X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=src%2Fssl%2Fssl_hs_client.t0;h=911fdfcd30740590698e4946d51b324134540fdd;hp=4067b4d4a83a42d0abcc891605f59fcb124d125e;hb=8e86598b33f9df81d1f77d6cc32568d9ae119d67;hpb=05ac106834fa8889cf55ee462fe4108d4712040a

diff --git a/src/ssl/ssl_hs_client.t0 b/src/ssl/ssl_hs_client.t0
index 4067b4d..911fdfc 100644
--- a/src/ssl/ssl_hs_client.t0
+++ b/src/ssl/ssl_hs_client.t0
@@ -115,32 +115,12 @@ make_pms_rsa(br_ssl_client_context *ctx, int prf_id)
 /*
  * OID for hash functions in RSA signatures.
  */
-static const unsigned char HASH_OID_SHA1[] = {
-	0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A
-};
-
-static const unsigned char HASH_OID_SHA224[] = {
-	0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04
-};
-
-static const unsigned char HASH_OID_SHA256[] = {
-	0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01
-};
-
-static const unsigned char HASH_OID_SHA384[] = {
-	0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02
-};
-
-static const unsigned char HASH_OID_SHA512[] = {
-	0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03
-};
-
 static const unsigned char *HASH_OID[] = {
-	HASH_OID_SHA1,
-	HASH_OID_SHA224,
-	HASH_OID_SHA256,
-	HASH_OID_SHA384,
-	HASH_OID_SHA512
+	BR_HASH_OID_SHA1,
+	BR_HASH_OID_SHA224,
+	BR_HASH_OID_SHA256,
+	BR_HASH_OID_SHA384,
+	BR_HASH_OID_SHA512
 };
 
 /*
@@ -230,8 +210,8 @@ make_pms_ecdh(br_ssl_client_context *ctx, unsigned ecdhe, int prf_id)
 {
 	int curve;
 	unsigned char key[66], point[133];
-	const unsigned char *generator, *order, *point_src;
-	size_t glen, olen, point_len;
+	const unsigned char *order, *point_src;
+	size_t glen, olen, point_len, xoff, xlen;
 	unsigned char mask;
 
 	if (ecdhe) {
@@ -271,7 +251,7 @@ make_pms_ecdh(br_ssl_client_context *ctx, unsigned ecdhe, int prf_id)
 	 * Compute the common ECDH point, whose X coordinate is the
 	 * pre-master secret.
 	 */
-	generator = ctx->eng.iec->generator(curve, &glen);
+	ctx->eng.iec->generator(curve, &glen);
 	if (glen != point_len) {
 		return -BR_ERR_INVALID_ALGORITHM;
 	}
@@ -284,12 +264,10 @@ make_pms_ecdh(br_ssl_client_context *ctx, unsigned ecdhe, int prf_id)
 	/*
 	 * The pre-master secret is the X coordinate.
 	 */
-	br_ssl_engine_compute_master(&ctx->eng, prf_id, point + 1, glen >> 1);
+	xoff = ctx->eng.iec->xoff(curve, &xlen);
+	br_ssl_engine_compute_master(&ctx->eng, prf_id, point + xoff, xlen);
 
-	memcpy(point, generator, glen);
-	if (!ctx->eng.iec->mul(point, glen, key, olen, curve)) {
-		return -BR_ERR_INVALID_ALGORITHM;
-	}
+	ctx->eng.iec->mulgen(point, key, olen, curve);
 	memcpy(ctx->eng.pad, point, glen);
 	return (int)glen;
 }
@@ -320,12 +298,12 @@ make_pms_static_ecdh(br_ssl_client_context *ctx, int prf_id)
 	}
 	memcpy(point, pk->key.ec.q, point_len);
 	if (!(*ctx->client_auth_vtable)->do_keyx(
-		ctx->client_auth_vtable, point, point_len))
+		ctx->client_auth_vtable, point, &point_len))
 	{
 		return -1;
 	}
 	br_ssl_engine_compute_master(&ctx->eng,
-		prf_id, point + 1, point_len >> 1);
+		prf_id, point, point_len);
 	return 0;
 }
 
@@ -393,10 +371,9 @@ addr-ctx: hash_id
 
 \ Length of Signatures extension.
 : ext-signatures-length ( -- len )
-	supported-hash-functions { x } drop
-	0
-	supports-rsa-sign? if x + then
-	supports-ecdsa? if x + then
+	supported-hash-functions { num } drop 0
+	supports-rsa-sign? if num + then
+	supports-ecdsa? if num + then
 	dup if 1 << 6 + then ;
 
 \ Write supported hash functions ( sign -- )
@@ -538,13 +515,16 @@ cc: ext-ALPN-length ( -- len ) {
 			supports-rsa-sign? if 1 write-hashes then
 		then
 		\ TODO: add an API to specify preference order for curves.
-		\ Right now we use increasing id order, which makes P-256
-		\ the preferred curve.
+		\ Right now we send Curve25519 first, then other curves in
+		\ increasing ID values (hence P-256 in second).
 		ext-supported-curves-length dup if
 			0x000A write16          \ extension type (10)
 			4 - dup write16         \ extension length
 			2- write16              \ list length
 			supported-curves 0
+			dup 0x20000000 and if
+				0xDFFFFFFF and 29 write16
+			then
 			begin dup 32 < while
 				dup2 >> 1 and if dup write16 then
 				1+
@@ -825,6 +805,13 @@ cc: DEBUG-BLOB ( addr len -- ) {
 			1 addr-reneg set8
 		then
 		close-elt
+	else
+		\ No extension received at all, so the server does not
+		\ support secure renegotiation. This is a hard failure
+		\ if the server was previously known to support it (i.e.
+		\ this is a renegotiation).
+		ext-reneg-length 5 > if ERR_BAD_SECRENEG fail then
+		1 addr-reneg set8
 	then
 	close-elt
 	resume
@@ -1026,7 +1013,7 @@ cc: get-client-chain ( auth_types -- ) {
 		\  - There is an explicit list of supported sign+hash.
 		\  - The ECDH flags must be adjusted for RSA/ECDSA
 		\    support.
-		read-list-sign-algos dup addr-hashes set16
+		read-list-sign-algos dup addr-hashes set32
 
 		\ Trim down the list depending on what hash functions
 		\ we support (since the hashing itself is done by the SSL
@@ -1277,6 +1264,12 @@ cc: do-client-sign ( -- sig_len ) {
 						wait-co drop
 					repeat
 					100 send-warning
+					\ We rejected the renegotiation,
+					\ but the connection is not dead.
+					\ We must set back things into
+					\ working "application data" state.
+					1 addr-application_data set8
+					23 addr-record_type_out set8
 				else
 					do-handshake
 				then