
[SCM] GNU gnutls branch, master, updated. gnutls_3_1_0-72-g5ba6e25


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_1_0-72-g5ba6e25
Date: Sun, 16 Sep 2012 09:21:58 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=5ba6e25952cd7bc775e670a0706a051fbeaab0c7

The branch, master has been updated
       via  5ba6e25952cd7bc775e670a0706a051fbeaab0c7 (commit)
       via  8e1fe856b3b6a4c0b6f01b4d7f8d4e2f9af0ebd3 (commit)
      from  4d92572fb63e09209be3d6ed1ff47661c6b4adbe (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 5ba6e25952cd7bc775e670a0706a051fbeaab0c7
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sun Sep 16 11:21:45 2012 +0200

    use a %STATELESS_COMPRESSION priority string instead of gnutls_init() flag.

commit 8e1fe856b3b6a4c0b6f01b4d7f8d4e2f9af0ebd3
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sun Sep 16 11:19:12 2012 +0200

    corrected missing parameter

-----------------------------------------------------------------------

Summary of changes:
 doc/cha-gtls-app.texi           |    5 +++++
 doc/cha-intro-tls.texi          |    2 +-
 lib/gnutls_cipher.c             |    2 +-
 lib/gnutls_int.h                |    4 ++--
 lib/gnutls_priority.c           |    4 ++++
 lib/gnutls_sig.c                |   15 +++++++--------
 lib/gnutls_state.c              |    6 +-----
 lib/includes/gnutls/gnutls.h.in |    2 --
 8 files changed, 21 insertions(+), 19 deletions(-)

diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 7345684..7e82a42 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -979,6 +979,11 @@ will prevent the sending of any TLS extensions in client 
side. Note
 that TLS 1.2 requires extensions to be used, as well as safe
 renegotiation thus this option must be used with care.
 
address@hidden %STATELESS_COMPRESSION @tab
+will disable keeping state across records when compressing. This may
+help to mitigate attacks when compression is used but an attacker
+is in control of input data.
+
 @item %SERVER_PRECEDENCE @tab
 The ciphersuite will be selected according to server priorities
 and not the client's.
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index e68058a..21b8533 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -191,7 +191,7 @@ on @xcite{RFC3749}. The supported algorithms are shown 
below.
 Note that compression enables attacks such as traffic analysis, or even
 plaintext recovery under certain circumstances. To avoid some of these
 attacks GnuTLS allows each record to be compressed independently (i.e.,
-stateless compression), by using a flag to @funcref{gnutls_init}.
+stateless compression), by using the "%STATELESS_COMPRESSION" priority string.
 
 @node Weaknesses and countermeasures
 @subsection Weaknesses and countermeasures
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index 5266fbe..248b376 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -105,7 +105,7 @@ _gnutls_encrypt (gnutls_session_t session, const uint8_t * 
headers,
         return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
       
       ret = _gnutls_compress(&params->write.compression_state, data, 
data_size, 
-                             comp.data, comp.size, 
session->internals.stateless_compression);
+                             comp.data, comp.size, 
session->internals.priorities.stateless_compression);
       if (ret < 0)
         {
           gnutls_free(comp.data);
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 11c099d..c781439 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -589,6 +589,8 @@ struct gnutls_priority_st
   unsigned int ssl3_record_version:1;
   unsigned int server_precedence:1;
   unsigned int allow_key_usage_violation:1;
+  /* Whether stateless compression will be used */
+  unsigned int stateless_compression:1;
   unsigned int additional_verify_flags;
 };
 
@@ -882,8 +884,6 @@ typedef struct
   /* if set it means that the master key was set using
    * gnutls_session_set_master() rather than being negotiated. */
   unsigned int premaster_set:1;
-  /* Whether stateless compression will be used */
-  unsigned int stateless_compression:1;
 
   unsigned int cb_tls_unique_len;
   unsigned char cb_tls_unique[MAX_VERIFY_DATA_SIZE];
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index decd6d5..c5db0a2 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -986,6 +986,10 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
             {
               (*priority_cache)->no_extensions = 1;
             }
+          else if (strcasecmp (&broken_list[i][1], "STATELESS_COMPRESSION") == 
0)
+            {
+              (*priority_cache)->stateless_compression = 1;
+            }
           else if (strcasecmp (&broken_list[i][1],
                                "VERIFY_ALLOW_SIGN_RSA_MD5") == 0)
             {
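Review bot: The `STATELESS_COMPRESSION` branch only ever sets the bit, so the protection stays opt-in and a priority string without the keyword keeps compressor state shared across records. A short comment above the assignment would help the next reader, for example `/* opt-in: compress each record independently; does not hide the length of a single record */`. Resetting state per record limits what one record's size reveals about earlier records, but a record that carries both secret and attacker-chosen bytes still leaks through its compressed length, so disabling compression remains the stronger setting where the input is not trusted. The `else if` chain and `gnutls_priority_init` both continue outside the hunk, so whether the field starts at zero is not visible here.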
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 4ba1527..c3665c6 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -235,7 +235,8 @@ es_cleanup:
 }
 
 static int
-verify_tls_hash (gnutls_protocol_t ver, gnutls_pcert_st* cert,
+verify_tls_hash (gnutls_session_t session,
+                 gnutls_protocol_t ver, gnutls_pcert_st* cert,
                  const gnutls_datum_t * hash_concat,
                  gnutls_datum_t * signature, size_t sha1pos,
                  gnutls_sign_algorithm_t sign_algo,
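Review bot: `verify_tls_hash` now takes both `session` and `ver`, and nothing in the visible hunks shows what the function does with `session` or that `ver` always belongs to that session. If `ver` is derived from the session at each call site (not visible here), passing both lets the two drift apart in a later edit. Consider dropping `ver` and reading the version inside the function, or stating the relationship in a header comment such as `/* session: the handshake this signature belongs to; ver must be that session's negotiated version */`. The function body lies outside this hunk, and the three callers (`_gnutls_handshake_verify_data`, `_gnutls_handshake_verify_crt_vrfy12`, `_gnutls_handshake_verify_crt_vrfy`) are updated in the hunks that follow.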
@@ -384,11 +385,9 @@ _gnutls_handshake_verify_data (gnutls_session_t session, 
gnutls_pcert_st* cert,
       dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
     }
 
-  ret = verify_tls_hash (ver, cert, &dconcat, signature,
-                            dconcat.size -
-                            _gnutls_hash_get_algo_len (hash_algo),
-                            sign_algo,
-                            gnutls_sign_get_pk_algorithm (sign_algo));
+  ret = verify_tls_hash (session, ver, cert, &dconcat, signature,
+                            dconcat.size - _gnutls_hash_get_algo_len 
(hash_algo),
+                            sign_algo, gnutls_sign_get_pk_algorithm 
(sign_algo));
   if (ret < 0)
     {
       gnutls_assert ();
@@ -433,7 +432,7 @@ _gnutls_handshake_verify_crt_vrfy12 (gnutls_session_t 
session,
   dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
 
   ret =
-    verify_tls_hash (ver, cert, &dconcat, signature, 0, sign_algo, pk);
+    verify_tls_hash (session, ver, cert, &dconcat, signature, 0, sign_algo, 
pk);
   if (ret < 0)
     {
       gnutls_assert ();
@@ -527,7 +526,7 @@ _gnutls_handshake_verify_crt_vrfy (gnutls_session_t session,
   dconcat.size = 20 + 16;       /* md5+ sha */
 
   ret =
-    verify_tls_hash (ver, cert, &dconcat, signature, 16,
+    verify_tls_hash (session, ver, cert, &dconcat, signature, 16,
                      GNUTLS_SIGN_UNKNOWN,
                      gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL));
   if (ret < 0)
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index 26d0ed9..c9c09ce 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -293,8 +293,7 @@ _gnutls_handshake_internal_state_clear (gnutls_session_t 
session)
  * @flags can be one of %GNUTLS_CLIENT and %GNUTLS_SERVER. For a DTLS
  * entity, the flags %GNUTLS_DATAGRAM and  %GNUTLS_NONBLOCK are
  * also available. The latter flag will enable a non-blocking
- * operation of the DTLS timers. The flag %GNUTLS_STATELESS_COMPRESSION
- * would disable keeping state across records when compressing.
+ * operation of the DTLS timers. 
  *
  * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
  **/
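Review bot: The `@flags` description no longer mentions `%GNUTLS_STATELESS_COMPRESSION`, and the same commit removes the check in `gnutls_init` and the `#define` in `gnutls.h.in`, so a caller that still passes bit `(1<<4)` would get stateful compression with no error. If a released header ever exposed that flag, it is worth either rejecting unknown flag bits or pointing readers to the replacement here, e.g. ` * Stateless compression is selected with the %STATELESS_COMPRESSION priority keyword.` The added line also leaves trailing whitespace after `timers.`. The comment and `gnutls_init` itself continue outside the hunk.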
@@ -394,9 +393,6 @@ gnutls_init (gnutls_session_t * session, unsigned int flags)
   else
     (*session)->internals.transport = GNUTLS_STREAM;
   
-  if (flags & GNUTLS_STATELESS_COMPRESSION)
-    (*session)->internals.stateless_compression = 1;
-  
   if (flags & GNUTLS_NONBLOCK)
     (*session)->internals.dtls.blocking = 0;
   else
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 52bd311..ef00c5b 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -295,14 +295,12 @@ extern "C"
    * @GNUTLS_CLIENT: Connection end is a client.
    * @GNUTLS_DATAGRAM: Connection is datagram oriented (DTLS).
    * @GNUTLS_NONBLOCK: Connection should not block (DTLS).
-   * @GNUTLS_STATELESS_COMPRESSION: Compression will be applied independently 
on each record.
    *
    */
 #define GNUTLS_SERVER 1
 #define GNUTLS_CLIENT (1<<1)
 #define GNUTLS_DATAGRAM (1<<2)
 #define GNUTLS_NONBLOCK (1<<3)
-#define GNUTLS_STATELESS_COMPRESSION (1<<4)
 
 /**
  * gnutls_alert_level_t:


hooks/post-receive
-- 
GNU gnutls


