8 files changed, 271 insertions, 223 deletions

diff --git a/src/tls/hello.cpp b/src/tls/c_hello.cpp
index 8c13cb8f6..3164f30ee 100644
--- a/src/tls/hello.cpp
+++ b/src/tls/c_hello.cpp
@@ -1,5 +1,5 @@
 ;/*
-* TLS Hello Messages
+* TLS Hello Request and Client Hello Messages
 * (C) 2004-2011 Jack Lloyd
 *
 * Released under the terms of the Botan license
@@ -287,182 +287,4 @@ bool Client_Hello::offered_suite(u16bit ciphersuite) const
    return false;
    }
 
-/*
-* Create a new Server Hello message
-*/
-Server_Hello::Server_Hello(Record_Writer& writer,
-                           TLS_Handshake_Hash& hash,
-                           const TLS_Policy& policy,
-                           RandomNumberGenerator& rng,
-                           bool client_has_secure_renegotiation,
-                           const MemoryRegion<byte>& reneg_info,
-                           const std::vector<X509_Certificate>& certs,
-                           const Client_Hello& c_hello,
-                           Version_Code ver) :
-   s_version(ver),
-   m_session_id(rng.random_vec(32)),
-   s_random(rng.random_vec(32)),
-   m_fragment_size(c_hello.fragment_size()),
-   m_secure_renegotiation(client_has_secure_renegotiation),
-   m_renegotiation_info(reneg_info),
-   m_next_protocol(false)
-   {
-   bool have_rsa = false, have_dsa = false;
-
-   for(size_t i = 0; i != certs.size(); ++i)
-      {
-      Public_Key* key = certs[i].subject_public_key();
-      if(key->algo_name() == "RSA")
-         have_rsa = true;
-
-      if(key->algo_name() == "DSA")
-         have_dsa = true;
-      }
-
-   suite = policy.choose_suite(c_hello.ciphersuites(), have_rsa, have_dsa, false);
-
-   if(suite == 0)
-      throw TLS_Exception(HANDSHAKE_FAILURE,
-                          "Can't agree on a ciphersuite with client");
-
-   comp_method = policy.choose_compression(c_hello.compression_methods());
-
-   send(writer, hash);
-   }
-
-/*
-* Create a new Server Hello message
-*/
-Server_Hello::Server_Hello(Record_Writer& writer,
-                           TLS_Handshake_Hash& hash,
-                           RandomNumberGenerator& rng,
-                           bool client_has_secure_renegotiation,
-                           const MemoryRegion<byte>& reneg_info,
-                           const MemoryRegion<byte>& session_id,
-                           size_t fragment_size,
-                           u16bit ciphersuite,
-                           byte compression,
-                           Version_Code ver) :
-   s_version(ver),
-   m_session_id(session_id),
-   s_random(rng.random_vec(32)),
-   suite(ciphersuite),
-   comp_method(compression),
-   m_fragment_size(fragment_size),
-   m_secure_renegotiation(client_has_secure_renegotiation),
-   m_renegotiation_info(reneg_info),
-   m_next_protocol(false)
-   {
-   send(writer, hash);
-   }
-
-/*
-* Serialize a Server Hello message
-*/
-MemoryVector<byte> Server_Hello::serialize() const
-   {
-   MemoryVector<byte> buf;
-
-   buf.push_back(static_cast<byte>(s_version >> 8));
-   buf.push_back(static_cast<byte>(s_version     ));
-   buf += s_random;
-
-   append_tls_length_value(buf, m_session_id, 1);
-
-   buf.push_back(get_byte(0, suite));
-   buf.push_back(get_byte(1, suite));
-
-   buf.push_back(comp_method);
-
-   TLS_Extensions extensions;
-
-   if(m_secure_renegotiation)
-      extensions.push_back(new Renegotation_Extension(m_renegotiation_info));
-
-   if(m_fragment_size != 0)
-      extensions.push_back(new Maximum_Fragment_Length(m_fragment_size));
-
-   if(m_next_protocol)
-      extensions.push_back(new Next_Protocol_Negotiation(m_next_protocols));
-
-   buf += extensions.serialize();
-
-   return buf;
-   }
-
-/*
-* Deserialize a Server Hello message
-*/
-void Server_Hello::deserialize(const MemoryRegion<byte>& buf)
-   {
-   m_secure_renegotiation = false;
-   m_next_protocol = false;
-
-   if(buf.size() < 38)
-      throw Decoding_Error("Server_Hello: Packet corrupted");
-
-   TLS_Data_Reader reader(buf);
-
-   s_version = static_cast<Version_Code>(reader.get_u16bit());
-
-   if(s_version != SSL_V3 && s_version != TLS_V10 && s_version != TLS_V11)
-      {
-      throw TLS_Exception(PROTOCOL_VERSION,
-                          "Server_Hello: Unsupported server version");
-      }
-
-   s_random = reader.get_fixed<byte>(32);
-
-   m_session_id = reader.get_range<byte>(1, 0, 32);
-
-   suite = reader.get_u16bit();
-
-   comp_method = reader.get_byte();
-
-   TLS_Extensions extensions(reader);
-
-   for(size_t i = 0; i != extensions.count(); ++i)
-      {
-      TLS_Extension* extn = extensions.at(i);
-
-      if(Renegotation_Extension* reneg = dynamic_cast<Renegotation_Extension*>(extn))
-         {
-         // checked by TLS_Client / TLS_Server as they know the handshake state
-         m_secure_renegotiation = true;
-         m_renegotiation_info = reneg->renegotiation_info();
-         }
-      else if(Next_Protocol_Negotiation* npn = dynamic_cast<Next_Protocol_Negotiation*>(extn))
-         {
-         m_next_protocols = npn->protocols();
-         m_next_protocol = true;
-         }
-      }
-   }
-
-/*
-* Create a new Server Hello Done message
-*/
-Server_Hello_Done::Server_Hello_Done(Record_Writer& writer,
-                                     TLS_Handshake_Hash& hash)
-   {
-   send(writer, hash);
-   }
-
-/*
-* Serialize a Server Hello Done message
-*/
-MemoryVector<byte> Server_Hello_Done::serialize() const
-   {
-   return MemoryVector<byte>();
-   }
-
-/*
-* Deserialize a Server Hello Done message
-*/
-void Server_Hello_Done::deserialize(const MemoryRegion<byte>& buf)
-   {
-   if(buf.size())
-      throw Decoding_Error("Server_Hello_Done: Must be empty, and is not");
-   }
-
 }
diff --git a/src/tls/info.txt b/src/tls/info.txt
index 6654c3b80..9473b0ae2 100644
--- a/src/tls/info.txt
+++ b/src/tls/info.txt
@@ -22,34 +22,35 @@ tls_suites.h
 
 <header:internal>
 tls_alerts.h
-tls_handshake_hash.h
 tls_extensions.h
+tls_handshake_hash.h
+tls_handshake_state.h
 tls_messages.h
 tls_reader.h
 tls_session_key.h
-tls_handshake_state.h
 </header:internal>
 
 <source>
+c_hello.cpp
 c_kex.cpp
 cert_req.cpp
 cert_ver.cpp
 finished.cpp
-tls_handshake_hash.cpp
-tls_extensions.cpp
-hello.cpp
+next_protocol.cpp
 rec_read.cpp
 rec_wri.cpp
+s_hello.cpp
 s_kex.cpp
-next_protocol.cpp
 tls_channel.cpp
 tls_client.cpp
+tls_extensions.cpp
+tls_handshake_hash.cpp
+tls_handshake_state.cpp
 tls_policy.cpp
 tls_server.cpp
-tls_session_key.cpp
 tls_session.cpp
+tls_session_key.cpp
 tls_session_manager.cpp
-tls_handshake_state.cpp
 tls_suites.cpp
 </source>
 
diff --git a/src/tls/s_hello.cpp b/src/tls/s_hello.cpp
new file mode 100644
index 000000000..5ffb1e7d4
--- /dev/null
+++ b/src/tls/s_hello.cpp
@@ -0,0 +1,201 @@
+;/*
+* TLS Server Hello and Server Hello Done
+* (C) 2004-2011 Jack Lloyd
+*
+* Released under the terms of the Botan license
+*/
+
+#include <botan/internal/tls_messages.h>
+#include <botan/internal/tls_reader.h>
+#include <botan/internal/tls_session_key.h>
+#include <botan/internal/tls_extensions.h>
+#include <botan/tls_record.h>
+#include <botan/internal/stl_util.h>
+
+namespace Botan {
+
+/*
+* Create a new Server Hello message
+*/
+Server_Hello::Server_Hello(Record_Writer& writer,
+                           TLS_Handshake_Hash& hash,
+                           Version_Code version,
+                           const Client_Hello& c_hello,
+                           const std::vector<X509_Certificate>& certs,
+                           const TLS_Policy& policy,
+                           bool client_has_secure_renegotiation,
+                           const MemoryRegion<byte>& reneg_info,
+                           bool client_has_npn,
+                           const std::vector<std::string>& next_protocols,
+                           RandomNumberGenerator& rng) :
+   s_version(version),
+   m_session_id(rng.random_vec(32)),
+   s_random(rng.random_vec(32)),
+   m_fragment_size(c_hello.fragment_size()),
+   m_secure_renegotiation(client_has_secure_renegotiation),
+   m_renegotiation_info(reneg_info),
+   m_next_protocol(client_has_npn),
+   m_next_protocols(next_protocols)
+   {
+   bool have_rsa = false, have_dsa = false;
+
+   for(size_t i = 0; i != certs.size(); ++i)
+      {
+      Public_Key* key = certs[i].subject_public_key();
+      if(key->algo_name() == "RSA")
+         have_rsa = true;
+
+      if(key->algo_name() == "DSA")
+         have_dsa = true;
+      }
+
+   suite = policy.choose_suite(c_hello.ciphersuites(), have_rsa, have_dsa, false);
+
+   if(suite == 0)
+      throw TLS_Exception(HANDSHAKE_FAILURE,
+                          "Can't agree on a ciphersuite with client");
+
+   comp_method = policy.choose_compression(c_hello.compression_methods());
+
+   send(writer, hash);
+   }
+
+/*
+* Create a new Server Hello message
+*/
+Server_Hello::Server_Hello(Record_Writer& writer,
+                           TLS_Handshake_Hash& hash,
+                           const MemoryRegion<byte>& session_id,
+                           Version_Code ver,
+                           u16bit ciphersuite,
+                           byte compression,
+                           size_t max_fragment_size,
+                           bool client_has_secure_renegotiation,
+                           const MemoryRegion<byte>& reneg_info,
+                           bool client_has_npn,
+                           const std::vector<std::string>& next_protocols,
+                           RandomNumberGenerator& rng) :
+   s_version(ver),
+   m_session_id(session_id),
+   s_random(rng.random_vec(32)),
+   suite(ciphersuite),
+   comp_method(compression),
+   m_fragment_size(max_fragment_size),
+   m_secure_renegotiation(client_has_secure_renegotiation),
+   m_renegotiation_info(reneg_info),
+   m_next_protocol(client_has_npn),
+   m_next_protocols(next_protocols)
+   {
+   send(writer, hash);
+   }
+
+/*
+* Serialize a Server Hello message
+*/
+MemoryVector<byte> Server_Hello::serialize() const
+   {
+   MemoryVector<byte> buf;
+
+   buf.push_back(static_cast<byte>(s_version >> 8));
+   buf.push_back(static_cast<byte>(s_version     ));
+   buf += s_random;
+
+   append_tls_length_value(buf, m_session_id, 1);
+
+   buf.push_back(get_byte(0, suite));
+   buf.push_back(get_byte(1, suite));
+
+   buf.push_back(comp_method);
+
+   TLS_Extensions extensions;
+
+   if(m_secure_renegotiation)
+      extensions.push_back(new Renegotation_Extension(m_renegotiation_info));
+
+   if(m_fragment_size != 0)
+      extensions.push_back(new Maximum_Fragment_Length(m_fragment_size));
+
+   if(m_next_protocol)
+      extensions.push_back(new Next_Protocol_Negotiation(m_next_protocols));
+
+   buf += extensions.serialize();
+
+   return buf;
+   }
+
+/*
+* Deserialize a Server Hello message
+*/
+void Server_Hello::deserialize(const MemoryRegion<byte>& buf)
+   {
+   m_secure_renegotiation = false;
+   m_next_protocol = false;
+
+   if(buf.size() < 38)
+      throw Decoding_Error("Server_Hello: Packet corrupted");
+
+   TLS_Data_Reader reader(buf);
+
+   s_version = static_cast<Version_Code>(reader.get_u16bit());
+
+   if(s_version != SSL_V3 && s_version != TLS_V10 && s_version != TLS_V11)
+      {
+      throw TLS_Exception(PROTOCOL_VERSION,
+                          "Server_Hello: Unsupported server version");
+      }
+
+   s_random = reader.get_fixed<byte>(32);
+
+   m_session_id = reader.get_range<byte>(1, 0, 32);
+
+   suite = reader.get_u16bit();
+
+   comp_method = reader.get_byte();
+
+   TLS_Extensions extensions(reader);
+
+   for(size_t i = 0; i != extensions.count(); ++i)
+      {
+      TLS_Extension* extn = extensions.at(i);
+
+      if(Renegotation_Extension* reneg = dynamic_cast<Renegotation_Extension*>(extn))
+         {
+         // checked by TLS_Client / TLS_Server as they know the handshake state
+         m_secure_renegotiation = true;
+         m_renegotiation_info = reneg->renegotiation_info();
+         }
+      else if(Next_Protocol_Negotiation* npn = dynamic_cast<Next_Protocol_Negotiation*>(extn))
+         {
+         m_next_protocols = npn->protocols();
+         m_next_protocol = true;
+         }
+      }
+   }
+
+/*
+* Create a new Server Hello Done message
+*/
+Server_Hello_Done::Server_Hello_Done(Record_Writer& writer,
+                                     TLS_Handshake_Hash& hash)
+   {
+   send(writer, hash);
+   }
+
+/*
+* Serialize a Server Hello Done message
+*/
+MemoryVector<byte> Server_Hello_Done::serialize() const
+   {
+   return MemoryVector<byte>();
+   }
+
+/*
+* Deserialize a Server Hello Done message
+*/
+void Server_Hello_Done::deserialize(const MemoryRegion<byte>& buf)
+   {
+   if(buf.size())
+      throw Decoding_Error("Server_Hello_Done: Must be empty, and is not");
+   }
+
+}
diff --git a/src/tls/tls_extensions.cpp b/src/tls/tls_extensions.cpp
index a6ab13f46..c74790ea1 100644
--- a/src/tls/tls_extensions.cpp
+++ b/src/tls/tls_extensions.cpp
@@ -9,8 +9,6 @@
 #include <botan/internal/tls_reader.h>
 #include <botan/tls_exceptn.h>
 
-#include <stdio.h>
-
 namespace Botan {
 
 namespace {
@@ -244,8 +242,6 @@ Next_Protocol_Negotiation::Next_Protocol_Negotiation(TLS_Data_Reader& reader,
       {
       const std::string p = reader.get_string(1, 0, 255);
 
-      printf("Protocol option %s\n", p.c_str());
-
       if(bytes_remaining < p.size() + 1)
          throw Decoding_Error("Bad encoding for next protocol extension");
 
diff --git a/src/tls/tls_messages.h b/src/tls/tls_messages.h
index 9c61501c9..67647d5a3 100644
--- a/src/tls/tls_messages.h
+++ b/src/tls/tls_messages.h
@@ -154,24 +154,28 @@ class Server_Hello : public Handshake_Message
 
       Server_Hello(Record_Writer& writer,
                    TLS_Handshake_Hash& hash,
+                   Version_Code version,
+                   const Client_Hello& other,
+                   const std::vector<X509_Certificate>& certs,
                    const TLS_Policy& policies,
-                   RandomNumberGenerator& rng,
                    bool client_has_secure_renegotiation,
                    const MemoryRegion<byte>& reneg_info,
-                   const std::vector<X509_Certificate>& certs,
-                   const Client_Hello& other,
-                   Version_Code version);
+                   bool client_has_npn,
+                   const std::vector<std::string>& next_protocols,
+                   RandomNumberGenerator& rng);
 
       Server_Hello(Record_Writer& writer,
                    TLS_Handshake_Hash& hash,
-                   RandomNumberGenerator& rng,
-                   bool client_has_secure_renegotiation,
-                   const MemoryRegion<byte>& reneg_info,
                    const MemoryRegion<byte>& session_id,
-                   size_t max_fragment_size,
+                   Version_Code ver,
                    u16bit ciphersuite,
                    byte compression,
-                   Version_Code ver);
+                   size_t max_fragment_size,
+                   bool client_has_secure_renegotiation,
+                   const MemoryRegion<byte>& reneg_info,
+                   bool client_has_npn,
+                   const std::vector<std::string>& next_protocols,
+                   RandomNumberGenerator& rng);
 
       Server_Hello(const MemoryRegion<byte>& buf) { deserialize(buf); }
    private:
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index 109835e4a..729c185df 100644
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -12,8 +12,6 @@
 #include <botan/rsa.h>
 #include <botan/dh.h>
 
-#include <stdio.h>
-
 namespace Botan {
 
 namespace {
@@ -87,12 +85,14 @@ TLS_Server::TLS_Server(std::tr1::function<void (const byte[], size_t)> output_fn
                        TLS_Session_Manager& session_manager,
                        Credentials_Manager& creds,
                        const TLS_Policy& policy,
-                       RandomNumberGenerator& rng) :
+                       RandomNumberGenerator& rng,
+                       const std::vector<std::string>& next_protocols) :
    TLS_Channel(output_fn, proc_fn, handshake_fn),
    policy(policy),
    rng(rng),
    session_manager(session_manager),
-   creds(creds)
+   creds(creds),
+   m_possible_protocols(next_protocols)
    {
    }
 
@@ -154,7 +154,7 @@ void TLS_Server::process_handshake_msg(Handshake_Type type,
       {
       state->client_hello = new Client_Hello(contents, type);
 
-      client_requested_hostname = state->client_hello->sni_hostname();
+      m_hostname = state->client_hello->sni_hostname();
 
       state->version = choose_version(state->client_hello->version(),
                                       policy.min_version());
@@ -176,14 +176,16 @@ void TLS_Server::process_handshake_msg(Handshake_Type type,
          state->server_hello = new Server_Hello(
             writer,
             state->hash,
-            rng,
-            secure_renegotiation.supported(),
-            secure_renegotiation.for_server_hello(),
             session_info.session_id(),
+            Version_Code(session_info.version()),
             session_info.ciphersuite(),
             session_info.compression_method(),
             session_info.fragment_size(),
-            Version_Code(session_info.version()));
+            secure_renegotiation.supported(),
+            secure_renegotiation.for_server_hello(),
+            state->client_hello->next_protocol_negotiation(),
+            m_possible_protocols,
+            rng);
 
          if(session_info.fragment_size())
             writer.set_maximum_fragment_size(session_info.fragment_size());
@@ -214,24 +216,26 @@ void TLS_Server::process_handshake_msg(Handshake_Type type,
          std::vector<X509_Certificate> server_certs =
             creds.cert_chain("",
                              "tls-server",
-                             client_requested_hostname);
+                             m_hostname);
 
          Private_Key* private_key =
             server_certs.empty() ? 0 :
             (creds.private_key_for(server_certs[0],
                                   "tls-server",
-                                   client_requested_hostname));
+                                   m_hostname));
 
          state->server_hello = new Server_Hello(
             writer,
             state->hash,
+            state->version,
+            *(state->client_hello),
+            server_certs,
             policy,
-            rng,
             secure_renegotiation.supported(),
             secure_renegotiation.for_server_hello(),
-            server_certs,
-            *(state->client_hello),
-            state->version);
+            state->client_hello->next_protocol_negotiation(),
+            m_possible_protocols,
+            rng);
 
          if(state->client_hello->fragment_size())
             writer.set_maximum_fragment_size(state->client_hello->fragment_size());
@@ -347,10 +351,21 @@ void TLS_Server::process_handshake_msg(Handshake_Type type,
       }
    else if(type == HANDSHAKE_CCS)
       {
-      state->set_expected_next(FINISHED);
+      if(state->server_hello->next_protocol_negotiation())
+         state->set_expected_next(NEXT_PROTOCOL);
+      else
+         state->set_expected_next(FINISHED);
 
       reader.activate(state->suite, state->keys, SERVER);
       }
+   else if(type == NEXT_PROTOCOL)
+      {
+      state->set_expected_next(FINISHED);
+
+      state->next_protocol = new Next_Protocol(contents);
+
+      m_next_protocol = state->next_protocol->protocol();
+      }
    else if(type == FINISHED)
       {
       state->set_expected_next(HANDSHAKE_NONE);
@@ -389,7 +404,7 @@ void TLS_Server::process_handshake_msg(Handshake_Type type,
          secure_renegotiation.supported(),
          state->server_hello->fragment_size(),
          peer_certs,
-         client_requested_hostname,
+         m_hostname,
          ""
          );
 
diff --git a/src/tls/tls_server.h b/src/tls/tls_server.h
index b08d3f7e8..31e0e9ca4 100644
--- a/src/tls/tls_server.h
+++ b/src/tls/tls_server.h
@@ -30,15 +30,24 @@ class BOTAN_DLL TLS_Server : public TLS_Channel
                  TLS_Session_Manager& session_manager,
                  Credentials_Manager& creds,
                  const TLS_Policy& policy,
-                 RandomNumberGenerator& rng);
+                 RandomNumberGenerator& rng,
+                 const std::vector<std::string>& protocols =
+                    std::vector<std::string>());
 
       void renegotiate();
 
       /**
-      * Return the server name indicator, if set by the client
+      * Return the server name indicator, if sent by the client
       */
       std::string server_name_indicator() const
-         { return client_requested_hostname; }
+         { return m_hostname; }
+
+      /**
+      * Return the protocol negotiated with NPN extension
+      */
+      std::string next_protocol() const
+         { return m_next_protocol; }
+
    private:
       void read_handshake(byte, const MemoryRegion<byte>&);
 
@@ -49,7 +58,9 @@ class BOTAN_DLL TLS_Server : public TLS_Channel
       TLS_Session_Manager& session_manager;
       Credentials_Manager& creds;
 
-      std::string client_requested_hostname;
+      std::vector<std::string> m_possible_protocols;
+      std::string m_hostname;
+      std::string m_next_protocol;
    };
 
 }
diff --git a/src/tls/tls_session_manager.cpp b/src/tls/tls_session_manager.cpp
index 4a0126fc0..e5ec75c88 100644
--- a/src/tls/tls_session_manager.cpp
+++ b/src/tls/tls_session_manager.cpp
@@ -9,8 +9,6 @@
 #include <botan/hex.h>
 #include <botan/time.h>
 
-#include <stdio.h>
-
 namespace Botan {
 
 bool TLS_Session_Manager_In_Memory::load_from_session_str(