
23 \ ----------------------------------------------------------------------
40 * Decrypt the pre-master secret (RSA key exchange).
52 x = (*ctx->policy_vtable)->do_keyx(ctx->policy_vtable, epms, &len);
61 br_enc16be(epms, ctx->client_max_version);
65 * decryption failed. Note that we use a constant-time conditional
68 br_hmac_drbg_generate(&ctx->eng.rng, rpms, sizeof rpms);
74 br_ssl_engine_compute_master(&ctx->eng, prf_id, epms, 48);
77 * Clear the pre-master secret from RAM: it is normally a buffer
78 * in the context, hence potentially long-lived.
99 * decryption failed. Note that we use a constant-time conditional
102 br_hmac_drbg_generate(&ctx->eng.rng, rpms, xcoor_len);
108 br_ssl_engine_compute_master(&ctx->eng, prf_id, xcoor, xcoor_len);
111 * Clear the pre-master secret from RAM: it is normally a buffer
112 * in the context, hence potentially long-lived.
129 x = (*ctx->policy_vtable)->do_keyx(ctx->policy_vtable,
148 xc = ctx->eng.x509ctx;
149 pk = (*xc)->get_pkey(xc, NULL);
150 cpoint_len = pk->key.ec.qlen;
159 memcpy(cpoint, pk->key.ec.q, cpoint_len);
173 hf = br_multihash_getimpl(&ctx->eng.mhash, br_md5_ID);
177 hf->init(&hc.vtable);
178 hf->update(&hc.vtable, src, len);
179 hf->out(&hc.vtable, tmp);
180 hf = br_multihash_getimpl(&ctx->eng.mhash, br_sha1_ID);
184 hf->init(&hc.vtable);
185 hf->update(&hc.vtable, src, len);
186 hf->out(&hc.vtable, tmp + 16);
190 hf = br_multihash_getimpl(&ctx->eng.mhash, hash_id);
194 hf->init(&hc.vtable);
195 hf->update(&hc.vtable, src, len);
196 hf->out(&hc.vtable, dst);
197 return (hf->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK;
204 * signature length (in bytes), or -x on error (with x being an error
217 if (!((ctx->eng.iec->supported_curves >> curve) & 1)) {
218 return -BR_ERR_INVALID_ALGORITHM;
220 ctx->eng.ecdhe_curve = curve;
223 * Generate our private key. We need a non-zero random value
230 order = ctx->eng.iec->order(curve, &olen);
235 br_hmac_drbg_generate(&ctx->eng.rng, ctx->ecdhe_key, olen);
236 ctx->ecdhe_key[0] &= mask;
237 ctx->ecdhe_key[olen - 1] |= 0x01;
238 ctx->ecdhe_key_len = olen;
243 glen = ctx->eng.iec->mulgen(ctx->eng.ecdhe_point,
244 ctx->ecdhe_key, olen, curve);
245 ctx->eng.ecdhe_point_len = glen;
250 memcpy(ctx->eng.pad, ctx->eng.client_random, 32);
251 memcpy(ctx->eng.pad + 32, ctx->eng.server_random, 32);
252 ctx->eng.pad[64 + 0] = 0x03;
253 ctx->eng.pad[64 + 1] = 0x00;
254 ctx->eng.pad[64 + 2] = curve;
255 ctx->eng.pad[64 + 3] = ctx->eng.ecdhe_point_len;
256 memcpy(ctx->eng.pad + 64 + 4,
257 ctx->eng.ecdhe_point, ctx->eng.ecdhe_point_len);
258 hv_len = 64 + 4 + ctx->eng.ecdhe_point_len;
259 algo_id = ctx->sign_hash_id;
261 hv_len = hash_data(ctx, ctx->eng.pad, algo_id & 0xFF,
262 ctx->eng.pad, hv_len);
264 return -BR_ERR_INVALID_ALGORITHM;
268 sig_len = (*ctx->policy_vtable)->do_sign(ctx->policy_vtable,
269 algo_id, ctx->eng.pad, hv_len, sizeof ctx->eng.pad);
270 return sig_len ? (int)sig_len : -BR_ERR_INVALID_ALGORITHM;
285 curve = ctx->eng.ecdhe_curve;
290 ctl = ctx->eng.iec->mul(cpoint, cpoint_len,
291 ctx->ecdhe_key, ctx->ecdhe_key_len, curve);
292 xoff = ctx->eng.iec->xoff(curve, &xlen);
300 memset(ctx->ecdhe_key, 0, ctx->ecdhe_key_len);
306 * Order is MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512; last value
344 * success, or a non-zero error code. Lack of implementation of the
356 id = ctx->hash_CV_id;
357 xc = ctx->eng.x509ctx;
358 pk = (*xc)->get_pkey(xc, NULL);
359 if (pk->key_type == BR_KEYTYPE_RSA) {
366 hash_oid = HASH_OID[id - 2];
368 if (ctx->eng.irsavrfy == 0) {
371 if (!ctx->eng.irsavrfy(ctx->eng.pad, sig_len,
372 hash_oid, ctx->hash_CV_len, &pk->key.rsa, tmp)
373 || memcmp(tmp, ctx->hash_CV, ctx->hash_CV_len) != 0)
378 if (ctx->eng.iecdsa == 0) {
381 if (!ctx->eng.iecdsa(ctx->eng.iec,
382 ctx->hash_CV, ctx->hash_CV_len,
383 &pk->key.ec, ctx->eng.pad, sig_len))
395 : addr-ctx:
396 next-word { field }
397 "addr-" field + 0 1 define-word
398 0 8191 "offsetof(br_ssl_server_context, " field + ")" + make-CX
401 addr-ctx: client_max_version
402 addr-ctx: client_suites
403 addr-ctx: client_suites_num
404 addr-ctx: hashes
405 addr-ctx: curves
406 addr-ctx: sign_hash_id
410 : addr-len-client_suites ( -- addr len )
411 addr-client_suites
415 : read-client-sni ( lim -- lim )
417 read16 open-elt
420 read16 open-elt
426 read-ignore-16
430 dup addr-server_name + 0 swap set8
431 addr-server_name swap read-blob
433 skip-blob
439 close-elt
442 close-elt ;
446 cc: set-max-frag-len ( len -- ) {
457 if (ENG->hlen_out > max_frag_len) {
458 ENG->hlen_out = max_frag_len;
463 : read-client-frag ( lim -- lim )
473 8 + dup addr-log_max_frag_len get8 < if
474 dup 1 swap << set-max-frag-len
475 dup addr-log_max_frag_len set8
476 addr-peer_log_max_frag_len set8
482 : read-client-reneg ( lim -- lim )
490 addr-reneg get8 case
495 2 addr-reneg set8
502 addr-pad 12 read-blob
503 addr-saved_finished addr-pad 12 memcmp ifnot
515 : read-signatures ( lim -- lim )
517 read16 open-elt
519 read-list-sign-algos addr-hashes set32
522 close-elt ;
525 : read-supported-curves ( lim -- lim )
527 read16 open-elt
530 read16 open-elt
533 0 addr-curves set32
536 1 swap << addr-curves get32 or addr-curves set32
541 close-elt
542 close-elt ;
545 : read-ALPN-from-client ( lim -- lim )
548 addr-protocol_names_num get16 ifnot read-ignore-16 ret then
551 read16 open-elt
554 read16 open-elt
559 \ to -2 and use an unsigned comparison, making -2 a huge value.
560 -2 { found }
562 read8 dup { len } addr-pad swap read-blob
563 len test-protocol-name dup found u< if
571 close-elt
572 close-elt
575 \ then we write -1 (0xFFFF) in the index value, not 0, so that
577 found 1+ addr-selected_protocol set16 ;
581 cc: call-policy-handler ( -- bool ) {
585 x = (*CTX->policy_vtable)->choose(
586 CTX->policy_vtable, CTX, &choices);
587 ENG->session.cipher_suite = choices.cipher_suite;
588 CTX->sign_hash_id = choices.algo_id;
589 ENG->chain = choices.chain;
590 ENG->chain_len = choices.chain_len;
591 T0_PUSHi(-(x != 0));
595 cc: check-resume ( -- bool ) {
596 if (ENG->session.session_id_len == 32
597 && CTX->cache_vtable != NULL && (*CTX->cache_vtable)->load(
598 CTX->cache_vtable, CTX, &ENG->session))
600 T0_PUSHi(-1);
607 cc: save-session ( -- ) {
608 if (CTX->cache_vtable != NULL) {
609 (*CTX->cache_vtable)->save(
610 CTX->cache_vtable, CTX, &ENG->session);
614 \ Read and drop ClientHello. This is used when a client-triggered
616 : skip-ClientHello ( -- )
617 read-handshake-header-core
619 dup skip-blob drop ;
621 \ Read ClientHello. If the session is resumed, then -1 is returned.
622 : read-ClientHello ( -- resume )
624 read-handshake-header 1 = ifnot ERR_UNEXPECTED fail then
627 read16 dup { client-version-max } addr-client_max_version set16
630 addr-client_random 32 read-blob
634 dup addr-session_id_len set8
635 addr-session_id swap read-blob
640 check-resume { resume }
652 read16 open-elt
653 0 { reneg-scsv }
654 0 { resume-suite }
655 addr-len-client_suites dup2 bzero
656 over + { css-off css-max }
664 dup addr-cipher_suite get16 = if
665 -1 >resume-suite
673 addr-reneg get8 if ERR_BAD_SECRENEG fail then
674 -1 >reneg-scsv
682 client-version-max addr-version_min get16 >=
683 client-version-max addr-version_max get16 < and if
684 -1 >client-version-max
689 scan-suite dup 0< if
699 2 << addr-client_suites + suite swap set16
707 css-off css-max >= if
710 suite css-off set16
711 css-off 4 + >css-off
718 0 { ok-compression }
719 read8 open-elt
721 read8 ifnot -1 >ok-compression then
723 close-elt
727 \ -- server name is empty
728 \ -- client is reputed to know RSA and ECDSA, both with SHA-1
729 \ -- the default elliptic curve is P-256 (secp256r1, id = 23)
730 0 addr-server_name set8
731 0x0404 addr-hashes set32
732 0x800000 addr-curves set32
736 read16 open-elt
741 read-client-sni
745 read-client-frag
749 read-client-reneg
753 read-signatures
757 read-supported-curves
764 \ read-ignore-16
769 read-ALPN-from-client
773 drop read-ignore-16 0
776 close-elt
780 close-elt
783 resume resume-suite and >resume
790 \ 0x0300 (SSL-3.0), then fail. Otherwise, we may at least send an
796 client-version-max 0< if
797 addr-client_max_version get16 addr-version_out set16
798 86 fail-alert
800 addr-version_max get16
801 dup client-version-max > if drop client-version-max then
803 client-version-max addr-version_min get16 < if
804 70 fail-alert
809 addr-version get16 client-version-max <= if
810 drop addr-version get16
815 dup addr-version set16
816 dup addr-version_in set16
817 dup addr-version_out set16
818 0x0303 >= { can-tls12 }
822 reneg-scsv if 2 addr-reneg set8 then
827 addr-reneg get8 ifnot 1 addr-reneg set8 then
830 ok-compression ifnot 40 fail-alert then
835 supported-hash-functions drop 257 * 0xFFFF0000 or
836 addr-hashes get32 and dup addr-hashes set32
837 \ In 'can-ecdhe', bit 12 is set if ECDHE_RSA is possible, bit 13 is
840 swap 8 >> 0<> 2 and or 12 << { can-ecdhe }
845 addr-curves get32 supported-curves and dup addr-curves set32
846 ifnot 0 >can-ecdhe then
850 resume if -1 ret then
854 \ by the client because probability of such an event is 2^(-256),
858 addr-session_id 32 mkrand
859 32 addr-session_id_len set8
865 \ -- ECDHE suites are removed if there is no common hash function
867 \ -- TLS-1.2-only suites are removed if the negotiated version is
868 \ TLS-1.1 or lower.
869 addr-client_suites dup >css-off
870 begin dup css-max < while
871 dup get16 dup cipher-suite-to-elements
873 dup can-ecdhe and ifnot
877 can-tls12 ifnot
878 \ Suites compatible with TLS-1.0 and TLS-1.1 are
879 \ exactly the ones that use HMAC/SHA-1.
885 css-off 2+ set16 css-off set16
886 css-off 4 + >css-off
893 css-off addr-client_suites - 2 >>
896 40 fail-alert
898 addr-client_suites_num set8
901 addr-selected_protocol get16 0xFFFF = if
902 3 flag? if 120 fail-alert then
903 0 addr-selected_protocol set16
908 call-policy-handler ifnot 40 fail-alert then
914 : write-ServerHello ( initial -- )
920 addr-reneg get8 2 = if
925 { ext-reneg-len }
928 addr-peer_log_max_frag_len get8 if 5 else 0 then
929 { ext-max-frag-len }
933 addr-selected_protocol get16 dup if 1- copy-protocol-name 7 + then
934 { ext-ALPN-len }
937 ext-reneg-len ext-max-frag-len + ext-ALPN-len + dup if 2 + then +
941 addr-version get16 write16
944 addr-server_random 4 bzero
945 addr-server_random 4 + 28 mkrand
946 addr-server_random 32 write-blob
953 addr-session_id 32 write-blob
956 addr-cipher_suite get16 write16
962 ext-reneg-len ext-max-frag-len + ext-ALPN-len + dup if
964 ext-reneg-len dup if
966 4 - dup write16
967 1- addr-saved_finished swap write-blob-head8
971 ext-max-frag-len if
973 1 write16 addr-peer_log_max_frag_len get8 8 - write8
975 ext-ALPN-len dup if
979 4 - dup write16
980 2- dup write16
981 1- addr-pad swap write-blob-head8
991 cc: do-ecdhe-part1 ( curve -- len ) {
997 : lowest-1 ( bits -- n )
998 dup ifnot drop -1 ret then
1003 : write-ServerKeyExchange ( -- )
1004 addr-cipher_suite get16 use-ecdhe? ifnot ret then
1008 \ a fixed preference order: Curve25519, P-256, P-384, P-521,
1010 \ (TODO: add some option to make that behaviour configurable.)
1015 addr-curves get32
1020 drop lowest-1
1022 { curve-id }
1025 curve-id do-ecdhe-part1 dup 0< if neg fail then { sig-len }
1027 \ If using TLS-1.2+, then the hash function and signature
1029 addr-version get16 0x0303 >= { tls1.2+ }
1032 sig-len addr-ecdhe_point_len get8 + tls1.2+ 2 and + 6 + write24
1034 \ Curve parameters: named curve with 16-bit ID.
1035 3 write8 curve-id write16
1038 addr-ecdhe_point addr-ecdhe_point_len get8 write-blob-head8
1040 \ If TLS-1.2+, write hash and signature identifiers.
1043 \ or the complete 16-bit value to write.
1044 addr-sign_hash_id get16
1049 \ 'use-rsa-ecdhe?' returns -1 for RSA, 0 for
1052 addr-cipher_suite get16 use-rsa-ecdhe? 1 << 3 + write8
1057 sig-len write16
1058 addr-pad sig-len write-blob ;
1061 \ includes the per-name 2-byte header, but _not_ the 2-byte header for
1064 cc: ta-names-total-length ( -- len ) {
1068 if (CTX->ta_names != NULL) {
1069 for (u = 0; u < CTX->num_tas; u ++) {
1070 len += CTX->ta_names[u].len + 2;
1072 } else if (CTX->tas != NULL) {
1073 for (u = 0; u < CTX->num_tas; u ++) {
1074 len += CTX->tas[u].dn.len + 2;
1082 : write-list-auth ( do_write -- len )
1084 addr-cipher_suite get16 use-ecdh? if
1087 supports-rsa-sign? if 1+ over if 1 write8 then then
1088 supports-ecdsa? if 1+ over if 64 write8 then then
1091 : write-signhash-inner2 ( dow algo hashes len id -- dow algo hashes len )
1097 : write-signhash-inner1 ( dow algo hashes -- dow len )
1099 4 write-signhash-inner2
1100 5 write-signhash-inner2
1101 6 write-signhash-inner2
1102 3 write-signhash-inner2
1103 2 write-signhash-inner2
1104 -rot 2drop ;
1108 : write-list-signhash ( do_write -- len )
1113 supports-rsa-sign? supports-ecdsa? or ifnot
1114 1 0x7C write-signhash-inner1 >len
1115 3 0x7C write-signhash-inner1 len +
1118 supports-rsa-sign? if
1119 1 supported-hash-functions drop
1120 write-signhash-inner1 >len
1122 supports-ecdsa? if
1123 3 supported-hash-functions drop
1124 write-signhash-inner1 len + >len
1129 cc: begin-ta-name-list ( -- ) {
1130 CTX->cur_dn_index = 0;
1133 \ Switch to next DN in the list. Returned value is the DN length, or -1
1135 cc: begin-ta-name ( -- len ) {
1137 if (CTX->cur_dn_index >= CTX->num_tas) {
1138 T0_PUSHi(-1);
1140 if (CTX->ta_names == NULL) {
1141 dn = &CTX->tas[CTX->cur_dn_index].dn;
1143 dn = &CTX->ta_names[CTX->cur_dn_index];
1145 CTX->cur_dn_index ++;
1146 CTX->cur_dn = dn->data;
1147 CTX->cur_dn_len = dn->len;
1148 T0_PUSH(CTX->cur_dn_len);
1154 cc: copy-dn-chunk ( -- len ) {
1157 clen = CTX->cur_dn_len;
1158 if (clen > sizeof ENG->pad) {
1159 clen = sizeof ENG->pad;
1161 memcpy(ENG->pad, CTX->cur_dn, clen);
1162 CTX->cur_dn += clen;
1163 CTX->cur_dn_len -= clen;
1168 : write-CertificateRequest ( -- )
1184 \ list, and resort to a generic all-support list if only
1191 0 write-list-auth
1192 addr-version get16 0x0303 >= if
1193 2+ 0 write-list-signhash +
1195 ta-names-total-length + 3 +
1201 0 write-list-auth write8 1 write-list-auth drop
1204 addr-version get16 0x0303 >= if
1205 0 write-list-signhash write16 1 write-list-signhash drop
1209 ta-names-total-length write16
1210 begin-ta-name-list
1212 begin-ta-name
1214 begin copy-dn-chunk dup while
1215 addr-pad swap write-blob
1221 : write-ServerHelloDone ( -- )
1224 \ Perform RSA decryption of the client-sent pre-master secret. The value
1226 cc: do-rsa-decrypt ( len prf_id -- ) {
1229 do_rsa_decrypt(CTX, prf_id, ENG->pad, len);
1234 cc: do-ecdh ( len prf_id -- ) {
1237 do_ecdh(CTX, prf_id, ENG->pad, len);
1241 cc: do-ecdhe-part2 ( len prf_id -- ) {
1244 do_ecdhe_part2(CTX, prf_id, ENG->pad, len);
1249 cc: do-static-ecdh ( prf_id -- ) {
1254 : read-ClientKeyExchange-header ( -- len )
1255 read-handshake-header 16 = ifnot ERR_UNEXPECTED fail then ;
1257 \ Read the Client Key Exchange contents (non-empty case).
1258 : read-ClientKeyExchange-contents ( lim -- )
1260 addr-cipher_suite get16 use-rsa-keyx? if
1261 \ RSA key exchange: we expect a RSA-encrypted value.
1264 dup { enc-rsa-len }
1265 addr-pad swap read-blob
1266 enc-rsa-len addr-cipher_suite get16 prf-id do-rsa-decrypt
1268 addr-cipher_suite get16 dup use-ecdhe? swap use-ecdh? { ecdhe ecdh }
1271 read8 dup { ec-point-len }
1272 addr-pad swap read-blob
1273 ec-point-len addr-cipher_suite get16 prf-id
1274 ecdhe if do-ecdhe-part2 else do-ecdh then
1276 close-elt ;
1279 : read-ClientKeyExchange ( -- )
1280 read-ClientKeyExchange-header
1281 read-ClientKeyExchange-contents ;
1288 cc: compute-hash-CV ( -- ) {
1292 br_multihash_out(&ENG->mhash, i,
1293 ENG->pad + HASH_PAD_OFF[i - 1]);
1298 \ Returned value is true (-1) on success, false (0) on error (error
1300 \ to be either 0 (for MD5+SHA-1) or one of the SHA-* functions.
1301 cc: copy-hash-CV ( hash_id -- bool ) {
1309 if (br_multihash_getimpl(&ENG->mhash, id) == 0) {
1313 off = HASH_PAD_OFF[id - 1];
1314 len = HASH_PAD_OFF[id] - off;
1316 memcpy(CTX->hash_CV, ENG->pad + off, len);
1317 CTX->hash_CV_len = len;
1318 CTX->hash_CV_id = id;
1319 T0_PUSHi(-1);
1323 \ non-zero error code.
1324 cc: verify-CV-sig ( sig-len -- err ) {
1332 : process-static-ECDH ( ktu -- )
1337 addr-cipher_suite get16
1338 dup use-ecdh? ifnot ERR_UNEXPECTED fail then
1339 prf-id
1340 do-static-ecdh ;
1343 : read-CertificateVerify-header ( -- lim )
1344 compute-hash-CV
1345 read-handshake-header 15 = ifnot ERR_UNEXPECTED fail then ;
1349 : read-CertificateVerify ( ktu -- )
1352 0x0F and { key-type }
1355 read-CertificateVerify-header
1359 addr-version get16 0x0303 >= if
1364 dup 0xFF and 1+ 1 >> key-type = ifnot
1369 \ We support only SHA-1, SHA-224, SHA-256, SHA-384
1370 \ and SHA-512. We explicitly reject MD5.
1373 \ With TLS 1.0 and 1.1, hash is MD5+SHA-1 (0) for RSA,
1374 \ SHA-1 (2) for ECDSA.
1375 key-type 0x01 = if 0 else 2 then
1377 copy-hash-CV ifnot ERR_INVALID_ALGORITHM fail then
1380 read16 dup { sig-len }
1382 addr-pad swap read-blob
1383 sig-len verify-CV-sig
1386 close-elt ;
1389 : send-HelloRequest ( -- )
1390 flush-record
1391 begin can-output? not while wait-co drop repeat
1392 22 addr-record_type_out set8
1393 0 write8 0 write24 flush-record
1394 23 addr-record_type_out set8 ;
1397 : do-handshake ( initial -- )
1398 0 addr-application_data set8
1399 22 addr-record_type_out set8
1400 0 addr-selected_protocol set16
1401 multihash-init
1402 read-ClientHello
1403 more-incoming-bytes? if ERR_UNEXPECTED fail then
1406 write-ServerHello
1407 0 write-CCS-Finished
1408 0 read-CCS-Finished
1411 write-ServerHello
1412 write-Certificate drop
1413 write-ServerKeyExchange
1414 ta-names-total-length if
1415 write-CertificateRequest
1417 write-ServerHelloDone
1418 flush-record
1422 ta-names-total-length if
1424 0 read-Certificate
1431 read-ClientKeyExchange
1432 read-CertificateVerify-header
1433 dup skip-blob drop
1441 read-ClientKeyExchange
1445 read-ClientKeyExchange-header
1449 process-static-ECDH
1451 read-ClientKeyExchange-contents
1452 read-CertificateVerify
1457 \ a non-empty ClientKeyExchange.
1458 read-ClientKeyExchange
1460 0 read-CCS-Finished
1461 0 write-CCS-Finished
1462 save-session
1464 1 addr-application_data set8
1465 23 addr-record_type_out set8 ;
1468 : main ( -- ! )
1470 -1 do-handshake
1476 wait-co
1483 0 addr-application_data set8
1484 send-HelloRequest
1492 addr-reneg get8 1 = 1 flag? or if
1493 skip-ClientHello
1494 flush-record
1495 begin can-output? not while
1496 wait-co drop
1498 100 send-warning
1501 1 addr-application_data set8
1502 23 addr-record_type_out set8
1504 0 do-handshake