X-Git-Url: https://bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=src%2Fssl%2Fssl_hs_client.t0;h=0747d42b93ea303748b7524c02fe53c848b70e8f;hp=3d65841c80d81c9ce66ae4a4fd54b32e61f08f49;hb=932fb89081a66eef18fee56265fd29b93af0b081;hpb=44c79c1add4cd4a217b1dd77c8421c1d3a08dcef diff --git a/src/ssl/ssl_hs_client.t0 b/src/ssl/ssl_hs_client.t0 index 3d65841..0747d42 100644 --- a/src/ssl/ssl_hs_client.t0 +++ b/src/ssl/ssl_hs_client.t0 @@ -115,32 +115,12 @@ make_pms_rsa(br_ssl_client_context *ctx, int prf_id) /* * OID for hash functions in RSA signatures. */ -static const unsigned char HASH_OID_SHA1[] = { - 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A -}; - -static const unsigned char HASH_OID_SHA224[] = { - 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04 -}; - -static const unsigned char HASH_OID_SHA256[] = { - 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 -}; - -static const unsigned char HASH_OID_SHA384[] = { - 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02 -}; - -static const unsigned char HASH_OID_SHA512[] = { - 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03 -}; - static const unsigned char *HASH_OID[] = { - HASH_OID_SHA1, - HASH_OID_SHA224, - HASH_OID_SHA256, - HASH_OID_SHA384, - HASH_OID_SHA512 + BR_HASH_OID_SHA1, + BR_HASH_OID_SHA224, + BR_HASH_OID_SHA256, + BR_HASH_OID_SHA384, + BR_HASH_OID_SHA512 }; /* @@ -230,8 +210,8 @@ make_pms_ecdh(br_ssl_client_context *ctx, unsigned ecdhe, int prf_id) { int curve; unsigned char key[66], point[133]; - const unsigned char *generator, *order, *point_src; - size_t glen, olen, point_len; + const unsigned char *order, *point_src; + size_t glen, olen, point_len, xoff, xlen; unsigned char mask; if (ecdhe) { @@ -271,7 +251,7 @@ make_pms_ecdh(br_ssl_client_context *ctx, unsigned ecdhe, int prf_id) * Compute the common ECDH point, whose X coordinate is the * pre-master secret. */ - generator = ctx->eng.iec->generator(curve, &glen); + ctx->eng.iec->generator(curve, &glen); if (glen != point_len) { return -BR_ERR_INVALID_ALGORITHM; } @@ -284,7 +264,8 @@ make_pms_ecdh(br_ssl_client_context *ctx, unsigned ecdhe, int prf_id) /* * The pre-master secret is the X coordinate. */ - br_ssl_engine_compute_master(&ctx->eng, prf_id, point + 1, glen >> 1); + xoff = ctx->eng.iec->xoff(curve, &xlen); + br_ssl_engine_compute_master(&ctx->eng, prf_id, point + xoff, xlen); ctx->eng.iec->mulgen(point, key, olen, curve); memcpy(ctx->eng.pad, point, glen); @@ -317,12 +298,12 @@ make_pms_static_ecdh(br_ssl_client_context *ctx, int prf_id) } memcpy(point, pk->key.ec.q, point_len); if (!(*ctx->client_auth_vtable)->do_keyx( - ctx->client_auth_vtable, point, point_len)) + ctx->client_auth_vtable, point, &point_len)) { return -1; } br_ssl_engine_compute_master(&ctx->eng, - prf_id, point + 1, point_len >> 1); + prf_id, point, point_len); return 0; } @@ -390,10 +371,9 @@ addr-ctx: hash_id \ Length of Signatures extension. : ext-signatures-length ( -- len ) - supported-hash-functions { x } drop - 0 - supports-rsa-sign? if x + then - supports-ecdsa? if x + then + supported-hash-functions { num } drop 0 + supports-rsa-sign? if num + then + supports-ecdsa? if num + then dup if 1 << 6 + then ; \ Write supported hash functions ( sign -- ) @@ -535,13 +515,16 @@ cc: ext-ALPN-length ( -- len ) { supports-rsa-sign? if 1 write-hashes then then \ TODO: add an API to specify preference order for curves. - \ Right now we use increasing id order, which makes P-256 - \ the preferred curve. + \ Right now we send Curve25519 first, then other curves in + \ increasing ID values (hence P-256 in second). ext-supported-curves-length dup if 0x000A write16 \ extension type (10) 4 - dup write16 \ extension length 2- write16 \ list length supported-curves 0 + dup 0x20000000 and if + 0xDFFFFFFF and 29 write16 + then begin dup 32 < while dup2 >> 1 and if dup write16 then 1+ @@ -703,16 +686,12 @@ cc: DEBUG-BLOB ( addr len -- ) { \ Cipher suite. We check that it is part of the list of cipher \ suites that we advertised. - \ read16 { suite ; found } - \ 0 >found - \ addr-suites_buf dup addr-suites_num get8 1 << + - \ begin dup2 < while - \ 2 - dup get16 - \ suite = found or >found - \ repeat - \ 2drop found ifnot ERR_BAD_CIPHER_SUITE fail then read16 dup scan-suite 0< if ERR_BAD_CIPHER_SUITE fail then + \ Also check that the cipher suite is compatible with the + \ announced version: suites that don't use HMAC/SHA-1 are + \ for TLS-1.2 only, not older versions. + dup use-tls12? version 0x0303 < and if ERR_BAD_CIPHER_SUITE fail then addr-cipher_suite resume check-resume \ Compression method. Should be 0 (no compression). @@ -822,6 +801,13 @@ cc: DEBUG-BLOB ( addr len -- ) { 1 addr-reneg set8 then close-elt + else + \ No extension received at all, so the server does not + \ support secure renegotiation. This is a hard failure + \ if the server was previously known to support it (i.e. + \ this is a renegotiation). + ext-reneg-length 5 > if ERR_BAD_SECRENEG fail then + 1 addr-reneg set8 then close-elt resume @@ -1023,7 +1009,7 @@ cc: get-client-chain ( auth_types -- ) { \ - There is an explicit list of supported sign+hash. \ - The ECDH flags must be adjusted for RSA/ECDSA \ support. - read-list-sign-algos dup addr-hashes set16 + read-list-sign-algos dup addr-hashes set32 \ Trim down the list depending on what hash functions \ we support (since the hashing itself is done by the SSL @@ -1274,6 +1260,12 @@ cc: do-client-sign ( -- sig_len ) { wait-co drop repeat 100 send-warning + \ We rejected the renegotiation, + \ but the connection is not dead. + \ We must set back things into + \ working "application data" state. + 1 addr-application_data set8 + 23 addr-record_type_out set8 else do-handshake then