1 #define _POSIX_C_SOURCE 200809L
8 #define TLS12_FLAG 0x01
9 #define TLS13_FLAG 0x03
11 static unsigned char *encrypt_rsa(struct TLSContext *context,
12 const unsigned char *buffer,
16 if (!len || !context || !context->certificates
17 || !context->certificates_count
18 || !context->certificates[0]
19 || !context->certificates[0]->der_bytes
20 || !context->certificates[0]->der_len) {
21 DEBUG_PRINT("No certificate set\n");
26 err = rsa_import(context->certificates[0]->der_bytes,
27 context->certificates[0]->der_len, &key);
30 DEBUG_PRINT("Error importing RSA certificate (code: %i)\n",
34 unsigned long out_size = TLS_MAX_RSA_KEY;
35 unsigned char *out = malloc(out_size);
36 int hash_idx = find_hash("sha256");
37 int prng_idx = find_prng("sprng");
38 err = rsa_encrypt_key_ex(buffer, len, out, &out_size, (unsigned char *)
39 "Concept", 7, NULL, prng_idx, hash_idx,
40 LTC_PKCS_1_V1_5, &key);
42 if (err || !out_size) {
46 *size = (unsigned int) out_size;
51 void add_supported_versions(struct tls_buffer *buf, int versions) {
53 char version12[] = { 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x03 };
54 char version13[] = { 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04 };
55 char both[] = { 0x00, 0x2b, 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03 };
61 size = sizeof version12;
65 size = sizeof version13;
73 tls_buffer_append(buf, use, size);
76 static void add_sni_extension(struct tls_buffer *buf, char *sni) {
85 /* server name extension id = 0x00 0x00 */
86 tls_buffer_append16(buf, 0x0000);
87 /* length of server name extension */
88 tls_buffer_append16(buf, len + 5);
89 /* length of first entry */
90 tls_buffer_append16(buf, len + 3);
92 tls_buffer_append_byte(buf, 0x00);
94 tls_buffer_append16(buf, len);
95 /* actual server name indication */
96 tls_buffer_append(buf, sni, len);
102 00 20 - 0x20 (32) bytes of cipher suite data
107 static void add_cipher_suites(struct tls_buffer *buf, int suites) {
108 /* the five TLS 1.3 cipher suites in B.4 of rfc 8446 */
109 /* chacha20 preferred */
110 unsigned char tls_13_suites[] = {
111 0x13, 0x03, 0x13, 0x01, 0x13, 0x02, 0x13, 0x04, 0x13, 0x04
113 unsigned char tls_12_suites[] = {
114 0xcc, 0xa9, 0xc0, 0x2b, 0xc0, 0x23, 0xcc, 0xa8, 0xc0, 0x2f,
115 0xc0, 0x27, 0x00, 0x9e, 0x00, 0x6b, 0x00, 0x67, 0xcc, 0xaa
121 len += sizeof tls_12_suites;
125 len += sizeof tls_13_suites;
128 tls_buffer_expand(buf, len + 2);
129 tls_buffer_append16(buf, len);
130 /* if we're including 1.3 ciphers, put them first so they're preferred
133 tls_buffer_append(buf, tls_13_suites, sizeof tls_13_suites);
136 tls_buffer_append(buf, tls_12_suites, sizeof tls_12_suites);
140 void add_signed_certificate_timestamp_extension(struct tls_buffer *buf) {
141 char sct[] = { 0x00, 0x12, 0x00, 0x00 }; /* sct id and zero bytes */
142 tls_buffer_append(buf, sct, sizeof sct);
146 * 00 05 - assigned value for extension "status request"
147 * 00 05 - 0x5 (5) bytes of "status request" extension data follows
148 * 01 - assigned value for "certificate status type: OCSP"
149 * 00 00 - 0x0 (0) bytes of responderID information
150 * 00 00 - 0x0 (0) bytes of request extension information
152 void add_status_request_extension(struct tls_buffer *buf) {
153 char sr[] = { 0x00, 0x05, 0x00, 0x05, 0x01, 0x00, 0x00, 0x00, 0x00 };
154 tls_buffer_append(buf, sr, sizeof sr);
157 void add_supported_groups_extension(struct tls_buffer *buf) {
158 /* supported groups */
159 /* this specifies the curves */
160 unsigned char groups[] = {
161 /* extension id and size in bytes */
162 0x00, 0x0a, 0x00, 0x08,
163 /* six bytes of groups */
169 /* secp256r1, secp384r1, secp521r1 */
170 0x00, 0x17, 0x00, 0x18, 0x00, 0x19
172 tls_buffer_append(buf, groups, sizeof groups);
176 * 00 0b - assigned value for extension "EC points format"
177 * 00 02 - 0x2 (2) bytes of "EC points format" extension data follows
178 * 01 - 0x1 (1) bytes of data are in the supported formats list
179 * 00 - assigned value for uncompressed form
181 void add_ec_point_formats_extension(struct tls_buffer *buf) {
182 char formats[] = { 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00 };
183 tls_buffer_append(buf, formats, sizeof formats);
186 void add_signature_algorithms_extension(struct tls_buffer *buf) {
187 char algorithms[] = {
188 0x00, 0x0d, 0x00, 0x0e, 0x00, 0x0c, /* id and lengths */
189 0x04, 0x01, /* RSA/PKCS1/SHA256 */
190 0x04, 0x03, /* ECDSA/SECP256r1/SHA256 */
191 0x05, 0x01, /* RSA/PKCS1/SHA386 */
192 0x05, 0x03, /* ECDSA/SECP384r1/SHA384 */
193 0x06, 0x01, /* RSA/PKCS1/SHA512 */
194 0x06, 0x03 /* ECDSA/SECP521r1/SHA512 */
200 0x08, 0x04, /* RSA-PSS-RSAE-SHA256 */
203 0x08, 0x05, /* RSA-PSS-RSAE-SHA384 */
205 0x08, 0x06, /* RSA-PSS-RSAE-SHA512 */
207 /* and 0x02, 0x01 for RSA-PKCS1-SHA1 */
212 tls_buffer_append(buf, algorithms, sizeof algorithms);
215 static void add_renegotiation_info_extension(struct tls_buffer *buf) {
216 /* two bytes id, and one byte of zero bytes of info */
217 char info[] = { 0xff, 0x01, 0x00, 0x01, 0x00 };
219 tls_buffer_append(buf, info, sizeof info);
223 * 00 33 - assigned value for extension "Key Share"
224 * 00 26 - 0x26 (38) bytes of "Key Share" extension data follows
225 * 00 24 - 0x24 (36) bytes of key share data follows
226 * 00 1d - assigned value for x25519 (key exchange via curve25519)
227 * 00 20 - 0x20 (32) bytes of public key follows
228 * 35 80 ... 62 54 - public key from the step "Client Key Exchange Generation"
230 static void add_key_share_extension(struct tls_buffer *buf, struct TLSContext
232 char kseid[] = { 0x00, 0x33, 0x00, 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00,
234 char bogus_key[32] = { 0 };
240 /* TODO figure out where the client key share is */
241 tls_buffer_append(buf, kseid, sizeof kseid);
242 tls_buffer_append(buf, bogus_key, sizeof bogus_key);
246 * 00 2d - assigned value for extension "PSK Key Exchange Modes"
247 * 00 02 - 0x2 (2) bytes of "PSK Key Exchange Modes" extension data follows
248 * 01 - 0x1 (1) bytes of exchange modes follow
249 * 01 - assigned value for "PSK with (EC)DHE key establishment"
251 * we don't actually pre-share keys here, so ignored, but we'll send it
254 /* TODO probably need to get these from the context */
255 static void add_pks_key_exchanges_modes_extension(struct tls_buffer *buf) {
256 char psk[] = { 0x00, 0x2d, 0x00, 0x02, 0x01, 0x01 };
258 tls_buffer_append(buf, psk, sizeof psk);
261 static void set_handshake_header(char *buf, int type, size_t length) {
262 buf[0] = type & 0xff;
263 buf[1] = (length >> 16) & 0xff;
264 buf[2] = (length >> 8) & 0xff;
265 buf[3] = (length >> 0) & 0xff;
268 int tls_client_hello(struct TLSContext *ctx, struct tls_buffer *hello) {
269 size_t hello_offset = hello->len;
271 /* make room for the handshake header */
272 tls_buffer_expand(hello, 4);
275 /* actual client hello structure follows */
277 tls_buffer_append(hello, "\x03\x03", 2); /* legacy_version */
278 /* random not set up yet */
279 //tls_random(ctx->local_random, 32);
280 tls_buffer_append(hello, ctx->local_random, 32); /* client random */
281 tls_buffer_append(hello, "\0", 1); /* legacy_session_id */
282 /* alternatively, append a 32 (0x20) and 32 random bytes as a bogus
287 * TODO need a way to only use v1.3
289 int suites = TLS12_FLAG; /* always use v1.2 suites */
291 if (ctx->tlsver == TLS_VERSION13) {
292 suites |= TLS13_FLAG;
294 add_cipher_suites(hello, suites);
296 /* legacy_compression_methods */
297 tls_buffer_append(hello, "\1\0", 2);
301 * TODO I don't think the extension order matters, so the code below
302 * can be simplified by putting all the extensions together by version
304 size_t extensions_start = hello->len;
305 /* first two bytes are length of extensions, so make room to fill them
306 * in once we know the size
308 tls_buffer_append(hello, "\0\0", 2);
310 /* TODO need to track which extensions we're sending:
311 * "If a client receives an extension type in ServerHello that it did
312 * not request in the associated ClientHello, it MUST abort the
313 * handshake with an unsupported_extension fatal alert."
315 add_sni_extension(hello, ctx->sni); /* server name indicator */
318 /* TODO not sure why 1.3 doesn't need or want this */
319 /* TODO duckduckgo.com seems to fail with this one */
320 if (ctx->tlsver == TLS_VERSION12) {
321 add_status_request_extension(hello);
325 add_supported_groups_extension(hello);
327 /* v1.2 only, points are fixed in v1.3 */
328 if (ctx->tlsver == TLS_VERSION12) {
329 add_ec_point_formats_extension(hello);
332 add_signature_algorithms_extension(hello);
334 if (ctx->tlsver == TLS_VERSION13) {
335 add_key_share_extension(hello, ctx);
336 add_pks_key_exchanges_modes_extension(hello);
339 /* v1.2 only, 1.3 doesn't support renegotiation
340 * and doesn't seem to need cert ts
342 if (ctx->tlsver == TLS_VERSION12) {
343 add_renegotiation_info_extension(hello);
344 add_signed_certificate_timestamp_extension(hello);
347 if (ctx->tlsver == TLS_VERSION13) {
348 /* supported versions is mandatory in V1.3 */
349 /* 1 v1.2 only, 2 = v1.3 only, 3 = both */
350 /* TODO need a context flag to allow fallback to v1.2 */
351 /* could probably pass this in v1.2 and the server
353 add_supported_versions(hello, 3);
356 /* set the extensions length */
357 size_t extensions_length = hello->len - extensions_start - 2;
358 tls_buffer_write16(hello, extensions_length, extensions_start);
360 /* fill in the handshake header */
361 size_t hello_length = hello->len - hello_offset - 4;
362 set_handshake_header(hello->buffer+hello_offset, client_hello,
365 tls_buffer_compact(hello);
370 void pbytes(unsigned char *b, size_t len, char *label) {
373 fprintf(stderr, "%s (%zu bytes)\n", label ? label : "dumping", len);
375 for (i=0; i<len; i++) {
376 fprintf(stderr, "%s%02x%s",
379 (i+1) % 20 ? "" : "\n"
383 fprintf(stderr, "\n");
388 struct TLSPacket *tls_build_client_hello(struct TLSContext *context) {
389 if (context->connection_status == 4) {
390 unsigned char header[4] = { 0xFE, 0, 0, 0 };
391 unsigned char hash[TLS_MAX_SHA_SIZE];
392 static unsigned char sha256_helloretryrequest[] =
393 { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE,
394 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91, 0xC2,
395 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, 0x07,
396 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C
398 fprintf(stderr, "got hello retry request\n");
399 memcpy(context->local_random, sha256_helloretryrequest, 32);
400 int hash_len = tls_done_hash(context, hash);
401 header[3] = (unsigned char) hash_len;
402 tls_update_hash(context, header, sizeof header);
403 tls_update_hash(context, hash, hash_len);
404 } else if (context->tlsver != TLS_VERSION13) {
405 //fprintf(stderr, "creating local_random\n");
406 if (!tls_random(context->local_random, TLS_SERVER_RANDOM_SIZE)) {
411 struct tls_buffer shadow;
412 char record_header[] = { 0x16, 0x03, 0x03, 0x00, 0x00 };
414 tls_buffer_init(&shadow, 106);
415 tls_buffer_append(&shadow, record_header, sizeof record_header);
416 tls_client_hello(context, &shadow);
417 tls_buffer_writebe(&shadow, 3, 6, shadow.len - 9);
420 tls_buffer_free(&shadow);
424 struct TLSPacket *packet = malloc(sizeof *packet);
431 packet->buf = shadow.buffer;
432 packet->len = shadow.len;
433 packet->size = shadow.size;
434 packet->payload_pos = 0;
436 packet->context = context;
438 tls_packet_update(packet);
443 int tls_send_client_hello(struct TLSContext *ctx) {
447 struct TLSPacket *tls_build_hello(struct TLSContext *context,
448 int tls13_downgrade) {
449 if (context->connection_status == 4) {
450 unsigned char header[4] = { 0xFE, 0, 0, 0 };
451 unsigned char hash[TLS_MAX_SHA_SIZE];
452 static unsigned char sha256_helloretryrequest[] =
453 { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE,
454 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91, 0xC2,
455 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, 0x07,
456 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C
458 fprintf(stderr, "got hello retry request\n");
459 memcpy(context->local_random, sha256_helloretryrequest, 32);
460 int hash_len = tls_done_hash(context, hash);
461 header[3] = (unsigned char) hash_len;
462 tls_update_hash(context, header, sizeof header);
463 tls_update_hash(context, hash, hash_len);
464 } else if (!context->is_server || context->tlsver != TLS_VERSION13) {
465 fprintf(stderr, "creating local_random\n");
466 if (!tls_random(context->local_random, TLS_SERVER_RANDOM_SIZE)) {
471 if (context->is_server && tls13_downgrade) {
472 if (tls13_downgrade == TLS_V12 || tls13_downgrade == DTLS_V12)
474 memcpy(context->local_random +
475 TLS_SERVER_RANDOM_SIZE - 8, "DOWNGRD\x01",
478 memcpy(context->local_random +
479 TLS_SERVER_RANDOM_SIZE - 8, "DOWNGRD\x00",
484 if (!context->is_server) {
485 struct tls_buffer shadow;
486 char record_header[] = { 0x16, 0x03, 0x03, 0x00, 0x00 };
488 tls_buffer_init(&shadow, 106);
489 tls_buffer_append(&shadow, record_header, sizeof record_header);
490 tls_client_hello(context, &shadow);
491 tls_buffer_writebe(&shadow, 3, 6, shadow.len - 9);
494 tls_buffer_free(&shadow);
498 struct TLSPacket *packet = malloc(sizeof *packet);
505 packet->buf = shadow.buffer;
506 packet->len = shadow.len;
507 packet->size = shadow.size;
508 packet->payload_pos = 0;
510 packet->context = context;
512 tls_packet_update(packet);
514 fprintf(stderr, "returning packet\n");
518 /* context must be server from here on out */
520 unsigned short packet_version = context->version;
521 unsigned short version = context->version;
523 if (context->version == TLS_V13) {
525 } else if (context->version == DTLS_V13) {
529 struct TLSPacket *packet =
530 tls_create_packet(context, TLS_HANDSHAKE, packet_version, 0);
533 tls_packet_uint8(packet, server_hello);
535 tls_packet_uint24(packet, 0);
537 int start_len = packet->len;
538 tls_packet_uint16(packet, version);
540 tls_packet_append(packet, context->local_random,
541 TLS_SERVER_RANDOM_SIZE);
543 /* session size, always 0, we don't support sessions */
544 tls_packet_uint8(packet, 0);
546 int extension_len = 0;
548 int alpn_negotiated_len = 0;
549 unsigned char shared_key[TLS_MAX_RSA_KEY];
550 unsigned long shared_key_len = TLS_MAX_RSA_KEY;
551 unsigned short shared_key_short = 0;
552 int selected_group = 0;
553 if (context->tlsver == TLS_VERSION13) {
554 if (context->curve == &curve25519) {
555 extension_len += 8 + 32;
556 shared_key_short = (unsigned short) 32;
557 if (context->finished_key) {
561 free(context->finished_key);
562 context->finished_key = NULL;
564 selected_group = context->curve->iana;
565 /* make context->curve NULL (x25519 is a different implementation) */
566 context->curve = NULL;
567 } else if (context->ecc_dhe) {
568 if (ecc_ansi_x963_export
569 (context->ecc_dhe, shared_key,
572 ("Error exporting ECC DHE key\n");
573 tls_destroy_packet(packet);
574 tls_alert(context, 1, internal_error);
577 tls_ecc_dhe_free(context);
578 extension_len += 8 + shared_key_len;
580 (uint16_t)shared_key_len;
581 if (context->curve) {
583 context->curve->iana;
585 } else if (context->dhe) {
586 selected_group = context->dhe->iana;
587 tls_dh_export_Y(shared_key,
590 tls_dhe_free(context);
591 extension_len += 8 + shared_key_len;
592 shared_key_short = shared_key_len;
598 if (context->negotiated_alpn && context->tlsver != TLS_VERSION13) {
599 alpn_negotiated_len = strlen(context->negotiated_alpn);
600 alpn_len = alpn_negotiated_len + 1;
601 extension_len += alpn_len + 6;
605 /* fallback ... this should never happen */
606 if (!context->cipher) {
607 context->cipher = TLS_DHE_RSA_WITH_AES_128_CBC_SHA;
610 tls_packet_uint16(packet, context->cipher);
612 tls_packet_uint8(packet, 0);
614 if (context->tlsver == TLS_VERSION13) {
615 /* supported versions */
616 tls_packet_uint16(packet, 0x2B);
618 tls_packet_uint16(packet, 2);
619 if (context->version == TLS_V13) {
620 tls_packet_uint16(packet,
621 context-> tls13_version ?
622 context-> tls13_version :
625 tls_packet_uint16(packet, context->version);
628 if (context->connection_status == 4) {
629 /* fallback to the mandatory secp256r1 */
630 tls_packet_uint16(packet, 0x33);
631 tls_packet_uint16(packet, 2);
632 tls_packet_uint16(packet, (uint16_t) secp256r1.iana);
635 if (shared_key_short && selected_group) {
637 tls_packet_uint16(packet, 0x33);
638 tls_packet_uint16(packet, shared_key_short + 4);
639 tls_packet_uint16(packet, selected_group);
640 tls_packet_uint16(packet, shared_key_short);
641 tls_packet_append(packet, (unsigned char *) shared_key,
646 if (!packet->broken && packet->buf) {
647 tls_set_packet_length(packet, packet->len - start_len);
650 tls_packet_update(packet);
655 struct TLSPacket *tls_buffer_packet(struct tls_buffer *b, struct TLSContext *c) {
656 struct TLSPacket *p = 0;
659 p = tls_create_packet(c, TLS_HANDSHAKE, c->version, 0);
677 static void append_dhe(struct TLSContext *ctx, struct tls_buffer *buf) {
678 unsigned char dh_Ys[0xFFF];
679 unsigned char dh_p[0xFFF];
680 unsigned char dh_g[0xFFF];
681 unsigned long dh_p_len = sizeof dh_p;
682 unsigned long dh_g_len = sizeof dh_g;
683 unsigned long dh_Ys_len = sizeof dh_Ys;
685 if (tls_dh_export_pqY(dh_p, &dh_p_len, dh_g, &dh_g_len, dh_Ys,
686 &dh_Ys_len, ctx->dhe)) {
687 DEBUG_PRINT("ERROR EXPORTING DHE KEY %p\n", ctx->dhe);
695 DEBUG_DUMP_HEX_LABEL("Yc", dh_Ys, dh_Ys_len);
697 tls_buffer_append24(buf, dh_Ys_len + 2);
699 tls_buffer_append16(buf, dh_Ys_len);
700 tls_buffer_append(buf, dh_Ys, dh_Ys_len);
703 static void append_ecdhe(struct TLSContext *ctx, struct tls_buffer *buf) {
704 unsigned char out[TLS_MAX_RSA_KEY];
705 unsigned long out_len = TLS_MAX_RSA_KEY;
707 //fprintf(stderr, "ecc dhe\n");
709 if (ecc_ansi_x963_export(ctx->ecc_dhe, out, &out_len)) {
710 DEBUG_PRINT("Error exporting ECC key\n");
714 tls_ecc_dhe_free(ctx);
716 tls_buffer_append_byte(buf, 0x10);
717 tls_buffer_append24(buf, out_len + 1);
719 tls_buffer_append_byte(buf, out_len);
720 tls_buffer_append(buf, out, out_len);
723 static void set_record_size(struct tls_buffer *b) {
727 tls_buffer_write16(b, size, 3);
730 struct TLSPacket *tls_client_key_exchange(struct TLSContext *context) {
731 struct tls_buffer cke;
734 tls_buffer_init(&cke, 42);
735 tls_buffer_append_byte(&cke, 0x16);
736 tls_buffer_append16(&cke, 0x0303);
737 tls_buffer_append16(&cke, 0); /* record size placeholder */
739 if (context->ecc_dhe) {
740 append_ecdhe(context, &cke);
742 append_dhe(context, &cke);
744 set_record_size(&cke);
746 p = tls_buffer_packet(&cke, context);
748 tls_compute_key(context, 48);
749 context->connection_status = 2;
750 tls_packet_update(p);
755 static int tls_build_random(struct TLSPacket *packet) {
757 unsigned char rand_bytes[48];
760 if (!tls_random(rand_bytes, bytes)) {
761 return TLS_GENERIC_ERROR;
764 /* max supported version */
765 if (packet->context->is_server) {
766 *(unsigned short *) rand_bytes =
767 htons(packet->context->version);
769 *(unsigned short *) rand_bytes = htons(TLS_V12);
772 /* DEBUG_DUMP_HEX_LABEL("PREMASTER KEY", rand_bytes, bytes); */
774 free(packet->context->premaster_key);
776 packet->context->premaster_key = malloc(bytes);
777 if (!packet->context->premaster_key) {
778 return TLS_NO_MEMORY;
781 packet->context->premaster_key_len = bytes;
782 memcpy(packet->context->premaster_key, rand_bytes,
783 packet->context->premaster_key_len);
785 unsigned int out_len;
787 unsigned char *random = encrypt_rsa(packet->context,
788 packet->context->premaster_key,
789 packet->context->premaster_key_len, &out_len);
791 tls_compute_key(packet->context, bytes);
792 if (random && out_len > 2) {
793 tls_packet_uint24(packet, out_len + 2);
794 tls_packet_uint16(packet, out_len);
795 tls_packet_append(packet, random, out_len);
797 res = TLS_GENERIC_ERROR;
809 void tls_send_client_key_exchange(struct TLSContext *context) {
810 struct TLSPacket *packet;
812 int ephemeral = tls_cipher_is_ephemeral(context);
814 if (ephemeral && context->premaster_key && context->premaster_key_len) {
815 //fprintf(stderr, "YYYY\n");
816 packet = tls_client_key_exchange(context);
817 tls_queue_packet(packet);
819 if (ephemeral == 1) {
821 } else if (context->ecc_dhe) {
825 /* TODO should never happen, should always require
826 * either DHE or ECC DHE */
827 fprintf(stderr, "ZZZZ build random\n");
829 packet = tls_create_packet(context, TLS_HANDSHAKE, context->version, 0);
830 tls_packet_uint8(packet, 0x10);
831 tls_build_random(packet);
833 context->connection_status = 2;
834 tls_packet_update(packet);
835 tls_queue_packet(packet);
839 static uint32_t get24(const unsigned char *buf) {
840 return (*buf << 16) + (*(buf+1) << 8) + *(buf+2);
843 static uint16_t get16(const unsigned char *buf) {
844 return (*(buf) << 8) + *(buf+1);
847 int tls_hello_complete(const unsigned char *buf, size_t len) {
855 if (more > len - 3) {
856 fprintf(stderr, "%s:%d\n", __func__, __LINE__);
857 fprintf(stderr, "have %zu, want %zu\n", len, more);
863 int tls_parse_server_hello(struct TLSContext *ctx, const unsigned char *buf, size_t len) {
867 if (ctx->connection_status != 0 && ctx->connection_status != 4) {
868 return TLS_UNEXPECTED_MESSAGE;
871 if (!tls_hello_complete(buf, len)) {
872 return TLS_NEED_MORE_DATA;
875 /* 3 bytes server hello data size */
878 /* TODO check size reported vs actual */
880 /* two bytes server version */
881 uint16_t server_ver = get16(buf+i);
883 if (server_ver != ctx->version) {
884 /* TODO allow (or not) downgrade to v1.2 */
885 return TLS_UNEXPECTED_MESSAGE;
888 /* 32 bytes server random */
889 memcpy(ctx->remote_random, buf+i, 32);
892 /* 1 byte of session id length */
893 uint8_t session_len = *(buf+i);
897 /* possible session id bytes */
898 /* TODO skip? we don't actually use session ids */
900 session_id = malloc(session_len);
905 memcpy(session_id, buf+i, session_len);
909 /* two bytes cipher suite selected */
910 ctx->cipher = get16(buf+i);
912 if (!tls_cipher_supported(ctx, ctx->cipher)) {
914 DEBUG_PRINT("NO CIPHER SUPPORTED\n");
915 return TLS_NO_COMMON_CIPHER;
918 /* one byte compression method */
919 uint8_t compression_method = *(buf+i);
921 if (compression_method != 0) {
925 if (i > 0 && ctx->connection_status != 4) {
926 ctx->connection_status = 1;
934 /* two bytes extensions length */
935 uint16_t extensions_length = get16(buf+i);
938 if (extensions_length + i != len) {
945 int etype = get16(buf+i);
948 /* TODO check that extension type is in the list of
949 * extensions we sent, if not, abort with
950 * unsupported_extension fatal alert
952 uint16_t elen = get16(buf+i);
958 return TLS_BROKEN_PACKET;
963 const unsigned char *alpn;
964 unsigned char alpn_size;
966 uint16_t group_len, iana_n;
972 sni_len = get16(buf+i);
974 ctx->sni = malloc(sni_len + 1);
975 memcpy(ctx->sni, buf+i+2, sni_len);
976 ctx->sni[sni_len] = 0;
979 case 0x000a: /* supported groups */
980 fprintf(stderr, "supported groups\n");
981 /* supported groups */
983 return TLS_BROKEN_PACKET;
986 group_len = get16(buf+i);
987 for (j = i; i < i + group_len+2; i+=2) {
988 iana_n = get16(buf+j);
991 ctx->curve = &secp256r1;
995 ctx->curve = &secp384r1;
999 ctx->curve = &curve25519;
1003 ctx->curve = &secp521r1;
1010 fprintf(stderr, "SELECTED CURVE %s\n",
1014 if (!ctx->alpn || ctx->alpn_count == 0) {
1018 return TLS_BROKEN_PACKET;
1021 alpn_len = get16(buf+i);
1023 if (alpn_len == 0 || alpn_len > elen - 2) {
1027 /* a server's alpn list "must contain exactly
1028 * one "ProtocolName"
1030 alpn_size = buf[i + 2];
1032 if (i + alpn_size + 3 < len) {
1036 if (!tls_alpn_contains(ctx, (char *)alpn, alpn_size)) {
1039 free(ctx->negotiated_alpn);
1040 ctx->negotiated_alpn = malloc(alpn_size + 1);
1041 if (ctx->negotiated_alpn) {
1042 memcpy(ctx->negotiated_alpn,
1045 ctx->negotiated_alpn[alpn_size] = 0;
1048 case 0xff01: /* renegotiation info */
1049 //fprintf(stderr, "renegotiation info\n");
1050 /* ignore, we don't support renegotiation */
1052 case 0x0033: /* key share */
1053 /* TODO parse key share */
1054 fprintf(stderr, "key share info\n");
1057 /* signature algorithms */
1059 case 0x002b: /* supported versions */
1060 /* should be two bytes of 0x00 0x02
1061 * indicating two bytes of server version
1062 * then 0x03 0x04 for v1.3
1064 fprintf(stderr, "supported versions\n");
1067 fprintf(stderr, "unknown extension %04x\n", etype);
1074 if (ctx->connection_status != 4) {
1075 ctx->connection_status = 1;