-rw-r--r--src/tls/c_hello.cpp3
-rw-r--r--src/tls/s_hello.cpp3
-rw-r--r--src/tls/s_kex.cpp22
-rw-r--r--src/tls/tls_extensions.h2
-rw-r--r--src/tls/tls_messages.h2
-rw-r--r--src/tls/tls_policy.cpp4
-rw-r--r--src/tls/tls_policy.h2
-rw-r--r--src/tls/tls_server.cpp2
-rw-r--r--src/tls/tls_session.h2
9 files changed, 31 insertions, 11 deletions
diff --git a/src/tls/c_hello.cpp b/src/tls/c_hello.cpp
index 60f6de487..a70713a80 100644
--- a/src/tls/c_hello.cpp
+++ b/src/tls/c_hello.cpp
@@ -151,6 +151,9 @@ MemoryVector<byte> Client_Hello::serialize() const
extensions.push_back(new Server_Name_Indicator(m_hostname));
extensions.push_back(new SRP_Identifier(m_srp_identifier));
+ if(m_version >= TLS_V12)
+ extensions.push_back(new Signature_Algorithms());
+
if(m_next_protocol)
extensions.push_back(new Next_Protocol_Notification());
}
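Review bot: The version gate on the new `Signature_Algorithms` push has no comment saying why it exists, and the reason is a protocol rule rather than an optimisation. I would add above the `if`: `// RFC 5246 7.4.1.4.1: signature_algorithms is only defined for TLS 1.2; a client offering an earlier version must not send it`. Note that what the default-constructed extension actually advertises is not visible here, and the client-side parsing of ServerKeyExchange in this same commit does not check the server's choice against that list, so the advertised set is currently informational only. Client_Hello::serialize begins before this hunk.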
diff --git a/src/tls/s_hello.cpp b/src/tls/s_hello.cpp
index 21619fe0c..652544806 100644
--- a/src/tls/s_hello.cpp
+++ b/src/tls/s_hello.cpp
@@ -174,9 +174,6 @@ MemoryVector<byte> Server_Hello::serialize() const
if(m_next_protocol)
extensions.push_back(new Next_Protocol_Notification(m_next_protocols));
- if(s_version == TLS_V12)
- extensions.push_back(new Signature_Algorithms());
-
buf += extensions.serialize();
return buf;
diff --git a/src/tls/s_kex.cpp b/src/tls/s_kex.cpp
index 2e2bc4cb0..ac6ee15ee 100644
--- a/src/tls/s_kex.cpp
+++ b/src/tls/s_kex.cpp
@@ -37,9 +37,15 @@ Server_Key_Exchange::Server_Key_Exchange(Record_Writer& writer,
// FIXME: this should respect client's hash preferences
if(state->version >= TLS_V12)
+ {
hash_algo = TLS_ALGO_HASH_SHA256;
+ sig_algo = TLS_ALGO_SIGNER_RSA;
+ }
else
+ {
hash_algo = TLS_ALGO_NONE;
+ sig_algo = TLS_ALGO_NONE;
+ }
std::pair<std::string, Signature_Format> format =
state->choose_sig_format(private_key, hash_algo, false);
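Review bot: `sig_algo = TLS_ALGO_SIGNER_RSA;` is assigned unconditionally for TLS 1.2, independent of what `private_key` actually is; if the server is configured with a non-RSA signing key, the SignatureAndHashAlgorithm bytes emitted by serialize() will not describe the signature that follows and a conforming peer will reject the handshake. The signer code should be derived from the key (e.g. from `private_key->algo_name()`, which is what the later `choose_sig_format` call already consults) rather than hard-coded, and the existing `// FIXME` should be widened to say the signature algorithm, not only the hash, must be chosen from the client's signature_algorithms extension. If non-RSA keys are not supported on this path yet, a comment saying so (`// only RSA signing keys are supported for TLS 1.2 here`) would at least make the assumption visible. Server_Key_Exchange's constructor continues past the end of this hunk.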
@@ -62,7 +68,10 @@ MemoryVector<byte> Server_Key_Exchange::serialize() const
MemoryVector<byte> buf = serialize_params();
if(hash_algo != TLS_ALGO_NONE)
- {}
+ {
+ buf.push_back(Signature_Algorithms::hash_algo_code(hash_algo));
+ buf.push_back(Signature_Algorithms::sig_algo_code(sig_algo));
+ }
append_tls_length_value(buf, signature, 2);
return buf;
@@ -110,9 +119,16 @@ Server_Key_Exchange::Server_Key_Exchange(const MemoryRegion<byte>& buf,
if(sig_alg != TLS_ALGO_SIGNER_ANON)
{
if(version < TLS_V12)
- hash_algo = TLS_ALGO_NONE; // use old defaults
+ {
+ // use old defaults
+ hash_algo = TLS_ALGO_NONE;
+ sig_algo = TLS_ALGO_NONE;
+ }
else
+ {
hash_algo = Signature_Algorithms::hash_algo_code(reader.get_byte());
+ sig_algo = Signature_Algorithms::sig_algo_code(reader.get_byte());
+ }
signature = reader.get_range<byte>(2, 0, 65535);
}
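Review bot: The two bytes read into `hash_algo` and `sig_algo` are accepted from the server as-is; nothing rejects a pair the client did not offer in its signature_algorithms extension (RFC 5246 7.4.3 requires the server's choice to be one of those), and nothing rejects an unknown code, so a server can steer the client to whatever weakest hash `hash_algo_code` is able to map. A check after the two reads — something like `if(!offered_signature_algorithm(hash_algo, sig_algo)) throw TLS_Exception(…, "Server chose a signature algorithm the client did not offer")` — is needed; I cannot tell from this hunk whether the parsed extension list or the policy is reachable from this constructor, so the exact predicate may need plumbing. The `reader.get_range<byte>(2, 0, 65535)` also admits an empty signature, which the later verify() presumably fails on, but rejecting it here with a clear alert would be cheaper. The enclosing constructor starts before this hunk.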
@@ -137,6 +153,8 @@ bool Server_Key_Exchange::verify(const X509_Certificate& cert,
{
std::auto_ptr<Public_Key> key(cert.subject_public_key());
+ printf("Checking %s vs code %d\n", key->algo_name().c_str(), sig_algo);
+
std::pair<std::string, Signature_Format> format =
state->choose_sig_format(key.get(), hash_algo, false);
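Review bot: The added `printf("Checking %s vs code %d\n", …)` is debug output written to stdout from library code during every TLS 1.2 handshake verification and should not ship; it also does the comparison only for a human reader — nothing in verify() actually compares `sig_algo` against the certificate key's type. Replace the printf with the check it hints at, i.e. derive the expected signer code from `key->algo_name()` and `throw` if it differs from `sig_algo` when `sig_algo != TLS_ALGO_NONE`, so a server cannot present a signature-algorithm byte that disagrees with the certificate. verify()'s body continues past the end of this hunk, so I cannot see whether a later line already does this.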
diff --git a/src/tls/tls_extensions.h b/src/tls/tls_extensions.h
index 1811bab01..2f4f711c2 100644
--- a/src/tls/tls_extensions.h
+++ b/src/tls/tls_extensions.h
@@ -189,7 +189,7 @@ class Signature_Algorithms : public TLS_Extension
static byte sig_algo_code(TLS_Ciphersuite_Algos code);
TLS_Handshake_Extension_Type type() const
- { return TLSEXT_NEXT_PROTOCOL; }
+ { return TLSEXT_SIGNATURE_ALGORITHMS; }
std::vector<std::pair<TLS_Ciphersuite_Algos, TLS_Ciphersuite_Algos> >
supported_signature_algorthms() const
diff --git a/src/tls/tls_messages.h b/src/tls/tls_messages.h
index f2052c5e7..9ea0b1a2d 100644
--- a/src/tls/tls_messages.h
+++ b/src/tls/tls_messages.h
@@ -300,6 +300,7 @@ class Certificate_Verify : public Handshake_Message
private:
MemoryVector<byte> serialize() const;
+ TLS_Ciphersuite_Algos sig_algo; // sig algo used to create signature
TLS_Ciphersuite_Algos hash_algo; // hash used to create signature
MemoryVector<byte> signature;
};
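Review bot: `sig_algo` is added to Certificate_Verify but nothing else in this diff touches Certificate_Verify's constructors or serialize(), so unless they are updated in a part of the file not shown, the member is never initialised or written to the wire and will hold an indeterminate value. Either wire it up the same way Server_Key_Exchange does in this commit (set to `TLS_ALGO_NONE` below 1.2, emitted alongside `hash_algo` at 1.2), or add a default member initialiser. A short comment on the declaration noting that it is only meaningful when `hash_algo != TLS_ALGO_NONE` would also help, since that is the invariant Server_Key_Exchange::serialize relies on.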
@@ -371,6 +372,7 @@ class Server_Key_Exchange : public Handshake_Message
std::vector<BigInt> params;
+ TLS_Ciphersuite_Algos sig_algo; // sig algo used to create signature
TLS_Ciphersuite_Algos hash_algo; // hash used to create signature
MemoryVector<byte> signature;
};
diff --git a/src/tls/tls_policy.cpp b/src/tls/tls_policy.cpp
index 391e8e758..b510c3d4b 100644
--- a/src/tls/tls_policy.cpp
+++ b/src/tls/tls_policy.cpp
@@ -72,8 +72,8 @@ std::vector<u16bit> TLS_Policy::suite_list(bool use_rsa,
if(use_rsa)
{
- suites.push_back(TLS_RSA_WITH_AES_256_CBC_SHA_256);
- suites.push_back(TLS_RSA_WITH_AES_128_CBC_SHA_256);
+ suites.push_back(TLS_RSA_WITH_AES_256_CBC_SHA256);
+ suites.push_back(TLS_RSA_WITH_AES_128_CBC_SHA256);
suites.push_back(TLS_RSA_WITH_AES_256_CBC_SHA);
suites.push_back(TLS_RSA_WITH_AES_128_CBC_SHA);
diff --git a/src/tls/tls_policy.h b/src/tls/tls_policy.h
index 48ff9185e..a0bca4e7f 100644
--- a/src/tls/tls_policy.h
+++ b/src/tls/tls_policy.h
@@ -52,7 +52,7 @@ class BOTAN_DLL TLS_Policy
/*
* @return the version we would prefer to negotiate
*/
- virtual Version_Code pref_version() const { return TLS_V11; }
+ virtual Version_Code pref_version() const { return TLS_V12; }
virtual bool check_cert(const std::vector<X509_Certificate>& cert_chain) const = 0;
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index e3e2fe208..503d55610 100644
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -25,7 +25,7 @@ Version_Code choose_version(Version_Code client, Version_Code minimum)
throw TLS_Exception(PROTOCOL_VERSION,
"Client version is unacceptable by policy");
- if(client == SSL_V3 || client == TLS_V10 || client == TLS_V11)
+ if(client == SSL_V3 || client == TLS_V10 || client == TLS_V11 || client == TLS_V12)
return client;
return TLS_V11;
}
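Review bot: The fallback `return TLS_V11;` is now wrong: with 1.2 accepted on the line above, a client that offers a version newer than any this code knows should be answered with the highest version the server supports, which is 1.2, not 1.1 (RFC 5246 Appendix E.1) — as written it silently downgrades such clients one step further than necessary. Change the last line to `return TLS_V12;`. Since the code elsewhere already relies on Version_Code being ordered (`state->version >= TLS_V12` in s_kex.cpp), the whole tail could be `if(client <= TLS_V12) return client; return TLS_V12;`, which avoids having to extend the equality chain again on the next version bump.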
diff --git a/src/tls/tls_session.h b/src/tls/tls_session.h
index f1352a0e0..12b76bcab 100644
--- a/src/tls/tls_session.h
+++ b/src/tls/tls_session.h
@@ -75,7 +75,7 @@ class BOTAN_DLL TLS_Session
/**
* Get the minor version of the saved session
*/
- byte minor_version() const { return get_byte(0, m_version); }
+ byte minor_version() const { return get_byte(1, m_version); }
/**
* Get the ciphersuite of the saved session