projects / BearSSL / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Added implementation of keying material export (RFC 5705) (API for PRF implementation...
[BearSSL] / src / ssl / ssl_hs_common.t0
diff --git a/src/ssl/ssl_hs_common.t0 b/src/ssl/ssl_hs_common.t0
index bbd37ac..962daa7 100644 (file)
--- a/src/ssl/ssl_hs_common.t0
+++ b/src/ssl/ssl_hs_common.t0
@@ -157,6 +157,8 @@ addr-eng: pad
 addr-eng: action
 addr-eng: alert
 addr-eng: close_received
 addr-eng: action
 addr-eng: alert
 addr-eng: close_received
+addr-eng: protocol_names_num
+addr-eng: selected_protocol
 
 \ Similar to 'addr-eng:', for fields in the 'session' substructure.
 : addr-session-field:
 
 \ Similar to 'addr-eng:', for fields in the 'session' substructure.
 : addr-session-field:
@@ -273,7 +275,9 @@ cc: flush-record ( -- ) {
        addr-action get8 dup if
                case
                        1 of 0 do-close endof
        addr-action get8 dup if
                case
                        1 of 0 do-close endof
-                       2 of addr-application_data get8 if 0x10 or then endof
+                       2 of addr-application_data get8 1 = if
+                               0x10 or
+                       then endof
                endcase
        else
                drop
                endcase
        else
                drop
@@ -328,13 +332,18 @@ cc: flush-record ( -- ) {
 \ -- If 'cnr' is zero, then incoming data is discarded until a close_notify
 \    is received.
 \ -- At the end, the context is terminated.
 \ -- If 'cnr' is zero, then incoming data is discarded until a close_notify
 \    is received.
 \ -- At the end, the context is terminated.
+\
+\ cnr shall be either 0 or -1.
 : do-close ( cnr -- ! )
        \ 'cnr' is set to non-zero when a close_notify is received from
        \ the peer.
        { cnr }
 
 : do-close ( cnr -- ! )
        \ 'cnr' is set to non-zero when a close_notify is received from
        \ the peer.
        { cnr }
 
-       \ Get out of application data state.
-       0 addr-application_data set8
+       \ Get out of application data state. If we were accepting
+       \ application data (flag is 1), and we still expect a close_notify
+       \ from the peer (cnr is 0), then we should set the flag to 2.
+       \ In all other cases, flag should be set to 0.
+       addr-application_data get8 cnr not and 1 << addr-application_data set8
 
        \ Flush existing payload if any.
        flush-record
 
        \ Flush existing payload if any.
        flush-record
@@ -367,6 +376,10 @@ cc: flush-record ( -- ) {
                has-input? if
                        addr-record_type_in get8 21 = if
                                drop process-alerts
                has-input? if
                        addr-record_type_in get8 21 = if
                                drop process-alerts
+                               \ If we received a close_notify then we
+                               \ no longer accept incoming application
+                               \ data records.
+                               0 addr-application_data set8
                        else
                                discard-input
                        then
                        else
                                discard-input
                        then
@@ -467,7 +480,7 @@ cc: read-chunk-native ( addr len -- addr len ) {
                        \ no_renegotiation has value 100, and we treat it
                        \ as a fatal alert.
                        dup 100 = if 256 + fail then
                        \ no_renegotiation has value 100, and we treat it
                        \ as a fatal alert.
                        dup 100 = if 256 + fail then
-                       0= ret
+                       0=
                endof
                \ Fatal alert implies context termination.
                drop 256 + fail
                endof
                \ Fatal alert implies context termination.
                drop 256 + fail
@@ -741,6 +754,10 @@ cc: mkrand ( addr len -- ) {
 \ -- PRF for TLS-1.2:
 \       4  with SHA-256
 \       5  with SHA-384
 \ -- PRF for TLS-1.2:
 \       4  with SHA-256
 \       5  with SHA-384
+\
+\ WARNING: if adding a new cipher suite that does not use SHA-256 for the
+\ PRF (with TLS 1.2), be sure to check the suites_sha384[] array defined
+\ in ssl/ssl_keyexport.c
 
 data: cipher-suite-def
 
 
 data: cipher-suite-def
 
@@ -1006,21 +1023,22 @@ cc: switch-chapol-in ( is_client prf_id -- ) {
 cc: compute-Finished-inner ( from_client prf_id -- ) {
        int prf_id = T0_POP();
        int from_client = T0_POPi();
 cc: compute-Finished-inner ( from_client prf_id -- ) {
        int prf_id = T0_POP();
        int from_client = T0_POPi();
-       unsigned char seed[48];
-       size_t seed_len;
+       unsigned char tmp[48];
+       br_tls_prf_seed_chunk seed;
 
        br_tls_prf_impl prf = br_ssl_engine_get_PRF(ENG, prf_id);
 
        br_tls_prf_impl prf = br_ssl_engine_get_PRF(ENG, prf_id);
+       seed.data = tmp;
        if (ENG->session.version >= BR_TLS12) {
        if (ENG->session.version >= BR_TLS12) {
-               seed_len = br_multihash_out(&ENG->mhash, prf_id, seed);
+               seed.len = br_multihash_out(&ENG->mhash, prf_id, tmp);
        } else {
        } else {
-               br_multihash_out(&ENG->mhash, br_md5_ID, seed);
-               br_multihash_out(&ENG->mhash, br_sha1_ID, seed + 16);
-               seed_len = 36;
+               br_multihash_out(&ENG->mhash, br_md5_ID, tmp);
+               br_multihash_out(&ENG->mhash, br_sha1_ID, tmp + 16);
+               seed.len = 36;
        }
        prf(ENG->pad, 12, ENG->session.master_secret,
                sizeof ENG->session.master_secret,
                from_client ? "client finished" : "server finished",
        }
        prf(ENG->pad, 12, ENG->session.master_secret,
                sizeof ENG->session.master_secret,
                from_client ? "client finished" : "server finished",
-               seed, seed_len);
+               1, &seed);
 }
 
 \ Receive ChangeCipherSpec and Finished from the peer.
 }
 
 \ Receive ChangeCipherSpec and Finished from the peer.
@@ -1060,13 +1078,22 @@ cc: compute-Finished-inner ( from_client prf_id -- ) {
        read16 open-elt
        begin dup while
                read8 { hash } read8 { sign }
        read16 open-elt
        begin dup while
                read8 { hash } read8 { sign }
-               \ We keep the value if the signature is either 1 (RSA)
-               \ or 3 (ECDSA), and the hash is one of the SHA-* functions
-               \ (2 to 6, from SHA-1 to SHA-512); we reject MD5.
-               hash 2 >= hash 6 <= and
-               sign 1 = sign 3 = or
-               and if
-                       hashes 1 sign 1- 2 << hash + << or >hashes
+
+               \ If hash is 0x08 then this is a "new algorithm" identifier,
+               \ and we set the corresponding bit if it is in the 0..15
+               \ range. Otherwise, we keep the value only if the signature
+               \ is either 1 (RSA) or 3 (ECDSA), and the hash is one of the
+               \ SHA-* functions (2 to 6). Note that we reject MD5.
+               hash 8 = if
+                       sign 15 <= if
+                               1 sign 16 + << hashes or >hashes
+                       then
+               else
+                       hash 2 >= hash 6 <= and
+                       sign 1 = sign 3 = or
+                       and if
+                               hashes 1 sign 1- 2 << hash + << or >hashes
+                       then
                then
        repeat
        close-elt
                then
        repeat
        close-elt
@@ -1235,3 +1262,33 @@ cc: get-key-type-usages ( -- key-type-usages ) {
 
        \ Return key type and usages.
        get-key-type-usages ;
 
        \ Return key type and usages.
        get-key-type-usages ;
+
+\ =======================================================================
+
+\ Copy a specific protocol name from the list to the pad. The byte
+\ length is returned.
+cc: copy-protocol-name ( idx -- len ) {
+       size_t idx = T0_POP();
+       size_t len = strlen(ENG->protocol_names[idx]);
+       memcpy(ENG->pad, ENG->protocol_names[idx], len);
+       T0_PUSH(len);
+}
+
+\ Compare name in pad with the configured list of protocol names.
+\ If a match is found, then the index is returned; otherwise, -1
+\ is returned.
+cc: test-protocol-name ( len -- n ) {
+       size_t len = T0_POP();
+       size_t u;
+
+       for (u = 0; u < ENG->protocol_names_num; u ++) {
+               const char *name;
+
+               name = ENG->protocol_names[u];
+               if (len == strlen(name) && memcmp(ENG->pad, name, len) == 0) {
+                       T0_PUSH(u);
+                       T0_RET();
+               }
+       }
+       T0_PUSHi(-1);
+}
The BearSSL library and tools.