cleanup CertificateVerify signature data generation

core/Network/TLS/Handshake/Client.hs

@@ -155,32 +155,21 @@ sendClientData cparams ctx = sendCertificate >> sendClientKeyXchg >> sendCertifi
             certSent <- usingHState ctx $ getClientCertSent
             case certSent of
                 True -> do
-                    -- Fetch all handshake messages up to now.
-                    msgs <- usingHState ctx $ B.concat <$> getHandshakeMessages
 
-                    (malg, hashMethod, toSign) <- case usedVersion of
-                        SSL3 -> do
-                            Just masterSecret <- usingHState ctx $ gets hstMasterSecret
-                            let digest = generateCertificateVerify_SSL masterSecret (hashUpdate (hashInit hashMD5SHA1) msgs)
-                                hsh = HashDescr id id
-                            return (Nothing, hsh, digest)
-
-                        x | x == TLS10 || x == TLS11 -> do
-                            let hashf bs = hashFinal (hashUpdate (hashInit hashMD5SHA1) bs)
-                                hsh = HashDescr hashf id
-                            return (Nothing, hsh, msgs)
-
-                        _ -> do
+                    malg <- case usedVersion of
+                        TLS12 -> do
                             Just (_, Just hashSigs, _) <- usingHState ctx $ getClientCertRequest
                             let suppHashSigs = pHashSignatures $ ctxParams ctx
                                 hashSigs' = filter (\ a -> a `elem` hashSigs) suppHashSigs
 
-                            when (null hashSigs') $ do
+                            when (null hashSigs') $
                                 throwCore $ Error_Protocol ("no hash/signature algorithms in common with the server", True, HandshakeFailure)
+                            return $ Just $ head hashSigs'
+                        _     -> return Nothing
 
-                            let hashSig = head hashSigs'
-                            hsh <- getHashAndASN1 hashSig
-                            return (Just hashSig, hsh, msgs)
+                    -- Fetch all handshake messages up to now.
+                    msgs <- usingHState ctx $ B.concat <$> getHandshakeMessages
+                    (hashMethod, toSign) <- prepareCertificateVerifySignatureData ctx usedVersion malg msgs
 
                     sigDig <- signRSA ctx hashMethod toSign
                     sendPacket ctx $ Handshake [CertVerify malg (CertVerifyData sigDig)]

core/Network/TLS/Handshake/Server.hs

@@ -11,13 +11,11 @@ module Network.TLS.Handshake.Server
     , handshakeServerWith
     ) where
 
-import Network.TLS.Crypto
 import Network.TLS.Context
 import Network.TLS.Session
 import Network.TLS.Struct
 import Network.TLS.Cipher
 import Network.TLS.Compression
-import Network.TLS.Packet
 import Network.TLS.Extension
 import Network.TLS.Util (catchException)
 import Network.TLS.IO
@@ -255,29 +253,13 @@ recvClientData sparams ctx = runRecvState ctx (RecvStateHandshake processClientC
 
             checkValidClientCertChain "change cipher message expected"
 
+            usedVersion <- usingState_ ctx getVersion
             -- Fetch all handshake messages up to now.
             msgs <- usingHState ctx $ B.concat <$> getHandshakeMessages
-
-            usedVersion <- usingState_ ctx getVersion
-
-            (signature, hsh) <- case usedVersion of
-                SSL3 -> do
-                    Just masterSecret <- usingHState ctx $ gets hstMasterSecret
-                    let digest = generateCertificateVerify_SSL masterSecret (hashUpdate (hashInit hashMD5SHA1) msgs)
-                        hsh = HashDescr id id
-                    return (digest, hsh)
-
-                x | x == TLS10 || x == TLS11 -> do
-                    let hashf bs' = hashFinal (hashUpdate (hashInit hashMD5SHA1) bs')
-                        hsh = HashDescr hashf id
-                    return (msgs,hsh)
-                _ -> do
-                    let Just sentHashSig = mbHashSig
-                    hsh <- getHashAndASN1 sentHashSig
-                    return (msgs,hsh)
+            (hashMethod, toSign) <- prepareCertificateVerifySignatureData ctx usedVersion mbHashSig msgs
 
             -- Verify the signature.
-            verif <- verifyRSA ctx hsh signature bs
+            verif <- verifyRSA ctx hashMethod toSign bs
 
             case verif of
                 True -> do

core/Network/TLS/Handshake/Signature.hs

@@ -8,11 +8,15 @@
 --
 module Network.TLS.Handshake.Signature
     ( getHashAndASN1
+    , prepareCertificateVerifySignatureData
     ) where
 
 import Crypto.PubKey.HashDescr
+import Network.TLS.Crypto
 import Network.TLS.Context
 import Network.TLS.Struct
+import Network.TLS.Packet (generateCertificateVerify_SSL)
+import Network.TLS.Handshake.State
 
 import Control.Monad.State
 
@@ -24,3 +28,23 @@ getHashAndASN1 hashSig = case hashSig of
     (HashSHA384, SignatureRSA) -> return hashDescrSHA384
     (HashSHA512, SignatureRSA) -> return hashDescrSHA512
     _                          -> throwCore $ Error_Misc "unsupported hash/sig algorithm"
+
+prepareCertificateVerifySignatureData :: Context
+                                      -> Version
+                                      -> Maybe (HashAlgorithm, SignatureAlgorithm)
+                                      -> Bytes
+                                      -> IO (HashDescr, Bytes)
+prepareCertificateVerifySignatureData ctx usedVersion malg msgs
+    | usedVersion == SSL3 = do
+        Just masterSecret <- usingHState ctx $ gets hstMasterSecret
+        let digest = generateCertificateVerify_SSL masterSecret (hashUpdate (hashInit hashMD5SHA1) msgs)
+            hsh = HashDescr id id
+        return (hsh, digest)
+    | usedVersion == TLS10 || usedVersion == TLS11 = do
+        let hashf bs = hashFinal (hashUpdate (hashInit hashMD5SHA1) bs)
+            hsh = HashDescr hashf id
+        return (hsh, msgs)
+    | otherwise = do
+        let Just hashSig = malg
+        hsh <- getHashAndASN1 hashSig
+        return (hsh, msgs)