From e55b2e266b5f6301e8bd2bbef3a39382817f3206 Mon Sep 17 00:00:00 2001
From: occheung
Date: Fri, 27 Nov 2020 13:55:27 +0800
Subject: [PATCH] hash: fix, exclude content byte

---
 src/session.rs | 16 ++++++++++++++--
 src/tls.rs     | 13 +++++--------
 2 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/src/session.rs b/src/session.rs
index 841cfc4..e671250 100644
--- a/src/session.rs
+++ b/src/session.rs
@@ -1776,7 +1776,13 @@ impl<'a> Session<'a> {
             CertificatePrivateKey::ECDSA_SECP256R1_SHA256 { cert_signing_key } => {
                 let verify_hash = sha2::Sha256::new()
                     .chain(&[0x20; 64])
-                    .chain("TLS 1.3, client CertificateVerify")
+                    .chain({
+                        match role {
+                            TlsRole::Client => "TLS 1.3, client CertificateVerify",
+                            TlsRole::Server => "TLS 1.3, server CertificateVerify",
+                            _ => unreachable!()
+                        }
+                    })
                     .chain(&[0x00])
                     .chain(&transcript_hash);
@@ -1795,7 +1801,13 @@ impl<'a> Session<'a> {
                 // Similar to server CertificateVerify
                 let mut verify_message: Vec = Vec::new();
                 verify_message.extend_from_slice(&[0x20; 64]).unwrap();
-                verify_message.extend_from_slice(b"TLS 1.3, client CertificateVerify").unwrap();
+                verify_message.extend_from_slice({
+                    match role {
+                        TlsRole::Client => b"TLS 1.3, client CertificateVerify",
+                        TlsRole::Server => b"TLS 1.3, server CertificateVerify",
+                        _ => unreachable!()
+                    }
+                }).unwrap();
                 verify_message.extend_from_slice(&[0]).unwrap();
                 verify_message.extend_from_slice(&transcript_hash).unwrap();
diff --git a/src/tls.rs b/src/tls.rs
index 43e04c3..c28e16e 100644
--- a/src/tls.rs
+++ b/src/tls.rs
@@ -512,7 +512,7 @@ impl<'s> TlsSocket<'s> {
             {
                 let mut session = self.session.borrow_mut();
                 session.server_update_for_encrypted_extension(
-                    &inner_plaintext
+                    &inner_plaintext[..(inner_plaintext_length-1)]
                 );
             }
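Review bot: The role-to-context-string match is written out twice, here in the ECDSA branch and again in the hunk at @@ -1795, each with its own `_ => unreachable!()`, so the CertificateVerify signing path panics if `role` can still hold a third `TlsRole` value at this point (the `_` arm implies such a variant exists; if it does not, rustc would flag the arm as unreachable). Bind the context once before the key-type match, e.g. `let context: &str = match role { TlsRole::Client => "TLS 1.3, client CertificateVerify", TlsRole::Server => "TLS 1.3, server CertificateVerify", _ => unreachable!() };`, then use `.chain(context)` here and `extend_from_slice(context.as_bytes())` in the second hunk, so the two literals cannot drift apart and the precondition on `role` is stated in one place. A comment on the chain such as `// RFC 8446 §4.4.3: 64 bytes of 0x20, context string, single 0x00, then the transcript hash` would let a reader check the construction against the spec without opening it. The enclosing function starts and ends outside the hunk.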
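Review bot: The `.unwrap()` on each `extend_from_slice` indicates a capacity-bounded vector (the type parameters of `Vec` were lost in rendering), yet nothing in the hunk records why those unwraps cannot fail; the new server string is the same 33 bytes as the client one, so the capacity requirement is unchanged, but that is only true by coincidence of the two literals. Add a comment at the `let mut verify_message` line, e.g. `// Capacity must hold 64 pad bytes + 33-byte context + 0x00 + transcript_hash.len(); both RFC 8446 context strings are 33 bytes`, so a future change to the message layout is checked against the capacity rather than discovered as a panic mid-handshake. The enclosing function starts and ends outside the hunk.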
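Review bot: `&inner_plaintext[..(inner_plaintext_length-1)]` trims the final byte blindly: `inner_plaintext_length` is not bound in this hunk (presumably earlier in the function), an empty buffer makes the subtraction underflow and panic, and nothing verifies that the byte dropped is the ContentType octet rather than something else. The same expression is repeated at @@ -580 and @@ -624, each with a one-shot `let inner_plaintext_length = inner_plaintext.len();` that exists only to subtract one. A single helper that peels off the expected handshake ContentType (0x16) and reports a mismatch keeps the transcript-hash input tied to the record framing in one place; it is also where a change would land if the inner plaintext ever carried trailing zero padding per RFC 8446 §5.4, since `[..len-1]` would then strip a pad byte and leave the type byte in the transcript. Where the enclosing function already returns `Result`, as the call sites at @@ -580 and @@ -624 do via `?`, the `None` maps to `Error::Illegal`. The enclosing function starts outside the hunk.
```rust
/// Handshake bytes of a TLSInnerPlaintext: everything before the trailing
/// ContentType octet (0x16 = handshake); only these enter the transcript hash.
/// Returns None if the buffer is empty or does not end with that octet.
fn handshake_payload(inner_plaintext: &[u8]) -> Option<&[u8]> {
    match inner_plaintext.split_last() {
        Some((&0x16, payload)) => Some(payload),
        _ => None,
    }
}

// … unchanged: build and send EncryptedExtensions …
session.server_update_for_encrypted_extension(
    handshake_payload(&inner_plaintext).ok_or(Error::Illegal)?
);
```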
@@ -580,11 +580,11 @@ impl<'s> TlsSocket<'s> {
             };
             self.send_application_slice(sockets, &mut inner_plaintext.clone())?;
-
+            let inner_plaintext_length = inner_plaintext.len();
             // Update session
             {
                 self.session.borrow_mut()
-                    .server_update_for_sent_certificate(&inner_plaintext);
+                    .server_update_for_sent_certificate(&inner_plaintext[..(inner_plaintext_length-1)]);
             }
 
             // Construct and send certificate verify
@@ -624,10 +624,11 @@ impl<'s> TlsSocket<'s> {
                 &mut inner_plaintext.clone()
             )?;
 
+            let inner_plaintext_length = inner_plaintext.len();
             {
                 self.session.borrow_mut()
                     .server_update_for_sent_certificate_verify(
-                        &inner_plaintext[..]
+                        &inner_plaintext[..(inner_plaintext_length-1)]
                     );
             }
         }
@@ -1381,15 +1382,11 @@ impl<'s> TlsSocket<'s> {
     // TODO: Rename this function. It is only good for client finished
     fn send_application_slice(&self, sockets: &mut SocketSet, slice: &mut [u8]) -> Result<()> {
         let mut tcp_socket = sockets.get::(self.tcp_handle);
-        log::info!("Got socket");
         if !tcp_socket.can_send() {
             return Err(Error::Illegal);
         }
-
-        log::info!("Socket usable");
         // Borrow session in advance
         let mut session = self.session.borrow_mut();
-        log::info!("Got session");
         // Pre-compute TLS record layer as associated_data
         let mut associated_data: [u8; 5] = [0x17, 0x03, 0x03, 0x00, 0x00];