
[SCM] GNU gnutls branch, gnutls_3_1_x, updated. gnutls_3_1_1-21-gf120c2f


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, gnutls_3_1_x, updated. gnutls_3_1_1-21-gf120c2f
Date: Sun, 16 Sep 2012 09:25:15 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=f120c2fa302c40c8317a274c30bbcd98f2f62723

The branch, gnutls_3_1_x has been updated
       via  f120c2fa302c40c8317a274c30bbcd98f2f62723 (commit)
       via  a551bc7046a5269a3c569ab38452e128c00c347e (commit)
       via  8aa370b81025fac972ebdf4cbd0d56cded3892bd (commit)
      from  16809623d2e9a10097124fe1153213cd19321695 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f120c2fa302c40c8317a274c30bbcd98f2f62723
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sun Sep 16 11:24:01 2012 +0200

    corrected prototypes

commit a551bc7046a5269a3c569ab38452e128c00c347e
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sun Sep 16 11:21:45 2012 +0200

    use a %STATELESS_COMPRESSION priority string instead of gnutls_init() flag.

commit 8aa370b81025fac972ebdf4cbd0d56cded3892bd
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sun Sep 16 11:19:12 2012 +0200

    corrected missing parameter

-----------------------------------------------------------------------

Summary of changes:
 doc/cha-gtls-app.texi           |    5 +++++
 doc/cha-intro-tls.texi          |    2 +-
 lib/gnutls_cipher.c             |    2 +-
 lib/gnutls_int.h                |    4 ++--
 lib/gnutls_priority.c           |    4 ++++
 lib/gnutls_sig.c                |   15 +++++++--------
 lib/gnutls_state.c              |    6 +-----
 lib/includes/gnutls/gnutls.h.in |    2 --
 lib/system.h                    |    4 ++--
 9 files changed, 23 insertions(+), 21 deletions(-)

diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 7345684..7e82a42 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -979,6 +979,11 @@ will prevent the sending of any TLS extensions in client 
side. Note
 that TLS 1.2 requires extensions to be used, as well as safe
 renegotiation thus this option must be used with care.
 
address@hidden %STATELESS_COMPRESSION @tab
+will disable keeping state across records when compressing. This may
+help to mitigate attacks when compression is used but an attacker
+is in control of input data.
+
 @item %SERVER_PRECEDENCE @tab
 The ciphersuite will be selected according to server priorities
 and not the client's.
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index 8b06475..ca2a81c 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -191,7 +191,7 @@ on @xcite{RFC3749}. The supported algorithms are shown 
below.
 Note that compression enables attacks such as traffic analysis, or even
 plaintext recovery under certain circumstances. To avoid some of these
 attacks GnuTLS allows each record to be compressed independently (i.e.,
-stateless compression), by using a flag to @funcref{gnutls_init}.
+stateless compression), by using the "%STATELESS_COMPRESSION" priority string.
 
 @node Weaknesses and countermeasures
 @subsection Weaknesses and countermeasures
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index 5266fbe..248b376 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -105,7 +105,7 @@ _gnutls_encrypt (gnutls_session_t session, const uint8_t * 
headers,
         return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
       
       ret = _gnutls_compress(&params->write.compression_state, data, 
data_size, 
-                             comp.data, comp.size, 
session->internals.stateless_compression);
+                             comp.data, comp.size, 
session->internals.priorities.stateless_compression);
       if (ret < 0)
         {
           gnutls_free(comp.data);
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index a120426..8c0399e 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -587,6 +587,8 @@ struct gnutls_priority_st
   unsigned int ssl3_record_version:1;
   unsigned int server_precedence:1;
   unsigned int allow_key_usage_violation:1;
+  /* Whether stateless compression will be used */
+  unsigned int stateless_compression:1;
   unsigned int additional_verify_flags;
 };
 
@@ -877,8 +879,6 @@ typedef struct
   /* if set it means that the master key was set using
    * gnutls_session_set_master() rather than being negotiated. */
   unsigned int premaster_set:1;
-  /* Whether stateless compression will be used */
-  unsigned int stateless_compression:1;
 
   unsigned int cb_tls_unique_len;
   unsigned char cb_tls_unique[MAX_VERIFY_DATA_SIZE];
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index decd6d5..c5db0a2 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -986,6 +986,10 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
             {
               (*priority_cache)->no_extensions = 1;
             }
+          else if (strcasecmp (&broken_list[i][1], "STATELESS_COMPRESSION") == 
0)
+            {
+              (*priority_cache)->stateless_compression = 1;
+            }
           else if (strcasecmp (&broken_list[i][1],
                                "VERIFY_ALLOW_SIGN_RSA_MD5") == 0)
             {
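Review bot: The new `STATELESS_COMPRESSION` branch only ever sets `stateless_compression` to 1, so stateful compression remains the default and the bit depends on `*priority_cache` being zero-initialised somewhere outside this hunk; that is worth confirming. Because the keyword is a mitigation rather than a complete fix, I would add a comment inside the branch, for example `/* compress each record independently; limits leakage across records, not inside a record that mixes secret and attacker-supplied data */`. Applications that enable compression without this keyword get no protection from this change. gnutls_priority_init starts and ends outside the hunk.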
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 4ba1527..c3665c6 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -235,7 +235,8 @@ es_cleanup:
 }
 
 static int
-verify_tls_hash (gnutls_protocol_t ver, gnutls_pcert_st* cert,
+verify_tls_hash (gnutls_session_t session,
+                 gnutls_protocol_t ver, gnutls_pcert_st* cert,
                  const gnutls_datum_t * hash_concat,
                  gnutls_datum_t * signature, size_t sha1pos,
                  gnutls_sign_algorithm_t sign_algo,
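Review bot: verify_tls_hash gains `session` as its first parameter, but neither this hunk nor the three call-site hunks that follow show what the body uses it for, and the definition has no header comment. A short comment above the function would help, for example `/* Verifies signature over hash_concat with cert's key; sha1pos is the offset of the SHA-1 digest inside hash_concat. */`, plus one line on why the session is needed. The sha1pos wording is inferred from the callers, which pass `16` alongside the `md5+ sha` comment, and should be checked against the body. The function body lies outside the hunk.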
@@ -384,11 +385,9 @@ _gnutls_handshake_verify_data (gnutls_session_t session, 
gnutls_pcert_st* cert,
       dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
     }
 
-  ret = verify_tls_hash (ver, cert, &dconcat, signature,
-                            dconcat.size -
-                            _gnutls_hash_get_algo_len (hash_algo),
-                            sign_algo,
-                            gnutls_sign_get_pk_algorithm (sign_algo));
+  ret = verify_tls_hash (session, ver, cert, &dconcat, signature,
+                            dconcat.size - _gnutls_hash_get_algo_len 
(hash_algo),
+                            sign_algo, gnutls_sign_get_pk_algorithm 
(sign_algo));
   if (ret < 0)
     {
       gnutls_assert ();
@@ -433,7 +432,7 @@ _gnutls_handshake_verify_crt_vrfy12 (gnutls_session_t 
session,
   dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
 
   ret =
-    verify_tls_hash (ver, cert, &dconcat, signature, 0, sign_algo, pk);
+    verify_tls_hash (session, ver, cert, &dconcat, signature, 0, sign_algo, 
pk);
   if (ret < 0)
     {
       gnutls_assert ();
@@ -527,7 +526,7 @@ _gnutls_handshake_verify_crt_vrfy (gnutls_session_t session,
   dconcat.size = 20 + 16;       /* md5+ sha */
 
   ret =
-    verify_tls_hash (ver, cert, &dconcat, signature, 16,
+    verify_tls_hash (session, ver, cert, &dconcat, signature, 16,
                      GNUTLS_SIGN_UNKNOWN,
                      gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL));
   if (ret < 0)
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index b9354aa..fee5afa 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -293,8 +293,7 @@ _gnutls_handshake_internal_state_clear (gnutls_session_t 
session)
  * @flags can be one of %GNUTLS_CLIENT and %GNUTLS_SERVER. For a DTLS
  * entity, the flags %GNUTLS_DATAGRAM and  %GNUTLS_NONBLOCK are
  * also available. The latter flag will enable a non-blocking
- * operation of the DTLS timers. The flag %GNUTLS_STATELESS_COMPRESSION
- * would disable keeping state across records when compressing.
+ * operation of the DTLS timers. 
  *
  * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
  **/
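Review bot: The @flags description drops %GNUTLS_STATELESS_COMPRESSION without telling readers where the option went, and the edited line keeps a trailing space after `timers.`. A pointer such as ` * Stateless compression is selected with the %STATELESS_COMPRESSION priority string.` would keep the doc comment useful. Judging by the next hunk in this file, gnutls_init no longer examines bit `(1<<4)`, so a binary built against the old header would presumably lose per-record compression without any error. If that flag ever shipped in a release, the behaviour change deserves a line in the release notes.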
@@ -393,9 +392,6 @@ gnutls_init (gnutls_session_t * session, unsigned int flags)
   else
     (*session)->internals.transport = GNUTLS_STREAM;
   
-  if (flags & GNUTLS_STATELESS_COMPRESSION)
-    (*session)->internals.stateless_compression = 1;
-  
   if (flags & GNUTLS_NONBLOCK)
     (*session)->internals.dtls.blocking = 0;
   else
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 51d853e..5b6651a 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -295,14 +295,12 @@ extern "C"
    * @GNUTLS_CLIENT: Connection end is a client.
    * @GNUTLS_DATAGRAM: Connection is datagram oriented (DTLS).
    * @GNUTLS_NONBLOCK: Connection should not block (DTLS).
-   * @GNUTLS_STATELESS_COMPRESSION: Compression will be applied independently 
on each record.
    *
    */
 #define GNUTLS_SERVER 1
 #define GNUTLS_CLIENT (1<<1)
 #define GNUTLS_DATAGRAM (1<<2)
 #define GNUTLS_NONBLOCK (1<<3)
-#define GNUTLS_STATELESS_COMPRESSION (1<<4)
 
 /**
  * gnutls_alert_level_t:
diff --git a/lib/system.h b/lib/system.h
index 0afbdd2..2902695 100644
--- a/lib/system.h
+++ b/lib/system.h
@@ -71,7 +71,7 @@ struct timespec ts;
 
 int _gnutls_find_config_path(char* path, size_t max_size);
 
-int gnutls_system_global_init ();
-void gnutls_system_global_deinit ();
+int gnutls_system_global_init (void);
+void gnutls_system_global_deinit (void);
 
 #endif /* SYSTEM_H */


hooks/post-receive
-- 
GNU gnutls


