pike.git / lib / modules / SSL.pmod / Connection.pike


pike.git/lib/modules/SSL.pmod/Connection.pike:145:   }      Packet change_cipher_packet()   {    expect_change_cipher++;    return Packet(version, PACKET_change_cipher_spec, "\001");   }      string(8bit) hash_messages(string(8bit) sender, int|void len)   { -  if(version == PROTOCOL_SSL_3_0) { +  switch( version ) +  { +  case PROTOCOL_SSL_3_0: +  {    string(8bit) data = (string(8bit))handshake_messages + sender;    return .Cipher.MACmd5(session->master_secret)->hash(data) +    .Cipher.MACsha(session->master_secret)->hash(data);    } -  else if(version <= PROTOCOL_TLS_1_1) { +  case PROTOCOL_TLS_1_0: +  case PROTOCOL_TLS_1_1:    return session->cipher_spec->prf(session->master_secret, sender,    Crypto.MD5.hash(handshake_messages)+    Crypto.SHA1.hash(handshake_messages),    len || 12); -  } +  case PROTOCOL_TLS_1_2: +  default:    return session->cipher_spec->prf(session->master_secret, sender,    session->cipher_spec->hash    ->hash(handshake_messages),    len || 12);    } -  + }      Packet certificate_packet(array(string(8bit)) certificates)   {    return handshake_packet(HANDSHAKE_certificate,    Buffer()->add_string_array(certificates, 3, 3));   }      Packet certificate_verify_packet(string(8bit)|void signature_context)   {    SSL3_DEBUG_MSG("SSL.Connection: CERTIFICATE_VERIFY\n"
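Review bot: The `default:` label in hash_messages() now sends every version value other than SSL 3.0, TLS 1.0 and TLS 1.1 through the TLS 1.2 PRF branch, including values below PROTOCOL_SSL_3_0 that the old `version <= PROTOCOL_TLS_1_1` test sent to the MD5+SHA1 branch. derive_master_secret() uses this function for the extended master secret, so an unexpected version is better rejected than silently hashed as TLS 1.2. I would let `case PROTOCOL_TLS_1_2:` keep the PRF return and put the fallback after it as `default: error("Unsupported protocol version: %s\n", fmt_version(version));`. A short `//!` comment on hash_messages() noting that `len` defaults to 12 and is ignored for SSL 3.0 would also help readers.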
pike.git/lib/modules/SSL.pmod/Connection.pike:385:   void new_cipher_states();      //! Derive the master secret from the premaster_secret   //! and the random seeds, and configure the keys.   void derive_master_secret(string(8bit) premaster_secret)   {    SSL3_DEBUG_MSG("%O: derive_master_secret: %s (%s)\n",    this, fmt_constant(handshake_state, "STATE"),    fmt_version(version));    -  if (version >= PROTOCOL_TLS_1_3) { -  switch(handshake_state) { -  case STATE_wait_for_hello: // Resume -  case STATE_wait_for_key_share: // Full hello -  session->master_secret = premaster_secret; -  session->master_secret = hash_messages("handshake master secret", 48); -  break; -  case STATE_wait_for_finish: -  session->master_secret = premaster_secret; -  session->master_secret = hash_messages("extended master secret", 48); -  break; -  default: -  error("Unexpected handshake state: %s\n", -  fmt_constant(handshake_state, "STATE")); -  break; -  } -  } else if (!sizeof(premaster_secret)) { +  if (!sizeof(premaster_secret)) {    // Clear text mode.    session->master_secret = "";    } else if (session->extended_master_secret) {    // Extended Master Secret Draft.    session->master_secret = premaster_secret;    session->master_secret = hash_messages("extended master secret", 48);    } else {    session->master_secret =    session->cipher_spec->prf(premaster_secret, "master secret",    client_random + server_random, 48);    }       new_cipher_states(); -  -  if ((version >= PROTOCOL_TLS_1_3) && -  (handshake_state == STATE_wait_for_finish)) { -  // Generate the resumption premaster secret. -  session->master_secret = premaster_secret; -  session->master_secret = hash_messages("resumption premaster secret", 48); +    } - } +          //! Do handshake processing. Type is one of HANDSHAKE_*, data is the   //! contents of the packet, and raw is the raw packet received (needed   //! for supporting SSLv2 hello messages).   //!   //! 
This function returns 0 if handshake is in progress, 1 if handshake   //! is finished, and -1 if a fatal error occurred. It uses the   //! send_packet() function to transmit packets.   int(-1..1) handle_handshake(int type, Buffer input, Stdio.Buffer raw);      //! Initialize the connection state.   //!   //! @param ctx   //! The context for the connection.   protected void create(Context ctx)   {    current_read_state = State(this);    current_write_state = State(this);    -  if ((ctx->max_version < PROTOCOL_SSL_3_0) || -  (ctx->max_version > PROTOCOL_TLS_MAX)) { -  ctx->max_version = PROTOCOL_TLS_MAX; -  } -  -  if (ctx->min_version < PROTOCOL_SSL_3_0) { -  ctx->min_version = PROTOCOL_SSL_3_0; -  } else if (ctx->min_version > ctx->max_version) { -  ctx->min_version = ctx->max_version; -  } -  -  version = ctx->max_version; +  version = min([int]max(@ctx->supported_versions), PROTOCOL_TLS_1_2);    context = ctx;   }      //! Remove cyclic references as best we can.   void shutdown()   {    current_read_state = current_write_state = UNDEFINED;    pending_read_state = pending_write_state = ({});    ke = UNDEFINED;    alert_callback = UNDEFINED;
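Review bot: create() no longer enforces a lower bound on the protocol version. The removed clamping forced both limits to at least PROTOCOL_SSL_3_0, while the new `version = min([int]max(@ctx->supported_versions), PROTOCOL_TLS_1_2);` only caps the top. If ctx->supported_versions is empty or holds only values below SSL 3.0, version ends up outside the known range, unless Context validates the array elsewhere, which this hunk does not show. I would add a guard right after the assignment, `if (version < PROTOCOL_SSL_3_0) error("No supported protocol version in context.\n");`. The doc comment on create() could also state that the connection starts at the highest supported version, capped at TLS 1.2.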
pike.git/lib/modules/SSL.pmod/Connection.pike:677:    }    }    packet = current_write_state->encrypt_packet(packet, context);    if (packet->content_type == PACKET_change_cipher_spec) {    if (sizeof(pending_write_state)) {    current_write_state = pending_write_state[0];    pending_write_state = pending_write_state[1..];    } else {    error("Invalid Change Cipher Spec.\n");    } -  if (version >= PROTOCOL_TLS_1_3) { -  // The change cipher state packet is not sent on the wire in TLS 1.3. -  return 2; +     } -  } +        packet->send(output);    return 2;   }      //! Initiate close.   void send_close()   {    send_packet(alert(ALERT_warning, ALERT_close_notify,    "Closing connection.\n"), PRI_application);