From: Nikos Mavrogiannopoulos Date: Fri, 15 Jan 2010 04:03:03 +0000 (+0100) Subject: Modified extensions (session ticket, oprfi) to store internal data in gnutls internal... X-Git-Tag: gnutls_2_9_10~162 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=24790726540b1389ef39c28c83049dbd6831cb3a;p=thirdparty%2Fgnutls.git Modified extensions (session ticket, oprfi) to store internal data in gnutls internal structure and input data only in the security_parameters extension structure. Session ticket extension will call the user supplied hello function on resumption. (the current API to handle that is inexistant. To be revised) --- diff --git a/lib/ext_oprfi.c b/lib/ext_oprfi.c index b187684878..a20d9b3ab1 100644 --- a/lib/ext_oprfi.c +++ b/lib/ext_oprfi.c @@ -40,7 +40,7 @@ oprfi_recv_server (gnutls_session_t session, uint16_t len; int ret; - if (!session->security_parameters.extensions.oprfi_cb) + if (!session->internals.oprfi_cb) { gnutls_assert (); return 0; @@ -152,7 +152,7 @@ oprfi_send_server (gnutls_session_t session, opaque * data, size_t _data_size) size_t len; if (!session->security_parameters.extensions.oprfi_client || - !session->security_parameters.extensions.oprfi_cb) + !session->internals.oprfi_cb) return 0; /* Allocate buffer for outgoing data. */ @@ -167,8 +167,8 @@ oprfi_send_server (gnutls_session_t session, opaque * data, size_t _data_size) } /* Get outgoing data. */ - ret = session->security_parameters.extensions.oprfi_cb - (session, session->security_parameters.extensions.oprfi_userdata, + ret = session->internals.oprfi_cb + (session, session->internals.oprfi_userdata, session->security_parameters.extensions.oprfi_client_len, session->security_parameters.extensions.oprfi_client, session->security_parameters.extensions.oprfi_server); @@ -249,6 +249,6 @@ void gnutls_oprfi_enable_server (gnutls_session_t session, gnutls_oprfi_callback_func cb, void *userdata) { - session->security_parameters.extensions.oprfi_cb = cb; - session->security_parameters.extensions.oprfi_userdata = userdata; + session->internals.oprfi_cb = cb; + session->internals.oprfi_userdata = userdata; } diff --git a/lib/ext_session_ticket.c b/lib/ext_session_ticket.c index a474ba1cd9..f25c739173 100644 --- a/lib/ext_session_ticket.c +++ b/lib/ext_session_ticket.c @@ -88,7 +88,7 @@ decrypt_ticket (gnutls_session_t session, struct ticket *ticket) /* Check the integrity of ticket using HMAC-SHA-256. */ mac_secret.data = (void*) - session->security_parameters.extensions.session_ticket_key->mac_secret; + session->internals.session_ticket_key->mac_secret; mac_secret.size = MAC_SECRET_SIZE; ret = digest_ticket (&mac_secret, ticket, final); if (ret < 0) @@ -104,7 +104,7 @@ decrypt_ticket (gnutls_session_t session, struct ticket *ticket) } /* Decrypt encrypted_state using 128-bit AES in CBC mode. */ - key.data = (void*)session->security_parameters.extensions.session_ticket_key->key; + key.data = (void*)session->internals.session_ticket_key->key; key.size = KEY_SIZE; IV.data = ticket->IV; IV.size = IV_SIZE; @@ -177,9 +177,9 @@ encrypt_ticket (gnutls_session_t session, struct ticket *ticket) _gnutls_free_datum (&state); /* Encrypt state using 128-bit AES in CBC mode. */ - key.data = (void*)session->security_parameters.extensions.session_ticket_key->key; + key.data = (void*)session->internals.session_ticket_key->key; key.size = KEY_SIZE; - IV.data = session->security_parameters.extensions.session_ticket_IV; + IV.data = session->internals.session_ticket_IV; IV.size = IV_SIZE; ret = _gnutls_cipher_init (&cipher_hd, GNUTLS_CIPHER_AES_128_CBC, &key, &IV); @@ -202,14 +202,13 @@ encrypt_ticket (gnutls_session_t session, struct ticket *ticket) /* Fill the ticket structure to compute MAC. */ memcpy (ticket->key_name, - session->security_parameters.extensions. - session_ticket_key->key_name, KEY_NAME_SIZE); + session->internals.session_ticket_key->key_name, KEY_NAME_SIZE); memcpy (ticket->IV, IV.data, IV.size); ticket->encrypted_state_len = encrypted_state.size; ticket->encrypted_state = encrypted_state.data; mac_secret.data = - (void*)session->security_parameters.extensions.session_ticket_key->mac_secret; + (void*)session->internals.session_ticket_key->mac_secret; mac_secret.size = MAC_SECRET_SIZE; ret = digest_ticket (&mac_secret, ticket, ticket->mac); if (ret < 0) @@ -251,8 +250,7 @@ _gnutls_session_ticket_recv_params (gnutls_session_t session, /* If the key name of the ticket does not match the one that we hold, issue a new ticket. */ if (memcmp (ticket.key_name, - session->security_parameters.extensions. - session_ticket_key->key_name, KEY_NAME_SIZE)) + session->internals.session_ticket_key->key_name, KEY_NAME_SIZE)) { session->internals.session_ticket_renew = 1; return 0; @@ -438,7 +436,7 @@ gnutls_session_ticket_enable_server (gnutls_session_t session, } ret = _gnutls_rnd (GNUTLS_RND_RANDOM, - session->security_parameters.extensions. + session->internals. session_ticket_IV, IV_SIZE); if (ret < 0) { @@ -446,7 +444,7 @@ gnutls_session_ticket_enable_server (gnutls_session_t session, return ret; } - session->security_parameters.extensions.session_ticket_key = + session->internals.session_ticket_key = (struct gnutls_session_ticket_key_st *) key->data; session->internals.session_ticket_enable = 1; return 0; diff --git a/lib/gnutls_constate.c b/lib/gnutls_constate.c index 338c060e0e..4fe6e49581 100644 --- a/lib/gnutls_constate.c +++ b/lib/gnutls_constate.c @@ -381,6 +381,9 @@ _gnutls_set_write_keys (gnutls_session_t session) } #define CPY_EXTENSIONS \ + gnutls_free(dst->extensions.session_ticket); \ + gnutls_free(dst->extensions.oprfi_client); \ + gnutls_free(dst->extensions.oprfi_server); \ memcpy(&dst->extensions.server_names, &src->extensions, sizeof(src->extensions)); \ memset(&src->extensions, 0, sizeof(src->extensions)) /* avoid duplicate free's */ diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index 9ea7bd26d8..2575894d78 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -470,7 +470,7 @@ _gnutls_read_client_hello (gnutls_session_t session, opaque * data, pos += session_id_len; if (ret == 0) - { /* resumed! */ + { /* resumed using default TLS resumption! */ /* Parse only the safe renegotiation extension * We don't want to parse any other extensions since * we don't want new extension values to overwrite the @@ -585,7 +585,8 @@ _gnutls_read_client_hello (gnutls_session_t session, opaque * data, session->security_parameters.max_record_send_size; resume_copy_required_values (session); - return 0; + + return _gnutls_user_hello_func (session, adv_version); } /* select an appropriate cipher suite diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index df5dc4f429..5799d46bce 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -338,17 +338,11 @@ typedef struct ***/ /* Opaque PRF input. */ - gnutls_oprfi_callback_func oprfi_cb; - const void *oprfi_userdata; opaque *oprfi_client; uint16_t oprfi_client_len; opaque *oprfi_server; uint16_t oprfi_server_len; - /* Session Ticket */ - const struct gnutls_session_ticket_key_st *session_ticket_key; - opaque session_ticket_IV[SESSION_TICKET_IV_SIZE]; - /* Safe renegotiation. */ uint8_t client_verify_data[MAX_VERIFY_DATA_SIZE]; size_t client_verify_data_len; @@ -750,6 +744,14 @@ typedef struct int safe_renegotiation_received:1; int initial_negotiation_completed:1; + /* Oprfi */ + gnutls_oprfi_callback_func oprfi_cb; + const void *oprfi_userdata; + + /* Session Ticket */ + struct gnutls_session_ticket_key_st *session_ticket_key; + opaque session_ticket_IV[SESSION_TICKET_IV_SIZE]; + /* If you add anything here, check _gnutls_handshake_internal_state_clear(). */ } internals_st;