1 #define _POSIX_C_SOURCE 200809L
8 #define TLS12_FLAG 0x01
9 #define TLS13_FLAG 0x03
11 static unsigned char *encrypt_rsa(struct TLSContext *context,
12 const unsigned char *buffer,
16 if (!len || !context || !context->certificates
17 || !context->certificates_count
18 || !context->certificates[0]
19 || !context->certificates[0]->der_bytes
20 || !context->certificates[0]->der_len) {
21 DEBUG_PRINT("No certificate set\n");
26 err = rsa_import(context->certificates[0]->der_bytes,
27 context->certificates[0]->der_len, &key);
30 DEBUG_PRINT("Error importing RSA certificate (code: %i)\n",
34 unsigned long out_size = TLS_MAX_RSA_KEY;
35 unsigned char *out = malloc(out_size);
36 int hash_idx = find_hash("sha256");
37 int prng_idx = find_prng("sprng");
38 err = rsa_encrypt_key_ex(buffer, len, out, &out_size, (unsigned char *)
39 "Concept", 7, NULL, prng_idx, hash_idx,
40 LTC_PKCS_1_V1_5, &key);
42 if (err || !out_size) {
46 *size = (unsigned int) out_size;
51 void add_supported_versions(struct tls_buffer *buf, int versions) {
53 char version12[] = { 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x03 };
54 char version13[] = { 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04 };
55 char both[] = { 0x00, 0x2b, 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03 };
61 size = sizeof version12;
65 size = sizeof version13;
73 tls_buffer_append(buf, use, size);
76 static void add_sni_extension(struct tls_buffer *buf, char *sni) {
85 /* server name extension id = 0x00 0x00 */
86 tls_buffer_append16(buf, 0x0000);
87 /* length of server name extension */
88 tls_buffer_append16(buf, len + 5);
89 /* length of first entry */
90 tls_buffer_append16(buf, len + 3);
92 tls_buffer_append_byte(buf, 0x00);
94 tls_buffer_append16(buf, len);
95 /* actual server name indication */
96 tls_buffer_append(buf, sni, len);
102 00 20 - 0x20 (32) bytes of cipher suite data
107 static void add_cipher_suites(struct tls_buffer *buf, int suites) {
108 /* the five TLS 1.3 cipher suites in B.4 of rfc 8446 */
109 /* chacha20 preferred */
110 unsigned char tls_13_suites[] = {
111 0x13, 0x03, 0x13, 0x01, 0x13, 0x02, 0x13, 0x04, 0x13, 0x04
113 unsigned char tls_12_suites[] = {
114 0xcc, 0xa9, 0xc0, 0x2b, 0xc0, 0x23, 0xcc, 0xa8, 0xc0, 0x2f,
115 0xc0, 0x27, 0x00, 0x9e, 0x00, 0x6b, 0x00, 0x67, 0xcc, 0xaa
121 len += sizeof tls_12_suites;
125 len += sizeof tls_13_suites;
128 tls_buffer_expand(buf, len + 2);
129 tls_buffer_append16(buf, len);
130 /* if we're including 1.3 ciphers, put them first so they're preferred
133 tls_buffer_append(buf, tls_13_suites, sizeof tls_13_suites);
136 tls_buffer_append(buf, tls_12_suites, sizeof tls_12_suites);
140 void add_signed_certificate_timestamp_extension(struct tls_buffer *buf) {
141 char sct[] = { 0x00, 0x12, 0x00, 0x00 }; /* sct id and zero bytes */
142 tls_buffer_append(buf, sct, sizeof sct);
146 * 00 05 - assigned value for extension "status request"
147 * 00 05 - 0x5 (5) bytes of "status request" extension data follows
148 * 01 - assigned value for "certificate status type: OCSP"
149 * 00 00 - 0x0 (0) bytes of responderID information
150 * 00 00 - 0x0 (0) bytes of request extension information
152 void add_status_request_extension(struct tls_buffer *buf) {
153 char sr[] = { 0x00, 0x05, 0x00, 0x05, 0x01, 0x00, 0x00, 0x00, 0x00 };
154 tls_buffer_append(buf, sr, sizeof sr);
157 void add_supported_groups_extension(struct tls_buffer *buf) {
158 /* supported groups */
159 /* this specifies the curves */
160 unsigned char groups[] = {
161 /* extension id and size in bytes */
162 0x00, 0x0a, 0x00, 0x08,
163 /* six bytes of groups */
169 /* secp256r1, secp384r1, secp521r1 */
170 0x00, 0x17, 0x00, 0x18, 0x00, 0x19
172 tls_buffer_append(buf, groups, sizeof groups);
176 * 00 0b - assigned value for extension "EC points format"
177 * 00 02 - 0x2 (2) bytes of "EC points format" extension data follows
178 * 01 - 0x1 (1) bytes of data are in the supported formats list
179 * 00 - assigned value for uncompressed form
181 void add_ec_point_formats_extension(struct tls_buffer *buf) {
182 char formats[] = { 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00 };
183 tls_buffer_append(buf, formats, sizeof formats);
186 void add_signature_algorithms_extension(struct tls_buffer *buf) {
187 char algorithms[] = {
188 0x00, 0x0d, 0x00, 0x0e, 0x00, 0x0c, /* id and lengths */
189 0x04, 0x01, /* RSA/PKCS1/SHA256 */
190 0x04, 0x03, /* ECDSA/SECP256r1/SHA256 */
191 0x05, 0x01, /* RSA/PKCS1/SHA386 */
192 0x05, 0x03, /* ECDSA/SECP384r1/SHA384 */
193 0x06, 0x01, /* RSA/PKCS1/SHA512 */
194 0x06, 0x03 /* ECDSA/SECP521r1/SHA512 */
200 0x08, 0x04, /* RSA-PSS-RSAE-SHA256 */
203 0x08, 0x05, /* RSA-PSS-RSAE-SHA384 */
205 0x08, 0x06, /* RSA-PSS-RSAE-SHA512 */
207 /* and 0x02, 0x01 for RSA-PKCS1-SHA1 */
212 tls_buffer_append(buf, algorithms, sizeof algorithms);
215 static void add_renegotiation_info_extension(struct tls_buffer *buf) {
216 /* two bytes id, and one byte of zero bytes of info */
217 char info[] = { 0xff, 0x01, 0x00, 0x01, 0x00 };
219 tls_buffer_append(buf, info, sizeof info);
223 * 00 33 - assigned value for extension "Key Share"
224 * 00 26 - 0x26 (38) bytes of "Key Share" extension data follows
225 * 00 24 - 0x24 (36) bytes of key share data follows
226 * 00 1d - assigned value for x25519 (key exchange via curve25519)
227 * 00 20 - 0x20 (32) bytes of public key follows
228 * 35 80 ... 62 54 - public key from the step "Client Key Exchange Generation"
230 static void add_key_share_extension(struct tls_buffer *buf, struct TLSContext
232 char kseid[] = { 0x00, 0x33, 0x00, 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00,
234 char bogus_key[32] = { 0 };
240 /* TODO figure out where the client key share is */
241 tls_buffer_append(buf, kseid, sizeof kseid);
242 tls_buffer_append(buf, bogus_key, sizeof bogus_key);
246 * 00 2d - assigned value for extension "PSK Key Exchange Modes"
247 * 00 02 - 0x2 (2) bytes of "PSK Key Exchange Modes" extension data follows
248 * 01 - 0x1 (1) bytes of exchange modes follow
249 * 01 - assigned value for "PSK with (EC)DHE key establishment"
251 * we don't actually pre-share keys here, so ignored, but we'll send it
254 /* TODO probably need to get these from the context */
255 static void add_pks_key_exchanges_modes_extension(struct tls_buffer *buf) {
256 char psk[] = { 0x00, 0x2d, 0x00, 0x02, 0x01, 0x01 };
258 tls_buffer_append(buf, psk, sizeof psk);
261 static void set_handshake_header(char *buf, int type, size_t length) {
262 buf[0] = type & 0xff;
263 buf[1] = (length >> 16) & 0xff;
264 buf[2] = (length >> 8) & 0xff;
265 buf[3] = (length >> 0) & 0xff;
268 int tls_client_hello(struct TLSContext *ctx, struct tls_buffer *hello) {
269 size_t hello_offset = hello->len;
271 /* make room for the handshake header */
272 tls_buffer_expand(hello, 4);
275 /* actual client hello structure follows */
277 tls_buffer_append(hello, "\x03\x03", 2); /* legacy_version */
278 /* random not set up yet */
279 //tls_random(ctx->local_random, 32);
280 tls_buffer_append(hello, ctx->local_random, 32); /* client random */
281 tls_buffer_append(hello, "\0", 1); /* legacy_session_id */
282 /* alternatively, append a 32 (0x20) and 32 random bytes as a bogus
287 * TODO need a way to only use v1.3
289 int suites = TLS12_FLAG; /* always use v1.2 suites */
291 if (ctx->tlsver == TLS_VERSION13) {
292 suites |= TLS13_FLAG;
294 add_cipher_suites(hello, suites);
296 /* legacy_compression_methods */
297 tls_buffer_append(hello, "\1\0", 2);
301 * TODO I don't think the extension order matters, so the code below
302 * can be simplified by putting all the extensions together by version
304 size_t extensions_start = hello->len;
305 /* first two bytes are length of extensions, so make room to fill them
306 * in once we know the size
308 tls_buffer_append(hello, "\0\0", 2);
310 /* TODO need to track which extensions we're sending:
311 * "If a client receives an extension type in ServerHello that it did
312 * not request in the associated ClientHello, it MUST abort the
313 * handshake with an unsupported_extension fatal alert."
315 add_sni_extension(hello, ctx->sni); /* server name indicator */
318 /* TODO not sure why 1.3 doesn't need or want this */
319 /* TODO duckduckgo.com seems to fail with this one */
320 if (ctx->tlsver == TLS_VERSION12) {
321 add_status_request_extension(hello);
325 add_supported_groups_extension(hello);
327 /* v1.2 only, points are fixed in v1.3 */
328 if (ctx->tlsver == TLS_VERSION12) {
329 add_ec_point_formats_extension(hello);
332 add_signature_algorithms_extension(hello);
334 if (ctx->tlsver == TLS_VERSION13) {
335 add_key_share_extension(hello, ctx);
336 add_pks_key_exchanges_modes_extension(hello);
339 /* v1.2 only, 1.3 doesn't support renegotiation
340 * and doesn't seem to need cert ts
342 if (ctx->tlsver == TLS_VERSION12) {
343 add_renegotiation_info_extension(hello);
344 add_signed_certificate_timestamp_extension(hello);
347 if (ctx->tlsver == TLS_VERSION13) {
348 /* supported versions is mandatory in V1.3 */
349 /* 1 v1.2 only, 2 = v1.3 only, 3 = both */
350 /* TODO need a context flag to allow fallback to v1.2 */
351 /* could probably pass this in v1.2 and the server
353 add_supported_versions(hello, 3);
356 /* set the extensions length */
357 size_t extensions_length = hello->len - extensions_start - 2;
358 tls_buffer_write16(hello, extensions_length, extensions_start);
360 /* fill in the handshake header */
361 size_t hello_length = hello->len - hello_offset - 4;
362 set_handshake_header(hello->buffer+hello_offset, client_hello,
365 tls_buffer_compact(hello);
370 void pbytes(unsigned char *b, size_t len, char *label) {
373 fprintf(stderr, "%s (%zu bytes)\n", label ? label : "dumping", len);
375 for (i=0; i<len; i++) {
376 fprintf(stderr, "%s%02x%s",
379 (i+1) % 20 ? "" : "\n"
383 fprintf(stderr, "\n");
388 struct TLSPacket *tls_build_client_hello(struct TLSContext *context) {
389 if (context->connection_status == 4) {
390 unsigned char header[4] = { 0xFE, 0, 0, 0 };
391 unsigned char hash[TLS_MAX_SHA_SIZE];
392 static unsigned char sha256_helloretryrequest[] =
393 { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE,
394 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91, 0xC2,
395 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, 0x07,
396 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C
398 fprintf(stderr, "got hello retry request\n");
399 memcpy(context->local_random, sha256_helloretryrequest, 32);
400 int hash_len = tls_done_hash(context, hash);
401 header[3] = (unsigned char) hash_len;
402 tls_update_hash(context, header, sizeof header);
403 tls_update_hash(context, hash, hash_len);
404 } else if (context->tlsver != TLS_VERSION13) {
405 //fprintf(stderr, "creating local_random\n");
406 if (!tls_random(context->local_random, TLS_SERVER_RANDOM_SIZE)) {
411 struct tls_buffer shadow;
412 char record_header[] = { 0x16, 0x03, 0x03, 0x00, 0x00 };
414 tls_buffer_init(&shadow, 106);
415 tls_buffer_append(&shadow, record_header, sizeof record_header);
416 tls_client_hello(context, &shadow);
417 tls_buffer_writebe(&shadow, 3, 6, shadow.len - 9);
420 tls_buffer_free(&shadow);
424 struct TLSPacket *packet = malloc(sizeof *packet);
430 packet->buf = shadow.buffer;
431 packet->len = shadow.len;
432 packet->size = shadow.size;
433 packet->payload_pos = 0;
435 packet->context = context;
437 tls_packet_update(packet);
442 int tls_send_client_hello(struct TLSContext *ctx) {
446 struct TLSPacket *tls_build_hello(struct TLSContext *context,
447 int tls13_downgrade) {
448 if (context->connection_status == 4) {
449 unsigned char header[4] = { 0xFE, 0, 0, 0 };
450 unsigned char hash[TLS_MAX_SHA_SIZE];
451 static unsigned char sha256_helloretryrequest[] =
452 { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE,
453 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91, 0xC2,
454 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, 0x07,
455 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C
457 fprintf(stderr, "got hello retry request\n");
458 memcpy(context->local_random, sha256_helloretryrequest, 32);
459 int hash_len = tls_done_hash(context, hash);
460 header[3] = (unsigned char) hash_len;
461 tls_update_hash(context, header, sizeof header);
462 tls_update_hash(context, hash, hash_len);
463 } else if (!context->is_server || context->tlsver != TLS_VERSION13) {
464 fprintf(stderr, "creating local_random\n");
465 if (!tls_random(context->local_random, TLS_SERVER_RANDOM_SIZE)) {
470 if (context->is_server && tls13_downgrade) {
471 if (tls13_downgrade == TLS_V12 || tls13_downgrade == DTLS_V12)
473 memcpy(context->local_random +
474 TLS_SERVER_RANDOM_SIZE - 8, "DOWNGRD\x01",
477 memcpy(context->local_random +
478 TLS_SERVER_RANDOM_SIZE - 8, "DOWNGRD\x00",
483 if (!context->is_server) {
484 struct tls_buffer shadow;
485 char record_header[] = { 0x16, 0x03, 0x03, 0x00, 0x00 };
487 tls_buffer_init(&shadow, 106);
488 tls_buffer_append(&shadow, record_header, sizeof record_header);
489 tls_client_hello(context, &shadow);
490 tls_buffer_writebe(&shadow, 3, 6, shadow.len - 9);
493 tls_buffer_free(&shadow);
497 struct TLSPacket *packet = malloc(sizeof *packet);
504 packet->buf = shadow.buffer;
505 packet->len = shadow.len;
506 packet->size = shadow.size;
507 packet->payload_pos = 0;
509 packet->context = context;
511 tls_packet_update(packet);
513 fprintf(stderr, "returning packet\n");
517 /* context must be server from here on out */
519 unsigned short packet_version = context->version;
520 unsigned short version = context->version;
522 if (context->version == TLS_V13) {
524 } else if (context->version == DTLS_V13) {
528 struct TLSPacket *packet =
529 tls_create_packet(context, TLS_HANDSHAKE, packet_version, 0);
532 tls_packet_uint8(packet, server_hello);
534 tls_packet_uint24(packet, 0);
536 int start_len = packet->len;
537 tls_packet_uint16(packet, version);
539 tls_packet_append(packet, context->local_random,
540 TLS_SERVER_RANDOM_SIZE);
542 /* session size, always 0, we don't support sessions */
543 tls_packet_uint8(packet, 0);
545 int extension_len = 0;
547 int alpn_negotiated_len = 0;
548 unsigned char shared_key[TLS_MAX_RSA_KEY];
549 unsigned long shared_key_len = TLS_MAX_RSA_KEY;
550 unsigned short shared_key_short = 0;
551 int selected_group = 0;
552 if (context->tlsver == TLS_VERSION13) {
553 if (context->curve == &curve25519) {
554 extension_len += 8 + 32;
555 shared_key_short = (unsigned short) 32;
556 if (context->finished_key) {
560 free(context->finished_key);
561 context->finished_key = NULL;
563 selected_group = context->curve->iana;
564 /* make context->curve NULL (x25519 is a different implementation) */
565 context->curve = NULL;
566 } else if (context->ecc_dhe) {
567 if (ecc_ansi_x963_export
568 (context->ecc_dhe, shared_key,
571 ("Error exporting ECC DHE key\n");
572 tls_destroy_packet(packet);
573 tls_alert(context, 1, internal_error);
576 tls_ecc_dhe_free(context);
577 extension_len += 8 + shared_key_len;
579 (uint16_t)shared_key_len;
580 if (context->curve) {
582 context->curve->iana;
584 } else if (context->dhe) {
585 selected_group = context->dhe->iana;
586 tls_dh_export_Y(shared_key,
589 tls_dhe_free(context);
590 extension_len += 8 + shared_key_len;
591 shared_key_short = shared_key_len;
597 if (context->negotiated_alpn && context->tlsver != TLS_VERSION13) {
598 alpn_negotiated_len = strlen(context->negotiated_alpn);
599 alpn_len = alpn_negotiated_len + 1;
600 extension_len += alpn_len + 6;
604 /* fallback ... this should never happen */
605 if (!context->cipher) {
606 context->cipher = TLS_DHE_RSA_WITH_AES_128_CBC_SHA;
609 tls_packet_uint16(packet, context->cipher);
611 tls_packet_uint8(packet, 0);
613 if (context->tlsver == TLS_VERSION13) {
614 /* supported versions */
615 tls_packet_uint16(packet, 0x2B);
617 tls_packet_uint16(packet, 2);
618 if (context->version == TLS_V13) {
619 tls_packet_uint16(packet,
620 context-> tls13_version ?
621 context-> tls13_version :
624 tls_packet_uint16(packet, context->version);
627 if (context->connection_status == 4) {
628 /* fallback to the mandatory secp256r1 */
629 tls_packet_uint16(packet, 0x33);
630 tls_packet_uint16(packet, 2);
631 tls_packet_uint16(packet, (uint16_t) secp256r1.iana);
634 if (shared_key_short && selected_group) {
636 tls_packet_uint16(packet, 0x33);
637 tls_packet_uint16(packet, shared_key_short + 4);
638 tls_packet_uint16(packet, selected_group);
639 tls_packet_uint16(packet, shared_key_short);
640 tls_packet_append(packet, (unsigned char *) shared_key,
645 if (!packet->broken && packet->buf) {
646 tls_set_packet_length(packet, packet->len - start_len);
649 tls_packet_update(packet);
654 struct TLSPacket *tls_buffer_packet(struct tls_buffer *b, struct TLSContext *c) {
655 struct TLSPacket *p = 0;
658 p = tls_create_packet(c, TLS_HANDSHAKE, c->version, 0);
676 static void append_dhe(struct TLSContext *ctx, struct tls_buffer *buf) {
677 unsigned char dh_Ys[0xFFF];
678 unsigned char dh_p[0xFFF];
679 unsigned char dh_g[0xFFF];
680 unsigned long dh_p_len = sizeof dh_p;
681 unsigned long dh_g_len = sizeof dh_g;
682 unsigned long dh_Ys_len = sizeof dh_Ys;
685 if (tls_dh_export_pqY(dh_p, &dh_p_len, dh_g, &dh_g_len, dh_Ys,
686 &dh_Ys_len, ctx->dhe)) {
687 DEBUG_PRINT("ERROR EXPORTING DHE KEY %p\n", ctx->dhe);
693 tls_buffer_append_byte(buf, 0x10);
697 DEBUG_DUMP_HEX_LABEL("Yc", dh_Ys, dh_Ys_len);
699 tls_buffer_append24(buf, dh_Ys_len + 2);
700 tls_buffer_append16(buf, dh_Ys_len);
701 tls_buffer_append(buf, dh_Ys, dh_Ys_len);
705 static void append_ecdhe(struct TLSContext *ctx, struct tls_buffer *buf) {
706 unsigned char out[TLS_MAX_RSA_KEY];
707 unsigned long out_len = TLS_MAX_RSA_KEY;
711 if (ecc_ansi_x963_export(ctx->ecc_dhe, out, &out_len)) {
712 DEBUG_PRINT("Error exporting ECC key\n");
718 tls_ecc_dhe_free(ctx);
720 tls_buffer_append_byte(buf, 0x10);
721 tls_buffer_append24(buf, out_len + 1);
723 tls_buffer_append_byte(buf, out_len);
724 tls_buffer_append(buf, out, out_len);
728 static void set_record_size(struct tls_buffer *b) {
732 tls_buffer_write16(b, size, 3);
735 struct TLSPacket *tls_client_key_exchange(struct TLSContext *context) {
736 struct tls_buffer cke;
740 tls_buffer_init(&cke, 42);
741 tls_buffer_append_byte(&cke, 0x16);
742 tls_buffer_append16(&cke, 0x0303);
743 tls_buffer_append16(&cke, 0); /* record size placeholder */
745 if (context->ecc_dhe) {
746 append_ecdhe(context, &cke);
748 append_dhe(context, &cke);
750 set_record_size(&cke);
752 p = tls_buffer_packet(&cke, context);
754 tls_compute_key(context, 48);
755 context->connection_status = 2;
756 tls_packet_update(p);
762 static int tls_build_random(struct TLSPacket *packet) {
764 unsigned char rand_bytes[48];
767 if (!tls_random(rand_bytes, bytes)) {
768 return TLS_GENERIC_ERROR;
771 /* max supported version */
772 if (packet->context->is_server) {
773 *(unsigned short *) rand_bytes =
774 htons(packet->context->version);
776 *(unsigned short *) rand_bytes = htons(TLS_V12);
779 /* DEBUG_DUMP_HEX_LABEL("PREMASTER KEY", rand_bytes, bytes); */
781 free(packet->context->premaster_key);
783 packet->context->premaster_key = malloc(bytes);
784 if (!packet->context->premaster_key) {
785 return TLS_NO_MEMORY;
788 packet->context->premaster_key_len = bytes;
789 memcpy(packet->context->premaster_key, rand_bytes,
790 packet->context->premaster_key_len);
792 unsigned int out_len;
794 unsigned char *random = encrypt_rsa(packet->context,
795 packet->context->premaster_key,
796 packet->context->premaster_key_len, &out_len);
798 tls_compute_key(packet->context, bytes);
799 if (random && out_len > 2) {
800 tls_packet_uint24(packet, out_len + 2);
801 tls_packet_uint16(packet, out_len);
802 tls_packet_append(packet, random, out_len);
804 res = TLS_GENERIC_ERROR;
816 void tls_send_client_key_exchange(struct TLSContext *context) {
817 struct TLSPacket *packet;
820 int ephemeral = tls_cipher_is_ephemeral(context);
822 if (ephemeral && context->premaster_key && context->premaster_key_len) {
823 //fprintf(stderr, "YYYY\n");
824 packet = tls_client_key_exchange(context);
825 tls_queue_packet(packet);
828 if (ephemeral == 1) {
830 } else if (context->ecc_dhe) {
834 /* TODO should never happen, should always require
835 * either DHE or ECC DHE */
836 fprintf(stderr, "ZZZZ build random\n");
839 packet = tls_create_packet(context, TLS_HANDSHAKE, context->version, 0);
840 tls_packet_uint8(packet, 0x10);
841 tls_build_random(packet);
843 context->connection_status = 2;
844 tls_packet_update(packet);
845 tls_queue_packet(packet);
850 static uint32_t get24(const unsigned char *buf) {
851 return (*buf << 16) + (*(buf+1) << 8) + *(buf+2);
854 static uint16_t get16(const unsigned char *buf) {
855 return (*(buf) << 8) + *(buf+1);
858 int tls_hello_complete(const unsigned char *buf, size_t len) {
866 if (more > len - 3) {
867 fprintf(stderr, "%s:%d\n", __func__, __LINE__);
868 fprintf(stderr, "have %zu, want %zu\n", len, more);
874 int tls_parse_server_hello(struct TLSContext *ctx, const unsigned char *buf, size_t len) {
878 if (ctx->connection_status != 0 && ctx->connection_status != 4) {
879 return TLS_UNEXPECTED_MESSAGE;
882 if (!tls_hello_complete(buf, len)) {
883 return TLS_NEED_MORE_DATA;
886 /* 3 bytes server hello data size */
889 /* TODO check size reported vs actual */
891 /* two bytes server version */
892 uint16_t server_ver = get16(buf+i);
894 DEBUG_PRINTLN("server version = %04x\n", server_ver);
895 if (server_ver != ctx->version) {
896 /* TODO allow (or not) downgrade to v1.2 */
897 return TLS_UNEXPECTED_MESSAGE;
900 /* 32 bytes server random */
901 memcpy(ctx->remote_random, buf+i, 32);
904 /* 1 byte of session id length */
905 uint8_t session_len = *(buf+i);
909 /* possible session id bytes */
910 /* TODO skip? we don't actually use session ids */
912 session_id = malloc(session_len);
917 memcpy(session_id, buf+i, session_len);
921 /* two bytes cipher suite selected */
922 ctx->cipher = get16(buf+i);
924 DEBUG_PRINTLN("server cipher = %04x\n", ctx->cipher);
925 if (!tls_cipher_supported(ctx, ctx->cipher)) {
927 DEBUG_PRINT("NO CIPHER SUPPORTED\n");
929 return TLS_NO_COMMON_CIPHER;
932 /* one byte compression method */
933 uint8_t compression_method = *(buf+i);
935 if (compression_method != 0) {
939 if (i > 0 && ctx->connection_status != 4) {
940 ctx->connection_status = 1;
948 /* two bytes extensions length */
949 uint16_t extensions_length = get16(buf+i);
952 if (extensions_length + i != len) {
959 int etype = get16(buf+i);
962 /* TODO check that extension type is in the list of
963 * extensions we sent, if not, abort with
964 * unsupported_extension fatal alert
966 uint16_t elen = get16(buf+i);
973 return TLS_BROKEN_PACKET;
978 const unsigned char *alpn;
979 unsigned char alpn_size;
981 uint16_t group_len, iana_n;
987 sni_len = get16(buf+i);
989 ctx->sni = malloc(sni_len + 1);
990 memcpy(ctx->sni, buf+i+2, sni_len);
991 ctx->sni[sni_len] = 0;
994 case 0x000a: /* supported groups */
995 fprintf(stderr, "supported groups\n");
996 /* supported groups */
998 return TLS_BROKEN_PACKET;
1001 group_len = get16(buf+i);
1002 for (j = i; i < i + group_len+2; i+=2) {
1003 iana_n = get16(buf+j);
1006 ctx->curve = &secp256r1;
1010 ctx->curve = &secp384r1;
1014 ctx->curve = &curve25519;
1018 ctx->curve = &secp521r1;
1025 DEBUG_PRINTLN("SELECTED CURVE %s\n",
1029 if (!ctx->alpn || ctx->alpn_count == 0) {
1033 return TLS_BROKEN_PACKET;
1036 alpn_len = get16(buf+i);
1038 if (alpn_len == 0 || alpn_len > elen - 2) {
1042 /* a server's alpn list "must contain exactly
1043 * one "ProtocolName"
1045 alpn_size = buf[i + 2];
1047 if (i + alpn_size + 3 < len) {
1051 if (!tls_alpn_contains(ctx, (char *)alpn, alpn_size)) {
1054 free(ctx->negotiated_alpn);
1055 ctx->negotiated_alpn = malloc(alpn_size + 1);
1056 if (ctx->negotiated_alpn) {
1057 memcpy(ctx->negotiated_alpn,
1060 ctx->negotiated_alpn[alpn_size] = 0;
1063 case 0xff01: /* renegotiation info */
1064 //fprintf(stderr, "renegotiation info\n");
1065 /* ignore, we don't support renegotiation */
1068 case 0x0033: /* key share */
1069 /* TODO parse key share */
1070 fprintf(stderr, "key share info\n");
1073 /* signature algorithms */
1076 case 0x002b: /* supported versions */
1077 /* should be two bytes of 0x00 0x02
1078 * indicating two bytes of server version
1079 * then 0x03 0x04 for v1.3
1081 fprintf(stderr, "supported versions\n");
1084 fprintf(stderr, "unknown extension %04x\n", etype);
1091 if (ctx->connection_status != 4) {
1092 ctx->connection_status = 1;