author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2009-11-01 02:54:08 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2009-11-01 02:54:08 +0200 |
commit | 6773d2ddb01d86fa283ce154b419e989916ab3f7 (patch) | |
tree | c3e38318016acfd0c50c8a4f6d694f5aa6d6f08a /lib/gnutls_handshake.c | |
parent | 9a262d093744f37b26f45c4e74d22f3a5a425211 (diff) | |
download | gnutls-6773d2ddb01d86fa283ce154b419e989916ab3f7.tar.gz |
Improved TLS 1.2 support. Added support for the SignatureAlgorithm extension
as well as for the SignatureAlgorithm in the certificate request.
Limitation for TLS 1.2 clients:
Only SHA1 or SHA256 are supported for generating signatures in
certificate verify message. That is to avoid storing all handshake
messages in memory. To be reconsidered in the future.
Diffstat (limited to 'lib/gnutls_handshake.c')
-rw-r--r-- | lib/gnutls_handshake.c | 27 |
1 files changed, 20 insertions, 7 deletions
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 7423f2737c..b7d5af3310 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -90,7 +90,9 @@ _gnutls_handshake_hash_buffers_clear (gnutls_session_t session) handshake_mac_handle_type == HANDSHAKE_MAC_TYPE_12) { _gnutls_hash_deinit (&session->internals.
- handshake_mac_handle.tls12.mac, NULL);
+ handshake_mac_handle.tls12.sha256, NULL);
+ _gnutls_hash_deinit (&session->internals.
+ handshake_mac_handle.tls12.sha1, NULL); } session->security_parameters.handshake_mac_handle_type = 0; session->internals.handshake_mac_handle_init = 0;
@@ -261,7 +263,7 @@ _gnutls_finished (gnutls_session_t session, int type, void *ret) handshake_mac_handle_type == HANDSHAKE_MAC_TYPE_12) { rc = _gnutls_hash_copy (&td_sha, &session->internals.
- handshake_mac_handle.tls12.mac);
+ handshake_mac_handle.tls12.sha256); if (rc < 0) { gnutls_assert ();
@@ -574,7 +576,8 @@ _gnutls_handshake_hash_pending (gnutls_session_t session) } else if (session->security_parameters.handshake_mac_handle_type == HANDSHAKE_MAC_TYPE_12) {
- _gnutls_hash (&session->internals.handshake_mac_handle.tls12.mac, data, siz);
+ _gnutls_hash (&session->internals.handshake_mac_handle.tls12.sha256, data, siz);
+ _gnutls_hash (&session->internals.handshake_mac_handle.tls12.sha1, data, siz); } }
@@ -984,7 +987,9 @@ _gnutls_handshake_hash_add_sent (gnutls_session_t session, } else if (session->security_parameters.handshake_mac_handle_type == HANDSHAKE_MAC_TYPE_12) {
- _gnutls_hash (&session->internals.handshake_mac_handle.tls12.mac, dataptr,
+ _gnutls_hash (&session->internals.handshake_mac_handle.tls12.sha256, dataptr,
+ datalen);
+ _gnutls_hash (&session->internals.handshake_mac_handle.tls12.sha1, dataptr, datalen); } }
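Review bot: The TLS 1.2 branch now has to update two digest handles in lockstep, and the pair of `_gnutls_hash` calls is written out by hand in both `_gnutls_handshake_hash_pending` (hunk @@ -574) and `_gnutls_handshake_hash_add_sent` (hunk @@ -984), with the matching pair of `_gnutls_hash_deinit` calls in `_gnutls_handshake_hash_buffers_clear` (hunk @@ -90). A small `static` helper such as `handshake_hash_tls12_add (session, data, len)` that feeds both `tls12.sha256` and `tls12.sha1` would keep the call sites from drifting when another one is added; a message fed to only one digest would presumably surface only as a CertificateVerify or Finished mismatch at the peer, which is hard to trace back to this file. All four enclosing functions start and end outside their hunks.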
@@ -2301,14 +2306,22 @@ _gnutls_handshake_hash_init (gnutls_session_t session) /* The algorithm to compute hash over handshake messages must be same as the one used as the basis for PRF. By now we use SHA256. */
- gnutls_digest_algorithm_t hash_algo = GNUTLS_MAC_SHA256;
+ ret =
+ _gnutls_hash_init (&session->internals.handshake_mac_handle.tls12.sha256,
+ GNUTLS_DIG_SHA256);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_MEMORY_ERROR;
+ } ret =
- _gnutls_hash_init (&session->internals.handshake_mac_handle.tls12.mac,
- hash_algo);
+ _gnutls_hash_init (&session->internals.handshake_mac_handle.tls12.sha1,
+ GNUTLS_DIG_SHA1); if (ret < 0) { gnutls_assert ();
+ _gnutls_hash_deinit(&session->internals.handshake_mac_handle.tls12.sha256, NULL); return GNUTLS_E_MEMORY_ERROR; } } |
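Review bot: The comment kept above the new code still describes the handshake hash as a single SHA-256 digest, but the function now initialises both `tls12.sha256` and `tls12.sha1`, and nothing in the file says why the second one exists. I would replace it with something like `/* SHA-256 feeds the PRF and the Finished hash; a parallel SHA-1 digest is kept so CertificateVerify can be signed with SHA-1 without buffering every handshake message. */`, wording to be confirmed against the commit description. Separately, both new failure paths return `GNUTLS_E_MEMORY_ERROR` regardless of the value in `ret`, so if `_gnutls_hash_init` can fail for a reason other than allocation the caller is told it ran out of memory; `return ret;` would preserve the cause (the replaced code had the same mapping, so this is pre-existing). The enclosing `_gnutls_handshake_hash_init` starts outside the hunk.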