: NYI ( -- ! )
"NOT YET IMPLEMENTED!" puts cr -1 fail ;
+\ Debug function that prints a string (and a newline) on stderr.
+cc: DBG ( addr -- ) {
+ extern void *stderr;
+ extern int fprintf(void *, const char *, ...);
+ fprintf(stderr, "%s\n", &t0_datablock[T0_POPi()]);
+}
+
+\ Debug function that prints a string and an integer value (followed
+\ by a newline) on stderr.
+cc: DBG2 ( addr x -- ) {
+ extern void *stderr;
+ extern int fprintf(void *, const char *, ...);
+ int32_t x = T0_POPi();
+ fprintf(stderr, "%s: %ld (0x%08lX)\n",
+ &t0_datablock[T0_POPi()], (long)x, (unsigned long)(uint32_t)x);
+}
+
\ Mark the context as failed with a specific error code. This also
\ returns control to the caller.
cc: fail ( err -- ! ) {
addr-action get8 dup if
case
1 of 0 do-close endof
- 2 of addr-application_data get8 if 0x10 or then endof
+ 2 of addr-application_data get8 1 = if
+ 0x10 or
+ then endof
endcase
else
drop
\ -- If 'cnr' is zero, then incoming data is discarded until a close_notify
\ is received.
\ -- At the end, the context is terminated.
+\
+\ cnr shall be either 0 or -1.
: do-close ( cnr -- ! )
\ 'cnr' is set to non-zero when a close_notify is received from
\ the peer.
{ cnr }
- \ Get out of application data state.
- 0 addr-application_data set8
+ \ Get out of application data state. If we were accepting
+ \ application data (flag is 1), and we still expect a close_notify
+ \ from the peer (cnr is 0), then we should set the flag to 2.
+ \ In all other cases, flag should be set to 0.
+ addr-application_data get8 cnr not and 1 << addr-application_data set8
\ Flush existing payload if any.
flush-record
has-input? if
addr-record_type_in get8 21 = if
drop process-alerts
+ \ If we received a close_notify then we
+ \ no longer accept incoming application
+ \ data records.
+ 0 addr-application_data set8
else
discard-input
then
\ -- PRF for TLS-1.2:
\ 4 with SHA-256
\ 5 with SHA-384
+\
+\ WARNING: if adding a new cipher suite that does not use SHA-256 for the
+\ PRF (with TLS 1.2), be sure to check the suites_sha384[] array defined
+\ in ssl/ssl_keyexport.c
data: cipher-suite-def
cc: compute-Finished-inner ( from_client prf_id -- ) {
int prf_id = T0_POP();
int from_client = T0_POPi();
- unsigned char seed[48];
- size_t seed_len;
+ unsigned char tmp[48];
+ br_tls_prf_seed_chunk seed;
br_tls_prf_impl prf = br_ssl_engine_get_PRF(ENG, prf_id);
+ seed.data = tmp;
if (ENG->session.version >= BR_TLS12) {
- seed_len = br_multihash_out(&ENG->mhash, prf_id, seed);
+ seed.len = br_multihash_out(&ENG->mhash, prf_id, tmp);
} else {
- br_multihash_out(&ENG->mhash, br_md5_ID, seed);
- br_multihash_out(&ENG->mhash, br_sha1_ID, seed + 16);
- seed_len = 36;
+ br_multihash_out(&ENG->mhash, br_md5_ID, tmp);
+ br_multihash_out(&ENG->mhash, br_sha1_ID, tmp + 16);
+ seed.len = 36;
}
prf(ENG->pad, 12, ENG->session.master_secret,
sizeof ENG->session.master_secret,
from_client ? "client finished" : "server finished",
- seed, seed_len);
+ 1, &seed);
}
\ Receive ChangeCipherSpec and Finished from the peer.