aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorlloyd <[email protected]>2012-01-19 13:37:39 +0000
committerlloyd <[email protected]>2012-01-19 13:37:39 +0000
commit0ac2549aba9a3265a8108b475dffb380dbb07715 (patch)
treeac71301adf5c6b337bf70c476f8c5a1dab6befbd
parente3d14f1bacde5f23d63ccc5860d5c13c81f70b3a (diff)
Support SSLv3 client auth on the client side.
Add getters for major and minor protocoll version on TLS_Session. Add Certificate_Type code points for ECC certs.
-rw-r--r--src/tls/cert_req.cpp2
-rw-r--r--src/tls/cert_ver.cpp24
-rw-r--r--src/tls/tls_client.cpp18
-rw-r--r--src/tls/tls_magic.h12
-rw-r--r--src/tls/tls_messages.h2
-rw-r--r--src/tls/tls_session.h10
6 files changed, 53 insertions, 15 deletions
diff --git a/src/tls/cert_req.cpp b/src/tls/cert_req.cpp
index ce1941a0a..0168e4b7d 100644
--- a/src/tls/cert_req.cpp
+++ b/src/tls/cert_req.cpp
@@ -45,7 +45,7 @@ MemoryVector<byte> Certificate_Req::serialize() const
append_tls_length_value(buf, types, 1);
- for(size_t i = 0; i 1= names.size(); ++i)
+ for(size_t i = 0; i != names.size(); ++i)
{
DER_Encoder encoder;
encoder.encode(names[i]);
diff --git a/src/tls/cert_ver.cpp b/src/tls/cert_ver.cpp
index 5a20e3029..2c2ec9b2a 100644
--- a/src/tls/cert_ver.cpp
+++ b/src/tls/cert_ver.cpp
@@ -1,6 +1,6 @@
/*
* Certificate Verify Message
-* (C) 2004-2011 Jack Lloyd
+* (C) 2004,2006,2011,2012 Jack Lloyd
*
* Released under the terms of the Botan license
*/
@@ -23,6 +23,8 @@ namespace Botan {
Certificate_Verify::Certificate_Verify(Record_Writer& writer,
TLS_Handshake_Hash& hash,
RandomNumberGenerator& rng,
+ Version_Code version,
+ const SecureVector<byte>& master_secret,
const Private_Key* priv_key)
{
BOTAN_ASSERT_NONNULL(priv_key);
@@ -34,7 +36,10 @@ Certificate_Verify::Certificate_Verify(Record_Writer& writer,
padding = "EMSA3(TLS.Digest.0)";
else if(priv_key->algo_name() == "DSA")
{
- padding = "EMSA1(SHA-1)";
+ if(version == SSL_V3)
+ padding = "Raw";
+ else
+ padding = "EMSA1(SHA-1)";
format = DER_SEQUENCE;
}
else
@@ -43,7 +48,20 @@ Certificate_Verify::Certificate_Verify(Record_Writer& writer,
PK_Signer signer(*priv_key, padding, format);
- signature = signer.sign_message(hash.final(), rng);
+ if(version == SSL_V3)
+ {
+ SecureVector<byte> md5_sha = hash.final_ssl3(master_secret);
+
+ signature = signer.sign_message(&md5_sha[16], md5_sha.size()-16, rng);
+ }
+ else if(version == TLS_V10 || version == TLS_V11)
+ {
+ signature = signer.sign_message(hash.get_contents(), rng);
+ }
+ else
+ throw TLS_Exception(PROTOCOL_VERSION,
+ "Unknown TLS version in certificate verification");
+
send(writer, hash);
}
diff --git a/src/tls/tls_client.cpp b/src/tls/tls_client.cpp
index 7abcdf644..ca4a56007 100644
--- a/src/tls/tls_client.cpp
+++ b/src/tls/tls_client.cpp
@@ -333,6 +333,11 @@ void TLS_Client::process_handshake_msg(Handshake_Type type,
state->kex_pub, state->version,
state->client_hello->version());
+ state->keys = SessionKeys(state->suite, state->version,
+ state->client_kex->pre_master_secret(),
+ state->client_hello->random(),
+ state->server_hello->random());
+
if(state->received_handshake_msg(CERTIFICATE_REQUEST) &&
!state->client_certs->empty())
{
@@ -341,15 +346,14 @@ void TLS_Client::process_handshake_msg(Handshake_Type type,
"tls-client",
state->client_hello->sni_hostname());
- state->client_verify = new Certificate_Verify(writer, state->hash,
- rng, private_key);
+ state->client_verify = new Certificate_Verify(writer,
+ state->hash,
+ rng,
+ state->version,
+ state->keys.master_secret(),
+ private_key);
}
- state->keys = SessionKeys(state->suite, state->version,
- state->client_kex->pre_master_secret(),
- state->client_hello->random(),
- state->server_hello->random());
-
writer.send(CHANGE_CIPHER_SPEC, 1);
writer.activate(state->suite, state->keys, CLIENT);
diff --git a/src/tls/tls_magic.h b/src/tls/tls_magic.h
index 51fe91e8b..231ac363f 100644
--- a/src/tls/tls_magic.h
+++ b/src/tls/tls_magic.h
@@ -101,10 +101,14 @@ enum Alert_Type {
};
enum Certificate_Type {
- RSA_CERT = 1,
- DSS_CERT = 2,
- DH_RSA_CERT = 3,
- DH_DSS_CERT = 4
+ RSA_CERT = 1,
+ DSS_CERT = 2,
+ DH_RSA_CERT = 3,
+ DH_DSS_CERT = 4,
+
+ ECDSA_CERT = 64,
+ ECDH_RSA_CERT = 65,
+ ECDH_ECDSA_CERT = 66
};
enum Ciphersuite_Code {
diff --git a/src/tls/tls_messages.h b/src/tls/tls_messages.h
index 6c2749e42..ee05031c0 100644
--- a/src/tls/tls_messages.h
+++ b/src/tls/tls_messages.h
@@ -302,6 +302,8 @@ class Certificate_Verify : public Handshake_Message
Certificate_Verify(Record_Writer& writer,
TLS_Handshake_Hash& hash,
RandomNumberGenerator& rng,
+ Version_Code version,
+ const SecureVector<byte>& master_secret,
const Private_Key* key);
Certificate_Verify(const MemoryRegion<byte>& buf) { deserialize(buf); }
diff --git a/src/tls/tls_session.h b/src/tls/tls_session.h
index b4b3861ed..f1352a0e0 100644
--- a/src/tls/tls_session.h
+++ b/src/tls/tls_session.h
@@ -68,6 +68,16 @@ class BOTAN_DLL TLS_Session
{ return static_cast<Version_Code>(m_version); }
/**
+ * Get the major version of the saved session
+ */
+ byte major_version() const { return get_byte(0, m_version); }
+
+ /**
+ * Get the minor version of the saved session
+ */
+ byte minor_version() const { return get_byte(0, m_version); }
+
+ /**
* Get the ciphersuite of the saved session
*/
u16bit ciphersuite() const { return m_ciphersuite; }