X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=src%2Fssl%2Fssl_hs_client.t0;h=23b39e719856f9784e896e05c693377ff83b6700;hp=5bc3d3d568b6c908125f3a38f86598734b39d888;hb=c6ffcd29381f555783a75d957c28c0ff861cd33a;hpb=ef318ef83a3a58b0a9e036676b84d11261ed7bb4 diff --git a/src/ssl/ssl_hs_client.t0 b/src/ssl/ssl_hs_client.t0 index 5bc3d3d..23b39e7 100644 --- a/src/ssl/ssl_hs_client.t0 +++ b/src/ssl/ssl_hs_client.t0 @@ -31,7 +31,7 @@ preamble { * specific name. It must be noted that since the engine context is the * first field of the br_ssl_client_context structure ('eng'), then * pointers values of both types are interchangeable, modulo an - * appropriate cast. This also means that "adresses" computed as offsets + * appropriate cast. This also means that "addresses" computed as offsets * within the structure work for both kinds of context. */ #define CTX ((br_ssl_client_context *)ENG) @@ -115,32 +115,12 @@ make_pms_rsa(br_ssl_client_context *ctx, int prf_id) /* * OID for hash functions in RSA signatures. */ -static const unsigned char HASH_OID_SHA1[] = { - 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A -}; - -static const unsigned char HASH_OID_SHA224[] = { - 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04 -}; - -static const unsigned char HASH_OID_SHA256[] = { - 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 -}; - -static const unsigned char HASH_OID_SHA384[] = { - 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02 -}; - -static const unsigned char HASH_OID_SHA512[] = { - 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03 -}; - static const unsigned char *HASH_OID[] = { - HASH_OID_SHA1, - HASH_OID_SHA224, - HASH_OID_SHA256, - HASH_OID_SHA384, - HASH_OID_SHA512 + BR_HASH_OID_SHA1, + BR_HASH_OID_SHA224, + BR_HASH_OID_SHA256, + BR_HASH_OID_SHA384, + BR_HASH_OID_SHA512 }; /* @@ -231,7 +211,7 @@ make_pms_ecdh(br_ssl_client_context *ctx, unsigned ecdhe, int prf_id) int curve; unsigned char key[66], point[133]; const unsigned char *order, *point_src; - size_t glen, olen, point_len; + size_t glen, olen, point_len, xoff, xlen; unsigned char mask; if (ecdhe) { @@ -284,7 +264,8 @@ make_pms_ecdh(br_ssl_client_context *ctx, unsigned ecdhe, int prf_id) /* * The pre-master secret is the X coordinate. */ - br_ssl_engine_compute_master(&ctx->eng, prf_id, point + 1, glen >> 1); + xoff = ctx->eng.iec->xoff(curve, &xlen); + br_ssl_engine_compute_master(&ctx->eng, prf_id, point + xoff, xlen); ctx->eng.iec->mulgen(point, key, olen, curve); memcpy(ctx->eng.pad, point, glen); @@ -317,12 +298,12 @@ make_pms_static_ecdh(br_ssl_client_context *ctx, int prf_id) } memcpy(point, pk->key.ec.q, point_len); if (!(*ctx->client_auth_vtable)->do_keyx( - ctx->client_auth_vtable, point, point_len)) + ctx->client_auth_vtable, point, &point_len)) { return -1; } br_ssl_engine_compute_master(&ctx->eng, - prf_id, point + 1, point_len >> 1); + prf_id, point, point_len); return 0; } @@ -390,10 +371,9 @@ addr-ctx: hash_id \ Length of Signatures extension. : ext-signatures-length ( -- len ) - supported-hash-functions { x } drop - 0 - supports-rsa-sign? if x + then - supports-ecdsa? if x + then + supported-hash-functions { num } drop 0 + supports-rsa-sign? if num + then + supports-ecdsa? if num + then dup if 1 << 6 + then ; \ Write supported hash functions ( sign -- ) @@ -535,13 +515,16 @@ cc: ext-ALPN-length ( -- len ) { supports-rsa-sign? if 1 write-hashes then then \ TODO: add an API to specify preference order for curves. - \ Right now we use increasing id order, which makes P-256 - \ the preferred curve. + \ Right now we send Curve25519 first, then other curves in + \ increasing ID values (hence P-256 in second). ext-supported-curves-length dup if 0x000A write16 \ extension type (10) 4 - dup write16 \ extension length 2- write16 \ list length supported-curves 0 + dup 0x20000000 and if + 0xDFFFFFFF and 29 write16 + then begin dup 32 < while dup2 >> 1 and if dup write16 then 1+ @@ -703,16 +686,12 @@ cc: DEBUG-BLOB ( addr len -- ) { \ Cipher suite. We check that it is part of the list of cipher \ suites that we advertised. - \ read16 { suite ; found } - \ 0 >found - \ addr-suites_buf dup addr-suites_num get8 1 << + - \ begin dup2 < while - \ 2 - dup get16 - \ suite = found or >found - \ repeat - \ 2drop found ifnot ERR_BAD_CIPHER_SUITE fail then read16 dup scan-suite 0< if ERR_BAD_CIPHER_SUITE fail then + \ Also check that the cipher suite is compatible with the + \ announced version: suites that don't use HMAC/SHA-1 are + \ for TLS-1.2 only, not older versions. + dup use-tls12? version 0x0303 < and if ERR_BAD_CIPHER_SUITE fail then addr-cipher_suite resume check-resume \ Compression method. Should be 0 (no compression). @@ -822,6 +801,13 @@ cc: DEBUG-BLOB ( addr len -- ) { 1 addr-reneg set8 then close-elt + else + \ No extension received at all, so the server does not + \ support secure renegotiation. This is a hard failure + \ if the server was previously known to support it (i.e. + \ this is a renegotiation). + ext-reneg-length 5 > if ERR_BAD_SECRENEG fail then + 1 addr-reneg set8 then close-elt resume @@ -983,7 +969,7 @@ cc: get-client-chain ( auth_types -- ) { \ Parse CertificateRequest. Header has already been read. : read-contents-CertificateRequest ( lim -- ) - \ Read supported client authentification types. We keep only + \ Read supported client authentication types. We keep only \ RSA, ECDSA, and ECDH. 0 { auth_types } read8 open-elt @@ -1274,6 +1260,12 @@ cc: do-client-sign ( -- sig_len ) { wait-co drop repeat 100 send-warning + \ We rejected the renegotiation, + \ but the connection is not dead. + \ We must set back things into + \ working "application data" state. + 1 addr-application_data set8 + 23 addr-record_type_out set8 else do-handshake then