author | Martin Willi <martin@revosec.ch> | 2010-02-09 18:19:25 +0100 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2010-08-03 15:39:25 +0200 |
commit | 400df4ca7c659d2f371129d18c6dedf82840c2ea (patch) | |
tree | c345844c243c9ab49b7e07af9921cab0a67a5462 /src/charon/plugins/eap_tls/tls/tls_crypto.c | |
parent | 97abf95412026355bfc3158ce9bb917cd014e2d3 (diff) | |
Implemented EAP-TLS server functionality
Diffstat (limited to 'src/charon/plugins/eap_tls/tls/tls_crypto.c')
-rw-r--r-- | src/charon/plugins/eap_tls/tls/tls_crypto.c | 72 |
1 files changed, 56 insertions, 16 deletions
diff --git a/src/charon/plugins/eap_tls/tls/tls_crypto.c b/src/charon/plugins/eap_tls/tls/tls_crypto.c
index 789b94289..f8894629f 100644
--- a/src/charon/plugins/eap_tls/tls/tls_crypto.c
+++ b/src/charon/plugins/eap_tls/tls/tls_crypto.c
@@ -425,42 +425,81 @@ static bool hash_handshake(private_tls_crypto_t *this, chunk_t *hash)
 }
 
 METHOD(tls_crypto_t, sign_handshake, bool,
- private_tls_crypto_t *this, private_key_t *key, chunk_t *sig)
+ private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer)
 {
+ chunk_t sig, hash;
+
 if (this->tls->get_version(this->tls) >= TLS_1_2)
 {
- u_int16_t length;
- u_int8_t hash_alg;
- u_int8_t sig_alg;
+ /* TODO: use supported algorithms instead of fixed SHA1/RSA */
+ if (!key->sign(key, SIGN_RSA_EMSA_PKCS1_SHA1, this->handshake, &sig))
+ {
+ return FALSE;
+ }
+ writer->write_uint8(writer, 2);
+ writer->write_uint8(writer, 1);
+ writer->write_data16(writer, sig);
+ free(sig.ptr);
+ }
+ else
+ {
+ if (!hash_handshake(this, &hash))
+ {
+ return FALSE;
+ }
+ if (!key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig))
+ {
+ free(hash.ptr);
+ return FALSE;
+ }
+ writer->write_data16(writer, sig);
+ free(hash.ptr);
+ free(sig.ptr);
+ }
+ return TRUE;
+}
+
+METHOD(tls_crypto_t, verify_handshake, bool,
+ private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader)
+{
+ if (this->tls->get_version(this->tls) >= TLS_1_2)
+ {
+ u_int8_t hash, alg;
+ chunk_t sig;
 
- if (!key->sign(key, SIGN_RSA_EMSA_PKCS1_SHA1, this->handshake, sig))
+ if (!reader->read_uint8(reader, &hash) ||
+ !reader->read_uint8(reader, &alg) ||
+ !reader->read_data16(reader, &sig))
+ {
+ DBG1(DBG_IKE, "received invalid Certificate Verify");
+ return FALSE;
+ }
+ /* TODO: map received hash/sig alg to signature scheme */
+ if (hash != 2 || alg != 1 ||
+ !key->verify(key, SIGN_RSA_EMSA_PKCS1_SHA1, this->handshake, sig))
 {
 return FALSE;
 }
- /* TODO: signature scheme to hashsign algorithm mapping */
- hash_alg = 2; /* sha1 */
- sig_alg = 1; /* RSA */
- length = htons(sig->len);
- *sig = chunk_cat("cccm", chunk_from_thing(hash_alg),
- chunk_from_thing(sig_alg), chunk_from_thing(length), *sig);
 }
 else
 {
- u_int16_t length;
- chunk_t hash;
+ chunk_t sig, hash;
 
+ if (!reader->read_data16(reader, &sig))
+ {
+ DBG1(DBG_IKE, "received invalid Certificate Verify");
+ return FALSE;
+ }
 if (!hash_handshake(this, &hash))
 {
 return FALSE;
 }
- if (!key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig))
+ if (!key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig))
 {
 free(hash.ptr);
 return FALSE;
 }
 free(hash.ptr);
- length = htons(sig->len);
- *sig = chunk_cat("cm", chunk_from_thing(length), *sig);
 }
 return TRUE;
 }
@@ -635,6 +674,7 @@ tls_crypto_t *tls_crypto_create(tls_t *tls)
 .set_protection = _set_protection,
 .append_handshake = _append_handshake,
 .sign_handshake = _sign_handshake,
+ .verify_handshake = _verify_handshake,
 .calculate_finished = _calculate_finished,
 .derive_secrets = _derive_secrets,
 .change_cipher = _change_cipher, |
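Review bot: In the TLS 1.2 branch of verify_handshake, `if (hash != 2 || alg != 1 || !key->verify(...))` returns FALSE without any log, so a peer offering an unsupported hash/signature pair cannot be told apart from one presenting a bad signature. Consider checking the two algorithm bytes first and logging them, e.g. `DBG1(DBG_IKE, "unsupported Certificate Verify algorithm %d/%d", hash, alg);`, before calling `key->verify`. The literals 2 and 1 (here and in the two `write_uint8` calls of sign_handshake) lost the `/* sha1 */` and `/* RSA */` comments the removed code carried; restoring them or using named constants would keep the wire values readable. The hunk does not show whether the caller rejects trailing bytes left in `reader` after the signature, so that may be worth confirming.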