aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorlloyd <[email protected]>2011-12-30 15:54:50 +0000
committerlloyd <[email protected]>2011-12-30 15:54:50 +0000
commiteedc562549e726e040a1a76893ddb264d3b85e64 (patch)
treef5e5cce131eedd9cd882ee1a5a5d8a049126ac4d /src
parentfc626d62f464a7dee5e62134781f5a6ccdfafc72 (diff)
Server side handling of the secure renegotiation extension.
Diffstat (limited to 'src')
-rw-r--r--src/tls/hello.cpp17
-rw-r--r--src/tls/tls_messages.h2
-rw-r--r--src/tls/tls_server.cpp9
3 files changed, 26 insertions, 2 deletions
diff --git a/src/tls/hello.cpp b/src/tls/hello.cpp
index 055f92018..c2593ba4c 100644
--- a/src/tls/hello.cpp
+++ b/src/tls/hello.cpp
@@ -160,6 +160,9 @@ void Client_Hello::deserialize_sslv2(const MemoryRegion<byte>& buf)
c_random.resize(challenge_len);
copy_mem(&c_random[0], &buf[9+cipher_spec_len+sess_id_len], challenge_len);
+
+ // FIXME: might be a ciphersuite value
+ has_secure_renegotiation = false;
}
/*
@@ -223,13 +226,16 @@ Server_Hello::Server_Hello(Record_Writer& writer,
TLS_Handshake_Hash& hash,
const TLS_Policy& policy,
RandomNumberGenerator& rng,
+ const MemoryRegion<byte>& reneg_info,
const std::vector<X509_Certificate>& certs,
const Client_Hello& c_hello,
const MemoryRegion<byte>& session_id,
Version_Code ver) :
s_version(ver),
sess_id(session_id),
- s_random(rng.random_vec(32))
+ s_random(rng.random_vec(32)),
+ has_secure_renegotiation(false),
+ renegotiation_info_bits(reneg_info)
{
bool have_rsa = false, have_dsa = false;
@@ -260,6 +266,7 @@ Server_Hello::Server_Hello(Record_Writer& writer,
Server_Hello::Server_Hello(Record_Writer& writer,
TLS_Handshake_Hash& hash,
RandomNumberGenerator& rng,
+ const MemoryRegion<byte>& reneg_info,
const MemoryRegion<byte>& session_id,
u16bit ciphersuite,
byte compression,
@@ -268,7 +275,9 @@ Server_Hello::Server_Hello(Record_Writer& writer,
sess_id(session_id),
s_random(rng.random_vec(32)),
suite(ciphersuite),
- comp_method(compression)
+ comp_method(compression),
+ has_secure_renegotiation(false),
+ renegotiation_info_bits(reneg_info)
{
send(writer, hash);
}
@@ -291,6 +300,10 @@ MemoryVector<byte> Server_Hello::serialize() const
buf.push_back(comp_method);
+ TLS_Extensions extensions;
+
+ extensions.push_back(new Renegotation_Extension(renegotiation_info_bits));
+
return buf;
}
diff --git a/src/tls/tls_messages.h b/src/tls/tls_messages.h
index 5ac655bec..3f02903fe 100644
--- a/src/tls/tls_messages.h
+++ b/src/tls/tls_messages.h
@@ -135,6 +135,7 @@ class Server_Hello : public HandshakeMessage
TLS_Handshake_Hash& hash,
const TLS_Policy& policies,
RandomNumberGenerator& rng,
+ const MemoryRegion<byte>& reneg_info,
const std::vector<X509_Certificate>& certs,
const Client_Hello& other,
const MemoryRegion<byte>& session_id,
@@ -143,6 +144,7 @@ class Server_Hello : public HandshakeMessage
Server_Hello(Record_Writer& writer,
TLS_Handshake_Hash& hash,
RandomNumberGenerator& rng,
+ const MemoryRegion<byte>& reneg_info,
const MemoryRegion<byte>& session_id,
u16bit ciphersuite,
byte compression,
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index 197ed4b2c..427e699af 100644
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -171,6 +171,8 @@ void TLS_Server::process_handshake_msg(Handshake_Type type,
state->version = choose_version(state->client_hello->version(),
policy.min_version());
+ secure_renegotiation.update(state->client_hello);
+
writer.set_version(state->version);
reader.set_version(state->version);
@@ -186,6 +188,7 @@ void TLS_Server::process_handshake_msg(Handshake_Type type,
writer,
state->hash,
rng,
+ secure_renegotiation.for_server_hello(),
session_info.session_id(),
session_info.ciphersuite(),
session_info.compression_method(),
@@ -216,6 +219,7 @@ void TLS_Server::process_handshake_msg(Handshake_Type type,
state->hash,
policy,
rng,
+ secure_renegotiation.for_server_hello(),
cert_chain,
*(state->client_hello),
rng.random_vec(32),
@@ -263,6 +267,8 @@ void TLS_Server::process_handshake_msg(Handshake_Type type,
state->set_expected_next(CERTIFICATE);
}
+ secure_renegotiation.update(state->server_hello);
+
/*
* If the client doesn't have a cert they want to use they are
* allowed to send either an empty cert message or proceed
@@ -379,6 +385,9 @@ void TLS_Server::process_handshake_msg(Handshake_Type type,
session_manager.save(session_info);
}
+ secure_renegotiation.update(state->client_finished,
+ state->server_finished);
+
delete state;
state = 0;
active = true;