authorNikos Mavrogiannopoulos <nmav@gnutls.org>2000-12-06 23:18:00 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2000-12-06 23:18:00 +0000
commit4e5a19bcd206c131862c4204a965c6727b8b325e (patch)
treea1834ff188e9864f17c4b7adfa07ab7c5fc2c2ce
parent41a568c52fb71c692ed086b36404adfb70153bb5 (diff)
downloadgnutls-4e5a19bcd206c131862c4204a965c6727b8b325e.tar.gz
more ssl3 fixes
-rw-r--r--lib/gnutls.c22
-rw-r--r--lib/gnutls_buffers.c51
-rw-r--r--lib/gnutls_buffers.h8
-rw-r--r--lib/gnutls_cipher.c8
-rw-r--r--lib/gnutls_handshake.c228
-rw-r--r--lib/gnutls_hash_int.c6
-rw-r--r--lib/gnutls_hash_int.h6
-rw-r--r--lib/gnutls_int.h17
8 files changed, 166 insertions, 180 deletions
diff --git a/lib/gnutls.c b/lib/gnutls.c
index 77bd7ee17f..5e56a191ea 100644
--- a/lib/gnutls.c
+++ b/lib/gnutls.c
@@ -390,13 +390,13 @@ ssize_t gnutls_send_int(int cd, GNUTLS_STATE state, ContentType type, void *_dat
length = byteswap16(cipher_size);
#endif
memmove( &headers[3], &length, sizeof(uint16));
- if (Write(cd, headers, sizeof(headers)) != sizeof(headers)) {
+ if (_gnutls_Write(cd, headers, sizeof(headers)) != sizeof(headers)) {
state->gnutls_internals.valid_connection = VALID_FALSE;
state->gnutls_internals.resumable = RESUME_FALSE;
gnutls_assert();
return GNUTLS_E_UNABLE_SEND_DATA;
}
- if (Write(cd, cipher, cipher_size) != cipher_size) {
+ if (_gnutls_Write(cd, cipher, cipher_size) != cipher_size) {
state->gnutls_internals.valid_connection = VALID_FALSE;
state->gnutls_internals.resumable = RESUME_FALSE;
gnutls_assert();
@@ -415,13 +415,13 @@ ssize_t gnutls_send_int(int cd, GNUTLS_STATE state, ContentType type, void *_dat
length = byteswap16(cipher_size);
#endif
memmove( &headers[3], &length, sizeof(uint16));
- if (Write(cd, headers, sizeof(headers)) != sizeof(headers)) {
+ if (_gnutls_Write(cd, headers, sizeof(headers)) != sizeof(headers)) {
state->gnutls_internals.valid_connection = VALID_FALSE;
state->gnutls_internals.resumable = RESUME_FALSE;
gnutls_assert();
return GNUTLS_E_UNABLE_SEND_DATA;
}
- if (Write(cd, cipher, cipher_size) != cipher_size) {
+ if (_gnutls_Write(cd, cipher, cipher_size) != cipher_size) {
state->gnutls_internals.valid_connection = VALID_FALSE;
state->gnutls_internals.resumable = RESUME_FALSE;
gnutls_assert();
@@ -467,14 +467,14 @@ ssize_t _gnutls_send_change_cipher_spec(int cd, GNUTLS_STATE state)
#endif
memmove( &headers[3], &length, sizeof(uint16));
- if (Write(cd, headers, 5) != 5) {
+ if (_gnutls_Write(cd, headers, 5) != 5) {
state->gnutls_internals.valid_connection = VALID_FALSE;
state->gnutls_internals.resumable = RESUME_FALSE;
gnutls_assert();
return GNUTLS_E_UNABLE_SEND_DATA;
}
- if (Write(cd, &data, 1) != 1) {
+ if (_gnutls_Write(cd, &data, 1) != 1) {
state->gnutls_internals.valid_connection = VALID_FALSE;
state->gnutls_internals.resumable = RESUME_FALSE;
gnutls_assert();
@@ -513,7 +513,7 @@ ssize_t gnutls_recv_int(int cd, GNUTLS_STATE state, ContentType type, char *data
return GNUTLS_E_INVALID_SESSION;
}
- if ( Read(cd, &recv_type, 1) != 1) {
+ if ( _gnutls_Read(cd, &recv_type, 1) != 1) {
state->gnutls_internals.valid_connection = VALID_FALSE;
state->gnutls_internals.resumable = RESUME_FALSE;
gnutls_assert();
@@ -522,14 +522,14 @@ ssize_t gnutls_recv_int(int cd, GNUTLS_STATE state, ContentType type, char *data
version.local = 0; /* TLS/SSL 3.0 */
- if (Read(cd, &version.major, 1) != 1) {
+ if (_gnutls_Read(cd, &version.major, 1) != 1) {
state->gnutls_internals.valid_connection = VALID_FALSE;
state->gnutls_internals.resumable = RESUME_FALSE;
gnutls_assert();
return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
}
- if (Read(cd, &version.minor, 1) != 1) {
+ if (_gnutls_Read(cd, &version.minor, 1) != 1) {
state->gnutls_internals.valid_connection = VALID_FALSE;
state->gnutls_internals.resumable = RESUME_FALSE;
gnutls_assert();
@@ -548,7 +548,7 @@ ssize_t gnutls_recv_int(int cd, GNUTLS_STATE state, ContentType type, char *data
gnutls_set_current_version(state, version);
}
- if (Read(cd, &length, 2) != 2) {
+ if (_gnutls_Read(cd, &length, 2) != 2) {
state->gnutls_internals.valid_connection = VALID_FALSE;
state->gnutls_internals.resumable = RESUME_FALSE;
gnutls_assert();
@@ -580,7 +580,7 @@ ssize_t gnutls_recv_int(int cd, GNUTLS_STATE state, ContentType type, char *data
/* read ciphertext */
- ret = Read(cd, ciphertext, length);
+ ret = _gnutls_Read(cd, ciphertext, length);
if (ret != length) {
#ifdef DEBUG
diff --git a/lib/gnutls_buffers.c b/lib/gnutls_buffers.c
index 840de05439..689d2ed03f 100644
--- a/lib/gnutls_buffers.c
+++ b/lib/gnutls_buffers.c
@@ -108,7 +108,7 @@ int gnutls_getDataFromBuffer(ContentType type, GNUTLS_STATE state, char *data, i
return length;
}
-ssize_t Read(int fd, void *iptr, size_t sizeOfPtr)
+ssize_t _gnutls_Read(int fd, void *iptr, size_t sizeOfPtr)
{
size_t left;
ssize_t i=0;
@@ -151,7 +151,7 @@ ssize_t Read(int fd, void *iptr, size_t sizeOfPtr)
}
-ssize_t Write(int fd, const void *iptr, size_t n)
+ssize_t _gnutls_Write(int fd, const void *iptr, size_t n)
{
size_t left;
#ifdef WRITE_DEBUG
@@ -307,3 +307,50 @@ int gnutls_getHashDataFromBuffer(int type, GNUTLS_STATE state, char *data, int l
return length;
}
}
+
+int gnutls_readHashDataFromBuffer(int type, GNUTLS_STATE state, char *data, int length)
+{
+ if (type==GNUTLS_SERVER) {
+ if (length > state->gnutls_internals.server_hash_bufferSize) {
+ length = state->gnutls_internals.server_hash_bufferSize;
+ }
+#ifdef HARD_DEBUG
+ fprintf(stderr, "Read %d bytes of SSL3 Server Hash Data(%d) from buffer\n", length, type);
+#endif
+ memmove(data, state->gnutls_internals.server_hash_buffer, length);
+ return length;
+
+ } else { /* CLIENT */
+ if (length > state->gnutls_internals.client_hash_bufferSize) {
+ length = state->gnutls_internals.client_hash_bufferSize;
+ }
+#ifdef HARD_DEBUG
+ fprintf(stderr, "Read %d bytes of SSL3 Client Hash Data(%d) from buffer\n", length, type);
+#endif
+ memmove(data, state->gnutls_internals.client_hash_buffer, length);
+ return length;
+ }
+}
+
+
+
+int gnutls_clearHashDataBuffer(int type, GNUTLS_STATE state)
+{
+ if (type==GNUTLS_SERVER) {
+#ifdef HARD_DEBUG
+ fprintf(stderr, "Cleared SSL3 Server Hash Data(%d) from buffer\n",type);
+#endif
+ state->gnutls_internals.server_hash_bufferSize = 0;
+ gnutls_free(state->gnutls_internals.server_hash_buffer);
+ state->gnutls_internals.server_hash_buffer = NULL;
+ } else { /* CLIENT */
+#ifdef HARD_DEBUG
+ fprintf(stderr, "Cleared SSL3 Client Hash Data(%d) from buffer\n", type);
+#endif
+ state->gnutls_internals.client_hash_bufferSize = 0;
+ gnutls_free(state->gnutls_internals.client_hash_buffer);
+ state->gnutls_internals.client_hash_buffer = NULL;
+ }
+
+ return 0;
+}
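Review bot: Both branches of gnutls_readHashDataFromBuffer clamp `length` only from above, so a negative `length` passes the `length > ...bufferSize` test and is converted to a very large size when it reaches memmove. A guard at the top of the function, `if (length <= 0) return 0;`, would close that. The type of `server_hash_bufferSize`/`client_hash_bufferSize` is declared outside this diff; if it is unsigned, the comparison itself needs a second look. Both new functions treat any `type` other than GNUTLS_SERVER as the client, which deserves a one-line comment.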
diff --git a/lib/gnutls_buffers.h b/lib/gnutls_buffers.h
index 22b24b4530..4a04dc69f1 100644
--- a/lib/gnutls_buffers.h
+++ b/lib/gnutls_buffers.h
@@ -1,12 +1,12 @@
int gnutls_insertDataBuffer(ContentType type, GNUTLS_STATE state, char *data, int length);
int gnutls_getDataBufferSize(ContentType type, GNUTLS_STATE state);
int gnutls_getDataFromBuffer(ContentType type, GNUTLS_STATE state, char *data, int length);
-ssize_t Read(int fd, void *iptr, size_t n);
-ssize_t Write(int fd, const void *iptr, size_t n);
-ssize_t _gnutls_Recv_int(int fd, GNUTLS_STATE state, ContentType type, void *iptr, size_t sizeOfPtr);
-ssize_t _gnutls_Send_int(int fd, GNUTLS_STATE state, ContentType type, void *, size_t);
+ssize_t _gnutls_Read(int fd, void *iptr, size_t n);
+ssize_t _gnutls_Write(int fd, const void *iptr, size_t n);
/* used in SSL3 */
int gnutls_getHashDataFromBuffer(int type, GNUTLS_STATE state, char *data, int length);
int gnutls_getHashDataBufferSize(int type, GNUTLS_STATE state);
+int gnutls_readHashDataFromBuffer(int type, GNUTLS_STATE state, char *data, int length);
int gnutls_insertHashDataBuffer(int type, GNUTLS_STATE state, char *data, int length);
+int gnutls_clearHashDataBuffer(int type, GNUTLS_STATE state);
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index dd713ac93f..7f856c77da 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -415,7 +415,7 @@ int _gnutls_TLSCompressed2TLSCiphertext(GNUTLS_STATE state,
if (_gnutls_version_ssl3(state->connection_state.version) == 0) { /* SSL 3.0 */
td =
- gnutls_hash_init_ssl3(state->security_parameters.
+ gnutls_mac_init_ssl3(state->security_parameters.
mac_algorithm,
state->connection_state.
write_mac_secret,
@@ -455,7 +455,7 @@ int _gnutls_TLSCompressed2TLSCiphertext(GNUTLS_STATE state,
gnutls_hmac(td, &c_length, 2);
gnutls_hmac(td, compressed->fragment, compressed->length);
if (_gnutls_version_ssl3(state->connection_state.version) == 0) { /* SSL 3.0 */
- MAC = gnutls_hash_deinit_ssl3(td);
+ MAC = gnutls_mac_deinit_ssl3(td);
} else {
MAC = gnutls_hmac_deinit(td);
}
@@ -556,7 +556,7 @@ int _gnutls_TLSCiphertext2TLSCompressed(GNUTLS_STATE state,
if (_gnutls_version_ssl3(state->connection_state.version) == 0) {
td =
- gnutls_hash_init_ssl3(state->security_parameters.
+ gnutls_mac_init_ssl3(state->security_parameters.
mac_algorithm,
state->connection_state.
read_mac_secret,
@@ -650,7 +650,7 @@ int _gnutls_TLSCiphertext2TLSCompressed(GNUTLS_STATE state,
gnutls_hmac(td, &c_length, 2);
gnutls_hmac(td, data, compressed->length);
if (_gnutls_version_ssl3(state->connection_state.version) == 0) { /* SSL 3.0 */
- MAC = gnutls_hash_deinit_ssl3(td);
+ MAC = gnutls_mac_deinit_ssl3(td);
} else {
MAC = gnutls_hmac_deinit(td);
}
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 62c866ee41..d2a23f0a78 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -42,51 +42,69 @@
#define HASH_TRUE 1
#define HASH_FALSE 0
+/* Calculate The SSL3 Finished message */
+#define SSL3_CLIENT_MSG "CLNT"
+#define SSL3_SERVER_MSG "SRVR"
+void* _gnutls_ssl3_finished( GNUTLS_STATE state, int type) {
+ int siz;
+ GNUTLS_MAC_HANDLE td;
+ GNUTLS_MAC_HANDLE td2;
+ char* data;
+ char* concat=gnutls_malloc(36);
+ char *mesg;
+
+ td = gnutls_mac_init_ssl3( GNUTLS_MAC_MD5, state->security_parameters.master_secret, 48);
+ td2 = gnutls_mac_init_ssl3( GNUTLS_MAC_SHA, state->security_parameters.master_secret, 48);
+
+ siz = gnutls_getHashDataBufferSize( type, state);
+ data = gnutls_malloc( siz);
+
+ gnutls_getHashDataFromBuffer( type, state, data, siz);
+
+ gnutls_mac_ssl3(td, data, siz);
+ gnutls_mac_ssl3(td2, data, siz);
+
+ gnutls_free(data);
+ if (type==GNUTLS_SERVER) {
+ mesg = SSL3_SERVER_MSG;
+ } else {
+ mesg = SSL3_CLIENT_MSG;
+ }
+ siz = strlen(mesg);
+
+ gnutls_mac_ssl3(td, mesg, siz);
+ gnutls_mac_ssl3(td2, mesg, siz);
+
+ data = gnutls_mac_deinit_ssl3(td);
+ memcpy( concat, data, 16);
+ gnutls_free(data);
+
+ data = gnutls_mac_deinit_ssl3(td2);
+
+ memcpy( &concat[16], data, 20);
+ gnutls_free(data);
+
+ return concat;
+}
+
+
/* This is to be called after sending CHANGE CIPHER SPEC packet
* and initializing encryption. This is the first encrypted message
* we send.
*/
#define SERVER_MSG "server finished"
#define CLIENT_MSG "client finished"
-#define SSL3_CLIENT_MSG "CLNT"
-#define SSL3_SERVER_MSG "SRVR"
int _gnutls_send_finished(int cd, GNUTLS_STATE state)
{
uint8 *data;
uint8 concat[36]; /* md5+sha1 */
int ret;
- GNUTLS_MAC_HANDLE td; /* for SSL3 */
- GNUTLS_MAC_HANDLE td2;
int data_size;
if (state->security_parameters.entity == GNUTLS_CLIENT) { /* we are a CLIENT */
if (_gnutls_version_ssl3(state->connection_state.version) == 0) { /* SSL 3 */
- /* Calculate The SSL3 Finished */
- td = gnutls_hash_init_ssl3( GNUTLS_MAC_MD5, state->security_parameters.master_secret, 48);
- td2 = gnutls_hash_init_ssl3( GNUTLS_MAC_SHA, state->security_parameters.master_secret, 48);
-
- ret = gnutls_getHashDataBufferSize( GNUTLS_CLIENT, state);
- data = gnutls_malloc( ret);
-
- gnutls_getHashDataFromBuffer( GNUTLS_CLIENT, state, data, ret);
-
- gnutls_hash(td, data, ret);
- gnutls_hash(td2, data, ret);
-
- gnutls_free(data);
- gnutls_hash(td, SSL3_CLIENT_MSG, strlen(SSL3_CLIENT_MSG));
- data = gnutls_hash_deinit_ssl3(td);
- memcpy( concat, data, 16);
- gnutls_free(data);
-
- gnutls_hash(td2, SSL3_CLIENT_MSG, strlen(SSL3_CLIENT_MSG));
- data = gnutls_hash_deinit_ssl3(td2);
-
- memcpy( &concat[16], data, 20);
- gnutls_free(data);
-
+ data = _gnutls_ssl3_finished( state, GNUTLS_CLIENT);
data_size = 36;
- data = concat;
} else {
memmove(concat, state->gnutls_internals.client_md_md5, 16);
memmove(&concat[16],
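Review bot: _gnutls_ssl3_finished uses every allocation and handle without checking it: `gnutls_malloc(36)`, `gnutls_malloc( siz)`, both `gnutls_mac_init_ssl3` results and both `gnutls_mac_deinit_ssl3` results go straight into memcpy or the MAC calls. A failed allocation while computing the Finished value would then be a NULL dereference in the handshake path. I would check each one, e.g. `if (concat == NULL) return NULL;` and `if (td == GNUTLS_MAC_FAILED || td2 == GNUTLS_MAC_FAILED)` with cleanup of whichever handle was created, and have _gnutls_send_finished test the returned pointer before passing it on. The literals 16, 20, 36 and 48 would read better as named constants. _gnutls_send_finished continues past the end of this hunk.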
@@ -98,34 +116,10 @@ int _gnutls_send_finished(int cd, GNUTLS_STATE state)
36, 12);
data_size = 12;
}
- } else { /* server */
+ } else { /* SERVER SIDE */
if (_gnutls_version_ssl3(state->connection_state.version) == 0) {
- /* Calculate The SSL3 Finished */
- td = gnutls_hash_init_ssl3( GNUTLS_MAC_MD5, state->security_parameters.master_secret, 48);
- td2 = gnutls_hash_init_ssl3( GNUTLS_MAC_SHA, state->security_parameters.master_secret, 48);
-
- ret = gnutls_getHashDataBufferSize( GNUTLS_SERVER, state);
- data = gnutls_malloc( ret);
-
- gnutls_getHashDataFromBuffer( GNUTLS_SERVER, state, data, ret);
-
- gnutls_hash(td, data, ret);
- gnutls_hash(td2, data, ret);
-
- gnutls_free(data);
- gnutls_hash(td, SSL3_SERVER_MSG, strlen(SSL3_SERVER_MSG));
- data = gnutls_hash_deinit_ssl3(td);
- memcpy( concat, data, 16);
- gnutls_free(data);
-
- gnutls_hash(td2, SSL3_SERVER_MSG, strlen(SSL3_SERVER_MSG));
- data = gnutls_hash_deinit_ssl3(td2);
-
- memcpy( &concat[16], data, 20);
- gnutls_free(data);
-
+ data = _gnutls_ssl3_finished( state, GNUTLS_SERVER);
data_size = 36;
- data = concat;
} else { /* TLS 1 - Using PRF */
memmove(concat, state->gnutls_internals.server_md_md5, 16);
memmove(&concat[16],
@@ -139,10 +133,10 @@ int _gnutls_send_finished(int cd, GNUTLS_STATE state)
}
}
+fprintf(stderr, "Finished: %s\n", _gnutls_bin2hex(data, data_size));
ret = _gnutls_send_handshake(cd, state, data, data_size, GNUTLS_FINISHED);
- if (_gnutls_version_ssl3(state->connection_state.version) != 0)
- gnutls_free(data);
+ gnutls_free(data);
return ret;
}
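Review bot: The added `fprintf(stderr, "Finished: %s\n", ...)` is not inside any `#ifdef`, so every build writes the Finished verify data to stderr; that value is derived from the master secret and, per the comment above _gnutls_send_finished, is sent as an encrypted message. Wrap the line in `#ifdef HARD_DEBUG` / `#endif` like the other debug output added in this commit. Whether `_gnutls_bin2hex` returns a static or an allocated buffer is not visible here; if it allocates, the result is also never freed. The now unconditional `gnutls_free(data)` relies on both branches handing back heap memory, which holds for the SSL 3.0 branch; the TLS branch assignment lies outside this hunk.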
@@ -157,8 +151,6 @@ int _gnutls_recv_finished(int cd, GNUTLS_STATE state)
uint8 concat[36]; /* md5+sha1 */
int ret;
int vrfysize;
- GNUTLS_MAC_HANDLE td; /* SSL3 */
- GNUTLS_MAC_HANDLE td2;
ret = 0;
@@ -181,32 +173,7 @@ int _gnutls_recv_finished(int cd, GNUTLS_STATE state)
if (state->security_parameters.entity == GNUTLS_CLIENT) {
if (_gnutls_version_ssl3(state->connection_state.version) == 0) {
- /* Calculate The SSL3 Finished */
- td = gnutls_hash_init_ssl3( GNUTLS_MAC_MD5, state->security_parameters.master_secret, 48);
- td2 = gnutls_hash_init_ssl3( GNUTLS_MAC_SHA, state->security_parameters.master_secret, 48);
-
- ret = gnutls_getHashDataBufferSize( GNUTLS_SERVER, state);
- data = gnutls_malloc( ret);
-
- gnutls_getHashDataFromBuffer( GNUTLS_SERVER, state, data, ret);
-
- gnutls_hash(td, data, ret);
- gnutls_hash(td2, data, ret);
-
- gnutls_free(data);
- gnutls_hash(td, SSL3_SERVER_MSG, strlen(SSL3_SERVER_MSG));
- data = gnutls_hash_deinit_ssl3(td);
- memcpy( concat, data, 16);
- gnutls_free(data);
-
- gnutls_hash(td2, SSL3_SERVER_MSG, strlen(SSL3_SERVER_MSG));
- data = gnutls_hash_deinit_ssl3(td2);
-
- memcpy( &concat[16], data, 20);
- gnutls_free(data);
-
- data_size = 36;
- data = concat;
+ data = _gnutls_ssl3_finished( state, GNUTLS_SERVER);
} else {
memmove(concat, state->gnutls_internals.server_md_md5, 16);
memmove(&concat[16],
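Review bot: The SSL 3.0 branch now assigns only `data`; the removed lines also set `data_size = 36`, and nothing in the new code replaces that (the same applies to the server-side branch in the next hunk). If the comparison further down in _gnutls_recv_finished, which lies outside these hunks, still reads `data_size`, it would read an unset value on the SSL 3.0 path; keeping `data_size = 36;` after the call avoids that. No check of the pointer returned by `_gnutls_ssl3_finished` is visible either, so a NULL return would reach the comparison.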
@@ -217,34 +184,9 @@ int _gnutls_recv_finished(int cd, GNUTLS_STATE state)
48, SERVER_MSG, strlen(SERVER_MSG), concat,
36, 12);
}
- } else { /* server */
+ } else { /* SERVER SIDE */
if (_gnutls_version_ssl3(state->connection_state.version) == 0) {
- /* Calculate The SSL3 Finished */
- td = gnutls_hash_init_ssl3( GNUTLS_MAC_MD5, state->security_parameters.master_secret, 48);
- td2 = gnutls_hash_init_ssl3( GNUTLS_MAC_SHA, state->security_parameters.master_secret, 48);
-
- ret = gnutls_getHashDataBufferSize( GNUTLS_CLIENT, state);
- data = gnutls_malloc( ret);
-
- gnutls_getHashDataFromBuffer( GNUTLS_CLIENT, state, data, ret);
-
- gnutls_hash(td, data, ret);
- gnutls_hash(td2, data, ret);
- gnutls_free(data);
-
- gnutls_hash(td, SSL3_CLIENT_MSG, strlen(SSL3_CLIENT_MSG));
- data = gnutls_hash_deinit_ssl3(td);
- memcpy( concat, data, 16);
- gnutls_free(data);
-
- gnutls_hash(td2, SSL3_CLIENT_MSG, strlen(SSL3_CLIENT_MSG));
- data = gnutls_hash_deinit_ssl3(td2);
-
- memcpy( &concat[16], data, 20);
- gnutls_free(data);
-
- data_size = 36;
- data = concat;
+ data = _gnutls_ssl3_finished( state, GNUTLS_CLIENT);
} else { /* TLS 1.0 */
memmove(concat, state->gnutls_internals.client_md_md5, 16);
memmove(&concat[16],
@@ -262,8 +204,7 @@ int _gnutls_recv_finished(int cd, GNUTLS_STATE state)
ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
}
- if (_gnutls_version_ssl3(state->connection_state.version) != 0)
- gnutls_free(data);
+ gnutls_free(data);
gnutls_free(vrfy);
return ret;
@@ -271,7 +212,7 @@ int _gnutls_recv_finished(int cd, GNUTLS_STATE state)
/* This selects the best supported ciphersuite from the ones provided */
-int SelectSuite(GNUTLS_STATE state, opaque ret[2], char *data, int datalen)
+static int SelectSuite(GNUTLS_STATE state, opaque ret[2], char *data, int datalen)
{
int x, i, j;
GNUTLS_CipherSuite *ciphers;
@@ -308,7 +249,7 @@ int SelectSuite(GNUTLS_STATE state, opaque ret[2], char *data, int datalen)
}
/* This selects the best supported compression method from the ones provided */
-int SelectCompMethod(GNUTLS_STATE state, CompressionMethod * ret, char *data, int datalen)
+static int SelectCompMethod(GNUTLS_STATE state, CompressionMethod * ret, char *data, int datalen)
{
int x, i, j;
CompressionMethod *ciphers;
@@ -364,24 +305,23 @@ int _gnutls_send_handshake(int cd, GNUTLS_STATE state, void *i_data,
if (i_datasize > 4)
memmove(&data[pos], i_data, i_datasize - 4);
+ /* Here we hash - for TLS - or keep the message in a buffer - for SSL 3.0 - in order
+ * to calculate the MAC of the messages for finished message
+ */
if (state->gnutls_internals.client_hash == HASH_TRUE) {
if (_gnutls_version_ssl3(state->connection_state.version) == 0) {
gnutls_insertHashDataBuffer( GNUTLS_CLIENT, state, data, i_datasize);
} else { /* TLS 1 */
- gnutls_hash(state->gnutls_internals.client_td_md5, data,
- i_datasize);
- gnutls_hash(state->gnutls_internals.client_td_sha1, data,
- i_datasize);
+ gnutls_hash(state->gnutls_internals.client_td_md5, data, i_datasize);
+ gnutls_hash(state->gnutls_internals.client_td_sha1, data, i_datasize);
}
}
if (state->gnutls_internals.server_hash == HASH_TRUE) {
if (_gnutls_version_ssl3(state->connection_state.version) == 0) {
gnutls_insertHashDataBuffer( GNUTLS_SERVER, state, data, i_datasize);
} else { /* TLS 1 */
- gnutls_hash(state->gnutls_internals.server_td_md5, data,
- i_datasize);
- gnutls_hash(state->gnutls_internals.server_td_sha1, data,
- i_datasize);
+ gnutls_hash(state->gnutls_internals.server_td_md5, data, i_datasize);
+ gnutls_hash(state->gnutls_internals.server_td_sha1, data, i_datasize);
}
}
@@ -476,29 +416,27 @@ int _gnutls_recv_handshake(int cd, GNUTLS_STATE state, uint8 **data,
if (length32 > 0 && data!=NULL)
memmove( *data, &dataptr[4], length32);
- /* here we do the hashing work needed at finished messages */
- if (state->gnutls_internals.client_hash == HASH_TRUE) {
+ /* here we do the hashing work needed at Finished message */
+ if (state->gnutls_internals.server_hash == HASH_TRUE) {
if (_gnutls_version_ssl3(state->connection_state.version) == 0) {
- gnutls_insertHashDataBuffer( GNUTLS_CLIENT, state, dataptr, length32+4);
+ gnutls_insertHashDataBuffer( GNUTLS_SERVER, state, dataptr, length32+4);
} else { /* TLS 1 */
- gnutls_hash(state->gnutls_internals.client_td_md5, dataptr,
+ gnutls_hash(state->gnutls_internals.server_td_md5, dataptr,
length32 + 4);
- gnutls_hash(state->gnutls_internals.client_td_sha1, dataptr,
+ gnutls_hash(state->gnutls_internals.server_td_sha1, dataptr,
length32 + 4);
}
}
-
- if (state->gnutls_internals.server_hash == HASH_TRUE) {
+ if (state->gnutls_internals.client_hash == HASH_TRUE) {
if (_gnutls_version_ssl3(state->connection_state.version) == 0) {
- gnutls_insertHashDataBuffer( GNUTLS_SERVER, state, dataptr, length32+4);
+ gnutls_insertHashDataBuffer( GNUTLS_CLIENT, state, dataptr, length32+4);
} else { /* TLS 1 */
- gnutls_hash(state->gnutls_internals.server_td_md5, dataptr,
+ gnutls_hash(state->gnutls_internals.client_td_md5, dataptr,
length32 + 4);
- gnutls_hash(state->gnutls_internals.server_td_sha1, dataptr,
+ gnutls_hash(state->gnutls_internals.client_td_sha1, dataptr,
length32 + 4);
}
}
-
switch (dataptr[0]) {
case GNUTLS_CLIENT_HELLO:
@@ -937,12 +875,12 @@ int gnutls_handshake(int cd, GNUTLS_STATE state)
/* These are in order to hash the messages transmitted and received.
* (needed by the protocol)
*/
- if (_gnutls_version_ssl3(state->connection_state.version) != 0) { /* TLS */
+// if (_gnutls_version_ssl3(state->connection_state.version) != 0) { /* TLS */
state->gnutls_internals.client_td_md5 = gnutls_hash_init(GNUTLS_MAC_MD5);
state->gnutls_internals.client_td_sha1 = gnutls_hash_init(GNUTLS_MAC_SHA);
state->gnutls_internals.server_td_md5 = gnutls_hash_init(GNUTLS_MAC_MD5);
state->gnutls_internals.server_td_sha1 = gnutls_hash_init(GNUTLS_MAC_SHA);
- }
+// }
if (state->security_parameters.entity == GNUTLS_CLIENT) {
HASH(client_hash);
HASH(server_hash);
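Review bot: Commenting the version test out with `//` leaves dead code and a stray indentation level, and the same pattern repeats in the four later gnutls_handshake hunks. If the hash contexts are meant to be set up for SSL 3.0 as well, delete the `if` and its closing brace and record the reason in the existing comment, e.g. `/* also initialised for SSL 3.0; only the TLS Finished uses the digests */`. With the guard gone, the SSL 3.0 path now also allocates the four contexts and the `*_md_md5`/`*_md_sha1` results of gnutls_hash_deinit, and no release of them on that path is visible in this diff. gnutls_handshake starts and ends outside the hunk.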
@@ -1042,12 +980,12 @@ int gnutls_handshake(int cd, GNUTLS_STATE state)
ERR("send ChangeCipherSpec", ret);
return ret;
}
- if (_gnutls_version_ssl3(state->connection_state.version) != 0) { /* TLS1 */
+// if (_gnutls_version_ssl3(state->connection_state.version) != 0) { /* TLS1 */
state->gnutls_internals.client_md_md5 =
gnutls_hash_deinit(state->gnutls_internals.client_td_md5);
state->gnutls_internals.client_md_sha1 =
gnutls_hash_deinit(state->gnutls_internals.client_td_sha1);
- }
+// }
/* Initialize the connection state (start encryption) */
ret = _gnutls_connection_state_init(state);
@@ -1074,12 +1012,12 @@ int gnutls_handshake(int cd, GNUTLS_STATE state)
return ret;
}
- if (_gnutls_version_ssl3(state->connection_state.version) != 0) { /* TLS1 */
+// if (_gnutls_version_ssl3(state->connection_state.version) != 0) { /* TLS1 */
state->gnutls_internals.server_md_md5 =
gnutls_hash_deinit(state->gnutls_internals.server_td_md5);
state->gnutls_internals.server_md_sha1 =
gnutls_hash_deinit(state->gnutls_internals.server_td_sha1);
- }
+// }
NOT_HASH(client_hash);
NOT_HASH(server_hash);
ret = _gnutls_recv_finished(cd, state);
@@ -1169,12 +1107,12 @@ int gnutls_handshake(int cd, GNUTLS_STATE state)
ret = _gnutls_connection_state_init(state);
if (ret<0) return ret;
- if (_gnutls_version_ssl3(state->connection_state.version) != 0) { /* TLS 1.0 */
+// if (_gnutls_version_ssl3(state->connection_state.version) != 0) { /* TLS 1.0 */
state->gnutls_internals.client_md_md5 =
gnutls_hash_deinit(state->gnutls_internals.client_td_md5);
state->gnutls_internals.client_md_sha1 =
gnutls_hash_deinit(state->gnutls_internals.client_td_sha1);
- }
+// }
NOT_HASH(client_hash);
HASH(server_hash);
ret = _gnutls_recv_finished(cd, state);
@@ -1191,12 +1129,12 @@ int gnutls_handshake(int cd, GNUTLS_STATE state)
return ret;
}
- if (_gnutls_version_ssl3(state->connection_state.version) != 0) { /* TLS 1.0 */
+// if (_gnutls_version_ssl3(state->connection_state.version) != 0) { /* TLS 1.0 */
state->gnutls_internals.server_md_md5 =
gnutls_hash_deinit(state->gnutls_internals.server_td_md5);
state->gnutls_internals.server_md_sha1 =
gnutls_hash_deinit(state->gnutls_internals.server_td_sha1);
- }
+// }
NOT_HASH(client_hash);
NOT_HASH(server_hash);
ret = _gnutls_send_finished(cd, state);
diff --git a/lib/gnutls_hash_int.c b/lib/gnutls_hash_int.c
index 89be1699fa..c847d42edf 100644
--- a/lib/gnutls_hash_int.c
+++ b/lib/gnutls_hash_int.c
@@ -232,7 +232,7 @@ void *gnutls_hmac_deinit(GNUTLS_MAC_HANDLE handle)
return ret;
}
-GNUTLS_MAC_HANDLE gnutls_hash_init_ssl3(MACAlgorithm algorithm, void *key,
+GNUTLS_MAC_HANDLE gnutls_mac_init_ssl3(MACAlgorithm algorithm, void *key,
int keylen)
{
GNUTLS_MAC_HANDLE ret;
@@ -265,7 +265,7 @@ GNUTLS_MAC_HANDLE gnutls_hash_init_ssl3(MACAlgorithm algorithm, void *key,
return ret;
}
-void *gnutls_hash_deinit_ssl3(GNUTLS_MAC_HANDLE handle)
+void *gnutls_mac_deinit_ssl3(GNUTLS_MAC_HANDLE handle)
{
void *ret=NULL;
GNUTLS_MAC_HANDLE td;
@@ -283,7 +283,7 @@ void *gnutls_hash_deinit_ssl3(GNUTLS_MAC_HANDLE handle)
default:
padsize=0;
}
- if (padsize>0) {
+ if (padsize > 0) {
memset(opad, 0x5C, padsize);
}
diff --git a/lib/gnutls_hash_int.h b/lib/gnutls_hash_int.h
index a95e3942bb..14c246bc85 100644
--- a/lib/gnutls_hash_int.h
+++ b/lib/gnutls_hash_int.h
@@ -27,13 +27,15 @@ typedef GNUTLS_MAC_HANDLE_INT* GNUTLS_MAC_HANDLE;
#define GNUTLS_HASH_FAILED NULL
#define GNUTLS_MAC_FAILED NULL
+#define gnutls_mac_ssl3 gnutls_hmac
+
GNUTLS_MAC_HANDLE gnutls_hmac_init( MACAlgorithm algorithm, void* key, int keylen);
int gnutls_hmac_get_algo_len(MACAlgorithm algorithm);
int gnutls_hmac(GNUTLS_MAC_HANDLE handle, void* text, int textlen);
void* gnutls_hmac_deinit( GNUTLS_MAC_HANDLE handle);
-GNUTLS_MAC_HANDLE gnutls_hash_init_ssl3( MACAlgorithm algorithm, void* key, int keylen);
-void* gnutls_hash_deinit_ssl3( GNUTLS_MAC_HANDLE handle);
+GNUTLS_MAC_HANDLE gnutls_mac_init_ssl3( MACAlgorithm algorithm, void* key, int keylen);
+void* gnutls_mac_deinit_ssl3( GNUTLS_MAC_HANDLE handle);
GNUTLS_MAC_HANDLE gnutls_hash_init(MACAlgorithm algorithm);
int gnutls_hash_get_algo_len(MACAlgorithm algorithm);
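Review bot: `#define gnutls_mac_ssl3 gnutls_hmac` carries no comment, so a reader of _gnutls_ssl3_finished cannot tell that the SSL 3.0 MAC update step is the HMAC update routine under another name. A line above the define such as `/* SSL 3.0 MAC reuses the HMAC update routine; init and deinit are separate functions */` would make that explicit.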
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 2d532d90f1..b4ba02943f 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -2,8 +2,8 @@
#define GNUTLS_INT_H
-//#define HARD_DEBUG
-//#define READ_DEBUG
+#define HARD_DEBUG
+#define READ_DEBUG
//#define WRITE_DEBUG
#define DEBUG
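Review bot: `HARD_DEBUG` and `READ_DEBUG` are switched on in the shared internal header, so every build of the library now prints handshake buffer activity to stderr, for example through the fprintf calls added in gnutls_buffers.c. This looks like a local debugging setting committed along with the fix. I would keep both lines commented out, `//#define HARD_DEBUG` and `//#define READ_DEBUG`, and enable them from the compiler flags when needed.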
@@ -111,8 +111,7 @@ typedef struct {
ConnectionEnd entity;
BulkCipherAlgorithm bulk_cipher_algorithm;
CipherType cipher_type;
- uint8 IV_size; /* not specified in the protocol, but later it
- * uses it */
+ uint8 IV_size;
uint8 key_size;
uint8 key_material_length;
IsExportable is_exportable;
@@ -145,13 +144,13 @@ extern GNUTLS_Version GNUTLS_SSL3;
typedef struct {
GNUTLS_Version version;
- opaque* read_compression_state;
- opaque* write_compression_state;
+ opaque* read_compression_state;
+ opaque* write_compression_state;
GNUTLS_CIPHER_HANDLE write_cipher_state;
GNUTLS_CIPHER_HANDLE read_cipher_state;
- opaque* read_mac_secret;
- opaque* write_mac_secret;
- uint8 mac_secret_size;
+ opaque* read_mac_secret;
+ opaque* write_mac_secret;
+ uint8 mac_secret_size;
uint64 read_sequence_number;
uint64 write_sequence_number;
} ConnectionState;