Improved support of draft-ietf-tls-session-hash-02.

Now the session hash is calculated correctly even when a
client certificate is sent. That is, the session hash now
does not take into account the CertificateVerify message.

2 files changed, 24 insertions, 5 deletions

diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index cb00c821a9..2fec7c670f 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -116,6 +116,7 @@ recv_hello_verify_request(gnutls_session_t session,
 void _gnutls_handshake_hash_buffers_clear(gnutls_session_t session)
 {
 	session->internals.handshake_hash_buffer_prev_len = 0;
+	session->internals.handshake_hash_buffer_client_kx_len = 0;
 	_gnutls_buffer_clear(&session->internals.handshake_hash_buffer);
 }
 
@@ -1355,6 +1356,13 @@ handshake_hash_add_recvd(gnutls_session_t session,
 			return gnutls_assert_val(ret);
 	}
 
+	/* save the size until client KX. That is because the TLS
+	 * session hash is calculated up to this message.
+	 */
+	if (recv_type == GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE)
+		session->internals.handshake_hash_buffer_client_kx_len =
+			session->internals.handshake_hash_buffer.length;
+
 	return 0;
 }
 
@@ -1397,6 +1405,10 @@ handshake_hash_add_sent(gnutls_session_t session,
 		if (ret < 0)
 			return gnutls_assert_val(ret);
 
+		if (type == GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE)
+			session->internals.handshake_hash_buffer_client_kx_len =
+				session->internals.handshake_hash_buffer.length;
+
 		return 0;
 	}
 
@@ -3591,6 +3603,12 @@ int _gnutls_handshake_get_session_hash(gnutls_session_t session, gnutls_datum_t
 	if (unlikely(ver == NULL))
 		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
 
+	if (session->internals.handshake_hash_buffer_client_kx_len == 0 ||
+	    (session->internals.handshake_hash_buffer.length <
+	    session->internals.handshake_hash_buffer_client_kx_len)) {
+			return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+	}
+
 	if (_gnutls_version_has_selectable_prf(ver)) { /* TLS 1.2+ */
 		gnutls_mac_algorithm_t prf;
 
@@ -3604,8 +3622,8 @@ int _gnutls_handshake_get_session_hash(gnutls_session_t session, gnutls_datum_t
 		    _gnutls_hash_fast((gnutls_digest_algorithm_t)me->id,
 				      session->internals.handshake_hash_buffer.
 				      data,
-				      session->internals.handshake_hash_buffer.
-				      length, concat);
+				      session->internals.handshake_hash_buffer_client_kx_len,
+				      concat);
 		if (ret < 0)
 			return gnutls_assert_val(ret);
 
@@ -3619,7 +3637,7 @@ int _gnutls_handshake_get_session_hash(gnutls_session_t session, gnutls_datum_t
 
 		_gnutls_hash(&td_sha,
 			     session->internals.handshake_hash_buffer.data,
-			     session->internals.handshake_hash_buffer.length);
+			     session->internals.handshake_hash_buffer_client_kx_len);
 
 		_gnutls_hash_deinit(&td_sha, &concat[16]);
 
@@ -3631,8 +3649,7 @@ int _gnutls_handshake_get_session_hash(gnutls_session_t session, gnutls_datum_t
 
 		_gnutls_hash(&td_md5,
 			     session->internals.handshake_hash_buffer.data,
-			     session->internals.handshake_hash_buffer.
-			     length);
+			     session->internals.handshake_hash_buffer_client_kx_len);
 
 		_gnutls_hash_deinit(&td_md5, concat);
 
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 2782bfc4e5..7faa5ace05 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -757,6 +757,8 @@ typedef struct {
 
 	int handshake_hash_buffer_prev_len;	/* keeps the length of handshake_hash_buffer, excluding
 						 * the last received message */
+	unsigned handshake_hash_buffer_client_kx_len;/* if non-zero it is the length of data until the
+						 * the client key exchange message */
 	gnutls_buffer_st handshake_hash_buffer;	/* used to keep the last received handshake 
 						 * message */
 	bool resumable;	/* TRUE or FALSE - if we can resume that session */