Diffstat (limited to 'src')
-rw-r--r--src/tls/msg_client_kex.cpp11
-rw-r--r--src/tls/tls_handshake_state.h10
-rw-r--r--src/tls/tls_messages.h1
-rw-r--r--src/tls/tls_server.cpp28
4 files changed, 29 insertions, 21 deletions
diff --git a/src/tls/msg_client_kex.cpp b/src/tls/msg_client_kex.cpp
index 16aa2e5a5..8469708d6 100644
--- a/src/tls/msg_client_kex.cpp
+++ b/src/tls/msg_client_kex.cpp
@@ -267,6 +267,7 @@ Client_Key_Exchange::Client_Key_Exchange(Handshake_IO& io,
*/
Client_Key_Exchange::Client_Key_Exchange(const std::vector<byte>& contents,
const Handshake_State* state,
+ const Private_Key* server_rsa_kex_key,
Credentials_Manager& creds,
const Policy& policy,
RandomNumberGenerator& rng)
@@ -278,15 +279,13 @@ Client_Key_Exchange::Client_Key_Exchange(const std::vector<byte>& contents,
BOTAN_ASSERT(state->server_certs() && !state->server_certs()->cert_chain().empty(),
"RSA key exchange negotiated so server sent a certificate");
- const Private_Key* private_key = state->server_rsa_kex_key;
-
- if(!private_key)
+ if(!server_rsa_kex_key)
throw Internal_Error("Expected RSA kex but no server kex key set");
- if(!dynamic_cast<const RSA_PrivateKey*>(private_key))
- throw Internal_Error("Expected RSA key but got " + private_key->algo_name());
+ if(!dynamic_cast<const RSA_PrivateKey*>(server_rsa_kex_key))
+ throw Internal_Error("Expected RSA key but got " + server_rsa_kex_key->algo_name());
- PK_Decryptor_EME decryptor(*private_key, "PKCS1v15");
+ PK_Decryptor_EME decryptor(*server_rsa_kex_key, "PKCS1v15");
Protocol_Version client_version = state->client_hello()->version();
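Review bot: The new `server_rsa_kex_key` parameter has no documented contract, although this hunk dereferences it and hands it to `PK_Decryptor_EME` by reference. It appears to be a borrowed pointer that is required only when RSA key exchange was negotiated, so I would add a line to the constructor's comment (which starts above the first hunk), such as `@param server_rsa_kex_key borrowed RSA private key; must be non-null for RSA key exchange and outlive this call`. The same line belongs on the declaration in tls_messages.h. The enclosing branch starts and ends outside the hunk, so whether the pointer is ignored for the other key-exchange methods should be confirmed before documenting that part.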
diff --git a/src/tls/tls_handshake_state.h b/src/tls/tls_handshake_state.h
index 6710e1ce6..d0a03e2d9 100644
--- a/src/tls/tls_handshake_state.h
+++ b/src/tls/tls_handshake_state.h
@@ -13,7 +13,6 @@
#include <botan/internal/tls_session_key.h>
#include <botan/pk_keys.h>
#include <botan/pubkey.h>
-
#include <functional>
#include <utility>
#include <memory>
@@ -147,15 +146,6 @@ class Handshake_State
const Handshake_Hash& hash() const { return m_handshake_hash; }
- // Used by the server only, in case of RSA key exchange
- Private_Key* server_rsa_kex_key = nullptr; // FIXME make private
-
- /*
- * Used by the server to know if resumption should be allowed on
- * a server-initiated renegotiation
- */
- bool allow_session_resumption = true; // FIXME make private
-
private:
std::unique_ptr<Handshake_IO> m_handshake_io;
diff --git a/src/tls/tls_messages.h b/src/tls/tls_messages.h
index 4e9d13803..29f75c58e 100644
--- a/src/tls/tls_messages.h
+++ b/src/tls/tls_messages.h
@@ -258,6 +258,7 @@ class Client_Key_Exchange : public Handshake_Message
Client_Key_Exchange(const std::vector<byte>& buf,
const Handshake_State* state,
+ const Private_Key* server_rsa_kex_key,
Credentials_Manager& creds,
const Policy& policy,
RandomNumberGenerator& rng);
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index 12de34cdd..61a7642df 100644
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -18,6 +18,21 @@ namespace TLS {
namespace {
+class Server_Handshake_State : public Handshake_State
+ {
+ public:
+ Server_Handshake_State(Handshake_IO* io) : Handshake_State(io) {}
+
+ // Used by the server only, in case of RSA key exchange. Not owned
+ Private_Key* server_rsa_kex_key = nullptr;
+
+ /*
+ * Used by the server to know if resumption should be allowed on
+ * a server-initiated renegotiation
+ */
+ bool allow_session_resumption = true;
+ };
+
bool check_for_resume(Session& session_info,
Session_Manager& session_manager,
Credentials_Manager& credentials,
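Review bot: `Server_Handshake_State` keeps both fields public and mutable, so the removed `FIXME make private` is dropped rather than resolved, and the raw pointer to the server's RSA key stays writable by any code that holds the state. The constructor in msg_client_kex.cpp takes `const Private_Key*`, so the member could be `const Private_Key* server_rsa_kex_key = nullptr;` if no other user needs mutable access (not visible here), ideally behind an accessor pair. The single-argument constructor should be `explicit Server_Handshake_State(Handshake_IO* io)`. Because the object is created in `new_handshake_state()` and returned as a `Handshake_State*`, it is also worth confirming that `Handshake_State` declares a virtual destructor.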
@@ -207,7 +222,7 @@ Server::Server(std::function<void (const byte[], size_t)> output_fn,
Handshake_State* Server::new_handshake_state()
{
- Handshake_State* state = new Handshake_State(new Stream_Handshake_IO(m_writer));
+ Handshake_State* state = new Server_Handshake_State(new Stream_Handshake_IO(m_writer));
state->set_expected_next(CLIENT_HELLO);
return state;
}
@@ -221,7 +236,8 @@ void Server::renegotiate(bool force_full_renegotiation)
return; // currently in handshake
m_state.reset(new_handshake_state());
- m_state->allow_session_resumption = !force_full_renegotiation;
+ dynamic_cast<Server_Handshake_State&>(*m_state).allow_session_resumption =
+ !force_full_renegotiation;
Hello_Request hello_req(m_state->handshake_io());
}
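Review bot: `dynamic_cast<Server_Handshake_State&>(*m_state)` is written out here and in three more places in `process_handshake_msg` (the resumption check, the `kex_algo == "RSA"` assignment, and the `Client_Key_Exchange` construction). A reference cast throws `std::bad_cast` on mismatch, which is not one of the library's own exception types such as `Internal_Error` and may bypass whatever alert handling the caller has (not visible here). I would add one helper in the anonymous namespace, e.g. `Server_Handshake_State& server_state(Handshake_State& s) { return dynamic_cast<Server_Handshake_State&>(s); }`, and call it at all four sites so the downcast and its failure mode live in one place. `renegotiate` starts outside the hunk.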
@@ -338,7 +354,7 @@ void Server::process_handshake_msg(Handshake_Type type,
Session session_info;
const bool resuming =
- m_state->allow_session_resumption &&
+ dynamic_cast<Server_Handshake_State&>(*m_state).allow_session_resumption &&
check_for_resume(session_info,
m_session_manager,
m_creds,
@@ -521,7 +537,7 @@ void Server::process_handshake_msg(Handshake_Type type,
if(kex_algo == "RSA")
{
- m_state->server_rsa_kex_key = private_key;
+ dynamic_cast<Server_Handshake_State&>(*m_state).server_rsa_kex_key = private_key;
}
else
{
@@ -577,7 +593,9 @@ void Server::process_handshake_msg(Handshake_Type type,
m_state->set_expected_next(HANDSHAKE_CCS);
m_state->client_kex(
- new Client_Key_Exchange(contents, m_state.get(), m_creds, m_policy, m_rng)
+ new Client_Key_Exchange(contents, m_state.get(),
+ dynamic_cast<Server_Handshake_State&>(*m_state).server_rsa_kex_key,
+ m_creds, m_policy, m_rng)
);
m_state->compute_session_keys();