[PATCH] tls: Refactor compression method ID check
by Andrew Zaborowski
When validating the Client Hello message we look up the compression
method IDs passed by the client in our look-up table. After this is
done check that at least one ID was found in the table, rather than
use memchr() before that lookup to make sure it contains the only ID
that we support. This should be less confusing to static analysis.
---
ell/tls.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/ell/tls.c b/ell/tls.c
index 827c128..c65fd0d 100644
--- a/ell/tls.c
+++ b/ell/tls.c
@@ -1719,12 +1719,6 @@ static void tls_handle_client_hello(struct l_tls *tls,
/* Select a compression method */
/* CompressionMethod.null must be present in the vector */
- if (!memchr(compression_methods, 0, compression_methods_size)) {
- TLS_DISCONNECT(TLS_ALERT_HANDSHAKE_FAIL, 0,
- "No common compression methods");
- goto cleanup;
- }
-
while (compression_methods_size) {
tls->pending.compression_method =
tls_find_compression_method(*compression_methods);
@@ -1736,6 +1730,12 @@ static void tls_handle_client_hello(struct l_tls *tls,
compression_methods_size--;
}
+ if (!compression_methods_size) {
+ TLS_DISCONNECT(TLS_ALERT_HANDSHAKE_FAIL, 0,
+ "No common compression methods");
+ goto cleanup;
+ }
+
TLS_DEBUG("Negotiated %s", tls->pending.compression_method->name);
if (!tls_send_server_hello(tls, extensions_offered))
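Review bot: The new guard `if (!compression_methods_size)` infers "no match" from the loop counter, while the line right after it dereferences `tls->pending.compression_method->name`. The two agree only if the loop breaks on a match before it decrements the counter; that break sits in lines the hunks do not show, so this is inferred rather than confirmed. Testing the pointer itself, `if (!tls->pending.compression_method) {`, states the invariant TLS_DEBUG depends on and stays correct if the loop body is later reordered. The body of tls_handle_client_hello starts and ends outside the hunk.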
--
2.27.0
1 year, 4 months
[PATCH 1/3] util: Add a constant time version of l_memeq
by Andrew Zaborowski
---
ell/ell.sym | 1 +
ell/util.c | 12 ++++++++++++
ell/util.h | 1 +
3 files changed, 14 insertions(+)
diff --git a/ell/ell.sym b/ell/ell.sym
index aa0c046..9938216 100644
--- a/ell/ell.sym
+++ b/ell/ell.sym
@@ -21,6 +21,7 @@ global:
l_util_debug;
l_util_get_debugfs_path;
l_memeq;
+ l_secure_memeq;
/* test */
l_test_init;
l_test_run;
diff --git a/ell/util.c b/ell/util.c
index 6896bc8..5b443a9 100644
--- a/ell/util.c
+++ b/ell/util.c
@@ -652,3 +652,15 @@ LIB_EXPORT bool l_memeq(const void *field, size_t size, uint8_t byte)
return true;
}
+
+LIB_EXPORT bool l_secure_memeq(const void *field, size_t size, uint8_t byte)
+{
+ const volatile uint8_t *mem = field;
+ size_t i;
+ bool diff = false;
+
+ for (i = 0; i < size; i++)
+ diff |= mem[i] != byte;
+
+ return !diff;
+}
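Review bot: The accumulator in l_secure_memeq is a `bool` fed by a comparison, `diff |= mem[i] != byte;`, which a compiler may lower to a data-dependent branch. The `volatile` qualifier forces every byte to be loaded but does not make the comparison branch-free. Accumulating the XOR in a byte keeps the data flow purely arithmetic: `uint8_t acc = 0;`, `acc |= mem[i] ^ byte;`, `return acc == 0;`. The function also lacks a comment saying when to prefer it over l_memeq, for example `/* Like l_memeq() but takes time independent of the contents of field; use when field holds secret data */`, which could equally sit on the declaration in util.h.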
diff --git a/ell/util.h b/ell/util.h
index 11708c2..b112878 100644
--- a/ell/util.h
+++ b/ell/util.h
@@ -412,6 +412,7 @@ static inline int l_secure_memcmp(const void *a, const void *b,
}
bool l_memeq(const void *field, size_t size, uint8_t byte);
+bool l_secure_memeq(const void *field, size_t size, uint8_t byte);
static inline bool l_memeqzero(const void *field, size_t size)
{
--
2.27.0
1 year, 4 months
[PATCH 1/3] acd: check fd return to satisfy static analysis
by James Prestwood
---
ell/acd.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/ell/acd.c b/ell/acd.c
index 6381747..d5c5024 100644
--- a/ell/acd.c
+++ b/ell/acd.c
@@ -129,6 +129,9 @@ static int acd_send_packet(struct l_acd *acd, uint32_t source_ip)
int n;
int fd = l_io_get_fd(acd->io);
+ if (fd < 0)
+ return fd;
+
memset(&dest, 0, sizeof(dest));
memset(&p, 0, sizeof(p));
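Review bot: `return fd;` in acd_send_packet hands the raw result of l_io_get_fd() to the caller as this function's error code. If that helper reports failure with a bare -1, the caller sees a value indistinguishable from -EPERM. Assuming callers treat the return as a negative errno (not visible in this hunk), `return -EBADF;` would be more precise. A short comment saying which runtime condition makes the fd invalid would show the check is more than an analyzer appeasement. The function body continues past the end of the hunk.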
@@ -260,9 +263,13 @@ static bool acd_read_handler(struct l_io *io, void *user_data)
int source_conflict;
int target_conflict;
bool probe;
+ int fd = l_io_get_fd(acd->io);
+
+ if (fd < 0)
+ return true;
memset(&arp, 0, sizeof(arp));
- len = read(l_io_get_fd(acd->io), &arp, sizeof(arp));
+ len = read(fd, &arp, sizeof(arp));
if (len < 0)
return false;
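Review bot: The new early exit in acd_read_handler returns `true` on an invalid descriptor, while the existing read() failure a few lines later returns `false`. An unusable fd is the more permanent of the two conditions, so the two paths look inverted. If the return value tells l_io whether to keep the watch installed (not shown here), `if (fd < 0) return false;` would stop the handler being re-invoked on a dead io. The visible lines also reject only `len < 0`; whether a short read of `arp` is handled lies outside the hunk.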
--
2.26.2
1 year, 4 months
[PATCH] config: Stop config if it cannot find the required program
by Tedd Ho-Jeong An
From: Tedd Ho-Jeong An <tedd.an(a)intel.com>
This patch makes configure stop with an error message if it cannot
find a required program such as xxd or openssl when maintainer mode
is enabled.
---
configure.ac | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/configure.ac b/configure.ac
index 9924aac..a815f6f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -126,7 +126,13 @@ AM_CONDITIONAL(GLIB, test "${enable_glib}" = "yes")
if (test "$USE_MAINTAINER_MODE" = "yes"); then
AC_CHECK_PROG(have_openssl, [openssl], [yes], [no])
+ if (test "${have_openssl}" != "yes"); then
+ AC_MSG_ERROR(openssl is required)
+ fi
AC_CHECK_PROG(have_xxd, [xxd], [yes], [no])
+ if (test "${have_xxd}" != "yes"); then
+ AC_MSG_ERROR(xxd is required)
+ fi
fi
AM_CONDITIONAL(DBUS_TESTS, test "${little_endian}" = "yes")
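Review bot: Both new `AC_MSG_ERROR` calls pass their message unquoted, so m4 would expand any word in it that happens to be a macro name and would split the text at a comma. The autoconf convention is to quote the argument: `AC_MSG_ERROR([openssl is required])` and `AC_MSG_ERROR([xxd is required])`. Because the checks run only inside the `USE_MAINTAINER_MODE` branch, the message could say so, e.g. `[xxd is required in maintainer mode]`. AC_CHECK_PROG only establishes that a program with that name is on PATH, not that it is a usable version.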
--
2.29.2
1 year, 4 months