From: Tobias Brunner Date: Tue, 25 Aug 2020 15:17:55 +0000 (+0200) Subject: tls-crypto: Add method to hash handshake data and use result as initial transcript X-Git-Tag: 5.9.2rc1~23^2~77 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2271d67f07a8b3c9ee93d5b8b592067e179ccf99;p=thirdparty%2Fstrongswan.git tls-crypto: Add method to hash handshake data and use result as initial transcript This is used for HelloRetryRequest. --- diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c index 04fe4ef0f4..39adcaebf7 100644 --- a/src/libtls/tls_crypto.c +++ b/src/libtls/tls_crypto.c @@ -1579,6 +1579,30 @@ static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash) return TRUE; } +METHOD(tls_crypto_t, hash_handshake, bool, + private_tls_crypto_t *this, chunk_t *out) +{ + chunk_t hash; + + if (!hash_data(this, this->handshake, &hash)) + { + return FALSE; + } + + chunk_free(&this->handshake); + append_handshake(this, TLS_MESSAGE_HASH, hash); + + if (out) + { + *out = hash; + } + else + { + free(hash.ptr); + } + return TRUE; +} + /** * TLS 1.3 static part of the data the server signs (64 spaces followed by the * context string "TLS 1.3, server CertificateVerify" and a 0 byte). @@ -2118,6 +2142,7 @@ tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache) .create_ec_enumerator = _create_ec_enumerator, .set_protection = _set_protection, .append_handshake = _append_handshake, + .hash_handshake = _hash_handshake, .sign = _sign, .verify = _verify, .sign_handshake = _sign_handshake, diff --git a/src/libtls/tls_crypto.h b/src/libtls/tls_crypto.h index 3f48cfe132..d8d7ebe729 100644 --- a/src/libtls/tls_crypto.h +++ b/src/libtls/tls_crypto.h @@ -474,6 +474,14 @@ struct tls_crypto_t { void (*append_handshake)(tls_crypto_t *this, tls_handshake_type_t type, chunk_t data); + /** + * Hash the stored handshake data and store it. It is optionally returned + * so it could be sent in a cookie extension. + * + * @param hash optionally returned hash (allocated) + */ + bool (*hash_handshake)(tls_crypto_t *this, chunk_t *hash); + /** * Sign a blob of data, append signature to writer. *