authorlloyd <[email protected]>2012-08-06 12:22:59 +0000
committerlloyd <[email protected]>2012-08-06 12:22:59 +0000
commitadde1ee09300a4dd7a42a6f8e819b8f92ca4a2bd (patch)
tree28325f295b58a621349ec2ae797c87beec2e6887
parent8120cce3f345a212c1f81226441d71cd75aa3cbc (diff)
Make the handshake hash private
-rw-r--r--src/tls/msg_cert_verify.cpp10
-rw-r--r--src/tls/msg_client_kex.cpp2
-rw-r--r--src/tls/msg_finished.cpp6
-rw-r--r--src/tls/msg_server_kex.cpp2
-rw-r--r--src/tls/tls_client.cpp14
-rw-r--r--src/tls/tls_handshake_state.h7
-rw-r--r--src/tls/tls_server.cpp28
7 files changed, 36 insertions, 33 deletions
diff --git a/src/tls/msg_cert_verify.cpp b/src/tls/msg_cert_verify.cpp
index c3ad38322..2d283edca 100644
--- a/src/tls/msg_cert_verify.cpp
+++ b/src/tls/msg_cert_verify.cpp
@@ -34,7 +34,7 @@ Certificate_Verify::Certificate_Verify(Handshake_IO& io,
if(state->version() == Protocol_Version::SSL_V3)
{
- secure_vector<byte> md5_sha = state->hash.final_ssl3(
+ secure_vector<byte> md5_sha = state->hash().final_ssl3(
state->session_keys().master_secret());
if(priv_key->algo_name() == "DSA")
@@ -44,10 +44,10 @@ Certificate_Verify::Certificate_Verify(Handshake_IO& io,
}
else
{
- m_signature = signer.sign_message(state->hash.get_contents(), rng);
+ m_signature = signer.sign_message(state->hash().get_contents(), rng);
}
- state->hash.update(io.send(*this));
+ state->hash().update(io.send(*this));
}
/*
@@ -103,14 +103,14 @@ bool Certificate_Verify::verify(const X509_Certificate& cert,
if(state->version() == Protocol_Version::SSL_V3)
{
- secure_vector<byte> md5_sha = state->hash.final_ssl3(
+ secure_vector<byte> md5_sha = state->hash().final_ssl3(
state->session_keys().master_secret());
return verifier.verify_message(&md5_sha[16], md5_sha.size()-16,
&m_signature[0], m_signature.size());
}
- return verifier.verify_message(state->hash.get_contents(), m_signature);
+ return verifier.verify_message(state->hash().get_contents(), m_signature);
}
}
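Review bot: In the SSLv3 branch of `verify`, `&m_signature[0]` indexes the signature vector with no length check visible in the hunk, and `m_signature` is presumably parsed from the peer's CertificateVerify message. If that parser admits a zero-length signature, `operator[]` on an empty vector is undefined behaviour; passing `m_signature.data()` together with `m_signature.size()` avoids it. The bare `16` (apparently the MD5 part of the MD5||SHA-1 output being skipped) would also read better as a named constant with a comment saying why that half is dropped. The start of `verify`, including how `verifier` is configured, lies outside the hunk, so the parser's bounds should be confirmed there.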
diff --git a/src/tls/msg_client_kex.cpp b/src/tls/msg_client_kex.cpp
index 1677f3f39..16aa2e5a5 100644
--- a/src/tls/msg_client_kex.cpp
+++ b/src/tls/msg_client_kex.cpp
@@ -259,7 +259,7 @@ Client_Key_Exchange::Client_Key_Exchange(Handshake_IO& io,
pub_key->algo_name());
}
- state->hash.update(io.send(*this));
+ state->hash().update(io.send(*this));
}
/*
diff --git a/src/tls/msg_finished.cpp b/src/tls/msg_finished.cpp
index 24b41c370..390f05300 100644
--- a/src/tls/msg_finished.cpp
+++ b/src/tls/msg_finished.cpp
@@ -26,7 +26,7 @@ std::vector<byte> finished_compute_verify(const Handshake_State* state,
const byte SSL_CLIENT_LABEL[] = { 0x43, 0x4C, 0x4E, 0x54 };
const byte SSL_SERVER_LABEL[] = { 0x53, 0x52, 0x56, 0x52 };
- Handshake_Hash hash = state->hash; // don't modify state
+ Handshake_Hash hash = state->hash(); // don't modify state
std::vector<byte> ssl3_finished;
@@ -55,7 +55,7 @@ std::vector<byte> finished_compute_verify(const Handshake_State* state,
else
input += std::make_pair(TLS_SERVER_LABEL, sizeof(TLS_SERVER_LABEL));
- input += state->hash.final(state->version(), state->ciphersuite().mac_algo());
+ input += state->hash().final(state->version(), state->ciphersuite().mac_algo());
return unlock(prf->derive_key(12, state->session_keys().master_secret(), input));
}
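Review bot: The literal `12` passed to `prf->derive_key` in `finished_compute_verify` is the length of the Finished verify_data, but nothing in the hunk says so; a named constant, e.g. `const size_t TLS_VERIFY_DATA_LEN = 12;` next to the label arrays, would document it. The SSLv3 path of the same function copies the hash (`// don't modify state`), while this line calls `final()` on the state's own hash through the const accessor. A one-line comment saying that `final()` must leave the running transcript untouched would keep that assumption visible. The function begins above this hunk.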
@@ -71,7 +71,7 @@ Finished::Finished(Handshake_IO& io,
Connection_Side side)
{
m_verification_data = finished_compute_verify(state, side);
- state->hash.update(io.send(*this));
+ state->hash().update(io.send(*this));
}
/*
diff --git a/src/tls/msg_server_kex.cpp b/src/tls/msg_server_kex.cpp
index f3721a2b5..b3c4e9017 100644
--- a/src/tls/msg_server_kex.cpp
+++ b/src/tls/msg_server_kex.cpp
@@ -135,7 +135,7 @@ Server_Key_Exchange::Server_Key_Exchange(Handshake_IO& io,
m_signature = signer.signature(rng);
}
- state->hash.update(io.send(*this));
+ state->hash().update(io.send(*this));
}
/**
diff --git a/src/tls/tls_client.cpp b/src/tls/tls_client.cpp
index d1b076498..57195e1f9 100644
--- a/src/tls/tls_client.cpp
+++ b/src/tls/tls_client.cpp
@@ -88,7 +88,7 @@ void Client::initiate_handshake(bool force_full_renegotiation,
{
m_state->client_hello(new Client_Hello(
m_state->handshake_io(),
- m_state->hash,
+ m_state->hash(),
m_policy,
m_rng,
m_secure_renegotiation.for_client_hello(),
@@ -104,7 +104,7 @@ void Client::initiate_handshake(bool force_full_renegotiation,
{
m_state->client_hello(new Client_Hello(
m_state->handshake_io(),
- m_state->hash,
+ m_state->hash(),
version,
m_policy,
m_rng,
@@ -160,7 +160,7 @@ void Client::process_handshake_msg(Handshake_Type type,
m_state->confirm_transition_to(type);
if(type != HANDSHAKE_CCS && type != FINISHED && type != HELLO_VERIFY_REQUEST)
- m_state->hash.update(m_state->handshake_io().format(contents, type));
+ m_state->hash().update(m_state->handshake_io().format(contents, type));
if(type == HELLO_VERIFY_REQUEST)
{
@@ -171,7 +171,7 @@ void Client::process_handshake_msg(Handshake_Type type,
std::unique_ptr<Client_Hello> client_hello_w_cookie(
new Client_Hello(m_state->handshake_io(),
- m_state->hash,
+ m_state->hash(),
*m_state->client_hello(),
hello_verify_request));
@@ -366,7 +366,7 @@ void Client::process_handshake_msg(Handshake_Type type,
m_state->client_certs(
new Certificate(m_state->handshake_io(),
- m_state->hash,
+ m_state->hash(),
client_certs)
);
}
@@ -413,7 +413,7 @@ void Client::process_handshake_msg(Handshake_Type type,
m_state->client_npn_cb(m_state->server_hello()->next_protocols());
m_state->next_protocol(
- new Next_Protocol(m_state->handshake_io(), m_state->hash, protocol)
+ new Next_Protocol(m_state->handshake_io(), m_state->hash(), protocol)
);
}
@@ -451,7 +451,7 @@ void Client::process_handshake_msg(Handshake_Type type,
throw TLS_Exception(Alert::DECRYPT_ERROR,
"Finished message didn't verify");
- m_state->hash.update(m_state->handshake_io().format(contents, type));
+ m_state->hash().update(m_state->handshake_io().format(contents, type));
if(!m_state->client_finished()) // session resume case
{
diff --git a/src/tls/tls_handshake_state.h b/src/tls/tls_handshake_state.h
index 8fc9cc89e..66c1ac113 100644
--- a/src/tls/tls_handshake_state.h
+++ b/src/tls/tls_handshake_state.h
@@ -143,11 +143,13 @@ class Handshake_State
void compute_session_keys(const secure_vector<byte>& resume_master_secret);
+ Handshake_Hash& hash() { return m_handshake_hash; }
+
+ const Handshake_Hash& hash() const { return m_handshake_hash; }
+
// Used by the server only, in case of RSA key exchange
Private_Key* server_rsa_kex_key = nullptr; // FIXME make private
- Handshake_Hash hash; // FIXME make private
-
/*
* Only used by clients for session resumption
*/
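Review bot: The new non-const `hash()` returns a mutable `Handshake_Hash&`, so moving the member to the private section does not yet restrict who can alter the transcript: any holder of a non-const `Handshake_State` can still call `update()` or assign through the reference. The other files in this commit show this hash feeding the Finished and CertificateVerify computations, so the accessor pair deserves a doc comment, for example `/// Running hash of all handshake messages; mutate only when a message is sent or accepted.` A later step could replace the mutable accessor with a narrow update-only method (name to be chosen by the project) so that read-only callers go through the const overload. The class body extends beyond the hunk on both sides.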
@@ -172,6 +174,7 @@ class Handshake_State
Protocol_Version m_version;
Ciphersuite m_ciphersuite;
Session_Keys m_session_keys;
+ Handshake_Hash m_handshake_hash;
std::unique_ptr<Client_Hello> m_client_hello;
std::unique_ptr<Server_Hello> m_server_hello;
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index dbdea9eac..12de34cdd 100644
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -256,9 +256,9 @@ void Server::process_handshake_msg(Handshake_Type type,
if(type != HANDSHAKE_CCS && type != FINISHED && type != CERTIFICATE_VERIFY)
{
if(type == CLIENT_HELLO_SSLV2)
- m_state->hash.update(contents);
+ m_state->hash().update(contents);
else
- m_state->hash.update(m_state->handshake_io().format(contents, type));
+ m_state->hash().update(m_state->handshake_io().format(contents, type));
}
if(type == CLIENT_HELLO || type == CLIENT_HELLO_SSLV2)
@@ -366,7 +366,7 @@ void Server::process_handshake_msg(Handshake_Type type,
m_state->server_hello(
new Server_Hello(
m_state->handshake_io(),
- m_state->hash,
+ m_state->hash(),
m_state->client_hello()->session_id(),
Protocol_Version(session_info.version()),
session_info.ciphersuite_code(),
@@ -399,7 +399,7 @@ void Server::process_handshake_msg(Handshake_Type type,
{
m_state->new_session_ticket(
new New_Session_Ticket(m_state->handshake_io(),
- m_state->hash)
+ m_state->hash())
);
}
}
@@ -412,7 +412,7 @@ void Server::process_handshake_msg(Handshake_Type type,
m_state->new_session_ticket(
new New_Session_Ticket(m_state->handshake_io(),
- m_state->hash,
+ m_state->hash(),
session_info.encrypt(ticket_key, m_rng),
m_policy.session_ticket_lifetime())
);
@@ -422,7 +422,7 @@ void Server::process_handshake_msg(Handshake_Type type,
if(!m_state->new_session_ticket())
{
m_state->new_session_ticket(
- new New_Session_Ticket(m_state->handshake_io(), m_state->hash)
+ new New_Session_Ticket(m_state->handshake_io(), m_state->hash())
);
}
}
@@ -464,7 +464,7 @@ void Server::process_handshake_msg(Handshake_Type type,
m_state->server_hello(
new Server_Hello(
m_state->handshake_io(),
- m_state->hash,
+ m_state->hash(),
make_hello_random(m_rng), // new session ID
m_state->version(),
choose_ciphersuite(m_policy,
@@ -501,7 +501,7 @@ void Server::process_handshake_msg(Handshake_Type type,
m_state->server_certs(
new Certificate(m_state->handshake_io(),
- m_state->hash,
+ m_state->hash(),
cert_chains[sig_algo])
);
}
@@ -542,7 +542,7 @@ void Server::process_handshake_msg(Handshake_Type type,
{
m_state->cert_req(
new Certificate_Req(m_state->handshake_io(),
- m_state->hash,
+ m_state->hash(),
m_policy,
client_auth_CAs,
m_state->version())
@@ -559,7 +559,7 @@ void Server::process_handshake_msg(Handshake_Type type,
m_state->set_expected_next(CLIENT_KEX);
m_state->server_hello_done(
- new Server_Hello_Done(m_state->handshake_io(), m_state->hash)
+ new Server_Hello_Done(m_state->handshake_io(), m_state->hash())
);
}
}
@@ -591,7 +591,7 @@ void Server::process_handshake_msg(Handshake_Type type,
const bool sig_valid =
m_state->client_verify()->verify(m_peer_certs[0], m_state.get());
- m_state->hash.update(m_state->handshake_io().format(contents, type));
+ m_state->hash().update(m_state->handshake_io().format(contents, type));
/*
* Using DECRYPT_ERROR looks weird here, but per RFC 4346 is for
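Review bot: The order of the two statements here is security-relevant and undocumented: `verify()` reads `m_state->hash()` before the CertificateVerify message itself is added to it, which matches the exclusion of `CERTIFICATE_VERIFY` from the generic update near the top of `process_handshake_msg`. A comment such as `// hash must not yet include this message: the signature covers the transcript up to CertificateVerify` above the `update()` call would stop a later refactor from swapping them. `m_peer_certs[0]` is also indexed with no emptiness check visible in the hunk. If that guarantee comes from the state machine outside this hunk, a short comment or an explicit check would make the dependency clear.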
@@ -647,7 +647,7 @@ void Server::process_handshake_msg(Handshake_Type type,
{
// already sent finished if resuming, so this is a new session
- m_state->hash.update(m_state->handshake_io().format(contents, type));
+ m_state->hash().update(m_state->handshake_io().format(contents, type));
Session session_info(
m_state->server_hello()->session_id(),
@@ -674,7 +674,7 @@ void Server::process_handshake_msg(Handshake_Type type,
m_state->new_session_ticket(
new New_Session_Ticket(m_state->handshake_io(),
- m_state->hash,
+ m_state->hash(),
session_info.encrypt(ticket_key, m_rng),
m_policy.session_ticket_lifetime())
);
@@ -689,7 +689,7 @@ void Server::process_handshake_msg(Handshake_Type type,
m_state->server_hello()->supports_session_ticket())
{
m_state->new_session_ticket(
- new New_Session_Ticket(m_state->handshake_io(), m_state->hash)
+ new New_Session_Ticket(m_state->handshake_io(), m_state->hash())
);
}