]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
only send EtM extension if we have CBC ciphersuites
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 1 Apr 2015 08:42:28 +0000 (10:42 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 1 Apr 2015 08:42:28 +0000 (10:42 +0200)
lib/algorithms.h
lib/algorithms/ciphers.c
lib/ext/etm.c
lib/gnutls_int.h
lib/gnutls_priority.c

index 1ac400125592ee0cb525082456bfa7fabb3acb34..1fe9d4d006af6e51f2748d55122b6eabeb49ebbf 100644 (file)
@@ -183,6 +183,7 @@ const gnutls_cipher_suite_entry_st *ciphersuite_to_entry(const uint8_t suite[2])
 
 /* Functions for ciphers. */
 const cipher_entry_st *cipher_to_entry(gnutls_cipher_algorithm_t c);
+const cipher_entry_st *cipher_name_to_entry(const char *name);
 
 inline static cipher_type_t _gnutls_cipher_type(const cipher_entry_st * e)
 {
index 725a1c9ce5714c33dab269848353f780de2b2e4a..c49f755ddc934b599bc4f66cc44efdfc7b0d5921 100644 (file)
@@ -211,6 +211,19 @@ const cipher_entry_st *cipher_to_entry(gnutls_cipher_algorithm_t c)
        return NULL;
 }
 
+const cipher_entry_st * cipher_name_to_entry(const char *name)
+{
+       GNUTLS_CIPHER_LOOP(
+               if (strcasecmp(p->name, name) == 0) {
+                       if (p->id == GNUTLS_CIPHER_NULL || _gnutls_cipher_exists(p->id))
+                               return p;
+                       break;
+               }
+       );
+
+       return NULL;
+}
+
 /**
  * gnutls_cipher_get_block_size:
  * @algorithm: is an encryption algorithm
index f3a90ee1a9f8dcfa16a40fce47472b0d397a5eab..d77db63eb1dc0d90b937b766407b2dab7c89972d 100644 (file)
@@ -99,7 +99,10 @@ _gnutls_ext_etm_send_params(gnutls_session_t session,
 
        /* this function sends the client extension data */
        if (session->security_parameters.entity == GNUTLS_CLIENT) {
-               return GNUTLS_E_INT_RET_0;
+               if (session->internals.priorities.have_cbc != 0)
+                       return GNUTLS_E_INT_RET_0;
+               else
+                       return 0;
        } else { /* server side */
                const cipher_entry_st *c;
                int ret;
index dd1155a6d35882f8714a817e587c4dcdd19193b6..59cc99fe2b5b0c6d888d426db779b1a215902411 100644 (file)
@@ -666,6 +666,7 @@ struct gnutls_priority_st {
        bool allow_wrong_pms;
        bool no_tickets;
        bool no_etm;
+       bool have_cbc;
        /* Whether stateless compression will be used */
        bool stateless_compression;
        unsigned int additional_verify_flags;
index 515d237441d3b97c316943ffb2fa8a8d7ead6fc7..06e6cf49913aa566db9d53607f7a30f667a04900 100644 (file)
@@ -667,6 +667,8 @@ int check_level(const char *level, gnutls_priority_t priority_cache,
        bulk_rmadd_func *func;
        unsigned profile = 0;
        unsigned i;
+       int j;
+       const cipher_entry_st *centry;
 
        if (add)
                func = _add_priority;
@@ -692,6 +694,15 @@ int check_level(const char *level, gnutls_priority_t priority_cache,
                        }
                        SET_LEVEL(pgroups[i].sec_param); /* set DH params level */
                        priority_cache->no_tickets = pgroups[i].no_tickets;
+                       if (priority_cache->have_cbc == 0) {
+                               for (j=0;(*pgroups[i].cipher_list)[j]!=0;j++) {
+                                       centry = cipher_to_entry((*pgroups[i].cipher_list)[j]);
+                                       if (centry != NULL && centry->type == CIPHER_BLOCK) {
+                                               priority_cache->have_cbc = 1;
+                                               break;
+                                       }
+                               }
+                       }
                        return 1;
                }
        }
@@ -1048,6 +1059,7 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
        rmadd_func *fn;
        bulk_rmadd_func *bulk_fn;
        bulk_rmadd_func *bulk_given_fn;
+       const cipher_entry_st *centry;
 
        if (err_pos)
                *err_pos = priorities;
@@ -1120,11 +1132,11 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
                                    gnutls_mac_get_id(&broken_list[i][1]))
                                   != GNUTLS_MAC_UNKNOWN)
                                fn(&(*priority_cache)->mac, algo);
-                       else if ((algo =
-                                 gnutls_cipher_get_id(&broken_list[i][1]))
-                                != GNUTLS_CIPHER_UNKNOWN)
-                               fn(&(*priority_cache)->cipher, algo);
-                       else if ((algo =
+                       else if ((centry = cipher_name_to_entry(&broken_list[i][1])) != NULL) {
+                               fn(&(*priority_cache)->cipher, centry->id);
+                               if (centry->type == CIPHER_BLOCK)
+                                       (*priority_cache)->have_cbc = 1;
+                       else if ((algo =
                                  gnutls_kx_get_id(&broken_list[i][1])) !=
                                 GNUTLS_KX_UNKNOWN)
                                fn(&(*priority_cache)->kx, algo);