1 #define _POSIX_C_SOURCE 200809L
14 static int tls_cipher_is_fs(struct TLSContext *context, unsigned short cipher) {
19 if (context->tlsver == TLS_VERSION13) {
21 case TLS_AES_128_GCM_SHA256:
22 case TLS_AES_256_GCM_SHA384:
23 case TLS_CHACHA20_POLY1305_SHA256:
30 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
31 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
32 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
33 if (context && context->certificates
34 && context->certificates_count
35 && context->ec_private_key) {
39 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
40 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
41 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
42 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
43 if (context->version == TLS_V12
44 || context->version == DTLS_V12) {
45 if (context && context->certificates
46 && context->certificates_count
47 && context->ec_private_key) {
52 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
53 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
54 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
55 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
57 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
58 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
59 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
60 case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
61 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
62 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
63 case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
64 case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
65 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
66 if (context->tlsver == TLS_VERSION12) {
74 static uint16_t get16(const unsigned char *buf) {
77 res = ((*buf) << 8) + (*(buf+1));
81 int tls_choose_cipher(struct TLSContext *context, const unsigned char *buf,
82 int buf_len, int *scsv_set) {
90 int selected_cipher = TLS_NO_COMMON_CIPHER;
92 if (selected_cipher == TLS_NO_COMMON_CIPHER) {
93 for (i = 0; i < buf_len; i += 2) {
94 uint16_t cipher = get16(&buf[i]);
95 if (tls_cipher_is_fs(context, cipher)) {
96 selected_cipher = cipher;
102 for (i = 0; i < buf_len; i += 2) {
103 uint16_t cipher = get16(&buf[i]);
104 if (cipher == TLS_FALLBACK_SCSV) {
108 if (selected_cipher != TLS_NO_COMMON_CIPHER) {
113 return selected_cipher;
116 int tls_parse_client_hello(struct TLSContext *context,
117 const unsigned char *buf, int buf_len,
118 unsigned int *write_packets) {
120 if (context->connection_status != 0 && context->connection_status != 4) {
121 DEBUG_PRINT("UNEXPECTED HELLO MESSAGE\n");
122 return TLS_UNEXPECTED_MESSAGE;
128 int hello_min_size = TLS_CLIENT_HELLO_MINSIZE;
130 if (buf_len < hello_min_size) {
131 return TLS_NEED_MORE_DATA;
135 int bytes_to_follow = buf[0] * 0x10000 + buf[1] * 0x100 + buf[2];
137 if (buf_len - res < bytes_to_follow) {
138 return TLS_NEED_MORE_DATA;
141 if (buf_len - res < 2) {
142 return TLS_NEED_MORE_DATA;
145 unsigned short version = get16(&buf[res]);
148 if (!tls_supported_version(version)) {
151 DEBUG_PRINT("VERSION REQUIRED BY REMOTE %x, VERSION NOW %x\n",
152 (int) version, (int) context->version);
153 memcpy(context->remote_random, &buf[res], TLS_CLIENT_RANDOM_SIZE);
154 res += TLS_CLIENT_RANDOM_SIZE;
156 unsigned char session_len = buf[res++];
157 if (buf_len - res < session_len) return TLS_NEED_MORE_DATA;
159 if (session_len && session_len <= TLS_MAX_SESSION_ID) {
160 memcpy(context->session, &buf[res], session_len);
161 context->session_size = session_len;
162 DEBUG_DUMP_HEX_LABEL("REMOTE SESSION ID: ",
164 context->session_size);
166 context->session_size = 0;
170 const unsigned char *cipher_buffer = NULL;
171 unsigned short cipher_len = 0;
173 if (context->is_server) {
174 if (buf_len - res < 2) {
175 return TLS_NEED_MORE_DATA;
178 cipher_len = get16(&buf[res]);
180 if (buf_len - res < cipher_len) return TLS_NEED_MORE_DATA;
181 /* faster than cipher_len % 2 */
182 /* TODO unlikely, let the compiler worry about it */
183 if (cipher_len & 1) {
184 return TLS_BROKEN_PACKET;
187 cipher_buffer = &buf[res];
190 if (buf_len - res < 1) {
191 return TLS_NEED_MORE_DATA;
194 unsigned char compression_list_size = buf[res++];
195 if (buf_len - res < compression_list_size) {
196 return TLS_NEED_MORE_DATA;
198 /* no compression support */
199 res += compression_list_size;
202 if (buf_len - res < 2) {
203 return TLS_NEED_MORE_DATA;
206 unsigned short cipher = get16(&buf[res]);
208 context->cipher = cipher;
209 if (!tls_cipher_supported(context, cipher)) {
211 DEBUG_PRINT("NO CIPHER SUPPORTED\n");
212 return TLS_NO_COMMON_CIPHER;
214 DEBUG_PRINT("CIPHER: %s\n", tls_cipher_name(context));
215 if (buf_len - res < 1) return TLS_NEED_MORE_DATA;
216 unsigned char compression = buf[res++];
217 if (compression != 0) {
218 DEBUG_PRINT("COMPRESSION NOT SUPPORTED\n");
219 return TLS_COMPRESSION_NOT_SUPPORTED;
224 if (context->is_server) {
227 if (context->connection_status != 4) {
228 context->connection_status = 1;
236 const unsigned char *key_share = NULL;
237 unsigned short key_size = 0;
238 while (buf_len - res >= 4) {
239 /* have extensions */
240 unsigned short extension_type = get16(&buf[res]);
242 unsigned short extension_len = get16(&buf[res]);
244 DEBUG_PRINT("Extension: 0x0%x (%i), len: %i\n",
245 (int) extension_type, (int) extension_type,
246 (int) extension_len);
249 if (buf_len - res < extension_len) {
250 return TLS_NEED_MORE_DATA;
252 if (extension_type == 0x00) {
253 /* unsigned char sni_type = buf[res + 2]; */
254 uint16_t sni_host_len = get16(&buf[res+3]);
255 if (buf_len - res - 5 < sni_host_len) {
256 return TLS_NEED_MORE_DATA;
261 context->sni = malloc(sni_host_len + 1);
266 context->sni[sni_host_len] = 0;
267 DEBUG_PRINT("SNI HOST INDICATOR: [%s]\n", context->sni);
270 } else if (extension_type == 0x0A) {
271 /* supported groups */
272 if (buf_len - res > 2) {
273 uint16_t group_len = get16(&buf[res]);
274 if (buf_len - res >= group_len + 2) {
281 for (i = 0; i < group_len;
283 uint16_t iana_n = get16(&buf[res + 2 + i]);
300 /* needs different implementation */
302 context->curve = &curve25519;
307 /* do not use it anymore */
309 context->curve = &secp521r1;
316 ("SELECTED CURVE %s\n",
326 if (extension_type == 0x10 && context->alpn &&
327 context->alpn_count) {
328 if (buf_len - res > 2) {
329 uint16_t alpn_len = get16(&buf[res]);
330 if (alpn_len && alpn_len <=
332 unsigned char *alpn =
336 while (alpn_pos < alpn_len) {
363 if (context->negotiated_alpn) {
376 ("NEGOTIATED ALPN: %s\n",
384 /* ServerHello contains just one alpn */
391 } else if (extension_type == 0x0D) {
392 /* supported signatures */
394 ("SUPPORTED SIGNATURES", &buf[res],
396 } else if (extension_type == 0x0B) {
397 /* supported point formats */
399 ("SUPPORTED POINT FORMATS", &buf[res],
402 else if (extension_type == 0x2B) {
403 /* supported versions */
404 if ((buf[res] == extension_len - 1)
405 && (extension_len > 4)) {
407 ("SUPPORTED VERSIONS",
408 &buf[res], extension_len);
409 /* tls 1.3 draft version 28 */
411 int limit = (int) buf[res];
412 if (limit == extension_len - 1) {
414 for (i = 1; i < limit;
416 if ((get16(&buf[res + i]) == 0x7F1C)
418 (get16(&buf[res + i]) == TLS_V13)) {
426 get16(&buf[res + i]);
428 ("TLS 1.3 SUPPORTED\n");
434 } else if (extension_type == 0x2A) {
437 ("EXTENSION, EARLY DATA", &buf[res],
439 } else if (extension_type == 0x29) {
442 ("EXTENSION, PRE SHARED KEY",
443 &buf[res], extension_len);
444 } else if (extension_type == 0x33) {
446 key_size = get16(&buf[res]);
447 if (key_size > extension_len - 2) {
448 DEBUG_PRINT("BROKEN KEY SHARE\n");
449 return TLS_BROKEN_PACKET;
452 ("EXTENSION, KEY SHARE", &buf[res],
454 key_share = &buf[res + 2];
455 } else if (extension_type == 0x0D) {
456 /* signature algorithms */
458 ("EXTENSION, SIGNATURE ALGORITHMS",
459 &buf[res], extension_len);
460 } else if (extension_type == 0x2D) {
461 /* psk key exchange modes */
463 ("EXTENSION, PSK KEY EXCHANGE MODES",
464 &buf[res], extension_len);
466 res += extension_len;
470 if (buf_len != res) {
471 return TLS_NEED_MORE_DATA;
474 if (context->is_server && cipher_buffer && cipher_len) {
476 tls_choose_cipher(context, cipher_buffer, cipher_len,
479 DEBUG_PRINT("NO COMMON CIPHERS\n");
482 if (downgraded && scsv_set) {
483 DEBUG_PRINT("NO DOWNGRADE (SCSV SET)\n");
484 tls_alert(context, 1, inappropriate_fallback);
485 context->critical_error = 1;
488 context->cipher = cipher;
490 if (key_share && key_size && context->tlsver == TLS_VERSION13) {
492 tls_parse_key_share(context, key_share, key_size);
494 /* request hello retry */
495 if (context->connection_status != 4) {
497 context->hs_messages[1] = 0;
498 context->connection_status = 4;
501 return key_share_err;
503 /* we have key share */
504 context->connection_status = 3;