-rw-r--r-- | src/tls/cert_req.cpp | 2 | ||||
-rw-r--r-- | src/tls/cert_ver.cpp | 24 | ||||
-rw-r--r-- | src/tls/tls_client.cpp | 18 | ||||
-rw-r--r-- | src/tls/tls_magic.h | 12 | ||||
-rw-r--r-- | src/tls/tls_messages.h | 2 | ||||
-rw-r--r-- | src/tls/tls_session.h | 10 |
6 files changed, 53 insertions, 15 deletions
diff --git a/src/tls/cert_req.cpp b/src/tls/cert_req.cpp index ce1941a0a..0168e4b7d 100644 --- a/src/tls/cert_req.cpp +++ b/src/tls/cert_req.cpp @@ -45,7 +45,7 @@ MemoryVector<byte> Certificate_Req::serialize() const append_tls_length_value(buf, types, 1); - for(size_t i = 0; i 1= names.size(); ++i) + for(size_t i = 0; i != names.size(); ++i) { DER_Encoder encoder; encoder.encode(names[i]); diff --git a/src/tls/cert_ver.cpp b/src/tls/cert_ver.cpp index 5a20e3029..2c2ec9b2a 100644 --- a/src/tls/cert_ver.cpp +++ b/src/tls/cert_ver.cpp @@ -1,6 +1,6 @@ /* * Certificate Verify Message -* (C) 2004-2011 Jack Lloyd +* (C) 2004,2006,2011,2012 Jack Lloyd * * Released under the terms of the Botan license */ @@ -23,6 +23,8 @@ namespace Botan { Certificate_Verify::Certificate_Verify(Record_Writer& writer, TLS_Handshake_Hash& hash, RandomNumberGenerator& rng, + Version_Code version, + const SecureVector<byte>& master_secret, const Private_Key* priv_key) { BOTAN_ASSERT_NONNULL(priv_key); @@ -34,7 +36,10 @@ Certificate_Verify::Certificate_Verify(Record_Writer& writer, padding = "EMSA3(TLS.Digest.0)"; else if(priv_key->algo_name() == "DSA") { - padding = "EMSA1(SHA-1)"; + if(version == SSL_V3) + padding = "Raw"; + else + padding = "EMSA1(SHA-1)"; format = DER_SEQUENCE; } else @@ -43,7 +48,20 @@ Certificate_Verify::Certificate_Verify(Record_Writer& writer, PK_Signer signer(*priv_key, padding, format); - signature = signer.sign_message(hash.final(), rng); + if(version == SSL_V3) + { + SecureVector<byte> md5_sha = hash.final_ssl3(master_secret); + + signature = signer.sign_message(&md5_sha[16], md5_sha.size()-16, rng); + } + else if(version == TLS_V10 || version == TLS_V11) + { + signature = signer.sign_message(hash.get_contents(), rng); + } + else + throw TLS_Exception(PROTOCOL_VERSION, + "Unknown TLS version in certificate verification"); + send(writer, hash); } diff --git a/src/tls/tls_client.cpp b/src/tls/tls_client.cpp index 7abcdf644..ca4a56007 100644 
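Review bot: In the last cert_ver.cpp hunk the SSL_V3 branch signs `&md5_sha[16]` for every key type, but dropping the 16-byte MD5 half is only right for DSA. The RSA path still uses `EMSA3(TLS.Digest.0)` from the unchanged line in the padding hunk, so as far as these lines show it would re-hash only the SHA-1 half instead of signing the full MD5||SHA-1 value. Branch on the key algorithm inside the SSLv3 case, e.g. `if(priv_key->algo_name() == "DSA") signature = signer.sign_message(&md5_sha[16], md5_sha.size()-16, rng); else signature = signer.sign_message(md5_sha, rng);`, and give RSA a raw padding for SSLv3 (presumably `EMSA3(Raw)`) the way DSA gets `"Raw"`. `md5_sha.size()-16` also wraps around if final_ssl3() ever returns fewer than 16 bytes, so assert the length before indexing. The condition that selects the RSA padding lies outside the hunk and should be confirmed there.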
--- a/src/tls/tls_client.cpp +++ b/src/tls/tls_client.cpp @@ -333,6 +333,11 @@ void TLS_Client::process_handshake_msg(Handshake_Type type, state->kex_pub, state->version, state->client_hello->version()); + state->keys = SessionKeys(state->suite, state->version, + state->client_kex->pre_master_secret(), + state->client_hello->random(), + state->server_hello->random()); + if(state->received_handshake_msg(CERTIFICATE_REQUEST) && !state->client_certs->empty()) { @@ -341,15 +346,14 @@ void TLS_Client::process_handshake_msg(Handshake_Type type, "tls-client", state->client_hello->sni_hostname()); - state->client_verify = new Certificate_Verify(writer, state->hash, - rng, private_key); + state->client_verify = new Certificate_Verify(writer, + state->hash, + rng, + state->version, + state->keys.master_secret(), + private_key); } - state->keys = SessionKeys(state->suite, state->version, - state->client_kex->pre_master_secret(), - state->client_hello->random(), - state->server_hello->random()); - writer.send(CHANGE_CIPHER_SPEC, 1); writer.activate(state->suite, state->keys, CLIENT); diff --git a/src/tls/tls_magic.h b/src/tls/tls_magic.h index 51fe91e8b..231ac363f 100644 --- a/src/tls/tls_magic.h +++ b/src/tls/tls_magic.h @@ -101,10 +101,14 @@ enum Alert_Type { }; enum Certificate_Type { - RSA_CERT = 1, - DSS_CERT = 2, - DH_RSA_CERT = 3, - DH_DSS_CERT = 4 + RSA_CERT = 1, + DSS_CERT = 2, + DH_RSA_CERT = 3, + DH_DSS_CERT = 4, + + ECDSA_CERT = 64, + ECDH_RSA_CERT = 65, + ECDH_ECDSA_CERT = 66 }; enum Ciphersuite_Code { diff --git a/src/tls/tls_messages.h b/src/tls/tls_messages.h index 6c2749e42..ee05031c0 100644 --- a/src/tls/tls_messages.h +++ b/src/tls/tls_messages.h 
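Review bot: The first tls_client.cpp hunk moves the `SessionKeys` derivation above the Certificate_Verify construction without saying why, and the second hunk now depends on that order through `state->keys.master_secret()`. If a later edit moved the derivation back down, the constructor would receive the master secret of a key set that has not been derived yet, and the SSLv3 verify signature would be computed over the wrong value with nothing in the code to flag it. Add a comment above the assignment, such as `// Derive keys first: the SSLv3 CertificateVerify hash is keyed with the master secret`. process_handshake_msg starts and ends outside both hunks.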
@@ -302,6 +302,8 @@ class Certificate_Verify : public Handshake_Message Certificate_Verify(Record_Writer& writer, TLS_Handshake_Hash& hash, RandomNumberGenerator& rng, + Version_Code version, + const SecureVector<byte>& master_secret, const Private_Key* key); Certificate_Verify(const MemoryRegion<byte>& buf) { deserialize(buf); } diff --git a/src/tls/tls_session.h b/src/tls/tls_session.h index b4b3861ed..f1352a0e0 100644 --- a/src/tls/tls_session.h +++ b/src/tls/tls_session.h @@ -68,6 +68,16 @@ class BOTAN_DLL TLS_Session { return static_cast<Version_Code>(m_version); } /** + * Get the major version of the saved session + */ + byte major_version() const { return get_byte(0, m_version); } + + /** + * Get the minor version of the saved session + */ + byte minor_version() const { return get_byte(0, m_version); } + + /** * Get the ciphersuite of the saved session */ u16bit ciphersuite() const { return m_ciphersuite; } |
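Review bot: In the tls_session.h hunk `minor_version()` returns `get_byte(0, m_version)`, the same expression as `major_version()`, so both accessors yield the same byte of the saved version. A caller comparing the minor version of a resumed session against the negotiated one would see the major byte instead, which can make a version check on resumption pass or fail for the wrong reason. Presumably the second accessor should read the other byte: `byte minor_version() const { return get_byte(1, m_version); }`. get_byte and the type of m_version are defined outside this diff, so confirm the index order there.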