return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
}
- if (ver == GNUTLS_TLS1_2)
+ if (_gnutls_version_has_selectable_sighash(ver))
{
/* read supported hashes */
int hash_num;
session->internals.ignore_rdn_sequence == 0)
size += cred->x509_rdn_sequence.size;
- if (ver == GNUTLS_TLS1_2)
+ if (_gnutls_version_has_selectable_sighash(ver))
/* Need at least one byte to announce the number of supported hash
functions (see below). */
size += 1;
pdata[2] = DSA_SIGN; /* only these for now */
pdata += CERTTYPE_SIZE;
- if (ver == GNUTLS_TLS1_2)
+ if (_gnutls_version_has_selectable_sighash(ver))
{
/* Supported hashes (nothing for now -- FIXME). */
*pdata = 0;
return 1;
}
+
+/* This function determines if the version specified has a
+ cipher-suite selected PRF hash function instead of the old
+ hardcoded MD5+SHA1. */
+int
+_gnutls_version_has_selectable_prf (gnutls_protocol_t version)
+{
+ return version == GNUTLS_TLS1_2;
+}
+
+/* This function determines if the version specified has selectable
+ signature/hash functions for certificate authentification. */
+int
+_gnutls_version_has_selectable_sighash (gnutls_protocol_t version)
+{
+ return version == GNUTLS_TLS1_2;
+}
+
+/* This function determines if the version specified has support for
+ TLS extensions. */
+int
+_gnutls_version_has_extensions (gnutls_protocol_t version)
+{
+ switch(version) {
+ case GNUTLS_TLS1_0:
+ case GNUTLS_TLS1_1:
+ case GNUTLS_TLS1_2:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
+/* This function determines if the version specified has explicit IVs
+ (for CBC attack prevention). */
+int
+_gnutls_version_has_explicit_iv (gnutls_protocol_t version)
+{
+ switch(version) {
+ case GNUTLS_TLS1_1:
+ case GNUTLS_TLS1_2:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
+/* This function determines if the version specified can have
+ non-minimal padding. */
+int _gnutls_version_has_variable_padding (gnutls_protocol_t version)
+{
+ switch(version) {
+ case GNUTLS_TLS1_0:
+ case GNUTLS_TLS1_1:
+ case GNUTLS_TLS1_2:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
/* Type to KX mappings */
gnutls_kx_algorithm_t
_gnutls_map_kx_get_kx (gnutls_credentials_type_t type, int server)
int _gnutls_version_get_minor (gnutls_protocol_t ver);
gnutls_protocol_t _gnutls_version_get (int major, int minor);
+/* Functions for feature checks */
+int _gnutls_version_has_selectable_prf (gnutls_protocol_t version);
+int _gnutls_version_has_selectable_sighash (gnutls_protocol_t version);
+int _gnutls_version_has_extensions (gnutls_protocol_t version);
+int _gnutls_version_has_explicit_iv (gnutls_protocol_t version);
+int _gnutls_version_has_variable_padding (gnutls_protocol_t version);
+
/* Functions for MACs. */
int _gnutls_mac_is_ok (gnutls_mac_algorithm_t algorithm);
gnutls_mac_algorithm_t _gnutls_x509_oid2mac_algorithm (const char *oid);
*pad = (uint8_t) (blocksize - (length % blocksize)) + rnd;
length += *pad;
- if (session->security_parameters.version >= GNUTLS_TLS1_1)
+ if (_gnutls_version_has_explicit_iv(session->security_parameters.version))
length += blocksize; /* for the IV */
break;
write_sequence_number), 8);
_gnutls_hmac (&td, &type, 1);
- if (ver >= GNUTLS_TLS1)
+ if (_gnutls_version_has_variable_padding(ver))
{ /* TLS 1.0 or higher */
_gnutls_hmac (&td, &major, 1);
_gnutls_hmac (&td, &minor, 1);
data_ptr = cipher_data;
if (block_algo == CIPHER_BLOCK &&
- session->security_parameters.version >= GNUTLS_TLS1_1)
+ _gnutls_version_has_explicit_iv(session->security_parameters.version))
{
/* copy the random IV.
*/
/* ignore the IV in TLS 1.1.
*/
- if (session->security_parameters.version >= GNUTLS_TLS1_1)
+ if (_gnutls_version_has_explicit_iv(session->security_parameters.version))
{
ciphertext.size -= blocksize;
ciphertext.data += blocksize;
/* Check the pading bytes (TLS 1.x)
*/
- if (ver >= GNUTLS_TLS1 && pad_failed == 0)
+ if (_gnutls_version_has_variable_padding(ver) && pad_failed == 0)
for (i = 2; i < pad; i++)
{
if (ciphertext.data[ciphertext.size - i] !=
read_sequence_number), 8);
_gnutls_hmac (&td, &type, 1);
- if (ver >= GNUTLS_TLS1)
+ if (_gnutls_version_has_variable_padding(ver))
{ /* TLS 1.x */
_gnutls_hmac (&td, &major, 1);
_gnutls_hmac (&td, &minor, 1);
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
int rc;
- if (ver < GNUTLS_TLS1_2)
+ if (!_gnutls_version_has_selectable_prf(ver))
{
rc =
_gnutls_hash_copy (&td_md5,
return rc;
}
- if (ver < GNUTLS_TLS1_2)
+ if (!_gnutls_version_has_selectable_prf(ver))
{
_gnutls_hash_deinit (&td_md5, concat);
_gnutls_hash_deinit (&td_sha, &concat[16]);
/* Parse the extensions (if any)
*/
- if (neg_version >= GNUTLS_TLS1)
+ if (_gnutls_version_has_extensions(neg_version))
{
ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION,
&data[pos], len);
return ret;
}
- if (neg_version >= GNUTLS_TLS1)
+ if (_gnutls_version_has_extensions(neg_version))
{
ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS,
&data[pos], len);
/* Parse extensions.
*/
- if (version >= GNUTLS_TLS1)
+ if (_gnutls_version_has_extensions(version))
{
ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY,
&data[pos], len);
/* Generate and copy TLS extensions.
*/
- if (hver >= GNUTLS_TLS1)
+ if (_gnutls_version_has_extensions(hver))
{
extdatalen =
_gnutls_gen_extensions (session, extdata, sizeof (extdata));
switch (cert->subject_pk_algorithm)
{
case GNUTLS_PK_RSA:
- if (ver < GNUTLS_TLS1_2)
+ if (!_gnutls_version_has_selectable_prf(ver))
{
digest_hd_st td_md5;
opaque concat[36];
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
- if (ver < GNUTLS_TLS1_2)
+ if (!_gnutls_version_has_selectable_prf(ver))
{
ret = _gnutls_hash_init (&td_md5, GNUTLS_MAC_MD5);
if (ret < 0)
if (ret < 0)
{
gnutls_assert ();
- if (ver < GNUTLS_TLS1_2)
+ if (!_gnutls_version_has_selectable_prf(ver))
_gnutls_hash_deinit (&td_md5, NULL);
return ret;
}
GNUTLS_RANDOM_SIZE);
_gnutls_hash (&td_sha, params->data, params->size);
- if (ver < GNUTLS_TLS1_2)
+ if (!_gnutls_version_has_selectable_prf(ver))
{
_gnutls_hash_deinit (&td_md5, concat);
_gnutls_hash_deinit (&td_sha, &concat[16]);
memcpy (s_seed, label, label_size);
memcpy (&s_seed[label_size], seed, seed_size);
- if (ver >= GNUTLS_TLS1_2)
+ if (_gnutls_version_has_selectable_prf(ver))
{
result =
_gnutls_P_hash (GNUTLS_MAC_SHA1, secret, secret_size,