Commit graph

258 commits

Author SHA1 Message Date
Aaron Jones
939d7ec7fe
GNUTLS: Apply whole-file const correctness 2016-09-17 00:56:54 +00:00
Aaron Jones
9c7dda22e8
GNUTLS: Improve rb_ssl_get_cipher()
* Add debugging assertions.

* Reduce the buffer size in line with the other backends.

* Ask for the cipher name directly instead of constructing it ourselves
  from the key exchange / authentication algorithm, symmetric encryption
  algorithm, and message authentication code algorithm.
2016-09-17 00:56:54 +00:00
Aaron Jones
dd59642de1
GNUTLS: Improve rb_get_ssl_info()
Explicitly ignore the snprintf return value and properly indent
the following line.

Also add a 'v' before the version strings so it reads as e.g.:
  library (v3.3.8), compiled (v3.3.8)
2016-09-17 00:56:54 +00:00
Aaron Jones
67d31a2755
GNUTLS: Improve rb_get_ssl_certfp()
* Give function parameters const correctness.

* Use similar variable names as the other backends -- this will reduce
  the diff between them.

* Check for more kinds of errors in retrieving the peer's certificate.

* Log failure to generate fingerprints, like the MbedTLS backend does.
2016-09-17 00:56:54 +00:00
Aaron Jones
9986455edc
GNUTLS: Log PRNG initialisation 2016-09-17 00:56:53 +00:00
Aaron Jones
2b5bf0bada
GNUTLS: Improve rb_connect_tcp_ssl() and rb_ssl_start_connected()
Use the variable name instead of its type as an argument to a sizeof
allocation. This will prevent possible future errors being introduced
when the type of the variable is changed, but the sizeof argument is
not updated.
2016-09-17 00:56:53 +00:00
Aaron Jones
f4726edf7a
GNUTLS: Fix up rb_ssl_listen()
Declare and assign variables at the same time; give function
parameters const correctness.
2016-09-17 00:56:53 +00:00
Aaron Jones
4369f1fa55
GNUTLS: Improve rb_ssl_connect_common()
This is the same as the previous commit for rb_ssl_accept_common().
2016-09-17 00:56:53 +00:00
Aaron Jones
8ebebff4b4
GNUTLS: Improve rb_ssl_accept_common()
* Add more debugging assertions

* Cancel timeouts and callbacks when handshake succeeds or hard fails

* Differentiate between kernel and library errors

* Increase F->handshake_count on handshake success

  I'm still not exactly sure what this is even used for. It may be
  removed from all backends at a later time if I find it's not being
  used for anything important, as right now it can only have the values
  0 or 1.
2016-09-17 00:56:53 +00:00
Aaron Jones
8099d352c9
GNUTLS: Store error codes properly
This is similar to commit db12df5c16 for
the MbedTLS backend.

The difference is, GNUTLS will not accept positive values as input to
gnutls_strerror(), so we invert the sign bit after retrieving the value
too, not just when storing it.

Also add a forgotten ssl_errno assignment to rb_ssl_connect_common().
2016-09-17 00:56:53 +00:00
Aaron Jones
c6600fe290
GNUTLS: Add rb_ssl_strerror() function in line with other backends 2016-09-17 00:56:53 +00:00
Aaron Jones
d70129a0d6
GNUTLS: Rework rb_init_ssl() and rb_setup_ssl_server()
I did my best to remove all possible memory leaks in the latter.
It's ugly.
2016-09-17 00:56:53 +00:00
Aaron Jones
2d01971d05
GNUTLS: Send do_ssl_handshake() to the depths from whence it came 2016-09-17 00:56:53 +00:00
Aaron Jones
4fc76590b9
GNUTLS: Rework datum loading code 2016-09-17 00:56:53 +00:00
Aaron Jones
25ecd3cc86
GNUTLS: Raise minimum group size for Diffie-Hellman-Merkle key exchange
A 2048-bit long P should really be the minimum these days.
2016-09-17 00:56:53 +00:00
Aaron Jones
5797027e9f
GNUTLS: Add dedicated socket send/recv functions
This avoids a compiler warning regarding casting a file descriptor to a
pointer (as input to gnutls_transport_set_ptr()), and also ensures that
the pointer is valid for the lifetime of the session.
2016-09-17 00:56:53 +00:00
Aaron Jones
3f32d48dab
GNUTLS: Break off TLS setup from callbacks to a dedicated function
This is in line with the other backends; eventually those callbacks
will be moved to a library-agnostic section.
2016-09-17 00:56:52 +00:00
Aaron Jones
4618ec248e
GNUTLS: Improve the connect callback logic 2016-09-17 00:56:52 +00:00
Aaron Jones
77119a5031
GNUTLS: Improve the accept callback logic 2016-09-17 00:56:52 +00:00
Aaron Jones
a41a1d20db
GNUTLS: Fix the SSL_P(x) macro
It previously assumed there was an "F" variable in the scope it was
used in. It now uses its input "x" variable.
2016-09-17 00:56:52 +00:00
Aaron Jones
5103d939d0
GNUTLS: Rename the timeout callback in line with the other backends 2016-09-17 00:56:52 +00:00
Aaron Jones
992aa93b80
GNUTLS: Tidy up rb_init_ssl() and improve its error logging 2016-09-17 00:56:52 +00:00
Aaron Jones
6cc08ecf90
GNUTLS: Move `struct ssl_connect' definition to the top of the file 2016-09-17 00:56:52 +00:00
Aaron Jones
fde101b9b2
GNUTLS: Tidy up the cert authentication callback 2016-09-17 00:56:52 +00:00
Aaron Jones
75d7d47a7e
GNUTLS: Tidy up headers 2016-09-17 00:56:52 +00:00
Aaron Jones
d9e6ff7349
GNUTLS: Tidy up unit-scope variables and give them clearer names 2016-09-17 00:56:11 +00:00
Aaron Jones
4d89c83c32
GNUTLS: Shut down sessions properly
If gnutls_bye() fails with a fatal error, we would reattempt it again
and again, even though this may then go on to e.g. cause a segmentation
fault.

Now we just keep retrying if it was interrupted, in line with the other
backends, up to a maximum of 3 retries.
2016-09-17 00:55:40 +00:00
Aaron Jones
a3a25a4c8a
MbedTLS: A few more minor changes
Yeah, I know, I said I was happy with it and wouldn't be changing it.
However, the new GNUTLS backend I'm working on has prompted this.

E.g. MbedTLS error codes and GNUTLS error codes are both negative ints,
     but GNUTLS will not tolerate positive input values. Let's treat
     both backends the same.
2016-09-17 00:11:46 +00:00
Aaron Jones
159d901e71
MbedTLS & OpenSSL: Purely cosmetic changes.
This further reduces the diff between the backends.
It does not change any of the logic in either backend.
2016-09-16 11:17:29 +00:00
William Pitcock
de78e5906a Merge pull request #219 from aaronmdjones/openssl219
Improve the OpenSSL backend
2016-09-15 21:50:48 -07:00
Aaron Jones
92c04c6b9d
OpenSSL: Final round of const correctness
I'm happy with the state of this backend now.
I don't anticipate making any further changes.
2016-09-15 20:14:01 +00:00
Aaron Jones
5feb292aa9
OpenSSL: Indicate successful RNG initialisation 2016-09-15 20:12:22 +00:00
Aaron Jones
5bb5226edc
OpenSSL: Simplify the RNG code 2016-09-15 20:12:22 +00:00
Aaron Jones
15e2cab1e5
OpenSSL: Add another debugging assert 2016-09-15 20:12:22 +00:00
Aaron Jones
01ce1c508d
OpenSSL: Add a debugging assert for timeouts 2016-09-15 20:12:22 +00:00
Aaron Jones
b4a0b60dff
OpenSSL: Cast sockaddr len variable appropriately 2016-09-15 20:12:22 +00:00
Aaron Jones
d9c825c4de
OpenSSL: Correct closing comment
[ci skip]
2016-09-15 20:12:21 +00:00
Aaron Jones
06c588e535
OpenSSL: Apply consistent coding style
[ci skip]
2016-09-15 20:12:21 +00:00
Aaron Jones
767fad345f
OpenSSL: Properly wrap long lines.
[ci skip]
2016-09-15 20:12:21 +00:00
Aaron Jones
a8db009575
OpenSSL: Modify rb_ssl_strerror() in line with other backends 2016-09-15 20:12:21 +00:00
Aaron Jones
45d05d8882
OpenSSL: Improve error logging in rb_setup_ssl_server() 2016-09-15 20:12:21 +00:00
Aaron Jones
bd8097c459
OpenSSL: Tweak connection shutdown logic 2016-09-15 20:12:21 +00:00
Aaron Jones
485b5b8084
OpenSSL: Import the callback/handshake logic from the MbedTLS backend 2016-09-15 20:12:21 +00:00
Aaron Jones
9114e3a2dc
OpenSSL: Improve rb_setup_ssl_server()
* Move file/data assignments to the top of the function

* Don't attempt to set a hardcoded P-384 ECDH key if we have the new
  SSL_CTX_set1_curves_list() function (OpenSSL 1.0.2+)

* Rename variables consistent with other backends and wrap the function
  arguments.

* Disable OpenSSL's disabling of TLS 1/n-1 record splitting.
  In other words, enable TLS 1/n-1 record splitting.

* Other misc cleanups.
2016-09-15 20:12:21 +00:00
Aaron Jones
47d51fe3ac
OpenSSL: Use C99 __func__ declaration instead of writing function names 2016-09-15 20:12:21 +00:00
Aaron Jones
cc04fbe3f9
OpenSSL: Fix up rb_init_ssl() to use proper define from openssl_ratbox.h 2016-09-15 20:12:21 +00:00
Aaron Jones
62fc0eab03
OpenSSL: Rename error functions consistent with other backends. 2016-09-15 20:12:21 +00:00
Aaron Jones
4e9441a1cb
OpenSSL: Add generic direction enum for negotiation setup.
Also define an SSL_P(x) macro as in other backends and use that to refer
to the client session context.
2016-09-15 20:12:21 +00:00
Aaron Jones
e569720fe1
OpenSSL: Misc code cleanups
Make use of C99 for loop initialisers, declarations with immediate
rvalues, etc.
2016-09-15 20:12:20 +00:00
Aaron Jones
a61e06e1d1
OpenSSL: Add const-correctness to function and variable declarations. 2016-09-15 20:12:20 +00:00