From 8dc91fb453dfd3d06c1fc2f35fda3507af483074 Mon Sep 17 00:00:00 2001
From: William Smith
Date: Sun, 13 Jan 2013 20:20:54 -0500
Subject: [PATCH] ssl/tls: add proper const attributes to functions, context members

Add proper const attribute to function arguments and SSL context structure members. const attribute is added to function arguments and variables in order to allow compiler checks with -Wbad-function-cast, -Wcast-qual and -Wwrite-strings warnings options.
---
 include/tropicssl/ssl.h | 30 +++++++++++++++---------------
 library/ssl_tls.c | 38 +++++++++++++++++++-------------------
 programs/ssl/ssl_client1.c | 2 +-
 programs/ssl/ssl_client2.c | 3 ++-
 programs/ssl/ssl_server.c | 8 ++++----
 programs/test/ssl_test.c | 6 +++---
 6 files changed, 44 insertions(+), 43 deletions(-)

diff --git a/include/tropicssl/ssl.h b/include/tropicssl/ssl.h
index ca9df72..73d8b45 100644
--- a/include/tropicssl/ssl.h
+++ b/include/tropicssl/ssl.h
@@ -194,9 +194,9 @@ struct _ssl_context {
 * Callbacks (RNG, debug, I/O)
 */
 int (*f_rng) (void *);
- void (*f_dbg) (void *, int, char *);
+ void (*f_dbg) (void *, int, const char *);
 int (*f_recv) (void *, unsigned char *, int);
- int (*f_send) (void *, unsigned char *, int);
+ int (*f_send) (void *, const unsigned char *, int);
 void *p_rng; /*!< context for the RNG function */
 void *p_dbg; /*!< context for the debug function */
@@ -245,7 +245,7 @@ struct _ssl_context {
 x509_cert *own_cert; /*!< own X.509 certificate */
 x509_cert *ca_chain; /*!< own trusted CA chain */
 x509_cert *peer_cert; /*!< peer X.509 cert chain */
- char *peer_cn; /*!< expected peer CN */
+ const char *peer_cn; /*!< expected peer CN */
 int endpoint; /*!< 0: client, 1: server */
 int authmode; /*!< verification mode */
@@ -260,7 +260,7 @@ struct _ssl_context {
 sha1_context fin_sha1; /*!< Finished SHA-1 checksum */
 int do_crypt; /*!< en(de)cryption flag */
- int *ciphers; /*!< allowed ciphersuites */
+ const int *ciphers; /*!< allowed ciphersuites */
 int pmslen; /*!< premaster length */
 int keylen; /*!< symmetric key length */
 int minlen; /*!< min. ciphertext length */
@@ -290,7 +290,7 @@ struct _ssl_context {
 extern "C" {
 #endif
- extern int ssl_default_ciphers[];
+ extern const int ssl_default_ciphers[];
 /**
 * \brief Initialize an SSL context
@@ -345,7 +345,7 @@ extern "C" {
 * \param p_dbg debug parameter
 */
 void ssl_set_dbg(ssl_context * ssl,
- void (*f_dbg) (void *, int, char *), void *p_dbg);
+ void (*f_dbg) (void *, int, const char *), void *p_dbg);
 /**
 * \brief Set the underlying BIO read and write callbacks
@@ -358,7 +358,7 @@ extern "C" {
 */
 void ssl_set_bio(ssl_context * ssl, int (*f_recv) (void *, unsigned char *, int),
- void *p_recv, int (*f_send) (void *, unsigned char *,
+ void *p_recv, int (*f_send) (void *, const unsigned char *,
 int), void *p_send);
 /**
@@ -389,7 +389,7 @@ extern "C" {
 * \param ssl SSL context
 * \param ciphers 0-terminated list of allowed ciphers
 */
- void ssl_set_ciphers(ssl_context * ssl, int *ciphers);
+ void ssl_set_ciphers(ssl_context * ssl, const int *ciphers);
 /**
 * \brief Set the data required to verify peer certificate
@@ -401,7 +401,7 @@ extern "C" {
 * \note TODO: add two more parameters: depth and crl
 */
 void ssl_set_ca_chain(ssl_context * ssl, x509_cert * ca_chain,
- char *peer_cn);
+ const char *peer_cn);
 /**
 * \brief Set own certificate and private key
@@ -423,7 +423,7 @@ extern "C" {
 *
 * \return 0 if successful
 */
- int ssl_set_dh_param(ssl_context * ssl, char *dhm_P, char *dhm_G);
+ int ssl_set_dh_param(ssl_context * ssl, const char *dhm_P, const char *dhm_G);
 /**
 * \brief Set hostname for ServerName TLS Extension
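Review bot: The doc comment above ssl_set_ciphers (hunk @@ -389), and likewise the one above ssl_set_ca_chain (hunk @@ -401), does not say that the argument is retained by reference rather than copied; the implementation hunks in library/ssl_tls.c show `ssl->ciphers = ciphers;` and `ssl->peer_cn = peer_cn;`. With the parameters now const, callers can pass literals or short-lived buffers without a cast, so the lifetime contract deserves a line in the header, e.g. `\note ciphers is stored, not copied; it must stay valid and unchanged for as long as the SSL context is in use`, and the equivalent for peer_cn, which is the expected peer CN used for certificate verification. Both doc comments begin outside their hunks.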
@@ -434,7 +434,7 @@ extern "C" {
 *
 * \return 0 if successful
 */
- int ssl_set_hostname(ssl_context * ssl, char *hostname);
+ int ssl_set_hostname(ssl_context * ssl, const char *hostname);
 /**
 * \brief Return the number of data bytes available to read
@@ -443,7 +443,7 @@ extern "C" {
 *
 * \return how many bytes are available in the read buffer
 */
- int ssl_get_bytes_avail(ssl_context * ssl);
+ int ssl_get_bytes_avail(const ssl_context * ssl);
 /**
 * \brief Return the result of the certificate verification
@@ -456,7 +456,7 @@ extern "C" {
 * BADCERT_CN_MISMATCH
 * BADCERT_NOT_TRUSTED
 */
- int ssl_get_verify_result(ssl_context * ssl);
+ int ssl_get_verify_result(const ssl_context * ssl);
 /**
 * \brief Return the name of the current cipher
@@ -465,7 +465,7 @@ extern "C" {
 *
 * \return a string containing the cipher name
 */
- char *ssl_get_cipher(ssl_context * ssl);
+ const char *ssl_get_cipher(const ssl_context * ssl);
 /**
 * \brief Perform the SSL handshake
@@ -503,7 +503,7 @@ extern "C" {
 * it must be called later with the *same* arguments,
 * until it returns a positive value.
 */
- int ssl_write(ssl_context * ssl, unsigned char *buf, int len);
+ int ssl_write(ssl_context * ssl, const unsigned char *buf, int len);
 /**
 * \brief Notify the peer that the connection is being closed
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index b889ee5..2112e43 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -59,7 +59,7 @@
 /*
 * Key material generation
 */
-static int tls1_prf(unsigned char *secret, int slen, char *label,
+static int tls1_prf(unsigned char *secret, int slen, const char *label,
 unsigned char *random, int rlen, unsigned char *dstbuf, int dlen)
 {
@@ -1351,7 +1351,7 @@ static void ssl_calc_finished(ssl_context * ssl, unsigned char *buf, int from,
 md5_context * md5, sha1_context * sha1)
 {
 int len = 12;
- char *sender;
+ const char *sender;
 unsigned char padbuf[48];
 unsigned char md5sum[16];
 unsigned char sha1sum[20];
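Review bot: In the tls1_prf signature (hunk @@ -59) only `label` becomes const, while `secret` and `random` stay `unsigned char *` even though their names suggest read-only inputs. The function body lies outside the hunk, so this needs checking against the code, but if neither buffer is written through, `const unsigned char *secret` and `const unsigned char *random` would be consistent with the rest of the commit. It would also let the compiler reject any later change that modifies the key material in place.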
@@ -1378,17 +1378,17 @@ static void ssl_calc_finished(ssl_context * ssl, unsigned char *buf, int from,
 sha1->state, sizeof(sha1->state));
 if (ssl->minor_ver == SSL_MINOR_VERSION_0) {
- sender = (from == SSL_IS_CLIENT) ? (char *)"CLNT"
- : (char *)"SRVR";
+ sender = (from == SSL_IS_CLIENT) ? "CLNT"
+ : "SRVR";
 memset(padbuf, 0x36, 48);
- md5_update(md5, (unsigned char *)sender, 4);
+ md5_update(md5, (const unsigned char *)sender, 4);
 md5_update(md5, ssl->session->master, 48);
 md5_update(md5, padbuf, 48);
 md5_finish(md5, md5sum);
- sha1_update(sha1, (unsigned char *)sender, 4);
+ sha1_update(sha1, (const unsigned char *)sender, 4);
 sha1_update(sha1, ssl->session->master, 48);
 sha1_update(sha1, padbuf, 40);
 sha1_finish(sha1, sha1sum);
@@ -1410,7 +1410,7 @@ static void ssl_calc_finished(ssl_context * ssl, unsigned char *buf, int from,
 len += 24;
 } else {
 sender = (from == SSL_IS_CLIENT)
- ? (char *)"client finished" : (char *)"server finished";
+ ? "client finished" : "server finished";
 md5_finish(md5, padbuf);
 sha1_finish(sha1, padbuf + 16);
@@ -1586,7 +1586,7 @@ void ssl_set_rng(ssl_context * ssl, int (*f_rng) (void *), void *p_rng)
 }
 void ssl_set_dbg(ssl_context * ssl,
- void (*f_dbg) (void *, int, char *), void *p_dbg)
+ void (*f_dbg) (void *, int, const char *), void *p_dbg)
 {
 ssl->f_dbg = f_dbg;
 ssl->p_dbg = p_dbg;
@@ -1594,7 +1594,7 @@ void ssl_set_dbg(ssl_context * ssl,
 void ssl_set_bio(ssl_context * ssl, int (*f_recv) (void *, unsigned char *, int), void *p_recv,
- int (*f_send) (void *, unsigned char *, int), void *p_send)
+ int (*f_send) (void *, const unsigned char *, int), void *p_send)
 {
 ssl->f_recv = f_recv;
 ssl->f_send = f_send;
@@ -1617,12 +1617,12 @@ void ssl_set_session(ssl_context * ssl, int resume, int timeout,
 ssl->session = session;
 }
-void ssl_set_ciphers(ssl_context * ssl, int *ciphers)
+void ssl_set_ciphers(ssl_context * ssl, const int *ciphers)
 {
 ssl->ciphers = ciphers;
 }
-void ssl_set_ca_chain(ssl_context * ssl, x509_cert * ca_chain, char *peer_cn)
+void ssl_set_ca_chain(ssl_context * ssl, x509_cert * ca_chain, const char *peer_cn)
 {
 ssl->ca_chain = ca_chain;
 ssl->peer_cn = peer_cn;
@@ -1635,7 +1635,7 @@ void ssl_set_own_cert(ssl_context * ssl, x509_cert * own_cert,
 ssl->rsa_key = rsa_key;
 }
-int ssl_set_dh_param(ssl_context * ssl, char *dhm_P, char *dhm_G)
+int ssl_set_dh_param(ssl_context * ssl, const char *dhm_P, const char *dhm_G)
 {
 int ret;
@@ -1652,7 +1652,7 @@ int ssl_set_dh_param(ssl_context * ssl, char *dhm_P, char *dhm_G)
 return (0);
 }
-int ssl_set_hostname(ssl_context * ssl, char *hostname)
+int ssl_set_hostname(ssl_context * ssl, const char *hostname)
 {
 if (hostname == NULL)
 return (TROPICSSL_ERR_SSL_BAD_INPUT_DATA);
@@ -1660,7 +1660,7 @@ int ssl_set_hostname(ssl_context * ssl, char *hostname)
 ssl->hostname_len = strlen(hostname);
 ssl->hostname = (unsigned char *)malloc(ssl->hostname_len + 1);
- memcpy(ssl->hostname, (unsigned char *)hostname, ssl->hostname_len);
+ memcpy(ssl->hostname, hostname, ssl->hostname_len);
 return (0);
 }
@@ -1668,17 +1668,17 @@ int ssl_set_hostname(ssl_context * ssl, char *hostname)
 /*
 * SSL get accessors
 */
-int ssl_get_bytes_avail(ssl_context * ssl)
+int ssl_get_bytes_avail(const ssl_context * ssl)
 {
 return (ssl->in_offt == NULL ? 0 : ssl->in_msglen);
 }
-int ssl_get_verify_result(ssl_context * ssl)
+int ssl_get_verify_result(const ssl_context * ssl)
 {
 return (ssl->verify_result);
 }
-char *ssl_get_cipher(ssl_context * ssl)
+const char *ssl_get_cipher(const ssl_context * ssl)
 {
 switch (ssl->session->cipher) {
 #if defined(TROPICSSL_ARC4_C)
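Review bot: In ssl_set_hostname (hunk @@ -1660) the malloc() result goes straight into the memcpy() this commit edits, so an allocation failure becomes a write through a NULL pointer. An `if (ssl->hostname == NULL)` check before the copy should return the library's allocation-failure code; none is visible in this diff, so the right constant needs to be looked up. The buffer is sized `ssl->hostname_len + 1`, yet nothing in the lines shown writes the last byte, so `ssl->hostname[ssl->hostname_len] = '\0';` after the memcpy is needed if any consumer reads it as a C string. The function begins in the previous hunk and one line between the two hunks is not shown, so whether a previously set hostname buffer is freed before being overwritten cannot be judged from here.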
@@ -1726,7 +1726,7 @@ char *ssl_get_cipher(ssl_context * ssl)
 return ("unknown");
 }
-int ssl_default_ciphers[] = {
+const int ssl_default_ciphers[] = {
 #if defined(TROPICSSL_DHM_C)
 #if defined(TROPICSSL_AES_C)
 SSL_EDH_RSA_AES_256_SHA,
@@ -1843,7 +1843,7 @@ int ssl_read(ssl_context * ssl, unsigned char *buf, int len)
 /*
 * Send application data to be encrypted by the SSL layer
 */
-int ssl_write(ssl_context * ssl, unsigned char *buf, int len)
+int ssl_write(ssl_context * ssl, const unsigned char *buf, int len)
 {
 int ret, n;
diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index f661bec..3526790 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@@ -56,7 +56,7 @@
 #define DEBUG_LEVEL 0
-void my_debug(void *ctx, int level, char *str)
+static void my_debug(void *ctx, int level, const char *str)
 {
 if (level < DEBUG_LEVEL) {
 fprintf((FILE *) ctx, "%s", str);
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 39784a0..89e19e6 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -58,7 +58,7 @@
 #define DEBUG_LEVEL 0
-void my_debug(void *ctx, int level, char *str)
+static void my_debug(void *ctx, int level, const char *str)
 {
 if (level < DEBUG_LEVEL) {
 fprintf((FILE *) ctx, "%s", str);
@@ -162,6 +162,7 @@ int main(void)
 ssl_set_authmode(&ssl, SSL_VERIFY_OPTIONAL);
 ssl_set_rng(&ssl, havege_rand, &hs);
+ ssl_set_dbg(&ssl, my_debug, stdout);
 ssl_set_bio(&ssl, net_recv, &server_fd, net_send, &server_fd);
 ssl_set_ciphers(&ssl, ssl_default_ciphers);
diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c
index 0e62182..278f1dd 100644
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@@ -60,7 +60,7 @@
 * long time, so a precomputed value is provided below.
 * You may run dh_genprime to generate a new value.
 */
-char *my_dhm_P =
+static const char *my_dhm_P =
 "E4004C1F94182000103D883A448B3F80"
 "2CE4B44A83301270002C20D0321CFD00"
 "11CCEF784C26A400F43DFB901BCA7538"
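Review bot: The added `ssl_set_dbg(&ssl, my_debug, stdout);` in main of ssl_client2.c (hunk @@ -162) is a behaviour change that the commit message, which only describes const qualifiers, does not mention. With `DEBUG_LEVEL` at 0 the `level < DEBUG_LEVEL` test in my_debug prints nothing, but once someone raises it the library's handshake trace will go to stdout and mix with the program's normal output. Passing `stderr` instead, as my_debug in programs/test/ssl_test.c does, keeps diagnostics separate, and the line deserves its own mention in the commit message or a separate commit. main's body continues outside the hunk.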
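Review bot: `static const char *my_dhm_P` in ssl_server.c (hunk @@ -60) makes the characters const but leaves the pointer itself writable, so the Diffie-Hellman parameter the server hands to ssl_set_dh_param can still be re-pointed at run time. Declaring it as `static const char my_dhm_P[] =` (or `static const char *const my_dhm_P =`) makes the whole object read-only. The same applies to `my_dhm_G` in the next hunk and to `dhm_G` and `dhm_P` in programs/test/ssl_test.c.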
@@ -69,12 +69,12 @@ char *my_dhm_P =
 "FFA1D0B601EB2800F489AA512C4B248C"
 "01F76949A60BB7F00A40B1EAB64BDD48"
 "E8A700D60B7F1200FA8E77B0A979DABF";
-char *my_dhm_G = "4";
+static const char *my_dhm_G = "4";
 /*
 * Sorted by order of preference
 */
-int my_ciphers[] = {
+static const int my_ciphers[] = {
 SSL_EDH_RSA_AES_256_SHA,
 SSL_EDH_RSA_CAMELLIA_256_SHA,
 SSL_EDH_RSA_DES_168_SHA,
@@ -90,7 +90,7 @@ int my_ciphers[] = {
 #define DEBUG_LEVEL 0
-void my_debug(void *ctx, int level, char *str)
+static void my_debug(void *ctx, int level, const char *str)
 {
 if (level < DEBUG_LEVEL) {
 fprintf((FILE *) ctx, "%s", str);
diff --git a/programs/test/ssl_test.c b/programs/test/ssl_test.c
index 4038c32..4ea9b8e 100644
--- a/programs/test/ssl_test.c
+++ b/programs/test/ssl_test.c
@@ -75,8 +75,8 @@
 /*
 * server-specific data
 */
-char *dhm_G = "4";
-char *dhm_P =
+static const char *dhm_G = "4";
+static const char *dhm_P =
 "E4004C1F94182000103D883A448B3F802CE4B44A83301270002C20D0321CFD00"
 "11CCEF784C26A400F43DFB901BCA7538F2C6B176001CF5A0FD16D2C48B1D0C1C"
 "F6AC8E1DA6BCC3B4E1F96B0564965300FFA1D0B601EB2800F489AA512C4B248C"
@@ -127,7 +127,7 @@ unsigned long int lcppm5(unsigned long int *state)
 return (u);
 }
-void my_debug(void *ctx, int level, char *str)
+static void my_debug(void *ctx, int level, const char *str)
 {
 if (level < ((struct options *)ctx)->debug_level)
 fprintf(stderr, "%s", str);
-- 
2.11.4.GIT