[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, gnutls_3_1_x, updated. gnutls_3_1_1-15-gcc24cc4
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, gnutls_3_1_x, updated. gnutls_3_1_1-15-gcc24cc4 |
|
Date: |
Sat, 15 Sep 2012 11:47:25 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=cc24cc4d66e79df77e4d67f796d22700fa5a9df2
The branch, gnutls_3_1_x has been updated
via cc24cc4d66e79df77e4d67f796d22700fa5a9df2 (commit)
via 44f471b27fe91b1927588178318369fb330f3f6e (commit)
from 32619a1eacf11c1bc6e0c86ac2a8399bdac43813 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit cc24cc4d66e79df77e4d67f796d22700fa5a9df2
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Sep 15 13:47:12 2012 +0200
documented updates
commit 44f471b27fe91b1927588178318369fb330f3f6e
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Sep 15 12:25:45 2012 +0200
Added GNUTLS_STATELESS_COMPRESSION flag to gnutls_init().
-----------------------------------------------------------------------
Summary of changes:
NEWS | 8 +++++++-
doc/cha-intro-tls.texi | 4 +++-
lib/gnutls_cipher.c | 3 ++-
lib/gnutls_compress.c | 13 +++++++++++--
lib/gnutls_compress.h | 2 +-
lib/gnutls_int.h | 2 ++
lib/gnutls_state.c | 6 +++++-
lib/includes/gnutls/gnutls.h.in | 3 ++-
8 files changed, 33 insertions(+), 8 deletions(-)
diff --git a/NEWS b/NEWS
index 74b6404..5b845ff 100644
--- a/NEWS
+++ b/NEWS
@@ -4,10 +4,16 @@ See the end for copying conditions.
* Version 3.1.2 (unreleased)
-** lbignutls: Fixed bug in gnutls_x509_trust_list_add_system_trust()
+** libgnutls: Fixed bug in gnutls_x509_trust_list_add_system_trust()
and gnutls_x509_trust_list_add_trust_mem() that prevented the loading
of certificates in the windows platform.
+** libgnutls: Better mingw32 support (patch by LRN).
+
+** libgnutls: Added GNUTLS_STATELESS_COMPRESSION flag to gnutls_init(),
+which provides a tool to counter compression-related attacks where
+parts of the data are controlled by the attacker.
+
** certtool: Prints the number of bits of the public key algorithm
parameter in a private key.
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index 5581fab..8b06475 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -189,7 +189,9 @@ on @xcite{RFC3749}. The supported algorithms are shown
below.
@showenumdesc{gnutls_compression_method_t,Supported compression algorithms}
Note that compression enables attacks such as traffic analysis, or even
-plaintext recovery under certain circumstances.
+plaintext recovery under certain circumstances. To avoid some of these
+attacks GnuTLS allows each record to be compressed independently (i.e.,
+stateless compression), by using a flag to @funcref{gnutls_init}.
@node Weaknesses and countermeasures
@subsection Weaknesses and countermeasures
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index e791003..5266fbe 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -104,7 +104,8 @@ _gnutls_encrypt (gnutls_session_t session, const uint8_t *
headers,
if (comp.data == NULL)
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
- ret = _gnutls_compress( ¶ms->write.compression_state, data,
data_size, comp.data, comp.size);
+ ret = _gnutls_compress(¶ms->write.compression_state, data,
data_size,
+ comp.data, comp.size,
session->internals.stateless_compression);
if (ret < 0)
{
gnutls_free(comp.data);
diff --git a/lib/gnutls_compress.c b/lib/gnutls_compress.c
index 01728ca..9d4380a 100644
--- a/lib/gnutls_compress.c
+++ b/lib/gnutls_compress.c
@@ -330,7 +330,7 @@ _gnutls_comp_deinit (comp_hd_st* handle, int d)
int
_gnutls_compress (comp_hd_st *handle, const uint8_t * plain,
size_t plain_size, uint8_t * compressed,
- size_t max_comp_size)
+ size_t max_comp_size, unsigned int stateless)
{
int compressed_size = GNUTLS_E_COMPRESSION_FAILED;
@@ -349,6 +349,15 @@ _gnutls_compress (comp_hd_st *handle, const uint8_t *
plain,
{
z_stream *zhandle;
int err;
+ int type;
+
+ if (stateless)
+ {
+fprintf(stderr, "FULL FLUSH\n");
+ type = Z_FULL_FLUSH;
+ }
+ else
+ type = Z_SYNC_FLUSH;
zhandle = handle->handle;
@@ -357,7 +366,7 @@ _gnutls_compress (comp_hd_st *handle, const uint8_t * plain,
zhandle->next_out = (Bytef *) compressed;
zhandle->avail_out = max_comp_size;
- err = deflate (zhandle, Z_SYNC_FLUSH);
+ err = deflate (zhandle, type);
if (err != Z_OK || zhandle->avail_in != 0)
return gnutls_assert_val(GNUTLS_E_COMPRESSION_FAILED);
diff --git a/lib/gnutls_compress.h b/lib/gnutls_compress.h
index 151e54f..938c2eb 100644
--- a/lib/gnutls_compress.h
+++ b/lib/gnutls_compress.h
@@ -48,7 +48,7 @@ int _gnutls_decompress (comp_hd_st* handle, uint8_t *
compressed,
size_t compressed_size, uint8_t * plain,
size_t max_plain_size);
int _gnutls_compress (comp_hd_st*, const uint8_t * plain, size_t plain_size,
- uint8_t * compressed, size_t max_comp_size);
+ uint8_t * compressed, size_t max_comp_size, unsigned int
stateless);
struct gnutls_compression_entry
{
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 8da6978..02241a8 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -876,6 +876,8 @@ typedef struct
/* if set it means that the master key was set using
* gnutls_session_set_master() rather than being negotiated. */
unsigned int premaster_set:1;
+ /* Whether stateless compression will be used */
+ unsigned int stateless_compression:1;
unsigned int cb_tls_unique_len;
unsigned char cb_tls_unique[MAX_VERIFY_DATA_SIZE];
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index 32ed927..b9354aa 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -293,7 +293,8 @@ _gnutls_handshake_internal_state_clear (gnutls_session_t
session)
* @flags can be one of %GNUTLS_CLIENT and %GNUTLS_SERVER. For a DTLS
* entity, the flags %GNUTLS_DATAGRAM and %GNUTLS_NONBLOCK are
* also available. The latter flag will enable a non-blocking
- * operation of the DTLS timers.
+ * operation of the DTLS timers. The flag %GNUTLS_STATELESS_COMPRESSION
+ * would disable keeping state across records when compressing.
*
* Returns: %GNUTLS_E_SUCCESS on success, or an error code.
**/
@@ -392,6 +393,9 @@ gnutls_init (gnutls_session_t * session, unsigned int flags)
else
(*session)->internals.transport = GNUTLS_STREAM;
+ if (flags & GNUTLS_STATELESS_COMPRESSION)
+ (*session)->internals.stateless_compression = 1;
+
if (flags & GNUTLS_NONBLOCK)
(*session)->internals.dtls.blocking = 0;
else
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index ec67403..51d853e 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -295,13 +295,14 @@ extern "C"
* @GNUTLS_CLIENT: Connection end is a client.
* @GNUTLS_DATAGRAM: Connection is datagram oriented (DTLS).
* @GNUTLS_NONBLOCK: Connection should not block (DTLS).
+ * @GNUTLS_STATELESS_COMPRESSION: Compression will be applied independently
on each record.
*
- * Enumeration of different TLS connection end types.
*/
#define GNUTLS_SERVER 1
#define GNUTLS_CLIENT (1<<1)
#define GNUTLS_DATAGRAM (1<<2)
#define GNUTLS_NONBLOCK (1<<3)
+#define GNUTLS_STATELESS_COMPRESSION (1<<4)
/**
* gnutls_alert_level_t:
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, gnutls_3_1_x, updated. gnutls_3_1_1-15-gcc24cc4,
Nikos Mavrogiannopoulos <=