2.2.11 Call Connected Message (SSTP_MSG_CALL_CONNECTED)
The following diagram specifies the format that MUST be used for this message. The client sends this message to the server as a response to the Call Connect Acknowledge message after SSL/TLS handshake and higher-layer authentication (that is, PPP authentication) are completed. This message marks the completion of SSTP negotiation. It cryptographically binds the SSL/TLS handshake and PPP authentication so that a man-in-the-middle attacker cannot relay PPP packets that are received on another medium. For example, wireless packets could be received that are not intended for SSTP communication during protocol operation and could represent an attack. For more information about the PPP authentication phase, see section 3.5 of [RFC1661].
The fields of the structure MUST be transmitted in network byte order from left to right.
|
|
|
|
|
|
|
|
|
|
1 |
|
|
|
|
|
|
|
|
|
2 |
|
|
|
|
|
|
|
|
|
3 |
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Version |
Reserved |
C |
LengthPacket |
||||||||||||||||||||||||||||
|
Message Type |
Num Attributes |
||||||||||||||||||||||||||||||
|
Reserved1 |
Attribute ID |
LengthPacket1 |
|||||||||||||||||||||||||||||
|
Reserved2 |
Hash Protocol Bitmask |
||||||||||||||||||||||||||||||
|
Nonce (32 bytes) |
|||||||||||||||||||||||||||||||
|
... |
|||||||||||||||||||||||||||||||
|
... |
|||||||||||||||||||||||||||||||
|
Cert Hash (variable) |
|||||||||||||||||||||||||||||||
|
... |
|||||||||||||||||||||||||||||||
|
Padding (variable) |
|||||||||||||||||||||||||||||||
|
... |
|||||||||||||||||||||||||||||||
|
Compound MAC (variable) |
|||||||||||||||||||||||||||||||
|
... |
|||||||||||||||||||||||||||||||
|
Padding1 (variable) |
|||||||||||||||||||||||||||||||
|
... |
|||||||||||||||||||||||||||||||
Version (1 byte): An 8-bit (1-byte) field that communicates and negotiates the version of SSTP that is being used. The upper 4 bits are the major version, which MUST be 0x1, and the lower 4 bits are the minor version, which MUST be 0x0. This means that the 8-bit value of the Version field MUST be 0x10 and correspond to Version 1.0.
Reserved (7 bits): This 7-bit field is reserved for future use. MUST be set to zero when sent and MUST be ignored on receipt.
C (1 bit): A 1-bit field that specifies whether the packet is an SSTP control packet or an SSTP data packet. The value MUST be 1 for a Call Connect Request message that is a control packet.
LengthPacket (2 bytes): A 16-bit, unsigned integer in network byte order that packs data for two fields, which are configured in the following format.
-
0
1
2
3
4
5
6
7
8
9
1
0
1
2
3
4
5
R
Length
-
R (4 bits): This 4-bit field is reserved for future use. MUST be set to zero when sent and MUST be ignored on receipt.
-
Length (12 bits): A 12-bit, unsigned integer in network byte order that specifies the length of a Call Connected message. Its value MUST be 112 (that is, 0x070).
Message Type (2 bytes): A 16-bit field in network byte order that specifies the type of this message. It MUST be 0x0004 (that is, SSTP_MSG_CALL_CONNECTED).
Num Attributes (2 bytes): A 16-bit field in network byte order that specifies the number of attributes in this message. This value MUST be 1 because SSTP supports only the Crypto Binding attribute in a Call Connected message.
Reserved1 (1 byte): This 8-bit field is reserved for future use. MUST be set to zero when sent and MUST be ignored on receipt.
Attribute ID (1 byte): An 8-bit (1-byte) field that is used to specify the type of the attribute. This value MUST be 0x03 for the Crypto Binding attribute.
LengthPacket1 (2 bytes): A 16-bit, unsigned integer in network byte order that packs data for two fields, which are configured in the following format.
-
0
1
2
3
4
5
6
7
8
9
1
0
1
2
3
4
5
R1
Length1
-
R1 (4 bits): This 4-bit field is reserved for future use. MUST be set to zero when sent and MUST be ignored on receipt.
-
Length1 (12 bits): A 12-bit, unsigned integer in network byte order that specifies the length of the Crypto Binding attribute. Its value MUST be 104 (that is, 0x068).
Reserved2 (3 bytes): This 24-bit field is reserved for future use. MUST be set to zero when sent and MUST be ignored on receipt.
Hash Protocol Bitmask (1 byte): A 1-byte field that specifies the Cert Hash Type and hash algorithm that are used for Compound MAC calculation. Its value MUST be one of the following.
-
Name
Value
CERT_HASH_PROTOCOL_SHA1
0x01
CERT_HASH_PROTOCOL_SHA256
0x02
Nonce (32 bytes): A 256-bit, unsigned integer that contains a temporally unique (or random) value. (For more information, see [RFC1750].) This value MUST be the same as the value received from the SSTP server in the Call Connect Acknowledge message (and stored in the ClientNonce state variable described in section 3.2.1). This behavior ensures that a man-in-the-middle attacker cannot cause a replay attack.
Cert Hash (variable): A variable-length field in network byte order that contains either the SHA1 hash or the SHA256 hash (as specified by the Hash Protocol Bitmask field in this message) of the server certificate that is obtained during SSL/TLS handshake and stored in the ClientCertificateHash state variable (described in section 3.2.1). The length of the field is either 20 bytes long when the SHA1 hash is used or 32 bytes long when the SHA256 hash is used.
Padding (variable): A variable-length field that is reserved for future use. MUST be set to zero when sent and MUST be ignored on receipt. This field is either zero bytes long when the SHA256 Cert Hash is used or 12 bytes long when the SHA1 Cert Hash is used.
Compound MAC (variable): A variable-length, unsigned integer containing the value that is used to cryptographically associate the higher-layer authentication (that is, PPP authentication) with a lower-layer HTTPS connection. This association ensures that the SSTP client and the SSTP server participated in both PPP authentication and HTTPS connection. (For more information, see section 3.2.5.2 and [RFC1661].) This field is either 20 bytes long when the SHA1 hash protocol is used for Compound MAC computation or 32 bytes long when the SHA256 hash protocol is used for Compound MAC computation.
Padding1 (variable): A variable-length field that is reserved for future use MUST be set to zero when sent and MUST be ignored on receipt. This field is either zero bytes in length when the SHA256 Hash Protocol is used for Compound MAC computation or 12 bytes in length when the SHA1 Hash Protocol is used.