* SPDX-License-Identifier: GPL-3.0-or-later
*/
-#include <assert.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdlib.h>
static tst_ctx_t * tst_key_create(const char *secret, size_t secret_len, uv_loop_t *loop)
{
const size_t hash_len = sizeof(time_t) + secret_len;
- if (secret_len &&
- (!secret || hash_len > UINT16_MAX || hash_len < secret_len)) {
- assert(!EINVAL);
+ if (!kr_assume(!secret_len || (secret && hash_len >= secret_len && hash_len <= UINT16_MAX))) {
return NULL;
/* reasonable secret_len is best enforced in config API */
}
- if (!tst_key_invariants()) {
- assert(!EFAULT);
+ if (!kr_assume(tst_key_invariants()))
return NULL;
- }
#if !TLS_SESSION_RESUMPTION_SYNC
if (secret_len) {
kr_log_error("[tls] session ticket: secrets were not enabled at compile-time (your GnuTLS version is not supported)\n");
gnutls_datum_t key_tmp = { NULL, 0 };
int err = gnutls_session_ticket_key_generate(&key_tmp);
if (err) return kr_error(err);
- if (key_tmp.size != SESSION_KEY_SIZE) {
- assert(!EFAULT);
+ if (!kr_assume(key_tmp.size == SESSION_KEY_SIZE))
return kr_error(EFAULT);
- }
memcpy(ctx->key, key_tmp.data, SESSION_KEY_SIZE);
gnutls_memset(key_tmp.data, 0, SESSION_KEY_SIZE);
free(key_tmp.data);
/** Recompute the session ticket key, if epoch has changed or forced. */
static int tst_key_update(tst_ctx_t *ctx, time_t epoch, bool force_update)
{
- if (!ctx || ctx->hash_len < sizeof(epoch)) {
- assert(!EINVAL);
+ if (!kr_assume(ctx && ctx->hash_len >= sizeof(epoch)))
return kr_error(EINVAL);
- }
/* documented limitation: time_t and endianess must match
* on instances sharing a secret */
if (!force_update && memcmp(ctx->hash_data, &epoch, sizeof(epoch)) == 0) {
}
/* Otherwise, deterministic variant of secret rotation, if supported. */
#if !TLS_SESSION_RESUMPTION_SYNC
- assert(false);
+ (void)!kr_assume(!ENOTSUP);
return kr_error(ENOTSUP);
#else
int err = gnutls_hash_fast(TST_HASH, ctx->hash_data,
/** Free all resources of the key (securely). */
static void tst_key_destroy(uv_handle_t *timer)
{
- assert(timer);
+ if (!kr_assume(timer))
+ return;
tst_ctx_t *ctx = timer->data;
- assert(ctx);
- gnutls_memset(ctx, 0, offsetof(tst_ctx_t, hash_data) + ctx->hash_len);
+ if (kr_assume(ctx))
+ gnutls_memset(ctx, 0, offsetof(tst_ctx_t, hash_data) + ctx->hash_len);
free(ctx);
}
* for gnutls_session_ticket_enable_server() doesn't say. */
int err = tst_key_update(stst, epoch, force_update);
if (err) {
- assert(err != kr_error(EINVAL));
- kr_log_error("[tls] session ticket: failed rotation, err = %d\n", err);
+ kr_log_error("[tls] session ticket: failed rotation, %s\n",
+ kr_strerror(err));
+ if (!kr_assume(err != kr_error(EINVAL)))
+ return;
}
/* Reschedule. */
const time_t tv_sec_next = (epoch + 1) * TST_KEY_LIFETIME;
const uint64_t remain_ms = (tv_sec_next - now.tv_sec - 1) * (uint64_t)1000
+ ms_until_second + 1;
/* ^ +1 because we don't want to wake up half a millisecond before the epoch! */
- assert(remain_ms < (TST_KEY_LIFETIME + 1 /*rounding tolerance*/) * 1000);
+ if (!kr_assume(remain_ms < (TST_KEY_LIFETIME + 1 /*rounding tolerance*/) * 1000))
+ return;
kr_log_verbose("[tls] session ticket: epoch %"PRIu64
", scheduling rotation check in %"PRIu64" ms\n",
(uint64_t)epoch, remain_ms);
err = uv_timer_start(timer, &tst_timer_callback, remain_ms, 0);
- if (err) {
- assert(false);
- kr_log_error("[tls] session ticket: failed to schedule, err = %d\n", err);
+ if (!kr_assume(err == 0)) {
+ kr_log_error("[tls] session ticket: failed to schedule, %s\n",
+ uv_strerror(err));
+ return;
}
}
void tls_session_ticket_enable(struct tls_session_ticket_ctx *ctx, gnutls_session_t session)
{
- assert(ctx && session);
+ if (!kr_assume(ctx && session))
+ return;
const gnutls_datum_t gd = {
.size = SESSION_KEY_SIZE,
.data = ctx->key,
tst_ctx_t * tls_session_ticket_ctx_create(uv_loop_t *loop, const char *secret,
size_t secret_len)
{
- assert(loop && (!secret_len || secret));
+ if (!kr_assume(loop && (!secret_len || secret)))
+ return NULL;
#if GNUTLS_VERSION_NUMBER < 0x030500
/* We would need different SESSION_KEY_SIZE; avoid assert. */
return NULL;
projects / thirdparty / knot-resolver.git / commitdiff
