From b3d4e6b0852e9d1ba2020e890d8a19c488b82374 Mon Sep 17 00:00:00 2001 From: Simon Rozman Date: Mon, 3 Oct 2016 12:45:55 +0200 Subject: [PATCH] ID 4. Possibility of method_tls class initialization list optimization from security audit fixed --- lib/TLS/include/Method.h | 2 +- lib/TLS/include/TLS.h | 53 ++++++++++++++++++++++++++++++++++++++++ lib/TLS/src/Method.cpp | 27 ++++++-------------- 3 files changed, 62 insertions(+), 20 deletions(-) diff --git a/lib/TLS/include/Method.h b/lib/TLS/include/Method.h index 44ea934..7b71689 100644 --- a/lib/TLS/include/Method.h +++ b/lib/TLS/include/Method.h @@ -461,7 +461,7 @@ namespace eap winstd::crypt_hash m_hash_handshake_msgs_sha1; ///< Running SHA-1 hash of handshake messages winstd::crypt_hash m_hash_handshake_msgs_sha256; ///< Running SHA-256 hash of handshake messages - bool m_handshake[tls_handshake_type_max]; ///< Handshake flags (map od handshake messages received) + tls_handshake_flags m_handshake; ///< Handshake flags (map od handshake messages received) enum { phase_unknown = -1, ///< Unknown phase diff --git a/lib/TLS/include/TLS.h b/lib/TLS/include/TLS.h index a4176ac..88cce47 100644 --- a/lib/TLS/include/TLS.h +++ b/lib/TLS/include/TLS.h @@ -96,12 +96,19 @@ namespace eap /// EAP-TLS packet /// class packet_tls; + + /// + /// TLS map of handshake messages received + /// + class tls_handshake_flags; } #pragma once #include +#include + namespace eap { 
@@ -615,4 +622,50 @@ namespace eap public: unsigned char m_flags; ///< Packet flags }; + + + class tls_handshake_flags + { + public: + /// + /// Constructs an empty set of flags + /// + inline tls_handshake_flags() + { + memset(m_flags, 0, sizeof(m_flags)); + } + + /// + /// Empty set of flags + /// + inline void clear() + { + memset(m_flags, 0, sizeof(m_flags)); + } + + /// + /// Set particular flag + /// + /// \param[in] type TLS handshake message to set its flag + /// + inline void set(_In_ tls_handshake_type_t type) + { + assert(tls_handshake_type_min <= type && type < tls_handshake_type_max); + m_flags[type] = true; + } + + /// + /// Get particular flag + /// + /// \param[in] type TLS handshake message to get its flag + /// + inline bool operator[](_In_ tls_handshake_type_t type) const + { + assert(tls_handshake_type_min <= type && type < tls_handshake_type_max); + return m_flags[type]; + } + + protected: + bool m_flags[tls_handshake_type_max]; ///< Set of flags + }; } diff --git a/lib/TLS/src/Method.cpp b/lib/TLS/src/Method.cpp index f2397d8..d339a93 100644 --- a/lib/TLS/src/Method.cpp +++ b/lib/TLS/src/Method.cpp @@ -65,6 +65,10 @@ eap::method_tls::method_tls(_In_ module &module, _In_ config_method_tls &cfg, _I m_cred(cred), m_user_ctx(NULL), #if EAP_TLS < EAP_TLS_SCHANNEL + m_tls_version(tls_version_1_2), +#ifdef _DEBUG + m_alg_prf(0), +#endif m_session_resumed(false), m_phase(phase_unknown), m_seq_num_client(0), @@ -74,12 +78,6 @@ eap::method_tls::method_tls(_In_ module &module, _In_ config_method_tls &cfg, _I #endif method(module, cfg, cred) { -#if EAP_TLS < EAP_TLS_SCHANNEL - m_tls_version = tls_version_1_2; -#ifdef _DEBUG - memset(m_handshake, 0, sizeof(m_handshake)); -#endif -#endif } 
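Review bot: The range checks in `tls_handshake_flags::set()` and `operator[]` are `assert`s, so they vanish in builds that define NDEBUG, and an out-of-range `type` would then index past `m_flags`. The type appears to come from the received handshake message, and the only release-time guard visible in this patch is the `type < tls_handshake_type_max` test around `m_handshake.set(type)` in process_handshake (last hunk of Method.cpp); callers of `operator[]` are not shown. I would make the check unconditional inside the class, e.g. in `set()`: `if (type < tls_handshake_type_min || type >= tls_handshake_type_max) return;`, and have `operator[]` return `false` for an out-of-range type. The class also uses `memset` and `assert`, so confirm the header added in the previous TLS.h hunk declares them (the include name is not readable here).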
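Review bot: `m_alg_prf(0)` sits inside `#ifdef _DEBUG`, so release builds leave `m_alg_prf` without an initializer in this constructor. If any path reads it before the handshake assigns it, the value is indeterminate in release builds only, and debug testing would not catch that. Unless there is a measured reason for it, drop the `#ifdef _DEBUG`/`#endif` pair and keep `m_alg_prf(0),` unconditional. It is also worth confirming that the new initializers follow the member declaration order in Method.h (not visible here), since members are initialized in declaration order regardless of the list order. The initializer list starts above this hunk.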
@@ -111,6 +109,7 @@ eap::method_tls::method_tls(_Inout_ method_tls &&other) : m_hash_handshake_msgs_md5 (std::move(other.m_hash_handshake_msgs_md5 )), m_hash_handshake_msgs_sha1 (std::move(other.m_hash_handshake_msgs_sha1 )), m_hash_handshake_msgs_sha256(std::move(other.m_hash_handshake_msgs_sha256)), + m_handshake (std::move(other.m_handshake )), m_phase (std::move(other.m_phase )), m_seq_num_client (std::move(other.m_seq_num_client )), m_seq_num_server (std::move(other.m_seq_num_server )), @@ -123,12 +122,6 @@ eap::method_tls::method_tls(_Inout_ method_tls &&other) : #endif method (std::move(other )) { -#if EAP_TLS < EAP_TLS_SCHANNEL - memcpy(m_handshake, other.m_handshake, sizeof(m_handshake)); -#ifdef _DEBUG - memset(other.m_handshake, 0, sizeof(m_handshake)); -#endif -#endif } @@ -162,14 +155,10 @@ eap::method_tls& eap::method_tls::operator=(_Inout_ method_tls &&other) m_hash_handshake_msgs_md5 = std::move(other.m_hash_handshake_msgs_md5 ); m_hash_handshake_msgs_sha1 = std::move(other.m_hash_handshake_msgs_sha1 ); m_hash_handshake_msgs_sha256 = std::move(other.m_hash_handshake_msgs_sha256); + m_handshake = std::move(other.m_handshake ); m_phase = std::move(other.m_phase ); m_seq_num_client = std::move(other.m_seq_num_client ); m_seq_num_server = std::move(other.m_seq_num_server ); - - memcpy(m_handshake, other.m_handshake, sizeof(m_handshake)); -#ifdef _DEBUG - memset(other.m_handshake, 0, sizeof(m_handshake)); -#endif #else m_sc_target_name = std::move(other.m_sc_target_name ); m_sc_cred = std::move(other.m_sc_cred ); @@ -310,7 +299,7 @@ void eap::method_tls::process_request_packet( m_key_mppe_server.clear(); } else { // Process the packet. - memset(m_handshake, 0, sizeof(m_handshake)); + m_handshake.clear(); m_packet_res.m_data.clear(); process_packet(m_packet_req.m_data.data(), m_packet_req.m_data.size()); } 
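Review bot: After this change the moved-from `other.m_handshake` keeps its flags, because the implicitly generated move of `tls_handshake_flags` simply copies the `bool` array. The debug-only `memset(other.m_handshake, 0, ...)` is removed from both the move constructor and the move assignment (third hunk on this line). Release behaviour is unchanged, but if a moved-from `method_tls` can ever be reused, stale handshake flags would survive the move. Either add `other.m_handshake.clear();` to both bodies, or state the intent with a comment such as `// m_handshake is copied; the source keeps its flags`. Both function bodies extend outside the hunks shown.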
@@ -1103,7 +1092,7 @@ void eap::method_tls::process_handshake(_In_bytecount_(size_msg) const void *_ms if (type < tls_handshake_type_max) { // Set the flag this handshake message was received. - m_handshake[type] = true; + m_handshake.set(type); } if (type != tls_handshake_type_hello_request) {