projects / BearSSL / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fixed behaviour in case of rejected renegotiation.
[BearSSL] / src / ssl / ssl_hs_client.t0
diff --git a/src/ssl/ssl_hs_client.t0 b/src/ssl/ssl_hs_client.t0
index 5bc3d3d..911fdfc 100644 (file)
--- a/src/ssl/ssl_hs_client.t0
+++ b/src/ssl/ssl_hs_client.t0
@@ -115,32 +115,12 @@ make_pms_rsa(br_ssl_client_context *ctx, int prf_id)
 /*
  * OID for hash functions in RSA signatures.
  */
 /*
  * OID for hash functions in RSA signatures.
  */
-static const unsigned char HASH_OID_SHA1[] = {
-       0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A
-};
-
-static const unsigned char HASH_OID_SHA224[] = {
-       0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04
-};
-
-static const unsigned char HASH_OID_SHA256[] = {
-       0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01
-};
-
-static const unsigned char HASH_OID_SHA384[] = {
-       0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02
-};
-
-static const unsigned char HASH_OID_SHA512[] = {
-       0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03
-};
-
 static const unsigned char *HASH_OID[] = {
 static const unsigned char *HASH_OID[] = {
-       HASH_OID_SHA1,
-       HASH_OID_SHA224,
-       HASH_OID_SHA256,
-       HASH_OID_SHA384,
-       HASH_OID_SHA512
+       BR_HASH_OID_SHA1,
+       BR_HASH_OID_SHA224,
+       BR_HASH_OID_SHA256,
+       BR_HASH_OID_SHA384,
+       BR_HASH_OID_SHA512
 };
 
 /*
 };
 
 /*
@@ -231,7 +211,7 @@ make_pms_ecdh(br_ssl_client_context *ctx, unsigned ecdhe, int prf_id)
        int curve;
        unsigned char key[66], point[133];
        const unsigned char *order, *point_src;
        int curve;
        unsigned char key[66], point[133];
        const unsigned char *order, *point_src;
-       size_t glen, olen, point_len;
+       size_t glen, olen, point_len, xoff, xlen;
        unsigned char mask;
 
        if (ecdhe) {
        unsigned char mask;
 
        if (ecdhe) {
@@ -284,7 +264,8 @@ make_pms_ecdh(br_ssl_client_context *ctx, unsigned ecdhe, int prf_id)
        /*
         * The pre-master secret is the X coordinate.
         */
        /*
         * The pre-master secret is the X coordinate.
         */
-       br_ssl_engine_compute_master(&ctx->eng, prf_id, point + 1, glen >> 1);
+       xoff = ctx->eng.iec->xoff(curve, &xlen);
+       br_ssl_engine_compute_master(&ctx->eng, prf_id, point + xoff, xlen);
 
        ctx->eng.iec->mulgen(point, key, olen, curve);
        memcpy(ctx->eng.pad, point, glen);
 
        ctx->eng.iec->mulgen(point, key, olen, curve);
        memcpy(ctx->eng.pad, point, glen);
@@ -317,12 +298,12 @@ make_pms_static_ecdh(br_ssl_client_context *ctx, int prf_id)
        }
        memcpy(point, pk->key.ec.q, point_len);
        if (!(*ctx->client_auth_vtable)->do_keyx(
        }
        memcpy(point, pk->key.ec.q, point_len);
        if (!(*ctx->client_auth_vtable)->do_keyx(
-               ctx->client_auth_vtable, point, point_len))
+               ctx->client_auth_vtable, point, &point_len))
        {
                return -1;
        }
        br_ssl_engine_compute_master(&ctx->eng,
        {
                return -1;
        }
        br_ssl_engine_compute_master(&ctx->eng,
-               prf_id, point + 1, point_len >> 1);
+               prf_id, point, point_len);
        return 0;
 }
 
        return 0;
 }
 
@@ -390,10 +371,9 @@ addr-ctx: hash_id
 
 \ Length of Signatures extension.
 : ext-signatures-length ( -- len )
 
 \ Length of Signatures extension.
 : ext-signatures-length ( -- len )
-       supported-hash-functions { x } drop
-       0
-       supports-rsa-sign? if x + then
-       supports-ecdsa? if x + then
+       supported-hash-functions { num } drop 0
+       supports-rsa-sign? if num + then
+       supports-ecdsa? if num + then
        dup if 1 << 6 + then ;
 
 \ Write supported hash functions ( sign -- )
        dup if 1 << 6 + then ;
 
 \ Write supported hash functions ( sign -- )
@@ -535,13 +515,16 @@ cc: ext-ALPN-length ( -- len ) {
                        supports-rsa-sign? if 1 write-hashes then
                then
                \ TODO: add an API to specify preference order for curves.
                        supports-rsa-sign? if 1 write-hashes then
                then
                \ TODO: add an API to specify preference order for curves.
-               \ Right now we use increasing id order, which makes P-256
-               \ the preferred curve.
+               \ Right now we send Curve25519 first, then other curves in
+               \ increasing ID values (hence P-256 in second).
                ext-supported-curves-length dup if
                        0x000A write16          \ extension type (10)
                        4 - dup write16         \ extension length
                        2- write16              \ list length
                        supported-curves 0
                ext-supported-curves-length dup if
                        0x000A write16          \ extension type (10)
                        4 - dup write16         \ extension length
                        2- write16              \ list length
                        supported-curves 0
+                       dup 0x20000000 and if
+                               0xDFFFFFFF and 29 write16
+                       then
                        begin dup 32 < while
                                dup2 >> 1 and if dup write16 then
                                1+
                        begin dup 32 < while
                                dup2 >> 1 and if dup write16 then
                                1+
@@ -822,6 +805,13 @@ cc: DEBUG-BLOB ( addr len -- ) {
                        1 addr-reneg set8
                then
                close-elt
                        1 addr-reneg set8
                then
                close-elt
+       else
+               \ No extension received at all, so the server does not
+               \ support secure renegotiation. This is a hard failure
+               \ if the server was previously known to support it (i.e.
+               \ this is a renegotiation).
+               ext-reneg-length 5 > if ERR_BAD_SECRENEG fail then
+               1 addr-reneg set8
        then
        close-elt
        resume
        then
        close-elt
        resume
@@ -1274,6 +1264,12 @@ cc: do-client-sign ( -- sig_len ) {
                                                wait-co drop
                                        repeat
                                        100 send-warning
                                                wait-co drop
                                        repeat
                                        100 send-warning
+                                       \ We rejected the renegotiation,
+                                       \ but the connection is not dead.
+                                       \ We must set back things into
+                                       \ working "application data" state.
+                                       1 addr-application_data set8
+                                       23 addr-record_type_out set8
                                else
                                        do-handshake
                                then
                                else
                                        do-handshake
                                then
The BearSSL library and tools.