authorNikos Mavrogiannopoulos <nmav@gnutls.org>2000-11-02 05:08:09 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2000-11-02 05:08:09 +0000
commitea3cc782a574d29e8cf20ea7fa814a5672ba1e17 (patch)
tree17eab6dfc159507fa493dd88e1c4c975b52f56ee
parent7a44b3ef158797335f7fc06596bcaeb73897c001 (diff)
more fixes and bugs introduced
-rw-r--r--doc/TODO5
-rw-r--r--lib/gnutls.c3
-rw-r--r--lib/gnutls_cipher.c19
-rw-r--r--lib/gnutls_errors.c1
-rw-r--r--lib/gnutls_errors.h1
-rw-r--r--lib/gnutls_handshake.c47
-rw-r--r--lib/gnutls_int.h2
-rw-r--r--lib/gnutls_kx.c11
8 files changed, 75 insertions, 14 deletions
diff --git a/doc/TODO b/doc/TODO
index 1c6d9d85d0..3ef2d5a82b 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -1,3 +1,4 @@
+* x509 Certificate API
* Add support for v2.0 init packet
-* Add a transparent support for TLS versions (so we can add SSL 3.0)
-* Certificate API
+* Add a transparent support for multiple versions (so we can add SSL 3.0)
+* Resume old sessions
diff --git a/lib/gnutls.c b/lib/gnutls.c
index 36b0520765..7c97f36ca8 100644
--- a/lib/gnutls.c
+++ b/lib/gnutls.c
@@ -89,6 +89,9 @@ int gnutls_init(GNUTLS_STATE * state, ConnectionEnd con_end)
(*state)->gnutls_internals.client_p = NULL;
(*state)->gnutls_internals.client_g = NULL;
(*state)->gnutls_internals.dh_secret = NULL;
+
+ (*state)->gnutls_internals.certificate_requested = 0;
+ (*state)->gnutls_internals.certificate_verify_needed = 0;
return 0;
}
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index 10b4d142ad..456dcc5e7c 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -359,9 +359,9 @@ int _gnutls_TLSCompressed2TLSCiphertext(GNUTLS_STATE state,
_gnutls_make_mul(length,
_gnutls_cipher_get_block_size
(state->security_parameters.bulk_cipher_algorithm));
- pad =
+ pad = (uint8)
length - compressed->length -
- state->connection_state.mac_secret_size - 1;
+ state->connection_state.mac_secret_size;
/* set pad bytes pad */
padding = gnutls_malloc(pad);
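Review bot: The `(uint8)` cast on the new `pad =` line binds only to `length`, not to the whole difference, so `length` is truncated to 8 bits before `compressed->length` and the MAC size are subtracted. Whether that changes the value depends on the declared type of `pad`, which is outside the hunk: with a wider `pad` the truncated operand can make the result negative, and with a `uint8` `pad` the cast is redundant. Write the intent explicitly as `pad = (uint8) (length - compressed->length - state->connection_state.mac_secret_size);`. Since the next hunk stops writing the trailing length byte separately, also confirm that `_gnutls_make_mul` always leaves at least one byte of padding, and that the `gnutls_malloc(pad)` result is checked further down.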
@@ -374,10 +374,6 @@ int _gnutls_TLSCompressed2TLSCiphertext(GNUTLS_STATE state,
memmove(&data
[state->connection_state.mac_secret_size +
compressed->length], padding, pad);
- memmove(&data
- [pad +
- state->connection_state.mac_secret_size +
- compressed->length], &pad, 1);
gnutls_free(padding);
@@ -422,7 +418,7 @@ int _gnutls_TLSCiphertext2TLSCompressed(GNUTLS_STATE state,
uint64 seq_num;
uint16 length;
GNUTLS_MAC_HANDLE td;
-
+ int blocksize = _gnutls_cipher_get_block_size(state->security_parameters.cipher_type);
content = gnutls_malloc(ciphertext->length);
memmove(content, ciphertext->fragment, ciphertext->length);
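Review bot: `blocksize` is looked up from `state->security_parameters.cipher_type`, while the encrypt path earlier in this file passes `state->security_parameters.bulk_cipher_algorithm` to the same `_gnutls_cipher_get_block_size`. If `cipher_type` holds the stream/block discriminator (the `case CIPHER_BLOCK:` label later in this function suggests it does), the lookup receives the wrong kind of value and the new record-length check compares against a meaningless block size. The likely intent is `int blocksize = _gnutls_cipher_get_block_size(state->security_parameters.bulk_cipher_algorithm);`. The function body continues outside the hunk.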
@@ -463,6 +459,12 @@ int _gnutls_TLSCiphertext2TLSCompressed(GNUTLS_STATE state,
ciphertext->version.minor;
break;
case CIPHER_BLOCK:
+
+fprintf(stderr, "LEN: %d-%d\n", ciphertext->length, blocksize);
+ if ( ciphertext->length < blocksize || ciphertext->length % blocksize != 0) {
+ gnutls_assert();
+ return GNUTLS_E_DECRYPTION_FAILED;
+ }
gnutls_cipher_decrypt(state->
connection_state.read_cipher_state,
content, ciphertext->length);
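Review bot: The new early `return GNUTLS_E_DECRYPTION_FAILED;` leaves `content` unfreed; it was allocated with `gnutls_malloc(ciphertext->length)` at the top of this function, so every malformed record leaks a buffer whose size the peer chooses. Add `gnutls_free(content);` before the return. The `fprintf(stderr, "LEN: %d-%d\n", ...)` line is unconditional, unlike the other debug prints in this commit; wrap it in `#ifdef HARD_DEBUG` or drop it. If `_gnutls_cipher_get_block_size` can return 0 the `%` divides by zero, so the guard should also reject `blocksize <= 0`. The switch continues outside the hunk.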
@@ -470,8 +472,7 @@ int _gnutls_TLSCiphertext2TLSCompressed(GNUTLS_STATE state,
pad = content[ciphertext->length - 1]; /* pad */
length =
ciphertext->length -
- state->connection_state.mac_secret_size - pad -
- 1;
+ state->connection_state.mac_secret_size - pad;
if (pad > ciphertext->length - state->connection_state.mac_secret_size) {
gnutls_assert();
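Review bot: `pad` comes from the decrypted record and is subtracted into `length` before it is range-checked, and the check itself computes `ciphertext->length - state->connection_state.mac_secret_size`, which goes wrong when the record is shorter than the MAC (the earlier block-size guard only guarantees one block). Depending on the operand types, which are declared outside the hunk, that difference may wrap and let an oversized `pad` through. Test first with an addition that cannot underflow, `if (ciphertext->length < state->connection_state.mac_secret_size + pad)`, and compute `length` only after it passes. Also confirm that dropping the `- 1` matches what peers send: in TLS 1.0 the padding-length byte does not count itself. The block continues past the end of the hunk.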
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index 7ceec431ab..99ce837d82 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -57,6 +57,7 @@ static gnutls_error_entry error_algorithms[] = {
GNUTLS_ERROR_ENTRY( GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET, 1),
GNUTLS_ERROR_ENTRY( GNUTLS_E_UNKNOWN_KX_ALGORITHM, 1),
GNUTLS_ERROR_ENTRY( GNUTLS_E_MPI_SCAN_FAILED, 1),
+ GNUTLS_ERROR_ENTRY( GNUTLS_E_DECRYPTION_FAILED, 1),
GNUTLS_ERROR_ENTRY( GNUTLS_E_UNIMPLEMENTED_FEATURE, 1),
{0}
};
diff --git a/lib/gnutls_errors.h b/lib/gnutls_errors.h
index eac021ee6a..808da9a72d 100644
--- a/lib/gnutls_errors.h
+++ b/lib/gnutls_errors.h
@@ -23,6 +23,7 @@
#define GNUTLS_E_UNKNOWN_CIPHER_SUITE -21
#define GNUTLS_E_UNWANTED_ALGORITHM -22
#define GNUTLS_E_MPI_SCAN_FAILED -23
+#define GNUTLS_E_DECRYPTION_FAILED -24
#define GNUTLS_E_UNIMPLEMENTED_FEATURE -50
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 6d6f31e263..a04bbc3580 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -351,6 +351,7 @@ int _gnutls_recv_handshake(int cd, GNUTLS_STATE state, uint8 **data,
if (length32 > 0 && data!=NULL)
memmove( *data, &dataptr[4], length32);
+ /* here we do the hashing work needed at finished messages */
if (state->gnutls_internals.client_hash == HASH_TRUE) {
gnutls_hash(state->gnutls_internals.client_td_md5, dataptr,
length32 + 4);
@@ -388,6 +389,19 @@ int _gnutls_recv_handshake(int cd, GNUTLS_STATE state, uint8 **data,
case GNUTLS_CLIENT_KEY_EXCHANGE:
ret = length32;
break;
+ case GNUTLS_CERTIFICATE_REQUEST:
+#ifdef HARD_DEBUG
+ fprintf(stderr, "Requested Client Certificate!\n");
+#endif
+ /* FIXME: just ignore that message for the time being
+ * we have to parse it and the store the needed information
+ */
+ state->gnutls_internals.certificate_requested = 1;
+ ret = length32;
+ break;
+ default:
+ gnutls_assert();
+ ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
}
gnutls_free(dataptr);
return ret;
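Review bot: The new `GNUTLS_CERTIFICATE_REQUEST` case sets `certificate_requested` for any peer and any message body; nothing visible here checks that this endpoint is the client or that `length32` is plausible for a CertificateRequest. If no such check exists earlier in `_gnutls_recv_handshake` (the function starts outside the hunk), a server-side state would accept the message too; returning `GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET` in that case would be consistent with the new `default:` branch. The `default:` branch should also end with `break;` so that a case added after it later cannot be fallen into.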
@@ -399,6 +413,29 @@ int _gnutls_send_hello_request(int cd, GNUTLS_STATE state)
GNUTLS_HELLO_REQUEST);
}
+int _gnutls_send_client_certificate(int cd, GNUTLS_STATE state)
+{
+ char data[1];
+ int ret;
+
+ if (state->gnutls_internals.certificate_requested==0) return 0;
+
+ /* we do not have that functionality yet */
+ state->gnutls_internals.certificate_verify_needed = 0;
+#ifdef HARD_DEBUG
+ fprintf(stderr, "Sending Client Certificate\n");
+#endif
+
+/* Here since we do not support certificates yet we
+ * do not have that functionality.
+ */
+ data[0] = 0;
+ ret = _gnutls_send_handshake(cd, state, &data, 1,
+ GNUTLS_CERTIFICATE);
+
+ return ret;
+}
+
int _gnutls_send_hello(int cd, GNUTLS_STATE state, opaque * SessionID,
uint8 SessionIDLen)
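Review bot: The placeholder body sent by `_gnutls_send_client_certificate` is a single zero byte, but a TLS Certificate message carries a 3-byte length prefix for the certificate list, so an empty list is three zero bytes. Assuming `_gnutls_send_handshake` adds only the handshake header, a strict peer may reject the 1-byte body as malformed. Suggest `char data[3] = { 0, 0, 0 };` and passing `data, 3`. The call also passes `&data`, which has type `char (*)[1]` rather than a pointer to the first byte; `data` is what is meant. `certificate_requested` is not cleared after the reply, which matters if the same state runs another handshake.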
@@ -820,6 +857,16 @@ int gnutls_handshake(int cd, GNUTLS_STATE state)
}
/* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
+ HASH(client_hash);
+ HASH(server_hash);
+ ret = _gnutls_send_client_certificate(cd, state);
+ NOT_HASH(client_hash);
+ NOT_HASH(server_hash);
+ if (ret < 0) {
+ ERR("send client certificate", ret);
+ return ret;
+ }
+
HASH(client_hash);
HASH(server_hash);
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index ea46943a44..fddb479a46 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -189,6 +189,8 @@ typedef struct {
MPI client_g;
MPI client_p;
MPI dh_secret;
+ int certificate_requested;
+ int certificate_verify_needed;
} GNUTLS_INTERNALS;
typedef struct {
diff --git a/lib/gnutls_kx.c b/lib/gnutls_kx.c
index 247efa250d..0f7de47b76 100644
--- a/lib/gnutls_kx.c
+++ b/lib/gnutls_kx.c
@@ -210,20 +210,25 @@ int _gnutls_send_client_kx_message(int cd, GNUTLS_STATE state)
/* This is the function for the client to send the certificate
* verify message
- * FIXME: this function does almost nothing except sending shit to
+ * FIXME: this function does almost nothing except sending garbage to
* peer.
*/
int _gnutls_send_client_certificate_verify(int cd, GNUTLS_STATE state)
{
uint8 *data;
int ret = 0;
+
+ /* if certificate verify is not needed just exit */
+ if (state->gnutls_internals.certificate_verify_needed==0) return 0;
+
#ifdef HARD_DEBUG
fprintf(stderr, "Sending client certificate verify message\n");
#endif
+
switch (_gnutls_cipher_suite_get_kx_algo
(state->gnutls_internals.current_cipher_suite)) {
case GNUTLS_KX_DHE_DSS:
- data=gnutls_malloc(20);
+ data=gnutls_calloc(1, 20);
ret =
_gnutls_send_handshake(cd, state, data,
20,
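Review bot: The buffers from `gnutls_calloc(1, 20)` here and `gnutls_calloc(1, 20+16)` in the next hunk are handed to `_gnutls_send_handshake` with no NULL check in between, so an allocation failure passes a null pointer together with a non-zero length. Since the sizes are small constants, a zeroed stack array such as `uint8 data[20 + 16] = { 0 };` would remove both the allocation and the `gnutls_free` calls; otherwise check the pointer and return an error before sending. The literals 20 and 20+16 would read better as named constants (they look like SHA-1 and MD5 digest lengths, to be confirmed). The switch continues outside both hunks.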
@@ -231,7 +236,7 @@ int _gnutls_send_client_certificate_verify(int cd, GNUTLS_STATE state)
gnutls_free(data);
break;
case GNUTLS_KX_DHE_RSA:
- data=gnutls_malloc(20+16);
+ data=gnutls_calloc(1, 20+16);
ret =
_gnutls_send_handshake(cd, state, data,
20+16,