1 #define _POSIX_C_SOURCE 200809L
8 #define TLS12_FLAG 0x01
9 #define TLS13_FLAG 0x03
11 static unsigned char *encrypt_rsa(struct TLSContext *context,
12 const unsigned char *buffer,
16 if (!len || !context || !context->certificates
17 || !context->certificates_count
18 || !context->certificates[0]
19 || !context->certificates[0]->der_bytes
20 || !context->certificates[0]->der_len) {
21 DEBUG_PRINT("No certificate set\n");
26 err = rsa_import(context->certificates[0]->der_bytes,
27 context->certificates[0]->der_len, &key);
30 DEBUG_PRINT("Error importing RSA certificate (code: %i)\n",
34 unsigned long out_size = TLS_MAX_RSA_KEY;
35 unsigned char *out = malloc(out_size);
36 int hash_idx = find_hash("sha256");
37 int prng_idx = find_prng("sprng");
38 err = rsa_encrypt_key_ex(buffer, len, out, &out_size, (unsigned char *)
39 "Concept", 7, NULL, prng_idx, hash_idx,
40 LTC_PKCS_1_V1_5, &key);
42 if (err || !out_size) {
46 *size = (unsigned int) out_size;
51 void add_supported_versions(struct tls_buffer *buf, int versions) {
53 char version12[] = { 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x03 };
54 char version13[] = { 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04 };
55 char both[] = { 0x00, 0x2b, 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03 };
61 size = sizeof version12;
65 size = sizeof version13;
73 tls_buffer_append(buf, use, size);
76 static void add_sni_extension(struct tls_buffer *buf, char *sni) {
85 /* server name extension id = 0x00 0x00 */
86 tls_buffer_append16(buf, 0x0000);
87 /* length of server name extension */
88 tls_buffer_append16(buf, len + 5);
89 /* length of first entry */
90 tls_buffer_append16(buf, len + 3);
92 tls_buffer_append_byte(buf, 0x00);
94 tls_buffer_append16(buf, len);
95 /* actual server name indication */
96 tls_buffer_append(buf, sni, len);
102 00 20 - 0x20 (32) bytes of cipher suite data
107 static void add_cipher_suites(struct tls_buffer *buf, int suites) {
108 /* the five TLS 1.3 cipher suites in B.4 of rfc 8446 */
109 /* chacha20 preferred */
110 unsigned char tls_13_suites[] = {
111 0x13, 0x03, 0x13, 0x01, 0x13, 0x02, 0x13, 0x04, 0x13, 0x04
113 unsigned char tls_12_suites[] = {
114 0xcc, 0xa9, 0xc0, 0x2b, 0xc0, 0x23, 0xcc, 0xa8, 0xc0, 0x2f,
115 0xc0, 0x27, 0x00, 0x9e, 0x00, 0x6b, 0x00, 0x67, 0xcc, 0xaa
121 len += sizeof tls_12_suites;
125 len += sizeof tls_13_suites;
128 tls_buffer_expand(buf, len + 2);
129 tls_buffer_append16(buf, len);
130 /* if we're including 1.3 ciphers, put them first so they're preferred
133 tls_buffer_append(buf, tls_13_suites, sizeof tls_13_suites);
136 tls_buffer_append(buf, tls_12_suites, sizeof tls_12_suites);
140 void add_signed_certificate_timestamp_extension(struct tls_buffer *buf) {
141 char sct[] = { 0x00, 0x12, 0x00, 0x00 }; /* sct id and zero bytes */
142 tls_buffer_append(buf, sct, sizeof sct);
146 * 00 05 - assigned value for extension "status request"
147 * 00 05 - 0x5 (5) bytes of "status request" extension data follows
148 * 01 - assigned value for "certificate status type: OCSP"
149 * 00 00 - 0x0 (0) bytes of responderID information
150 * 00 00 - 0x0 (0) bytes of request extension information
152 void add_status_request_extension(struct tls_buffer *buf) {
153 char sr[] = { 0x00, 0x05, 0x00, 0x05, 0x01, 0x00, 0x00, 0x00, 0x00 };
154 tls_buffer_append(buf, sr, sizeof sr);
157 void add_supported_groups_extension(struct tls_buffer *buf) {
158 /* supported groups */
159 /* this specifies the curves */
160 unsigned char groups[] = {
161 /* extension id and size in bytes */
162 0x00, 0x0a, 0x00, 0x08,
163 /* six bytes of groups */
169 /* secp256r1, secp384r1, secp521r1 */
170 0x00, 0x17, 0x00, 0x18, 0x00, 0x19
172 tls_buffer_append(buf, groups, sizeof groups);
176 * 00 0b - assigned value for extension "EC points format"
177 * 00 02 - 0x2 (2) bytes of "EC points format" extension data follows
178 * 01 - 0x1 (1) bytes of data are in the supported formats list
179 * 00 - assigned value for uncompressed form
181 void add_ec_point_formats_extension(struct tls_buffer *buf) {
182 char formats[] = { 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00 };
183 tls_buffer_append(buf, formats, sizeof formats);
186 void add_signature_algorithms_extension(struct tls_buffer *buf) {
187 char algorithms[] = {
188 0x00, 0x0d, 0x00, 0x0e, 0x00, 0x0c, /* id and lengths */
189 0x04, 0x01, /* RSA/PKCS1/SHA256 */
190 0x04, 0x03, /* ECDSA/SECP256r1/SHA256 */
191 0x05, 0x01, /* RSA/PKCS1/SHA386 */
192 0x05, 0x03, /* ECDSA/SECP384r1/SHA384 */
193 0x06, 0x01, /* RSA/PKCS1/SHA512 */
194 0x06, 0x03 /* ECDSA/SECP521r1/SHA512 */
200 0x08, 0x04, /* RSA-PSS-RSAE-SHA256 */
203 0x08, 0x05, /* RSA-PSS-RSAE-SHA384 */
205 0x08, 0x06, /* RSA-PSS-RSAE-SHA512 */
207 /* and 0x02, 0x01 for RSA-PKCS1-SHA1 */
212 tls_buffer_append(buf, algorithms, sizeof algorithms);
215 static void add_renegotiation_info_extension(struct tls_buffer *buf) {
216 /* two bytes id, and one byte of zero bytes of info */
217 char info[] = { 0xff, 0x01, 0x00, 0x01, 0x00 };
219 tls_buffer_append(buf, info, sizeof info);
223 * 00 33 - assigned value for extension "Key Share"
224 * 00 26 - 0x26 (38) bytes of "Key Share" extension data follows
225 * 00 24 - 0x24 (36) bytes of key share data follows
226 * 00 1d - assigned value for x25519 (key exchange via curve25519)
227 * 00 20 - 0x20 (32) bytes of public key follows
228 * 35 80 ... 62 54 - public key from the step "Client Key Exchange Generation"
230 static void add_key_share_extension(struct tls_buffer *buf, struct TLSContext
232 char kseid[] = { 0x00, 0x33, 0x00, 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00,
234 char bogus_key[32] = { 0 };
240 /* TODO figure out where the client key share is */
241 tls_buffer_append(buf, kseid, sizeof kseid);
242 tls_buffer_append(buf, bogus_key, sizeof bogus_key);
246 * 00 2d - assigned value for extension "PSK Key Exchange Modes"
247 * 00 02 - 0x2 (2) bytes of "PSK Key Exchange Modes" extension data follows
248 * 01 - 0x1 (1) bytes of exchange modes follow
249 * 01 - assigned value for "PSK with (EC)DHE key establishment"
251 * we don't actually pre-share keys here, so ignored, but we'll send it
254 /* TODO probably need to get these from the context */
255 static void add_pks_key_exchanges_modes_extension(struct tls_buffer *buf) {
256 char psk[] = { 0x00, 0x2d, 0x00, 0x02, 0x01, 0x01 };
258 tls_buffer_append(buf, psk, sizeof psk);
261 static void set_handshake_header(char *buf, int type, size_t length) {
262 buf[0] = type & 0xff;
263 buf[1] = (length >> 16) & 0xff;
264 buf[2] = (length >> 8) & 0xff;
265 buf[3] = (length >> 0) & 0xff;
268 int tls_client_hello(struct TLSContext *ctx, struct tls_buffer *hello) {
269 size_t hello_offset = hello->len;
271 /* make room for the handshake header */
272 tls_buffer_expand(hello, 4);
275 /* actual client hello structure follows */
277 tls_buffer_append(hello, "\x03\x03", 2); /* legacy_version */
278 /* random not set up yet */
279 //tls_random(ctx->local_random, 32);
280 tls_buffer_append(hello, ctx->local_random, 32); /* client random */
281 tls_buffer_append(hello, "\0", 1); /* legacy_session_id */
282 /* alternatively, append a 32 (0x20) and 32 random bytes as a bogus
287 * TODO need a way to only use v1.3
289 int suites = TLS12_FLAG; /* always use v1.2 suites */
291 if (ctx->tlsver == TLS_VERSION13) {
292 suites |= TLS13_FLAG;
294 add_cipher_suites(hello, suites);
296 /* legacy_compression_methods */
297 tls_buffer_append(hello, "\1\0", 2);
301 * TODO I don't think the extension order matters, so the code below
302 * can be simplified by putting all the extensions together by version
304 size_t extensions_start = hello->len;
305 /* first two bytes are length of extensions, so make room to fill them
306 * in once we know the size
308 tls_buffer_append(hello, "\0\0", 2);
310 /* TODO need to track which extensions we're sending:
311 * "If a client receives an extension type in ServerHello that it did
312 * not request in the associated ClientHello, it MUST abort the
313 * handshake with an unsupported_extension fatal alert."
315 add_sni_extension(hello, ctx->sni); /* server name indicator */
318 /* TODO not sure why 1.3 doesn't need or want this */
319 /* TODO duckduckgo.com seems to fail with this one */
320 if (ctx->tlsver == TLS_VERSION12) {
321 add_status_request_extension(hello);
325 add_supported_groups_extension(hello);
327 /* v1.2 only, points are fixed in v1.3 */
328 if (ctx->tlsver == TLS_VERSION12) {
329 add_ec_point_formats_extension(hello);
332 add_signature_algorithms_extension(hello);
334 if (ctx->tlsver == TLS_VERSION13) {
335 add_key_share_extension(hello, ctx);
336 add_pks_key_exchanges_modes_extension(hello);
339 /* v1.2 only, 1.3 doesn't support renegotiation
340 * and doesn't seem to need cert ts
342 if (ctx->tlsver == TLS_VERSION12) {
343 add_renegotiation_info_extension(hello);
344 add_signed_certificate_timestamp_extension(hello);
347 if (ctx->tlsver == TLS_VERSION13) {
348 /* supported versions is mandatory in V1.3 */
349 /* 1 v1.2 only, 2 = v1.3 only, 3 = both */
350 /* TODO need a context flag to allow fallback to v1.2 */
351 /* could probably pass this in v1.2 and the server
353 add_supported_versions(hello, 3);
356 /* set the extensions length */
357 size_t extensions_length = hello->len - extensions_start - 2;
358 tls_buffer_write16(hello, extensions_length, extensions_start);
360 /* fill in the handshake header */
361 size_t hello_length = hello->len - hello_offset - 4;
362 set_handshake_header(hello->buffer+hello_offset, client_hello,
365 tls_buffer_compact(hello);
370 void pbytes(unsigned char *b, size_t len, char *label) {
373 fprintf(stderr, "%s (%zu bytes)\n", label ? label : "dumping", len);
375 for (i=0; i<len; i++) {
376 fprintf(stderr, "%s%02x%s",
379 (i+1) % 20 ? "" : "\n"
383 fprintf(stderr, "\n");
388 struct TLSPacket *tls_build_client_hello(struct TLSContext *context) {
389 if (context->connection_status == 4) {
390 unsigned char header[4] = { 0xFE, 0, 0, 0 };
391 unsigned char hash[TLS_MAX_SHA_SIZE];
392 static unsigned char sha256_helloretryrequest[] =
393 { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE,
394 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91, 0xC2,
395 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, 0x07,
396 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C
398 fprintf(stderr, "got hello retry request\n");
399 memcpy(context->local_random, sha256_helloretryrequest, 32);
400 int hash_len = tls_done_hash(context, hash);
401 header[3] = (unsigned char) hash_len;
402 tls_update_hash(context, header, sizeof header);
403 tls_update_hash(context, hash, hash_len);
404 } else if (context->tlsver != TLS_VERSION13) {
405 //fprintf(stderr, "creating local_random\n");
406 if (!tls_random(context->local_random, TLS_SERVER_RANDOM_SIZE)) {
411 struct tls_buffer shadow;
412 char record_header[] = { 0x16, 0x03, 0x03, 0x00, 0x00 };
414 tls_buffer_init(&shadow, 106);
415 tls_buffer_append(&shadow, record_header, sizeof record_header);
416 tls_client_hello(context, &shadow);
417 tls_buffer_writebe(&shadow, 3, 6, shadow.len - 9);
420 tls_buffer_free(&shadow);
424 struct TLSPacket *packet = malloc(sizeof *packet);
430 packet->buf = shadow.buffer;
431 packet->len = shadow.len;
432 packet->size = shadow.size;
433 packet->payload_pos = 0;
435 packet->context = context;
437 tls_packet_update(packet);
442 int tls_send_client_hello(struct TLSContext *ctx) {
446 struct TLSPacket *tls_build_hello(struct TLSContext *context,
447 int tls13_downgrade) {
448 if (context->connection_status == 4) {
449 unsigned char header[4] = { 0xFE, 0, 0, 0 };
450 unsigned char hash[TLS_MAX_SHA_SIZE];
451 static unsigned char sha256_helloretryrequest[] =
452 { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE,
453 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91, 0xC2,
454 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, 0x07,
455 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C
457 fprintf(stderr, "got hello retry request\n");
458 memcpy(context->local_random, sha256_helloretryrequest, 32);
459 int hash_len = tls_done_hash(context, hash);
460 header[3] = (unsigned char) hash_len;
461 tls_update_hash(context, header, sizeof header);
462 tls_update_hash(context, hash, hash_len);
463 } else if (!context->is_server || context->tlsver != TLS_VERSION13) {
464 fprintf(stderr, "creating local_random\n");
465 if (!tls_random(context->local_random, TLS_SERVER_RANDOM_SIZE)) {
470 if (context->is_server && tls13_downgrade) {
471 if (tls13_downgrade == TLS_V12 || tls13_downgrade == DTLS_V12)
473 memcpy(context->local_random +
474 TLS_SERVER_RANDOM_SIZE - 8, "DOWNGRD\x01",
477 memcpy(context->local_random +
478 TLS_SERVER_RANDOM_SIZE - 8, "DOWNGRD\x00",
483 if (!context->is_server) {
484 struct tls_buffer shadow;
485 char record_header[] = { 0x16, 0x03, 0x03, 0x00, 0x00 };
487 tls_buffer_init(&shadow, 106);
488 tls_buffer_append(&shadow, record_header, sizeof record_header);
489 tls_client_hello(context, &shadow);
490 tls_buffer_writebe(&shadow, 3, 6, shadow.len - 9);
493 tls_buffer_free(&shadow);
497 struct TLSPacket *packet = malloc(sizeof *packet);
504 packet->buf = shadow.buffer;
505 packet->len = shadow.len;
506 packet->size = shadow.size;
507 packet->payload_pos = 0;
509 packet->context = context;
511 tls_packet_update(packet);
513 fprintf(stderr, "returning packet\n");
517 /* context must be server from here on out */
519 unsigned short packet_version = context->version;
520 unsigned short version = context->version;
522 if (context->version == TLS_V13) {
524 } else if (context->version == DTLS_V13) {
528 struct TLSPacket *packet =
529 tls_create_packet(context, TLS_HANDSHAKE, packet_version, 0);
532 tls_packet_uint8(packet, server_hello);
534 tls_packet_uint24(packet, 0);
536 int start_len = packet->len;
537 tls_packet_uint16(packet, version);
539 tls_packet_append(packet, context->local_random,
540 TLS_SERVER_RANDOM_SIZE);
542 /* session size, always 0, we don't support sessions */
543 tls_packet_uint8(packet, 0);
545 int extension_len = 0;
547 int alpn_negotiated_len = 0;
548 unsigned char shared_key[TLS_MAX_RSA_KEY];
549 unsigned long shared_key_len = TLS_MAX_RSA_KEY;
550 unsigned short shared_key_short = 0;
551 int selected_group = 0;
552 if (context->tlsver == TLS_VERSION13) {
553 if (context->curve == &curve25519) {
554 extension_len += 8 + 32;
555 shared_key_short = (unsigned short) 32;
556 if (context->finished_key) {
560 free(context->finished_key);
561 context->finished_key = NULL;
563 selected_group = context->curve->iana;
564 /* make context->curve NULL (x25519 is a different implementation) */
565 context->curve = NULL;
566 } else if (context->ecc_dhe) {
567 if (ecc_ansi_x963_export
568 (context->ecc_dhe, shared_key,
571 ("Error exporting ECC DHE key\n");
572 tls_destroy_packet(packet);
573 tls_alert(context, 1, internal_error);
576 tls_ecc_dhe_free(context);
577 extension_len += 8 + shared_key_len;
579 (uint16_t)shared_key_len;
580 if (context->curve) {
582 context->curve->iana;
584 } else if (context->dhe) {
585 selected_group = context->dhe->iana;
586 tls_dh_export_Y(shared_key,
589 tls_dhe_free(context);
590 extension_len += 8 + shared_key_len;
591 shared_key_short = shared_key_len;
597 if (context->negotiated_alpn && context->tlsver != TLS_VERSION13) {
598 alpn_negotiated_len = strlen(context->negotiated_alpn);
599 alpn_len = alpn_negotiated_len + 1;
600 extension_len += alpn_len + 6;
604 /* fallback ... this should never happen */
605 if (!context->cipher) {
606 context->cipher = TLS_DHE_RSA_WITH_AES_128_CBC_SHA;
609 tls_packet_uint16(packet, context->cipher);
611 tls_packet_uint8(packet, 0);
613 if (context->tlsver == TLS_VERSION13) {
614 /* supported versions */
615 tls_packet_uint16(packet, 0x2B);
617 tls_packet_uint16(packet, 2);
618 if (context->version == TLS_V13) {
619 tls_packet_uint16(packet,
620 context-> tls13_version ?
621 context-> tls13_version :
624 tls_packet_uint16(packet, context->version);
627 if (context->connection_status == 4) {
628 /* fallback to the mandatory secp256r1 */
629 tls_packet_uint16(packet, 0x33);
630 tls_packet_uint16(packet, 2);
631 tls_packet_uint16(packet, (uint16_t) secp256r1.iana);
634 if (shared_key_short && selected_group) {
636 tls_packet_uint16(packet, 0x33);
637 tls_packet_uint16(packet, shared_key_short + 4);
638 tls_packet_uint16(packet, selected_group);
639 tls_packet_uint16(packet, shared_key_short);
640 tls_packet_append(packet, (unsigned char *) shared_key,
645 if (!packet->broken && packet->buf) {
646 tls_set_packet_length(packet, packet->len - start_len);
649 tls_packet_update(packet);
654 struct TLSPacket *tls_buffer_packet(struct tls_buffer *b, struct TLSContext *c) {
655 struct TLSPacket *p = 0;
658 p = tls_create_packet(c, TLS_HANDSHAKE, c->version, 0);
676 static void append_dhe(struct TLSContext *ctx, struct tls_buffer *buf) {
677 unsigned char dh_Ys[0xFFF];
678 unsigned char dh_p[0xFFF];
679 unsigned char dh_g[0xFFF];
680 unsigned long dh_p_len = sizeof dh_p;
681 unsigned long dh_g_len = sizeof dh_g;
682 unsigned long dh_Ys_len = sizeof dh_Ys;
684 if (tls_dh_export_pqY(dh_p, &dh_p_len, dh_g, &dh_g_len, dh_Ys,
685 &dh_Ys_len, ctx->dhe)) {
686 DEBUG_PRINT("ERROR EXPORTING DHE KEY %p\n", ctx->dhe);
694 DEBUG_DUMP_HEX_LABEL("Yc", dh_Ys, dh_Ys_len);
696 tls_buffer_append24(buf, dh_Ys_len + 2);
698 tls_buffer_append16(buf, dh_Ys_len);
699 tls_buffer_append(buf, dh_Ys, dh_Ys_len);
702 static void append_ecdhe(struct TLSContext *ctx, struct tls_buffer *buf) {
703 unsigned char out[TLS_MAX_RSA_KEY];
704 unsigned long out_len = TLS_MAX_RSA_KEY;
706 //fprintf(stderr, "ecc dhe\n");
708 if (ecc_ansi_x963_export(ctx->ecc_dhe, out, &out_len)) {
709 DEBUG_PRINT("Error exporting ECC key\n");
713 tls_ecc_dhe_free(ctx);
715 tls_buffer_append_byte(buf, 0x10);
716 tls_buffer_append24(buf, out_len + 1);
718 tls_buffer_append_byte(buf, out_len);
719 tls_buffer_append(buf, out, out_len);
722 static void set_record_size(struct tls_buffer *b) {
726 tls_buffer_write16(b, size, 3);
729 struct TLSPacket *tls_client_key_exchange(struct TLSContext *context) {
730 struct tls_buffer cke;
733 tls_buffer_init(&cke, 42);
734 tls_buffer_append_byte(&cke, 0x16);
735 tls_buffer_append16(&cke, 0x0303);
736 tls_buffer_append16(&cke, 0); /* record size placeholder */
738 if (context->ecc_dhe) {
739 append_ecdhe(context, &cke);
741 append_dhe(context, &cke);
743 set_record_size(&cke);
745 p = tls_buffer_packet(&cke, context);
747 tls_compute_key(context, 48);
748 context->connection_status = 2;
749 tls_packet_update(p);
754 static int tls_build_random(struct TLSPacket *packet) {
756 unsigned char rand_bytes[48];
759 if (!tls_random(rand_bytes, bytes)) {
760 return TLS_GENERIC_ERROR;
763 /* max supported version */
764 if (packet->context->is_server) {
765 *(unsigned short *) rand_bytes =
766 htons(packet->context->version);
768 *(unsigned short *) rand_bytes = htons(TLS_V12);
771 /* DEBUG_DUMP_HEX_LABEL("PREMASTER KEY", rand_bytes, bytes); */
773 free(packet->context->premaster_key);
775 packet->context->premaster_key = malloc(bytes);
776 if (!packet->context->premaster_key) {
777 return TLS_NO_MEMORY;
780 packet->context->premaster_key_len = bytes;
781 memcpy(packet->context->premaster_key, rand_bytes,
782 packet->context->premaster_key_len);
784 unsigned int out_len;
786 unsigned char *random = encrypt_rsa(packet->context,
787 packet->context->premaster_key,
788 packet->context->premaster_key_len, &out_len);
790 tls_compute_key(packet->context, bytes);
791 if (random && out_len > 2) {
792 tls_packet_uint24(packet, out_len + 2);
793 tls_packet_uint16(packet, out_len);
794 tls_packet_append(packet, random, out_len);
796 res = TLS_GENERIC_ERROR;
808 void tls_send_client_key_exchange(struct TLSContext *context) {
809 struct TLSPacket *packet;
811 int ephemeral = tls_cipher_is_ephemeral(context);
813 if (ephemeral && context->premaster_key && context->premaster_key_len) {
814 //fprintf(stderr, "YYYY\n");
815 packet = tls_client_key_exchange(context);
816 tls_queue_packet(packet);
818 if (ephemeral == 1) {
820 } else if (context->ecc_dhe) {
824 /* TODO should never happen, should always require
825 * either DHE or ECC DHE */
826 fprintf(stderr, "ZZZZ build random\n");
828 packet = tls_create_packet(context, TLS_HANDSHAKE, context->version, 0);
829 tls_packet_uint8(packet, 0x10);
830 tls_build_random(packet);
832 context->connection_status = 2;
833 tls_packet_update(packet);
834 tls_queue_packet(packet);
838 static uint32_t get24(const unsigned char *buf) {
839 return (*buf << 16) + (*(buf+1) << 8) + *(buf+2);
842 static uint16_t get16(const unsigned char *buf) {
843 return (*(buf) << 8) + *(buf+1);
846 int tls_hello_complete(const unsigned char *buf, size_t len) {
854 if (more > len - 3) {
855 fprintf(stderr, "%s:%d\n", __func__, __LINE__);
856 fprintf(stderr, "have %zu, want %zu\n", len, more);
862 int tls_parse_server_hello(struct TLSContext *ctx, const unsigned char *buf, size_t len) {
866 if (ctx->connection_status != 0 && ctx->connection_status != 4) {
867 return TLS_UNEXPECTED_MESSAGE;
870 if (!tls_hello_complete(buf, len)) {
871 return TLS_NEED_MORE_DATA;
874 /* 3 bytes server hello data size */
877 /* TODO check size reported vs actual */
879 /* two bytes server version */
880 uint16_t server_ver = get16(buf+i);
882 if (server_ver != ctx->version) {
883 /* TODO allow (or not) downgrade to v1.2 */
884 return TLS_UNEXPECTED_MESSAGE;
887 /* 32 bytes server random */
888 memcpy(ctx->remote_random, buf+i, 32);
891 /* 1 byte of session id length */
892 uint8_t session_len = *(buf+i);
896 /* possible session id bytes */
897 /* TODO skip? we don't actually use session ids */
899 session_id = malloc(session_len);
904 memcpy(session_id, buf+i, session_len);
908 /* two bytes cipher suite selected */
909 ctx->cipher = get16(buf+i);
911 if (!tls_cipher_supported(ctx, ctx->cipher)) {
913 DEBUG_PRINT("NO CIPHER SUPPORTED\n");
914 return TLS_NO_COMMON_CIPHER;
917 /* one byte compression method */
918 uint8_t compression_method = *(buf+i);
920 if (compression_method != 0) {
924 if (i > 0 && ctx->connection_status != 4) {
925 ctx->connection_status = 1;
933 /* two bytes extensions length */
934 uint16_t extensions_length = get16(buf+i);
937 if (extensions_length + i != len) {
944 int etype = get16(buf+i);
947 /* TODO check that extension type is in the list of
948 * extensions we sent, if not, abort with
949 * unsupported_extension fatal alert
951 uint16_t elen = get16(buf+i);
957 return TLS_BROKEN_PACKET;
962 const unsigned char *alpn;
963 unsigned char alpn_size;
965 uint16_t group_len, iana_n;
971 sni_len = get16(buf+i);
973 ctx->sni = malloc(sni_len + 1);
974 memcpy(ctx->sni, buf+i+2, sni_len);
975 ctx->sni[sni_len] = 0;
978 case 0x000a: /* supported groups */
979 fprintf(stderr, "supported groups\n");
980 /* supported groups */
982 return TLS_BROKEN_PACKET;
985 group_len = get16(buf+i);
986 for (j = i; i < i + group_len+2; i+=2) {
987 iana_n = get16(buf+j);
990 ctx->curve = &secp256r1;
994 ctx->curve = &secp384r1;
998 ctx->curve = &curve25519;
1002 ctx->curve = &secp521r1;
1009 fprintf(stderr, "SELECTED CURVE %s\n",
1013 if (!ctx->alpn || ctx->alpn_count == 0) {
1017 return TLS_BROKEN_PACKET;
1020 alpn_len = get16(buf+i);
1022 if (alpn_len == 0 || alpn_len > elen - 2) {
1026 /* a server's alpn list "must contain exactly
1027 * one "ProtocolName"
1029 alpn_size = buf[i + 2];
1031 if (i + alpn_size + 3 < len) {
1035 if (!tls_alpn_contains(ctx, (char *)alpn, alpn_size)) {
1038 free(ctx->negotiated_alpn);
1039 ctx->negotiated_alpn = malloc(alpn_size + 1);
1040 if (ctx->negotiated_alpn) {
1041 memcpy(ctx->negotiated_alpn,
1044 ctx->negotiated_alpn[alpn_size] = 0;
1047 case 0xff01: /* renegotiation info */
1048 //fprintf(stderr, "renegotiation info\n");
1049 /* ignore, we don't support renegotiation */
1051 case 0x0033: /* key share */
1052 /* TODO parse key share */
1053 fprintf(stderr, "key share info\n");
1056 /* signature algorithms */
1058 case 0x002b: /* supported versions */
1059 /* should be two bytes of 0x00 0x02
1060 * indicating two bytes of server version
1061 * then 0x03 0x04 for v1.3
1063 fprintf(stderr, "supported versions\n");
1066 fprintf(stderr, "unknown extension %04x\n", etype);
1073 if (ctx->connection_status != 4) {
1074 ctx->connection_status = 1;