Teach TLSProxy about the CertificateVerify message

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

diff --git a/util/TLSProxy/CertificateVerify.pm b/util/TLSProxy/CertificateVerify.pm
new file mode 100644 (file)
index 0000000..8bf969f
--- /dev/null
+++ b/util/TLSProxy/CertificateVerify.pm
@@ -0,0 +1,96 @@
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+
+package TLSProxy::CertificateVerify;
+
+use vars '@ISA';
+push @ISA, 'TLSProxy::Message';
+
+sub new
+{
+    my $class = shift;
+    my ($server,
+        $data,
+        $records,
+        $startoffset,
+        $message_frag_lens) = @_;
+
+    my $self = $class->SUPER::new(
+        $server,
+        TLSProxy::Message::MT_CERTIFICATE_VERIFY,
+        $data,
+        $records,
+        $startoffset,
+        $message_frag_lens);
+
+    $self->{sigalg} = -1;
+    $self->{signature} = "";
+
+    return $self;
+}
+
+sub parse
+{
+    my $self = shift;
+
+    my $sigalg = -1;
+    my $remdata = $self->data;
+    my $record = ${$self->records}[0];
+
+    if (TLSProxy::Proxy->is_tls13()
+            || $record->version() == TLSProxy::Record::VERS_TLS_1_2) {
+        $sigalg = unpack('n', $remdata);
+        $remdata = substr($remdata, 2);
+    }
+
+    my $siglen = unpack('n', substr($remdata, 0, 2));
+    my $sig = substr($remdata, 2);
+
+    die "Invalid CertificateVerify signature length" if length($sig) != $siglen;
+
+    print "    SigAlg:".$sigalg."\n";
+    print "    Signature Len:".$siglen."\n";
+
+    $self->sigalg($sigalg);
+    $self->signature($sig);
+}
+
+#Reconstruct the on-the-wire message data following changes
+sub set_message_contents
+{
+    my $self = shift;
+    my $data = "";
+    my $sig = $self->signature();
+    my $olddata = $self->data();
+
+    $data .= pack("n", $self->sigalg()) if ($self->sigalg() != -1);
+    $data .= pack("n", length($sig));
+    $data .= $sig;
+
+    $self->data($data);
+}
+
+#Read/write accessors
+sub sigalg
+{
+    my $self = shift;
+    if (@_) {
+      $self->{sigalg} = shift;
+    }
+    return $self->{sigalg};
+}
+sub signature
+{
+    my $self = shift;
+    if (@_) {
+      $self->{signature} = shift;
+    }
+    return $self->{signature};
+}
+1;

diff --git a/util/TLSProxy/Message.pm b/util/TLSProxy/Message.pm
index 704fe04db3fcf6dd7284c36b5e526225a2d459e7..1b87befe32a09d09e98c630425a3c845ff5e0368 100644 (file)
--- a/util/TLSProxy/Message.pm
+++ b/util/TLSProxy/Message.pm
@@ -277,6 +277,15 @@ sub create_message
             [@message_frag_lens]
         );
         $message->parse();
+    } elsif ($mt == MT_CERTIFICATE_VERIFY) {
+        $message = TLSProxy::CertificateVerify->new(
+            $server,
+            $data,
+            [@message_rec_list],
+            $startoffset,
+            [@message_frag_lens]
+        );
+        $message->parse();
     } elsif ($mt == MT_SERVER_KEY_EXCHANGE) {
         $message = TLSProxy::ServerKeyExchange->new(
             $server,

diff --git a/util/TLSProxy/Proxy.pm b/util/TLSProxy/Proxy.pm
index 067e9beb86a8d4475d69d53fc993fdacdf0fda1d..0d60bd3bfd9e4cb315935fc2cdcd06ae4052d683 100644 (file)
--- a/util/TLSProxy/Proxy.pm
+++ b/util/TLSProxy/Proxy.pm
@@ -19,6 +19,7 @@ use TLSProxy::ClientHello;
 use TLSProxy::ServerHello;
 use TLSProxy::EncryptedExtensions;
 use TLSProxy::Certificate;
+use TLSProxy::CertificateVerify;
 use TLSProxy::ServerKeyExchange;
 use TLSProxy::NewSessionTicket;