diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2000-12-07 09:07:00 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2000-12-07 09:07:00 +0000 |
commit | 8ea2cb55648ba24899e57ed41b61ee7dc5bf7678 (patch) | |
tree | 44db0ee0a9166ec33a714e4116bb2481d8baee27 | |
parent | 4e5a19bcd206c131862c4204a965c6727b8b325e (diff) | |
download | gnutls-8ea2cb55648ba24899e57ed41b61ee7dc5bf7678.tar.gz |
major cleanups
-rw-r--r-- | lib/gnutls.c | 9 | ||||
-rw-r--r-- | lib/gnutls_buffers.c | 145 | ||||
-rw-r--r-- | lib/gnutls_buffers.h | 13 | ||||
-rw-r--r-- | lib/gnutls_handshake.c | 353 | ||||
-rw-r--r-- | lib/gnutls_int.h | 22 |
5 files changed, 176 insertions, 366 deletions
diff --git a/lib/gnutls.c b/lib/gnutls.c index 5e56a191ea..ee4f5e82f6 100644 --- a/lib/gnutls.c +++ b/lib/gnutls.c @@ -77,16 +77,9 @@ int gnutls_init(GNUTLS_STATE * state, ConnectionEnd con_end) (*state)->gnutls_internals.buffer = NULL; /* SSL3 stuff */ - (*state)->gnutls_internals.client_hash_buffer = NULL; - (*state)->gnutls_internals.server_hash_buffer = NULL; + (*state)->gnutls_internals.hash_buffer = NULL; (*state)->gnutls_internals.buffer_handshake = NULL; - (*state)->gnutls_internals.client_md_md5 = NULL; - (*state)->gnutls_internals.client_md_sha1 = NULL; - (*state)->gnutls_internals.server_md_md5 = NULL; - (*state)->gnutls_internals.server_md_sha1 = NULL; - (*state)->gnutls_internals.server_hash = 0; - (*state)->gnutls_internals.client_hash = 0; (*state)->gnutls_internals.resumable = RESUME_TRUE; gnutls_set_current_version ( (*state), GNUTLS_TLS1); /* default */ diff --git a/lib/gnutls_buffers.c b/lib/gnutls_buffers.c index 689d2ed03f..a8bd6db007 100644 --- a/lib/gnutls_buffers.c +++ b/lib/gnutls_buffers.c @@ -227,130 +227,75 @@ ssize_t _gnutls_Recv_int(int fd, GNUTLS_STATE state, ContentType type, void *ipt return (sizeOfPtr - left); } -int gnutls_insertHashDataBuffer( int type, GNUTLS_STATE state, char *data, int length) +int gnutls_insertHashDataBuffer( GNUTLS_STATE state, char *data, int length) { int old_buffer; - if (type==GNUTLS_SERVER) { - old_buffer = state->gnutls_internals.server_hash_bufferSize; + old_buffer = state->gnutls_internals.hash_bufferSize; - state->gnutls_internals.server_hash_bufferSize += length; -#ifdef HARD_DEBUG - fprintf(stderr, "Inserted %d bytes of SSL3 Server Hash Data(%d) into buffer\n", length, type); + state->gnutls_internals.hash_bufferSize += length; +#ifdef HANDSHAKE_DEBUG + fprintf(stderr, "Inserted %d bytes of Hash Data into buffer\n", length); #endif - state->gnutls_internals.server_hash_buffer = - gnutls_realloc(state->gnutls_internals.server_hash_buffer, - state->gnutls_internals.server_hash_bufferSize); - memmove(&state->gnutls_internals.server_hash_buffer[old_buffer], data, length); - - } else { /* GNUTLS_CLIENT */ - old_buffer = state->gnutls_internals.client_hash_bufferSize; + state->gnutls_internals.hash_buffer = + gnutls_realloc(state->gnutls_internals.hash_buffer, + state->gnutls_internals.hash_bufferSize); + memmove(&state->gnutls_internals.hash_buffer[old_buffer], data, length); - state->gnutls_internals.client_hash_bufferSize += length; -#ifdef HARD_DEBUG - fprintf(stderr, "Inserted %d bytes of SSL3 Client Hash Data(%d) into buffer\n", length, type); -#endif - state->gnutls_internals.client_hash_buffer = - gnutls_realloc(state->gnutls_internals.client_hash_buffer, - state->gnutls_internals.client_hash_bufferSize); - memmove(&state->gnutls_internals.client_hash_buffer[old_buffer], data, length); - } return 0; } -int gnutls_getHashDataBufferSize( int type, GNUTLS_STATE state) +int gnutls_getHashDataBufferSize( GNUTLS_STATE state) { - if (type==GNUTLS_SERVER) { - return state->gnutls_internals.server_hash_bufferSize; - } else { - return state->gnutls_internals.client_hash_bufferSize; - } + + return state->gnutls_internals.hash_bufferSize; } -int gnutls_getHashDataFromBuffer(int type, GNUTLS_STATE state, char *data, int length) +int gnutls_getHashDataFromBuffer( GNUTLS_STATE state, char *data, int length) { - if (type==GNUTLS_SERVER) { - if (length > state->gnutls_internals.server_hash_bufferSize) { - length = state->gnutls_internals.server_hash_bufferSize; - } -#ifdef HARD_DEBUG - fprintf(stderr, "Read %d bytes of SSL3 Server Hash Data(%d) from buffer\n", length, type); -#endif - state->gnutls_internals.server_hash_bufferSize -= length; - memmove(data, state->gnutls_internals.server_hash_buffer, length); - /* overwrite buffer */ - memmove(state->gnutls_internals.server_hash_buffer, - &state->gnutls_internals.server_hash_buffer[length], - state->gnutls_internals.server_hash_bufferSize); - state->gnutls_internals.server_hash_buffer = - gnutls_realloc(state->gnutls_internals.server_hash_buffer, - state->gnutls_internals.server_hash_bufferSize); - - return length; - } else { /* CLIENT */ - if (length > state->gnutls_internals.client_hash_bufferSize) { - length = state->gnutls_internals.client_hash_bufferSize; - } -#ifdef HARD_DEBUG - fprintf(stderr, "Read %d bytes of SSL3 Client Hash Data(%d) from buffer\n", length, type); -#endif - state->gnutls_internals.client_hash_bufferSize -= length; - memmove(data, state->gnutls_internals.client_hash_buffer, length); - /* overwrite buffer */ - memmove(state->gnutls_internals.client_hash_buffer, - &state->gnutls_internals.client_hash_buffer[length], - state->gnutls_internals.client_hash_bufferSize); - state->gnutls_internals.client_hash_buffer = - gnutls_realloc(state->gnutls_internals.client_hash_buffer, - state->gnutls_internals.client_hash_bufferSize); - - return length; + if (length > state->gnutls_internals.hash_bufferSize) { + length = state->gnutls_internals.hash_bufferSize; } +#ifdef HANDSHAKE_DEBUG + fprintf(stderr, "Got %d bytes of Hash Data from buffer\n", length); +#endif + state->gnutls_internals.hash_bufferSize -= length; + memmove(data, state->gnutls_internals.hash_buffer, length); + /* overwrite buffer */ + memmove(state->gnutls_internals.hash_buffer, + &state->gnutls_internals.hash_buffer[length], + state->gnutls_internals.hash_bufferSize); + state->gnutls_internals.hash_buffer = + gnutls_realloc(state->gnutls_internals.hash_buffer, + state->gnutls_internals.hash_bufferSize); + + return length; + } -int gnutls_readHashDataFromBuffer(int type, GNUTLS_STATE state, char *data, int length) +int gnutls_readHashDataFromBuffer( GNUTLS_STATE state, char *data, int length) { - if (type==GNUTLS_SERVER) { - if (length > state->gnutls_internals.server_hash_bufferSize) { - length = state->gnutls_internals.server_hash_bufferSize; - } -#ifdef HARD_DEBUG - fprintf(stderr, "Read %d bytes of SSL3 Server Hash Data(%d) from buffer\n", length, type); -#endif - memmove(data, state->gnutls_internals.server_hash_buffer, length); - return length; - - } else { /* CLIENT */ - if (length > state->gnutls_internals.client_hash_bufferSize) { - length = state->gnutls_internals.client_hash_bufferSize; - } -#ifdef HARD_DEBUG - fprintf(stderr, "Read %d bytes of SSL3 Client Hash Data(%d) from buffer\n", length, type); -#endif - memmove(data, state->gnutls_internals.client_hash_buffer, length); - return length; + if (length > state->gnutls_internals.hash_bufferSize) { + length = state->gnutls_internals.hash_bufferSize; } +#ifdef HANDSHAKE_DEBUG + fprintf(stderr, "Read %d bytes of Hash Data from buffer\n", length); +#endif + memmove(data, state->gnutls_internals.hash_buffer, length); + return length; } -int gnutls_clearHashDataBuffer(int type, GNUTLS_STATE state) +int gnutls_clearHashDataBuffer( GNUTLS_STATE state) { - if (type==GNUTLS_SERVER) { -#ifdef HARD_DEBUG - fprintf(stderr, "Cleared SSL3 Server Hash Data(%d) from buffer\n",type); -#endif - state->gnutls_internals.server_hash_bufferSize = 0; - gnutls_free(state->gnutls_internals.server_hash_buffer); - state->gnutls_internals.server_hash_buffer = NULL; - } else { /* CLIENT */ -#ifdef HARD_DEBUG - fprintf(stderr, "Cleared SSL3 Client Hash Data(%d) from buffer\n", type); + +#ifdef HANDSHAKE_DEBUG + fprintf(stderr, "Cleared Hash Data from buffer\n"); #endif - state->gnutls_internals.client_hash_bufferSize = 0; - gnutls_free(state->gnutls_internals.client_hash_buffer); - state->gnutls_internals.client_hash_buffer = NULL; - } + state->gnutls_internals.hash_bufferSize = 0; + gnutls_free(state->gnutls_internals.hash_buffer); + state->gnutls_internals.hash_buffer = NULL; return 0; } diff --git a/lib/gnutls_buffers.h b/lib/gnutls_buffers.h index 4a04dc69f1..7baa97f969 100644 --- a/lib/gnutls_buffers.h +++ b/lib/gnutls_buffers.h @@ -5,8 +5,11 @@ ssize_t _gnutls_Read(int fd, void *iptr, size_t n); ssize_t _gnutls_Write(int fd, const void *iptr, size_t n); /* used in SSL3 */ -int gnutls_getHashDataFromBuffer(int type, GNUTLS_STATE state, char *data, int length); -int gnutls_getHashDataBufferSize(int type, GNUTLS_STATE state); -int gnutls_readHashDataFromBuffer(int type, GNUTLS_STATE state, char *data, int length); -int gnutls_insertHashDataBuffer(int type, GNUTLS_STATE state, char *data, int length); -int gnutls_clearHashDataBuffer(int type, GNUTLS_STATE state); +int gnutls_getHashDataFromBuffer( GNUTLS_STATE state, char *data, int length); +int gnutls_getHashDataBufferSize( GNUTLS_STATE state); +int gnutls_readHashDataFromBuffer( GNUTLS_STATE state, char *data, int length); +int gnutls_insertHashDataBuffer( GNUTLS_STATE state, char *data, int length); +int gnutls_clearHashDataBuffer( GNUTLS_STATE state); + +ssize_t _gnutls_Recv_int(int fd, GNUTLS_STATE state, ContentType type, void *iptr, size_t sizeOfPtr); +ssize_t _gnutls_Send_int(int fd, GNUTLS_STATE state, ContentType type, void *iptr, size_t n); diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index d2a23f0a78..2cf93e1e38 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -39,13 +39,11 @@ #define ERR(x, y) #endif -#define HASH_TRUE 1 -#define HASH_FALSE 0 /* Calculate The SSL3 Finished message */ #define SSL3_CLIENT_MSG "CLNT" #define SSL3_SERVER_MSG "SRVR" -void* _gnutls_ssl3_finished( GNUTLS_STATE state, int type) { +void* _gnutls_ssl3_finished( GNUTLS_STATE state, int type, int skip) { int siz; GNUTLS_MAC_HANDLE td; GNUTLS_MAC_HANDLE td2; @@ -56,10 +54,10 @@ void* _gnutls_ssl3_finished( GNUTLS_STATE state, int type) { td = gnutls_mac_init_ssl3( GNUTLS_MAC_MD5, state->security_parameters.master_secret, 48); td2 = gnutls_mac_init_ssl3( GNUTLS_MAC_SHA, state->security_parameters.master_secret, 48); - siz = gnutls_getHashDataBufferSize( type, state); + siz = gnutls_getHashDataBufferSize( state) - skip; data = gnutls_malloc( siz); - gnutls_getHashDataFromBuffer( type, state, data, siz); + gnutls_readHashDataFromBuffer( state, data, siz); gnutls_mac_ssl3(td, data, siz); gnutls_mac_ssl3(td2, data, siz); @@ -70,8 +68,8 @@ void* _gnutls_ssl3_finished( GNUTLS_STATE state, int type) { } else { mesg = SSL3_CLIENT_MSG; } + siz = strlen(mesg); - gnutls_mac_ssl3(td, mesg, siz); gnutls_mac_ssl3(td2, mesg, siz); @@ -87,52 +85,70 @@ void* _gnutls_ssl3_finished( GNUTLS_STATE state, int type) { return concat; } +/* Hash the handshake messages as required by TLS 1.0 */ +#define SERVER_MSG "server finished" +#define CLIENT_MSG "client finished" +void* _gnutls_finished( GNUTLS_STATE state, int type, int skip) { + int siz; + GNUTLS_MAC_HANDLE td; + GNUTLS_MAC_HANDLE td2; + char* data; + char concat[36]; + char *mesg; + + td = gnutls_hash_init( GNUTLS_MAC_MD5); + td2 = gnutls_hash_init( GNUTLS_MAC_SHA); + + siz = gnutls_getHashDataBufferSize( state) - skip; + data = gnutls_malloc( siz); + + gnutls_readHashDataFromBuffer( state, data, siz); + + gnutls_hash(td, data, siz); + gnutls_hash(td2, data, siz); + + gnutls_free(data); + + data = gnutls_hash_deinit(td); + memcpy( concat, data, 16); + gnutls_free(data); + + data = gnutls_hash_deinit(td2); + + memcpy( &concat[16], data, 20); + gnutls_free(data); + + if (type==GNUTLS_SERVER) { + mesg=SERVER_MSG; + } else { + mesg=CLIENT_MSG; + } + data = + gnutls_PRF( state->security_parameters.master_secret, + 48, mesg, strlen(mesg), concat, + 36, 12); + return data; +} + /* This is to be called after sending CHANGE CIPHER SPEC packet * and initializing encryption. This is the first encrypted message * we send. */ -#define SERVER_MSG "server finished" -#define CLIENT_MSG "client finished" int _gnutls_send_finished(int cd, GNUTLS_STATE state) { uint8 *data; - uint8 concat[36]; /* md5+sha1 */ int ret; int data_size; - if (state->security_parameters.entity == GNUTLS_CLIENT) { /* we are a CLIENT */ - if (_gnutls_version_ssl3(state->connection_state.version) == 0) { /* SSL 3 */ - data = _gnutls_ssl3_finished( state, GNUTLS_CLIENT); - data_size = 36; - } else { - memmove(concat, state->gnutls_internals.client_md_md5, 16); - memmove(&concat[16], - state->gnutls_internals.client_md_sha1, 20); - - data = - gnutls_PRF( state->security_parameters.master_secret, - 48, CLIENT_MSG, strlen(CLIENT_MSG), concat, - 36, 12); - data_size = 12; - } - } else { /* SERVER SIDE */ - if (_gnutls_version_ssl3(state->connection_state.version) == 0) { - data = _gnutls_ssl3_finished( state, GNUTLS_SERVER); - data_size = 36; - } else { /* TLS 1 - Using PRF */ - memmove(concat, state->gnutls_internals.server_md_md5, 16); - memmove(&concat[16], - state->gnutls_internals.server_md_sha1, 20); - - data = - gnutls_PRF( state->security_parameters.master_secret, - 48, SERVER_MSG, strlen(SERVER_MSG), concat, - 36, 12); - data_size = 12; - - } + if (_gnutls_version_ssl3(state->connection_state.version) == 0) { + data = _gnutls_ssl3_finished( state, state->security_parameters.entity, 0); + data_size = 36; + } else { /* TLS 1.0 */ + data = _gnutls_finished( state, state->security_parameters.entity, 0); + data_size=12; } + fprintf(stderr, "Finished: %s\n", _gnutls_bin2hex(data, data_size)); ret = _gnutls_send_handshake(cd, state, data, data_size, GNUTLS_FINISHED); @@ -144,11 +160,12 @@ fprintf(stderr, "Finished: %s\n", _gnutls_bin2hex(data, data_size)); /* This is to be called after sending our finished message. If everything * went fine we have negotiated a secure connection */ +#define HANDSHAKE_HEADERS_SIZE 4 int _gnutls_recv_finished(int cd, GNUTLS_STATE state) { uint8 *data, *vrfy; int data_size; - uint8 concat[36]; /* md5+sha1 */ + uint8* concat; /* md5+sha1 */ int ret; int vrfysize; @@ -165,38 +182,17 @@ int _gnutls_recv_finished(int cd, GNUTLS_STATE state) } else { data_size=12; } - + if (vrfysize != data_size) { gnutls_assert(); return GNUTLS_E_ERROR_IN_FINISHED_PACKET; } - if (state->security_parameters.entity == GNUTLS_CLIENT) { - if (_gnutls_version_ssl3(state->connection_state.version) == 0) { - data = _gnutls_ssl3_finished( state, GNUTLS_SERVER); - } else { - memmove(concat, state->gnutls_internals.server_md_md5, 16); - memmove(&concat[16], - state->gnutls_internals.server_md_sha1, 20); - - data = - gnutls_PRF( state->security_parameters.master_secret, - 48, SERVER_MSG, strlen(SERVER_MSG), concat, - 36, 12); - } - } else { /* SERVER SIDE */ - if (_gnutls_version_ssl3(state->connection_state.version) == 0) { - data = _gnutls_ssl3_finished( state, GNUTLS_CLIENT); - } else { /* TLS 1.0 */ - memmove(concat, state->gnutls_internals.client_md_md5, 16); - memmove(&concat[16], - state->gnutls_internals.client_md_sha1, 20); - - data = - gnutls_PRF( state->security_parameters.master_secret, - 48, CLIENT_MSG, strlen(CLIENT_MSG), concat, - 36, 12); - } + if (_gnutls_version_ssl3(state->connection_state.version) == 0) { + /* skip the bytes from the last message */ + data = _gnutls_ssl3_finished( state, (state->security_parameters.entity+1)%2, vrfysize + HANDSHAKE_HEADERS_SIZE); + } else { /* TLS 1.0 */ + data = _gnutls_finished( state, (state->security_parameters.entity+1)%2, vrfysize + HANDSHAKE_HEADERS_SIZE); } if (memcmp(vrfy, data, data_size) != 0) { @@ -294,7 +290,7 @@ int _gnutls_send_handshake(int cd, GNUTLS_STATE state, void *i_data, length = uint32touint24(datasize); - i_datasize += 4; + i_datasize += HANDSHAKE_HEADERS_SIZE; data = gnutls_malloc(i_datasize); memmove(&data[pos++], &type, 1); @@ -305,29 +301,15 @@ int _gnutls_send_handshake(int cd, GNUTLS_STATE state, void *i_data, if (i_datasize > 4) memmove(&data[pos], i_data, i_datasize - 4); - /* Here we hash - for TLS - or keep the message in a buffer - for SSL 3.0 - in order - * to calculate the MAC of the messages for finished message +#ifdef HANDSHAKE_DEBUG + fprintf(stderr, "Send HANDSHAKE[%d] of %d bytes\n", type, i_datasize+4); +#endif + + /* Here we keep the handshake messages in order to hash them later! */ - if (state->gnutls_internals.client_hash == HASH_TRUE) { - if (_gnutls_version_ssl3(state->connection_state.version) == 0) { - gnutls_insertHashDataBuffer( GNUTLS_CLIENT, state, data, i_datasize); - } else { /* TLS 1 */ - gnutls_hash(state->gnutls_internals.client_td_md5, data, i_datasize); - gnutls_hash(state->gnutls_internals.client_td_sha1, data, i_datasize); - } - } - if (state->gnutls_internals.server_hash == HASH_TRUE) { - if (_gnutls_version_ssl3(state->connection_state.version) == 0) { - gnutls_insertHashDataBuffer( GNUTLS_SERVER, state, data, i_datasize); - } else { /* TLS 1 */ - gnutls_hash(state->gnutls_internals.server_td_md5, data, i_datasize); - gnutls_hash(state->gnutls_internals.server_td_sha1, data, i_datasize); - } - } + if (type!=GNUTLS_HELLO_REQUEST) + gnutls_insertHashDataBuffer( state, data, i_datasize); -#ifdef HARD_DEBUG - fprintf(stderr, "Send HANDSHAKE[%d]\n", type); -#endif ret = _gnutls_Send_int(cd, state, GNUTLS_HANDSHAKE, data, i_datasize); @@ -362,23 +344,19 @@ int _gnutls_recv_handshake(int cd, GNUTLS_STATE state, uint8 **data, } } - dataptr = gnutls_malloc(4); + dataptr = gnutls_malloc(HANDSHAKE_HEADERS_SIZE); - ret = _gnutls_Recv_int(cd, state, GNUTLS_HANDSHAKE, dataptr, 4); + ret = _gnutls_Recv_int(cd, state, GNUTLS_HANDSHAKE, dataptr, HANDSHAKE_HEADERS_SIZE); if (ret < 0) { gnutls_free(dataptr); return ret; } - if (ret!=4) { + if (ret!=HANDSHAKE_HEADERS_SIZE) { gnutls_assert(); gnutls_free(dataptr); return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } -#ifdef HARD_DEBUG - fprintf(stderr, "Received HANDSHAKE[%d]\n", dataptr[0]); -#endif - if (dataptr[0]!=type) { gnutls_assert(); gnutls_free(dataptr); @@ -393,18 +371,21 @@ int _gnutls_recv_handshake(int cd, GNUTLS_STATE state, uint8 **data, #ifndef WORDS_BIGENDIAN length32 = byteswap32(length32); #endif +#ifdef HANDSHAKE_DEBUG + fprintf(stderr, "Received HANDSHAKE[%d] of %d bytes\n", dataptr[0], length32+4); +#endif - dataptr = gnutls_realloc( dataptr, length32+4); + dataptr = gnutls_realloc( dataptr, length32+HANDSHAKE_HEADERS_SIZE); if (length32>0 && data!=NULL) *data = gnutls_malloc( length32); if (datalen!=NULL) *datalen = length32; - sum=4; + sum=HANDSHAKE_HEADERS_SIZE; do { ret = _gnutls_Recv_int(cd, state, GNUTLS_HANDSHAKE, &dataptr[sum], length32); sum += ret; - } while( ( (sum-4) < length32) && (ret > 0) ); + } while( ( (sum-HANDSHAKE_HEADERS_SIZE) < length32) && (ret > 0) ); if (ret < 0) { gnutls_assert(); @@ -414,38 +395,19 @@ int _gnutls_recv_handshake(int cd, GNUTLS_STATE state, uint8 **data, ret = GNUTLS_E_UNKNOWN_ERROR; if (length32 > 0 && data!=NULL) - memmove( *data, &dataptr[4], length32); + memmove( *data, &dataptr[HANDSHAKE_HEADERS_SIZE], length32); /* here we do the hashing work needed at Finished message */ - if (state->gnutls_internals.server_hash == HASH_TRUE) { - if (_gnutls_version_ssl3(state->connection_state.version) == 0) { - gnutls_insertHashDataBuffer( GNUTLS_SERVER, state, dataptr, length32+4); - } else { /* TLS 1 */ - gnutls_hash(state->gnutls_internals.server_td_md5, dataptr, - length32 + 4); - gnutls_hash(state->gnutls_internals.server_td_sha1, dataptr, - length32 + 4); - } - } - if (state->gnutls_internals.client_hash == HASH_TRUE) { - if (_gnutls_version_ssl3(state->connection_state.version) == 0) { - gnutls_insertHashDataBuffer( GNUTLS_CLIENT, state, dataptr, length32+4); - } else { /* TLS 1 */ - gnutls_hash(state->gnutls_internals.client_td_md5, dataptr, - length32 + 4); - gnutls_hash(state->gnutls_internals.client_td_sha1, dataptr, - length32 + 4); - } - } - + gnutls_insertHashDataBuffer( state, dataptr, length32+HANDSHAKE_HEADERS_SIZE); + switch (dataptr[0]) { case GNUTLS_CLIENT_HELLO: case GNUTLS_SERVER_HELLO: - ret = _gnutls_recv_hello(cd, state, &dataptr[4], + ret = _gnutls_recv_hello(cd, state, &dataptr[HANDSHAKE_HEADERS_SIZE], length32, NULL, 0); break; case GNUTLS_CERTIFICATE: - ret = _gnutls_recv_certificate(cd, state, &dataptr[4], + ret = _gnutls_recv_certificate(cd, state, &dataptr[HANDSHAKE_HEADERS_SIZE], length32); break; case GNUTLS_SERVER_HELLO_DONE: @@ -864,113 +826,78 @@ int _gnutls_recv_certificate(int cd, GNUTLS_STATE state, char *data, int datalen * everything. (exchange hello messages etc). */ -#define HASH(x) state->gnutls_internals.x=HASH_TRUE -#define NOT_HASH(x) state->gnutls_internals.x=HASH_FALSE int gnutls_handshake(int cd, GNUTLS_STATE state) { int ret; char *session_id; uint8 session_id_size; - /* These are in order to hash the messages transmitted and received. - * (needed by the protocol) - */ -// if (_gnutls_version_ssl3(state->connection_state.version) != 0) { /* TLS */ - state->gnutls_internals.client_td_md5 = gnutls_hash_init(GNUTLS_MAC_MD5); - state->gnutls_internals.client_td_sha1 = gnutls_hash_init(GNUTLS_MAC_SHA); - state->gnutls_internals.server_td_md5 = gnutls_hash_init(GNUTLS_MAC_MD5); - state->gnutls_internals.server_td_sha1 = gnutls_hash_init(GNUTLS_MAC_SHA); -// } if (state->security_parameters.entity == GNUTLS_CLIENT) { - HASH(client_hash); - HASH(server_hash); ret = _gnutls_send_hello(cd, state, NULL, 0); - NOT_HASH(client_hash); - NOT_HASH(server_hash); if (ret < 0) { ERR("send hello", ret); + gnutls_clearHashDataBuffer( state); return ret; } /* receive the server hello */ - HASH(client_hash); - HASH(server_hash); ret = _gnutls_recv_handshake(cd, state, NULL, NULL, GNUTLS_SERVER_HELLO); - NOT_HASH(client_hash); - NOT_HASH(server_hash); if (ret < 0) { ERR("recv hello", ret); + gnutls_clearHashDataBuffer( state); return ret; } /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */ - HASH(client_hash); - HASH(server_hash); ret = _gnutls_recv_handshake(cd, state, NULL, NULL, GNUTLS_CERTIFICATE); - NOT_HASH(client_hash); - NOT_HASH(server_hash); if (ret < 0) { ERR("recv server certificate", ret); + gnutls_clearHashDataBuffer( state); return ret; } /* receive the server key exchange */ - HASH(client_hash); - HASH(server_hash); ret = _gnutls_recv_server_kx_message(cd, state); - NOT_HASH(client_hash); - NOT_HASH(server_hash); if (ret < 0) { ERR("recv server kx message", ret); + gnutls_clearHashDataBuffer( state); return ret; } /* receive the server hello done */ - HASH(client_hash); - HASH(server_hash); ret = _gnutls_recv_handshake(cd, state, NULL, NULL, GNUTLS_SERVER_HELLO_DONE); - NOT_HASH(client_hash); - NOT_HASH(server_hash); if (ret < 0) { ERR("recv server hello done", ret); + gnutls_clearHashDataBuffer( state); return ret; } /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */ - HASH(client_hash); - HASH(server_hash); ret = _gnutls_send_client_certificate(cd, state); - NOT_HASH(client_hash); - NOT_HASH(server_hash); if (ret < 0) { ERR("send client certificate", ret); + gnutls_clearHashDataBuffer( state); return ret; } - HASH(client_hash); - HASH(server_hash); ret = _gnutls_send_client_kx_message(cd, state); - NOT_HASH(client_hash); - NOT_HASH(server_hash); if (ret < 0) { ERR("send client kx", ret); + gnutls_clearHashDataBuffer( state); return ret; } - HASH(client_hash); - HASH(server_hash); ret = _gnutls_send_client_certificate_verify( cd, state); - NOT_HASH(client_hash); - NOT_HASH(server_hash); if (ret < 0) { ERR("send client certificate verify", ret); + gnutls_clearHashDataBuffer( state); return ret; } @@ -978,28 +905,24 @@ int gnutls_handshake(int cd, GNUTLS_STATE state) ret = _gnutls_send_change_cipher_spec(cd, state); if (ret < 0) { ERR("send ChangeCipherSpec", ret); + gnutls_clearHashDataBuffer( state); return ret; } -// if (_gnutls_version_ssl3(state->connection_state.version) != 0) { /* TLS1 */ - state->gnutls_internals.client_md_md5 = - gnutls_hash_deinit(state->gnutls_internals.client_td_md5); - state->gnutls_internals.client_md_sha1 = - gnutls_hash_deinit(state->gnutls_internals.client_td_sha1); -// } + /* Initialize the connection state (start encryption) */ ret = _gnutls_connection_state_init(state); - if (ret<0) return ret; + if (ret<0) { + gnutls_clearHashDataBuffer( state); + return ret; + } /* send the finished message */ - NOT_HASH(client_hash); - HASH(server_hash); ret = _gnutls_send_finished(cd, state); - NOT_HASH(client_hash); - NOT_HASH(server_hash); if (ret < 0) { ERR("send Finished", ret); + gnutls_clearHashDataBuffer( state); return ret; } @@ -1009,89 +932,63 @@ int gnutls_handshake(int cd, GNUTLS_STATE state) NULL, 0); if (ret < 0) { ERR("recv ChangeCipherSpec", ret); + gnutls_clearHashDataBuffer( state); return ret; } -// if (_gnutls_version_ssl3(state->connection_state.version) != 0) { /* TLS1 */ - state->gnutls_internals.server_md_md5 = - gnutls_hash_deinit(state->gnutls_internals.server_td_md5); - state->gnutls_internals.server_md_sha1 = - gnutls_hash_deinit(state->gnutls_internals.server_td_sha1); -// } - NOT_HASH(client_hash); - NOT_HASH(server_hash); ret = _gnutls_recv_finished(cd, state); if (ret < 0) { ERR("recv finished", ret); + gnutls_clearHashDataBuffer( state); return ret; } - gnutls_free(state->gnutls_internals.client_md_md5); - gnutls_free(state->gnutls_internals.client_md_sha1); - gnutls_free(state->gnutls_internals.server_md_md5); - gnutls_free(state->gnutls_internals.server_md_sha1); - } else { /* SERVER */ - HASH(client_hash); - HASH(server_hash); ret = _gnutls_recv_handshake(cd, state, NULL, NULL, GNUTLS_CLIENT_HELLO); - NOT_HASH(client_hash); - NOT_HASH(server_hash); if (ret < 0) { ERR("recv hello", ret); + gnutls_clearHashDataBuffer( state); return ret; } _gnutls_generate_session_id(&session_id, &session_id_size); - HASH(client_hash); - HASH(server_hash); ret = _gnutls_send_hello(cd, state, session_id, session_id_size); - NOT_HASH(client_hash); - NOT_HASH(server_hash); if (ret < 0) { ERR("send hello", ret); + gnutls_clearHashDataBuffer( state); return ret; } gnutls_free(session_id); /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */ - HASH(client_hash); - HASH(server_hash); ret = _gnutls_send_server_kx_message(cd, state); - NOT_HASH(client_hash); - NOT_HASH(server_hash); if (ret < 0) { ERR("send server kx", ret); + gnutls_clearHashDataBuffer( state); return ret; } /* send the server hello done */ - HASH(client_hash); - HASH(server_hash); ret = _gnutls_send_handshake(cd, state, NULL, 0, GNUTLS_SERVER_HELLO_DONE); - NOT_HASH(client_hash); - NOT_HASH(server_hash); if (ret < 0) { ERR("send server hello done", ret); + gnutls_clearHashDataBuffer( state); return ret; } /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */ - HASH(client_hash); - HASH(server_hash); ret = _gnutls_recv_client_kx_message(cd, state); - NOT_HASH(client_hash); - NOT_HASH(server_hash); if (ret < 0) { ERR("recv client kx", ret); + gnutls_clearHashDataBuffer( state); return ret; } @@ -1105,51 +1002,35 @@ int gnutls_handshake(int cd, GNUTLS_STATE state) /* Initialize the connection state (start encryption) */ ret = _gnutls_connection_state_init(state); - if (ret<0) return ret; + if (ret<0) { + gnutls_clearHashDataBuffer( state); + return ret; + } -// if (_gnutls_version_ssl3(state->connection_state.version) != 0) { /* TLS 1.0 */ - state->gnutls_internals.client_md_md5 = - gnutls_hash_deinit(state->gnutls_internals.client_td_md5); - state->gnutls_internals.client_md_sha1 = - gnutls_hash_deinit(state->gnutls_internals.client_td_sha1); -// } - NOT_HASH(client_hash); - HASH(server_hash); ret = _gnutls_recv_finished(cd, state); - NOT_HASH(client_hash); - NOT_HASH(server_hash); if (ret < 0) { ERR("recv finished", ret); + gnutls_clearHashDataBuffer( state); return ret; } ret = _gnutls_send_change_cipher_spec(cd, state); if (ret < 0) { ERR("send ChangeCipherSpec", ret); + gnutls_clearHashDataBuffer( state); return ret; } -// if (_gnutls_version_ssl3(state->connection_state.version) != 0) { /* TLS 1.0 */ - state->gnutls_internals.server_md_md5 = - gnutls_hash_deinit(state->gnutls_internals.server_td_md5); - state->gnutls_internals.server_md_sha1 = - gnutls_hash_deinit(state->gnutls_internals.server_td_sha1); -// } - NOT_HASH(client_hash); - NOT_HASH(server_hash); ret = _gnutls_send_finished(cd, state); if (ret < 0) { ERR("send finished", ret); + gnutls_clearHashDataBuffer( state); return ret; } - gnutls_free(state->gnutls_internals.server_md_md5); - gnutls_free(state->gnutls_internals.server_md_sha1); - gnutls_free(state->gnutls_internals.client_md_md5); - gnutls_free(state->gnutls_internals.client_md_sha1); - } - + /* clear handshake buffer */ + gnutls_clearHashDataBuffer( state); return ret; } diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index b4ba02943f..34313726b9 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -2,8 +2,9 @@ #define GNUTLS_INT_H -#define HARD_DEBUG -#define READ_DEBUG +#define HANDSHAKE_DEBUG +//#define HARD_DEBUG +//#define READ_DEBUG //#define WRITE_DEBUG #define DEBUG @@ -177,10 +178,8 @@ typedef struct { typedef struct { char* buffer; uint32 bufferSize; - char* client_hash_buffer; /* used in SSL3 */ - uint32 client_hash_bufferSize; /* used in SSL3 */ - char* server_hash_buffer; /* used in SSL3 */ - uint32 server_hash_bufferSize; /* used in SSL3 */ + char* hash_buffer; /* used in SSL3 */ + uint32 hash_bufferSize; /* used in SSL3 */ char* buffer_handshake; uint32 bufferSize_handshake; ResumableSession resumable; /* TRUE or FALSE */ @@ -188,17 +187,6 @@ typedef struct { AlertDescription last_alert; /* last alert received */ GNUTLS_CipherSuite current_cipher_suite; CompressionMethod compression_method; - /* for the handshake protocol */ - GNUTLS_MAC_HANDLE client_td_md5; - GNUTLS_MAC_HANDLE client_td_sha1; - void* client_md_md5; - void* client_md_sha1; - GNUTLS_MAC_HANDLE server_td_md5; - GNUTLS_MAC_HANDLE server_td_sha1; - void* server_md_md5; - void* server_md_sha1; - int server_hash; - int client_hash; /* For DH KX */ MPI KEY; MPI client_Y; |