ b/lib/gnutls_dh.c @@ -96,3 +96,10 @@ MPI gnutls_calc_dh_key(MPI f, MPI x, MPI prime) gcry_mpi_powm(k, f, x, prime); return k; } + +/* returns the bits the user requested for DH key exchange. + */ +int _gnutls_dh_get_bits(GNUTLS_STATE state) +{ + return state->gnutls_internals.dh_bits; +} diff --git a/lib/gnutls_dh.h b/lib/gnutls_dh.h index 50a3d5dc2a..6b871743a4 100644 --- a/lib/gnutls_dh.h +++ b/lib/gnutls_dh.h @@ -25,5 +25,5 @@ int _gnutls_dh_generate_prime(MPI *ret_g, MPI* ret_n, int bits); void _gnutls_dh_clear_mpis(void); int _gnutls_dh_calc_mpis(void); - -#define DEFAULT_BITS 1024 +int _gnutls_dh_get_bits( GNUTLS_STATE); +void gnutls_dh_set_bits( GNUTLS_STATE state, int bits); diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index ef86412e0e..d1d8e58abe 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -500,8 +500,11 @@ typedef struct { x509pki_client_cert_callback_func* client_cert_callback; x509pki_server_cert_callback_func* server_cert_callback; - /* how may bits to use for DHE? */ - int dhe_bits; + /* bits to use for DHE and DHA + * use _gnutls_dh_get_bits() and gnutls_dh_set_bits() + * to access it. + */ + int dh_bits; int max_handshake_data_buffer_size; diff --git a/lib/gnutls_int_compat.c b/lib/gnutls_int_compat.c index 825df05de2..e095895e96 100644 --- a/lib/gnutls_int_compat.c +++ b/lib/gnutls_int_compat.c @@ -4,6 +4,10 @@ * with previous versions. */ +int gnutls_anon_set_server_cred( GNUTLS_ANON_SERVER_CREDENTIALS res, int dh_bits) { + return 0; +} + /* used in 0.3.x */ int gnutls_check_pending( GNUTLS_STATE state) { return gnutls_record_check_pending( state); @@ -11,17 +15,17 @@ int gnutls_check_pending( GNUTLS_STATE state) { /* used in 0.3.x */ void gnutls_x509pki_set_dh_bits(GNUTLS_STATE state, int bits) { - gnutls_dh_set_dhe_bits( state, bits); + gnutls_dh_set_bits( state, bits); } /* used in 0.3.x */ int gnutls_anon_server_get_dh_bits(GNUTLS_STATE state) { - return gnutls_dh_get_dha_bits( state); + return gnutls_dh_get_bits( state); } /* used in 0.3.x */ int gnutls_anon_client_get_dh_bits(GNUTLS_STATE state) { - return gnutls_dh_get_dha_bits( state); + return gnutls_dh_get_bits( state); } diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c index ec658d195f..15b080f478 100644 --- a/lib/gnutls_record.c +++ b/lib/gnutls_record.c @@ -36,6 +36,7 @@ #include "gnutls_datum.h" #include "ext_max_record.h" #include <gnutls_alert.h> +#include <gnutls_dh.h> /** * gnutls_protocol_get_version - Returns the version of the currently used protocol @@ -142,6 +143,8 @@ int default_protocol_list[] = { GNUTLS_TLS1, 0 }; (*state)->gnutls_internals.expire_time = DEFAULT_EXPIRE_TIME; /* one hour default */ + gnutls_dh_set_bits( (*state), MIN_BITS); + gnutls_transport_set_lowat((*state), DEFAULT_LOWAT); /* the default for tcp */ gnutls_handshake_set_max_data_buffer_size( (*state), MAX_HANDSHAKE_DATA_BUFFER_SIZE); diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c index 5ade2f25c3..94a68678b1 100644 --- a/lib/gnutls_ui.c +++ b/lib/gnutls_ui.c @@ -55,23 +55,52 @@ const char *gnutls_srp_server_get_username(GNUTLS_STATE state) /* ANON */ /** - * gnutls_dh_get_dha_bits - This function returns the bits used in anonymous DH authentication + * gnutls_dh_set_bits - Used to set the bits for a DH ciphersuite + * @state: is a &GNUTLS_STATE structure. + * @bits: is the number of bits + * + * This function sets the number of bits, for use in an + * Diffie Hellman key exchange. This is used both in DHE and + * DH anonymous cipher suites. + * + **/ +void gnutls_dh_set_bits(GNUTLS_STATE state, int bits) +{ + state->gnutls_internals.dh_bits = bits; +} + +/** + * gnutls_dh_get_bits - This function returns the bits used in DH authentication * @state: is a gnutls state * - * This function will return the bits used in the anonymous Diffie Hellman authentication + * This function will return the bits used in the last Diffie Hellman authentication * with the peer. Returns a negative value in case of an error. * **/ -int gnutls_dh_get_dha_bits(GNUTLS_STATE state) +int gnutls_dh_get_bits(GNUTLS_STATE state) { - ANON_SERVER_AUTH_INFO info; - - CHECK_AUTH(GNUTLS_ANON, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info(state); - if (info == NULL) - return GNUTLS_E_UNKNOWN_ERROR; - return info->dh_bits; + switch( gnutls_auth_get_type( state)) { + case GNUTLS_ANON: { + ANON_SERVER_AUTH_INFO info; + + info = _gnutls_get_auth_info(state); + if (info == NULL) + return GNUTLS_E_UNKNOWN_ERROR; + return info->dh_bits; + } + case GNUTLS_X509PKI: { + X509PKI_AUTH_INFO info; + + info = _gnutls_get_auth_info(state); + if (info == NULL) + return GNUTLS_E_UNKNOWN_ERROR; + + return info->dh_bits; + } + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } } /* X509PKI */ @@ -103,30 +132,6 @@ const gnutls_datum *gnutls_x509pki_get_peer_certificate_list(GNUTLS_STATE state, /** - * gnutls_dh_get_dhe_bits - This function returns the number of bits used in a DHE handshake - * @state: is a gnutls state - * - * This function will return the number of bits used in a Diffie Hellman Handshake. This will only - * occur in case of DHE_* ciphersuites. The return value may be zero if no applicable ciphersuite was - * used. - * Returns a negative value in case of an error. - * - **/ -int gnutls_dh_get_dhe_bits(GNUTLS_STATE state) -{ - X509PKI_AUTH_INFO info; - - CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info(state); - if (info == NULL) - return GNUTLS_E_UNKNOWN_ERROR; - return info->dh_bits; -} - - - -/** * gnutls_x509pki_get_certificate_request_status - This function returns the certificate request status * @state: is a gnutls state * diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h index d1c1cef3c2..6a38a188f7 100644 --- a/lib/gnutls_ui.h +++ b/lib/gnutls_ui.h @@ -55,8 +55,8 @@ const char* gnutls_srp_server_get_username( GNUTLS_STATE state); int gnutls_dh_get_dha_bits( GNUTLS_STATE state); -void gnutls_dh_set_dhe_bits( GNUTLS_STATE state, int bits); -int gnutls_dh_get_dhe_bits( GNUTLS_STATE); +void gnutls_dh_set_bits( GNUTLS_STATE state, int bits); +int gnutls_dh_get_bits( GNUTLS_STATE); /* X509PKI */ diff --git a/src/common.h b/src/common.h index cd7df27c2e..9ce146067e 100644 --- a/src/common.h +++ b/src/common.h @@ -30,7 +30,7 @@ GNUTLS_KXAlgorithm kx; switch(cred) { case GNUTLS_ANON: printf("- Anonymous DH using prime of %d bits\n", - gnutls_dh_get_dha_bits( state)); + gnutls_dh_get_bits( state)); break; case GNUTLS_X509PKI: /* in case of X509 PKI @@ -60,7 +60,7 @@ GNUTLS_KXAlgorithm kx; */ if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) { printf("\n- Ephemeral DH using prime of %d bits\n", - gnutls_dh_get_dhe_bits( state)); + gnutls_dh_get_bits( state)); } if (cert_list_size > 0) { diff --git a/src/serv.c b/src/serv.c index 4605047a53..5a18c786e9 100644 --- a/src/serv.c +++ b/src/serv.c @@ -133,7 +133,7 @@ void peer_print_info( GNUTLS_STATE state) if (gnutls_kx_get_algo(state) == GNUTLS_KX_ANON_DH) { sprintf(tmp2, "<p> Connect using anonymous DH (prime of %d bits)</p>\n", - gnutls_dh_get_dha_bits( state)); + gnutls_dh_get_bits( state)); } /* print state information */ @@ -147,7 +147,7 @@ void peer_print_info( GNUTLS_STATE state) if (gnutls_kx_get_algo(state) == GNUTLS_KX_DHE_RSA || gnutls_kx_get_algo(state) == GNUTLS_KX_DHE_DSS) { sprintf(tmp2, "Ephemeral DH using prime of <b>%d</b> bits.<br>\n", - gnutls_dh_get_dhe_bits( state)); + gnutls_dh_get_bits( state)); } tmp = |