PolarSSL v1.2.10
ssl_cli.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 client-side functions
3  *
4  * Copyright (C) 2006-2012, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 #include "polarssl/config.h"
27 
28 #if defined(POLARSSL_SSL_CLI_C)
29 
30 #include "polarssl/debug.h"
31 #include "polarssl/ssl.h"
32 
33 #include <stdlib.h>
34 #include <stdio.h>
35 #include <time.h>
36 
37 #if defined(POLARSSL_SHA4_C)
38 #include "polarssl/sha4.h"
39 #endif
40 
41 static int ssl_write_client_hello( ssl_context *ssl )
42 {
43  int ret;
44  size_t i, n, ext_len = 0;
45  unsigned char *buf;
46  unsigned char *p;
47  time_t t;
48  unsigned char sig_alg_list[20];
49  size_t sig_alg_len = 0;
50 
51  SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
52 
54  {
55  ssl->major_ver = ssl->min_major_ver;
56  ssl->minor_ver = ssl->min_minor_ver;
57  }
58 
59  if( ssl->max_major_ver == 0 && ssl->max_minor_ver == 0 )
60  {
63  }
64 
65  /*
66  * 0 . 0 handshake type
67  * 1 . 3 handshake length
68  * 4 . 5 highest version supported
69  * 6 . 9 current UNIX time
70  * 10 . 37 random bytes
71  */
72  buf = ssl->out_msg;
73  p = buf + 4;
74 
75  *p++ = (unsigned char) ssl->max_major_ver;
76  *p++ = (unsigned char) ssl->max_minor_ver;
77 
78  SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
79  buf[4], buf[5] ) );
80 
81  t = time( NULL );
82  *p++ = (unsigned char)( t >> 24 );
83  *p++ = (unsigned char)( t >> 16 );
84  *p++ = (unsigned char)( t >> 8 );
85  *p++ = (unsigned char)( t );
86 
87  SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
88 
89  if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
90  return( ret );
91 
92  p += 28;
93 
94  memcpy( ssl->handshake->randbytes, buf + 6, 32 );
95 
96  SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 6, 32 );
97 
98  /*
99  * 38 . 38 session id length
100  * 39 . 39+n session id
101  * 40+n . 41+n ciphersuitelist length
102  * 42+n . .. ciphersuitelist
103  * .. . .. compression methods length
104  * .. . .. compression methods
105  * .. . .. extensions length
106  * .. . .. extensions
107  */
108  n = ssl->session_negotiate->length;
109 
110  if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE || n < 16 || n > 32 ||
111  ssl->handshake->resume == 0 )
112  n = 0;
113 
114  *p++ = (unsigned char) n;
115 
116  for( i = 0; i < n; i++ )
117  *p++ = ssl->session_negotiate->id[i];
118 
119  SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
120  SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
121 
122  for( n = 0; ssl->ciphersuites[ssl->minor_ver][n] != 0; n++ );
123  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) n++;
124  *p++ = (unsigned char)( n >> 7 );
125  *p++ = (unsigned char)( n << 1 );
126 
127  /*
128  * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
129  */
131  {
132  *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
133  *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO );
134  n--;
135  }
136 
137  SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
138 
139  for( i = 0; i < n; i++ )
140  {
141  SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
142  ssl->ciphersuites[ssl->minor_ver][i] ) );
143 
144  *p++ = (unsigned char)( ssl->ciphersuites[ssl->minor_ver][i] >> 8 );
145  *p++ = (unsigned char)( ssl->ciphersuites[ssl->minor_ver][i] );
146  }
147 
148 #if defined(POLARSSL_ZLIB_SUPPORT)
149  SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
150  SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
152 
153  *p++ = 2;
154  *p++ = SSL_COMPRESS_DEFLATE;
155  *p++ = SSL_COMPRESS_NULL;
156 #else
157  SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
158  SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", SSL_COMPRESS_NULL ) );
159 
160  *p++ = 1;
161  *p++ = SSL_COMPRESS_NULL;
162 #endif
163 
164  if ( ssl->hostname != NULL )
165  {
166  SSL_DEBUG_MSG( 3, ( "client hello, prepping for server name extension: %s",
167  ssl->hostname ) );
168 
169  ext_len += ssl->hostname_len + 9;
170  }
171 
172  if( ssl->renegotiation == SSL_RENEGOTIATION )
173  {
174  SSL_DEBUG_MSG( 3, ( "client hello, prepping for renegotiation extension" ) );
175  ext_len += 5 + ssl->verify_data_len;
176  }
177 
178  /*
179  * Prepare signature_algorithms extension (TLS 1.2)
180  */
181  if( ssl->max_minor_ver == SSL_MINOR_VERSION_3 )
182  {
183 #if defined(POLARSSL_SHA4_C)
184  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
185  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
186  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
187  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
188 #endif
189 #if defined(POLARSSL_SHA2_C)
190  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
191  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
192  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
193  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
194 #endif
195 #if defined(POLARSSL_SHA1_C)
196  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
197  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
198 #endif
199 #if defined(POLARSSL_MD5_C)
200  sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
201  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
202 #endif
203  ext_len += 6 + sig_alg_len;
204  }
205 
206  SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
207  ext_len ) );
208 
209  *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
210  *p++ = (unsigned char)( ( ext_len ) & 0xFF );
211 
212  if ( ssl->hostname != NULL )
213  {
214  /*
215  * struct {
216  * NameType name_type;
217  * select (name_type) {
218  * case host_name: HostName;
219  * } name;
220  * } ServerName;
221  *
222  * enum {
223  * host_name(0), (255)
224  * } NameType;
225  *
226  * opaque HostName<1..2^16-1>;
227  *
228  * struct {
229  * ServerName server_name_list<1..2^16-1>
230  * } ServerNameList;
231  */
232  SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
233  ssl->hostname ) );
234 
235  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
236  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME ) & 0xFF );
237 
238  *p++ = (unsigned char)( ( (ssl->hostname_len + 5) >> 8 ) & 0xFF );
239  *p++ = (unsigned char)( ( (ssl->hostname_len + 5) ) & 0xFF );
240 
241  *p++ = (unsigned char)( ( (ssl->hostname_len + 3) >> 8 ) & 0xFF );
242  *p++ = (unsigned char)( ( (ssl->hostname_len + 3) ) & 0xFF );
243 
244  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
245  *p++ = (unsigned char)( ( ssl->hostname_len >> 8 ) & 0xFF );
246  *p++ = (unsigned char)( ( ssl->hostname_len ) & 0xFF );
247 
248  memcpy( p, ssl->hostname, ssl->hostname_len );
249  p += ssl->hostname_len;
250  }
251 
252  if( ssl->renegotiation == SSL_RENEGOTIATION )
253  {
254  /*
255  * Secure renegotiation
256  */
257  SSL_DEBUG_MSG( 3, ( "client hello, renegotiation info extension" ) );
258 
259  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
260  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
261 
262  *p++ = 0x00;
263  *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
264  *p++ = ssl->verify_data_len & 0xFF;
265 
266  memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
267  p += ssl->verify_data_len;
268  }
269 
270  if( ssl->max_minor_ver == SSL_MINOR_VERSION_3 )
271  {
272  /*
273  * enum {
274  * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
275  * sha512(6), (255)
276  * } HashAlgorithm;
277  *
278  * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
279  * SignatureAlgorithm;
280  *
281  * struct {
282  * HashAlgorithm hash;
283  * SignatureAlgorithm signature;
284  * } SignatureAndHashAlgorithm;
285  *
286  * SignatureAndHashAlgorithm
287  * supported_signature_algorithms<2..2^16-2>;
288  */
289  SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
290 
291  *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
292  *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG ) & 0xFF );
293 
294  *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
295  *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
296 
297  *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
298  *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
299 
300  memcpy( p, sig_alg_list, sig_alg_len );
301 
302  p += sig_alg_len;
303  }
304 
305  ssl->out_msglen = p - buf;
307  ssl->out_msg[0] = SSL_HS_CLIENT_HELLO;
308 
309  ssl->state++;
310 
311  if( ( ret = ssl_write_record( ssl ) ) != 0 )
312  {
313  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
314  return( ret );
315  }
316 
317  SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
318 
319  return( 0 );
320 }
321 
322 static int ssl_parse_renegotiation_info( ssl_context *ssl,
323  unsigned char *buf,
324  size_t len )
325 {
326  int ret;
327 
329  {
330  if( len != 1 || buf[0] != 0x0 )
331  {
332  SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
333 
334  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
335  return( ret );
336 
338  }
339 
341  }
342  else
343  {
344  if( len != 1 + ssl->verify_data_len * 2 ||
345  buf[0] != ssl->verify_data_len * 2 ||
346  memcmp( buf + 1, ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
347  memcmp( buf + 1 + ssl->verify_data_len,
348  ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
349  {
350  SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
351 
352  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
353  return( ret );
354 
356  }
357  }
358 
359  return( 0 );
360 }
361 
362 static int ssl_parse_server_hello( ssl_context *ssl )
363 {
364 #if defined(POLARSSL_DEBUG_C)
365  time_t t;
366 #endif
367  int ret, i, comp;
368  size_t n;
369  size_t ext_len = 0;
370  unsigned char *buf, *ext;
371  int renegotiation_info_seen = 0;
372  int handshake_failure = 0;
373 
374  SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
375 
376  /*
377  * 0 . 0 handshake type
378  * 1 . 3 handshake length
379  * 4 . 5 protocol version
380  * 6 . 9 UNIX time()
381  * 10 . 37 random bytes
382  */
383  buf = ssl->in_msg;
384 
385  if( ( ret = ssl_read_record( ssl ) ) != 0 )
386  {
387  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
388  return( ret );
389  }
390 
391  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
392  {
393  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
395  }
396 
397  SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
398  buf[4], buf[5] ) );
399 
400  if( ssl->in_hslen < 42 ||
401  buf[0] != SSL_HS_SERVER_HELLO ||
402  buf[4] != SSL_MAJOR_VERSION_3 )
403  {
404  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
406  }
407 
408  if( buf[5] > ssl->max_minor_ver )
409  {
410  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
412  }
413 
414  ssl->minor_ver = buf[5];
415 
416  if( ssl->minor_ver < ssl->min_minor_ver )
417  {
418  SSL_DEBUG_MSG( 1, ( "server only supports ssl smaller than minimum"
419  " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
420  buf[4], buf[5] ) );
421 
424 
426  }
427 
428 #if defined(POLARSSL_DEBUG_C)
429  t = ( (time_t) buf[6] << 24 )
430  | ( (time_t) buf[7] << 16 )
431  | ( (time_t) buf[8] << 8 )
432  | ( (time_t) buf[9] );
433 #endif
434 
435  memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
436 
437  n = buf[38];
438 
439  SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
440  SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
441 
442  if( n > 32 )
443  {
444  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
446  }
447 
448  /*
449  * 38 . 38 session id length
450  * 39 . 38+n session id
451  * 39+n . 40+n chosen ciphersuite
452  * 41+n . 41+n chosen compression alg.
453  * 42+n . 43+n extensions length
454  * 44+n . 44+n+m extensions
455  */
456  if( ssl->in_hslen > 42 + n )
457  {
458  ext_len = ( ( buf[42 + n] << 8 )
459  | ( buf[43 + n] ) );
460 
461  if( ( ext_len > 0 && ext_len < 4 ) ||
462  ssl->in_hslen != 44 + n + ext_len )
463  {
464  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
466  }
467  }
468 
469  i = ( buf[39 + n] << 8 ) | buf[40 + n];
470  comp = buf[41 + n];
471 
472  /*
473  * Initialize update checksum functions
474  */
475  ssl_optimize_checksum( ssl, i );
476 
477  SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
478  SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
479 
480  /*
481  * Check if the session can be resumed
482  */
483  if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
484  ssl->handshake->resume == 0 || n == 0 ||
485  ssl->session_negotiate->ciphersuite != i ||
486  ssl->session_negotiate->compression != comp ||
487  ssl->session_negotiate->length != n ||
488  memcmp( ssl->session_negotiate->id, buf + 39, n ) != 0 )
489  {
490  ssl->state++;
491  ssl->handshake->resume = 0;
492  ssl->session_negotiate->start = time( NULL );
493  ssl->session_negotiate->ciphersuite = i;
494  ssl->session_negotiate->compression = comp;
495  ssl->session_negotiate->length = n;
496  memcpy( ssl->session_negotiate->id, buf + 39, n );
497  }
498  else
499  {
501 
502  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
503  {
504  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
505  return( ret );
506  }
507  }
508 
509  SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
510  ssl->handshake->resume ? "a" : "no" ) );
511 
512  SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) );
513  SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) );
514 
515  i = 0;
516  while( 1 )
517  {
518  if( ssl->ciphersuites[ssl->minor_ver][i] == 0 )
519  {
520  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
522  }
523 
524  if( ssl->ciphersuites[ssl->minor_ver][i++] == ssl->session_negotiate->ciphersuite )
525  break;
526  }
527 
528  if( comp != SSL_COMPRESS_NULL
529 #if defined(POLARSSL_ZLIB_SUPPORT)
530  && comp != SSL_COMPRESS_DEFLATE
531 #endif
532  )
533  {
534  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
536  }
537  ssl->session_negotiate->compression = comp;
538 
539  ext = buf + 44 + n;
540 
541  while( ext_len )
542  {
543  unsigned int ext_id = ( ( ext[0] << 8 )
544  | ( ext[1] ) );
545  unsigned int ext_size = ( ( ext[2] << 8 )
546  | ( ext[3] ) );
547 
548  if( ext_size + 4 > ext_len )
549  {
550  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
552  }
553 
554  switch( ext_id )
555  {
557  SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
558  renegotiation_info_seen = 1;
559 
560  if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ) ) != 0 )
561  return( ret );
562 
563  break;
564 
565  default:
566  SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
567  ext_id ) );
568  }
569 
570  ext_len -= 4 + ext_size;
571  ext += 4 + ext_size;
572 
573  if( ext_len > 0 && ext_len < 4 )
574  {
575  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
577  }
578  }
579 
580  /*
581  * Renegotiation security checks
582  */
585  {
586  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
587  handshake_failure = 1;
588  }
589  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
591  renegotiation_info_seen == 0 )
592  {
593  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
594  handshake_failure = 1;
595  }
596  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
599  {
600  SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
601  handshake_failure = 1;
602  }
603  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
605  renegotiation_info_seen == 1 )
606  {
607  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
608  handshake_failure = 1;
609  }
610 
611  if( handshake_failure == 1 )
612  {
613  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
614  return( ret );
615 
617  }
618 
619  SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
620 
621  return( 0 );
622 }
623 
624 static int ssl_parse_server_key_exchange( ssl_context *ssl )
625 {
626 #if defined(POLARSSL_DHM_C)
627  int ret;
628  size_t n;
629  unsigned char *p, *end;
630  unsigned char hash[64];
633  int hash_id = SIG_RSA_RAW;
634  unsigned int hashlen = 0;
635 #endif
636 
637  SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
638 
651  {
652  SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
653  ssl->state++;
654  return( 0 );
655  }
656 
657 #if !defined(POLARSSL_DHM_C)
658  SSL_DEBUG_MSG( 1, ( "support for dhm in not available" ) );
660 #else
661  if( ( ret = ssl_read_record( ssl ) ) != 0 )
662  {
663  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
664  return( ret );
665  }
666 
667  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
668  {
669  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
671  }
672 
673  if( ssl->in_msg[0] != SSL_HS_SERVER_KEY_EXCHANGE )
674  {
675  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
677  }
678 
679  SSL_DEBUG_BUF( 3, "server key exchange", ssl->in_msg + 4, ssl->in_hslen - 4 );
680 
681  /*
682  * Ephemeral DH parameters:
683  *
684  * struct {
685  * opaque dh_p<1..2^16-1>;
686  * opaque dh_g<1..2^16-1>;
687  * opaque dh_Ys<1..2^16-1>;
688  * } ServerDHParams;
689  */
690  p = ssl->in_msg + 4;
691  end = ssl->in_msg + ssl->in_hslen;
692 
693  if( ( ret = dhm_read_params( &ssl->handshake->dhm_ctx, &p, end ) ) != 0 )
694  {
695  SSL_DEBUG_MSG( 2, ( "DHM Read Params returned -0x%x", -ret ) );
696  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
698  }
699 
700  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
701  {
702  if( p[1] != SSL_SIG_RSA )
703  {
704  SSL_DEBUG_MSG( 2, ( "server used unsupported SignatureAlgorithm %d", p[1] ) );
705  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
707  }
708 
709  switch( p[0] )
710  {
711 #if defined(POLARSSL_MD5_C)
712  case SSL_HASH_MD5:
713  hash_id = SIG_RSA_MD5;
714  break;
715 #endif
716 #if defined(POLARSSL_SHA1_C)
717  case SSL_HASH_SHA1:
718  hash_id = SIG_RSA_SHA1;
719  break;
720 #endif
721 #if defined(POLARSSL_SHA2_C)
722  case SSL_HASH_SHA224:
723  hash_id = SIG_RSA_SHA224;
724  break;
725  case SSL_HASH_SHA256:
726  hash_id = SIG_RSA_SHA256;
727  break;
728 #endif
729 #if defined(POLARSSL_SHA4_C)
730  case SSL_HASH_SHA384:
731  hash_id = SIG_RSA_SHA384;
732  break;
733  case SSL_HASH_SHA512:
734  hash_id = SIG_RSA_SHA512;
735  break;
736 #endif
737  default:
738  SSL_DEBUG_MSG( 2, ( "Server used unsupported HashAlgorithm %d", p[0] ) );
739  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
741  }
742 
743  SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", p[1] ) );
744  SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", p[0] ) );
745  p += 2;
746  }
747 
748  n = ( p[0] << 8 ) | p[1];
749  p += 2;
750 
751  if( end != p + n )
752  {
753  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
755  }
756 
757  if( (unsigned int)( end - p ) !=
759  {
760  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
762  }
763 
764  if( ssl->handshake->dhm_ctx.len < 64 || ssl->handshake->dhm_ctx.len > 512 )
765  {
766  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
768  }
769 
770  SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
771  SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
772  SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
773 
774  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
775  {
776  /*
777  * digitally-signed struct {
778  * opaque md5_hash[16];
779  * opaque sha_hash[20];
780  * };
781  *
782  * md5_hash
783  * MD5(ClientHello.random + ServerHello.random
784  * + ServerParams);
785  * sha_hash
786  * SHA(ClientHello.random + ServerHello.random
787  * + ServerParams);
788  */
789  n = ssl->in_hslen - ( end - p ) - 6;
790 
791  md5_starts( &md5 );
792  md5_update( &md5, ssl->handshake->randbytes, 64 );
793  md5_update( &md5, ssl->in_msg + 4, n );
794  md5_finish( &md5, hash );
795 
796  sha1_starts( &sha1 );
797  sha1_update( &sha1, ssl->handshake->randbytes, 64 );
798  sha1_update( &sha1, ssl->in_msg + 4, n );
799  sha1_finish( &sha1, hash + 16 );
800 
801  hash_id = SIG_RSA_RAW;
802  hashlen = 36;
803  }
804  else
805  {
807 #if defined(POLARSSL_SHA4_C)
809 #endif
810 
811  n = ssl->in_hslen - ( end - p ) - 8;
812 
813  /*
814  * digitally-signed struct {
815  * opaque client_random[32];
816  * opaque server_random[32];
817  * ServerDHParams params;
818  * };
819  */
820  switch( hash_id )
821  {
822 #if defined(POLARSSL_MD5_C)
823  case SIG_RSA_MD5:
824  md5_starts( &md5 );
825  md5_update( &md5, ssl->handshake->randbytes, 64 );
826  md5_update( &md5, ssl->in_msg + 4, n );
827  md5_finish( &md5, hash );
828  hashlen = 16;
829  break;
830 #endif
831 #if defined(POLARSSL_SHA1_C)
832  case SIG_RSA_SHA1:
833  sha1_starts( &sha1 );
834  sha1_update( &sha1, ssl->handshake->randbytes, 64 );
835  sha1_update( &sha1, ssl->in_msg + 4, n );
836  sha1_finish( &sha1, hash );
837  hashlen = 20;
838  break;
839 #endif
840 #if defined(POLARSSL_SHA2_C)
841  case SIG_RSA_SHA224:
842  sha2_starts( &sha2, 1 );
843  sha2_update( &sha2, ssl->handshake->randbytes, 64 );
844  sha2_update( &sha2, ssl->in_msg + 4, n );
845  sha2_finish( &sha2, hash );
846  hashlen = 28;
847  break;
848  case SIG_RSA_SHA256:
849  sha2_starts( &sha2, 0 );
850  sha2_update( &sha2, ssl->handshake->randbytes, 64 );
851  sha2_update( &sha2, ssl->in_msg + 4, n );
852  sha2_finish( &sha2, hash );
853  hashlen = 32;
854  break;
855 #endif
856 #if defined(POLARSSL_SHA4_C)
857  case SIG_RSA_SHA384:
858  sha4_starts( &sha4, 1 );
859  sha4_update( &sha4, ssl->handshake->randbytes, 64 );
860  sha4_update( &sha4, ssl->in_msg + 4, n );
861  sha4_finish( &sha4, hash );
862  hashlen = 48;
863  break;
864  case SIG_RSA_SHA512:
865  sha4_starts( &sha4, 0 );
866  sha4_update( &sha4, ssl->handshake->randbytes, 64 );
867  sha4_update( &sha4, ssl->in_msg + 4, n );
868  sha4_finish( &sha4, hash );
869  hashlen = 64;
870  break;
871 #endif
872  }
873  }
874 
875  SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
876 
877  if( ( ret = rsa_pkcs1_verify( &ssl->session_negotiate->peer_cert->rsa,
878  NULL, NULL, RSA_PUBLIC,
879  hash_id, hashlen, hash, p ) ) != 0 )
880  {
881  SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
882  return( ret );
883  }
884 
885  ssl->state++;
886 
887  SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
888 
889  return( 0 );
890 #endif
891 }
892 
893 static int ssl_parse_certificate_request( ssl_context *ssl )
894 {
895  int ret;
896  unsigned char *buf, *p;
897  size_t n = 0, m = 0;
898  size_t cert_type_len = 0, sig_alg_len = 0, dn_len = 0;
899 
900  SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
901 
902  /*
903  * 0 . 0 handshake type
904  * 1 . 3 handshake length
905  * 4 . 4 cert type count
906  * 5 .. m-1 cert types
907  * m .. m+1 sig alg length (TLS 1.2 only)
908  * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
909  * n .. n+1 length of all DNs
910  * n+2 .. n+3 length of DN 1
911  * n+4 .. ... Distinguished Name #1
912  * ... .. ... length of DN 2, etc.
913  */
914  if( ( ret = ssl_read_record( ssl ) ) != 0 )
915  {
916  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
917  return( ret );
918  }
919 
920  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
921  {
922  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
924  }
925 
926  ssl->client_auth = 0;
927  ssl->state++;
928 
929  if( ssl->in_msg[0] == SSL_HS_CERTIFICATE_REQUEST )
930  ssl->client_auth++;
931 
932  SSL_DEBUG_MSG( 3, ( "got %s certificate request",
933  ssl->client_auth ? "a" : "no" ) );
934 
935  if( ssl->client_auth == 0 )
936  goto exit;
937 
938  // TODO: handshake_failure alert for an anonymous server to request
939  // client authentication
940 
941  buf = ssl->in_msg;
942 
943  // Retrieve cert types
944  //
945  cert_type_len = buf[4];
946  n = cert_type_len;
947 
948  if( ssl->in_hslen < 6 + n )
949  {
950  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
952  }
953 
954  p = buf + 5;
955  while( cert_type_len > 0 )
956  {
957  if( *p == SSL_CERT_TYPE_RSA_SIGN )
958  {
960  break;
961  }
962 
963  cert_type_len--;
964  p++;
965  }
966 
967  if( ssl->handshake->cert_type == 0 )
968  {
969  SSL_DEBUG_MSG( 1, ( "no known cert_type provided" ) );
971  }
972 
973  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
974  {
975  sig_alg_len = ( ( buf[5 + n] << 8 )
976  | ( buf[6 + n] ) );
977 
978  p = buf + 7 + n;
979  m += 2;
980  n += sig_alg_len;
981 
982  if( ssl->in_hslen < 6 + n )
983  {
984  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
986  }
987  }
988 
989  dn_len = ( ( buf[5 + m + n] << 8 )
990  | ( buf[6 + m + n] ) );
991 
992  n += dn_len;
993  if( ssl->in_hslen != 7 + m + n )
994  {
995  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
997  }
998 
999 exit:
1000  SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
1001 
1002  return( 0 );
1003 }
1004 
1005 static int ssl_parse_server_hello_done( ssl_context *ssl )
1006 {
1007  int ret;
1008 
1009  SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
1010 
1011  if( ssl->client_auth != 0 )
1012  {
1013  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1014  {
1015  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1016  return( ret );
1017  }
1018 
1019  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1020  {
1021  SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
1023  }
1024  }
1025 
1026  if( ssl->in_hslen != 4 ||
1027  ssl->in_msg[0] != SSL_HS_SERVER_HELLO_DONE )
1028  {
1029  SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
1031  }
1032 
1033  ssl->state++;
1034 
1035  SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
1036 
1037  return( 0 );
1038 }
1039 
1040 static int ssl_write_client_key_exchange( ssl_context *ssl )
1041 {
1042  int ret;
1043  size_t i, n;
1044 
1045  SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
1046 
1059  {
1060 #if !defined(POLARSSL_DHM_C)
1061  SSL_DEBUG_MSG( 1, ( "support for dhm in not available" ) );
1063 #else
1064  /*
1065  * DHM key exchange -- send G^X mod P
1066  */
1067  n = ssl->handshake->dhm_ctx.len;
1068 
1069  ssl->out_msg[4] = (unsigned char)( n >> 8 );
1070  ssl->out_msg[5] = (unsigned char)( n );
1071  i = 6;
1072 
1073  ret = dhm_make_public( &ssl->handshake->dhm_ctx,
1074  mpi_size( &ssl->handshake->dhm_ctx.P ),
1075  &ssl->out_msg[i], n,
1076  ssl->f_rng, ssl->p_rng );
1077  if( ret != 0 )
1078  {
1079  SSL_DEBUG_RET( 1, "dhm_make_public", ret );
1080  return( ret );
1081  }
1082 
1083  SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
1084  SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
1085 
1086  ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
1087 
1088  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
1089  ssl->handshake->premaster,
1090  &ssl->handshake->pmslen ) ) != 0 )
1091  {
1092  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
1093  return( ret );
1094  }
1095 
1096  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
1097 #endif
1098  }
1099  else
1100  {
1101  /*
1102  * RSA key exchange -- send rsa_public(pkcs1 v1.5(premaster))
1103  */
1104  ssl->handshake->premaster[0] = (unsigned char) ssl->max_major_ver;
1105  ssl->handshake->premaster[1] = (unsigned char) ssl->max_minor_ver;
1106  ssl->handshake->pmslen = 48;
1107 
1108  ret = ssl->f_rng( ssl->p_rng, ssl->handshake->premaster + 2,
1109  ssl->handshake->pmslen - 2 );
1110  if( ret != 0 )
1111  return( ret );
1112 
1113  i = 4;
1114  n = ssl->session_negotiate->peer_cert->rsa.len;
1115 
1116  if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
1117  {
1118  i += 2;
1119  ssl->out_msg[4] = (unsigned char)( n >> 8 );
1120  ssl->out_msg[5] = (unsigned char)( n );
1121  }
1122 
1124  ssl->f_rng, ssl->p_rng,
1125  RSA_PUBLIC,
1126  ssl->handshake->pmslen,
1127  ssl->handshake->premaster,
1128  ssl->out_msg + i );
1129  if( ret != 0 )
1130  {
1131  SSL_DEBUG_RET( 1, "rsa_pkcs1_encrypt", ret );
1132  return( ret );
1133  }
1134  }
1135 
1136  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1137  {
1138  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1139  return( ret );
1140  }
1141 
1142  ssl->out_msglen = i + n;
1145 
1146  ssl->state++;
1147 
1148  if( ( ret = ssl_write_record( ssl ) ) != 0 )
1149  {
1150  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1151  return( ret );
1152  }
1153 
1154  SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
1155 
1156  return( 0 );
1157 }
1158 
1159 static int ssl_write_certificate_verify( ssl_context *ssl )
1160 {
1161  int ret = 0;
1162  size_t n = 0, offset = 0;
1163  unsigned char hash[48];
1164  int hash_id = SIG_RSA_RAW;
1165  unsigned int hashlen = 36;
1166 
1167  SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
1168 
1169  if( ssl->client_auth == 0 || ssl->own_cert == NULL )
1170  {
1171  SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
1172  ssl->state++;
1173  return( 0 );
1174  }
1175 
1176  if( ssl->rsa_key == NULL )
1177  {
1178  SSL_DEBUG_MSG( 1, ( "got no private key" ) );
1180  }
1181 
1182  /*
1183  * Make an RSA signature of the handshake digests
1184  */
1185  ssl->handshake->calc_verify( ssl, hash );
1186 
1187  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
1188  {
1189  /*
1190  * digitally-signed struct {
1191  * opaque md5_hash[16];
1192  * opaque sha_hash[20];
1193  * };
1194  *
1195  * md5_hash
1196  * MD5(handshake_messages);
1197  *
1198  * sha_hash
1199  * SHA(handshake_messages);
1200  */
1201  hashlen = 36;
1202  hash_id = SIG_RSA_RAW;
1203  }
1204  else
1205  {
1206  /*
1207  * digitally-signed struct {
1208  * opaque handshake_messages[handshake_messages_length];
1209  * };
1210  *
1211  * Taking shortcut here. We assume that the server always allows the
1212  * PRF Hash function and has sent it in the allowed signature
1213  * algorithms list received in the Certificate Request message.
1214  *
1215  * Until we encounter a server that does not, we will take this
1216  * shortcut.
1217  *
1218  * Reason: Otherwise we should have running hashes for SHA512 and SHA224
1219  * in order to satisfy 'weird' needs from the server side.
1220  */
1223  {
1224  hash_id = SIG_RSA_SHA384;
1225  hashlen = 48;
1226  ssl->out_msg[4] = SSL_HASH_SHA384;
1227  ssl->out_msg[5] = SSL_SIG_RSA;
1228  }
1229  else
1230  {
1231  hash_id = SIG_RSA_SHA256;
1232  hashlen = 32;
1233  ssl->out_msg[4] = SSL_HASH_SHA256;
1234  ssl->out_msg[5] = SSL_SIG_RSA;
1235  }
1236 
1237  offset = 2;
1238  }
1239 
1240  if ( ssl->rsa_key )
1241  n = ssl->rsa_key_len ( ssl->rsa_key );
1242 
1243  ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
1244  ssl->out_msg[5 + offset] = (unsigned char)( n );
1245 
1246  if( ssl->rsa_key )
1247  {
1248  ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
1249  RSA_PRIVATE, hash_id,
1250  hashlen, hash, ssl->out_msg + 6 + offset );
1251  }
1252 
1253  if (ret != 0)
1254  {
1255  SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
1256  return( ret );
1257  }
1258 
1259  ssl->out_msglen = 6 + n + offset;
1262 
1263  ssl->state++;
1264 
1265  if( ( ret = ssl_write_record( ssl ) ) != 0 )
1266  {
1267  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1268  return( ret );
1269  }
1270 
1271  SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
1272 
1273  return( 0 );
1274 }
1275 
1276 /*
1277  * SSL handshake -- client side -- single step
1278  */
1280 {
1281  int ret = 0;
1282 
1283  if( ssl->state == SSL_HANDSHAKE_OVER )
1285 
1286  SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
1287 
1288  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1289  return( ret );
1290 
1291  switch( ssl->state )
1292  {
1293  case SSL_HELLO_REQUEST:
1294  ssl->state = SSL_CLIENT_HELLO;
1295  break;
1296 
1297  /*
1298  * ==> ClientHello
1299  */
1300  case SSL_CLIENT_HELLO:
1301  ret = ssl_write_client_hello( ssl );
1302  break;
1303 
1304  /*
1305  * <== ServerHello
1306  * Certificate
1307  * ( ServerKeyExchange )
1308  * ( CertificateRequest )
1309  * ServerHelloDone
1310  */
1311  case SSL_SERVER_HELLO:
1312  ret = ssl_parse_server_hello( ssl );
1313  break;
1314 
1316  ret = ssl_parse_certificate( ssl );
1317  break;
1318 
1320  ret = ssl_parse_server_key_exchange( ssl );
1321  break;
1322 
1324  ret = ssl_parse_certificate_request( ssl );
1325  break;
1326 
1327  case SSL_SERVER_HELLO_DONE:
1328  ret = ssl_parse_server_hello_done( ssl );
1329  break;
1330 
1331  /*
1332  * ==> ( Certificate/Alert )
1333  * ClientKeyExchange
1334  * ( CertificateVerify )
1335  * ChangeCipherSpec
1336  * Finished
1337  */
1339  ret = ssl_write_certificate( ssl );
1340  break;
1341 
1343  ret = ssl_write_client_key_exchange( ssl );
1344  break;
1345 
1347  ret = ssl_write_certificate_verify( ssl );
1348  break;
1349 
1351  ret = ssl_write_change_cipher_spec( ssl );
1352  break;
1353 
1354  case SSL_CLIENT_FINISHED:
1355  ret = ssl_write_finished( ssl );
1356  break;
1357 
1358  /*
1359  * <== ChangeCipherSpec
1360  * Finished
1361  */
1363  ret = ssl_parse_change_cipher_spec( ssl );
1364  break;
1365 
1366  case SSL_SERVER_FINISHED:
1367  ret = ssl_parse_finished( ssl );
1368  break;
1369 
1370  case SSL_FLUSH_BUFFERS:
1371  SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
1372  ssl->state = SSL_HANDSHAKE_WRAPUP;
1373  break;
1374 
1375  case SSL_HANDSHAKE_WRAPUP:
1376  ssl_handshake_wrapup( ssl );
1377  break;
1378 
1379  default:
1380  SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
1382  }
1383 
1384  return( ret );
1385 }
1386 #endif
#define SSL_HS_CLIENT_KEY_EXCHANGE
Definition: ssl.h:255
unsigned char * hostname
Definition: ssl.h:515
#define SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:218
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS 1.2.
Definition: ssl.h:173
size_t length
Definition: ssl.h:322
#define SIG_RSA_MD5
Definition: rsa.h:51
int ciphersuite
Definition: ssl.h:320
mpi P
Definition: dhm.h:139
size_t in_hslen
Definition: ssl.h:469
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:419
#define TLS_EXT_SERVERNAME_HOSTNAME
Definition: ssl.h:262
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE
Processing of the ServerKeyExchange handshake message failed.
Definition: ssl.h:81
SHA-256 context structure.
Definition: sha2.h:50
int major_ver
Definition: ssl.h:408
#define SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:38
SHA-1 context structure.
Definition: sha1.h:50
int compression
Definition: ssl.h:321
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE
Processing of the ServerHelloDone handshake message failed.
Definition: ssl.h:82
const int ** ciphersuites
Definition: ssl.h:505
int state
Definition: ssl.h:405
char peer_verify_data[36]
Definition: ssl.h:525
#define SSL_HS_CLIENT_HELLO
Definition: ssl.h:248
Debug functions.
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
void(* calc_verify)(ssl_context *, unsigned char *)
Definition: ssl.h:385
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
#define SSL_HS_SERVER_KEY_EXCHANGE
Definition: ssl.h:251
x509_cert * peer_cert
Definition: ssl.h:325
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO
Processing of the ServerHello handshake message failed.
Definition: ssl.h:78
#define SSL_HASH_SHA1
Definition: ssl.h:196
ssl_session * session_negotiate
Definition: ssl.h:444
int ssl_parse_certificate(ssl_context *ssl)
size_t out_msglen
Definition: ssl.h:480
mpi GX
Definition: dhm.h:142
#define SSL_SIG_RSA
Definition: ssl.h:202
int ssl_parse_finished(ssl_context *ssl)
void * p_rng
Definition: ssl.h:428
rsa_sign_func rsa_sign
Definition: ssl.h:488
#define RSA_PUBLIC
Definition: rsa.h:58
#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
TLS 1.2.
Definition: ssl.h:180
#define SSL_RENEGOTIATION
Definition: ssl.h:114
int ssl_write_finished(ssl_context *ssl)
Configuration options (set of defines)
#define SSL_DEBUG_MSG(level, args)
Definition: debug.h:35
mpi X
Definition: dhm.h:141
void ssl_handshake_wrapup(ssl_context *ssl)
char own_verify_data[36]
Definition: ssl.h:524
#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Definition: ssl.h:187
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
int secure_renegotiation
Definition: ssl.h:521
time_t start
Definition: ssl.h:319
#define SSL_HASH_MD5
Definition: ssl.h:195
#define SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:122
#define SSL_MAJOR_VERSION_3
Definition: ssl.h:98
#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Definition: ssl.h:164
unsigned char id[32]
Definition: ssl.h:323
size_t len
Definition: dhm.h:138
int max_major_ver
Definition: ssl.h:411
size_t len
Definition: rsa.h:138
#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Definition: ssl.h:186
int max_minor_ver
Definition: ssl.h:412
int dhm_read_params(dhm_context *ctx, unsigned char **p, const unsigned char *end)
Parse the ServerKeyExchange parameters.
unsigned char premaster[POLARSSL_MPI_MAX_SIZE]
Definition: ssl.h:394
void sha4_starts(sha4_context *ctx, int is384)
SHA-512 context setup.
#define TLS_EXT_SIG_ALG
Definition: ssl.h:264
#define SSL_CERT_TYPE_RSA_SIGN
Definition: ssl.h:207
#define SSL_HS_CERTIFICATE_REQUEST
Definition: ssl.h:252
#define TLS_RSA_WITH_AES_256_GCM_SHA384
Definition: ssl.h:185
ssl_handshake_params * handshake
Definition: ssl.h:446
#define SSL_MSG_HANDSHAKE
Definition: ssl.h:214
int ssl_write_certificate(ssl_context *ssl)
#define SSL_ALERT_MSG_PROTOCOL_VERSION
Definition: ssl.h:239
int rsa_pkcs1_encrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t ilen, const unsigned char *input, unsigned char *output)
Generic wrapper to perform a PKCS#1 encryption using the mode from the context.
#define SIG_RSA_SHA512
Definition: rsa.h:56
SHA-384 and SHA-512 cryptographic hash function.
rsa_key_len_func rsa_key_len
Definition: ssl.h:489
int in_msgtype
Definition: ssl.h:465
#define RSA_PRIVATE
Definition: rsa.h:59
size_t verify_data_len
Definition: ssl.h:523
#define SIG_RSA_SHA1
Definition: rsa.h:52
mpi G
Definition: dhm.h:140
int min_minor_ver
Definition: ssl.h:414
unsigned char * out_msg
Definition: ssl.h:477
#define SSL_MINOR_VERSION_0
Definition: ssl.h:99
int client_auth
Definition: ssl.h:501
#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION
Handshake protocol not within min/max boundaries.
Definition: ssl.h:93
#define SSL_HS_SERVER_HELLO_DONE
Definition: ssl.h:253
#define TLS_DHE_RSA_WITH_DES_CBC_SHA
Weak! Not in TLS 1.2.
Definition: ssl.h:158
int ssl_handshake_client_step(ssl_context *ssl)
void sha4_update(sha4_context *ctx, const unsigned char *input, size_t ilen)
SHA-512 process buffer.
#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE
An unexpected message was received from our peer.
Definition: ssl.h:73
#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
Definition: ssl.h:176
mpi GY
Definition: dhm.h:143
void md5_starts(md5_context *ctx)
MD5 context setup.
int ssl_flush_output(ssl_context *ssl)
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Definition: ssl.h:169
#define SSL_HS_SERVER_HELLO
Definition: ssl.h:249
#define SSL_COMPRESS_DEFLATE
Definition: ssl.h:107
unsigned char * in_msg
Definition: ssl.h:462
#define SSL_MINOR_VERSION_3
Definition: ssl.h:102
mpi K
Definition: dhm.h:144
MD5 context structure.
Definition: md5.h:50
#define TLS_EXT_RENEGOTIATION_INFO
Definition: ssl.h:266
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST
Processing of the CertificateRequest handshake message failed.
Definition: ssl.h:80
int ssl_parse_change_cipher_spec(ssl_context *ssl)
size_t hostname_len
Definition: ssl.h:516
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
int minor_ver
Definition: ssl.h:409
#define SSL_EMPTY_RENEGOTIATION_INFO
renegotiation info ext
Definition: ssl.h:189
#define SSL_HASH_SHA256
Definition: ssl.h:198
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS 1.2.
Definition: ssl.h:172
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:41
#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED
The own private key is not set, but needed.
Definition: ssl.h:71
#define SSL_INITIAL_HANDSHAKE
Definition: ssl.h:113
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
Definition: ssl.h:178
void sha2_update(sha2_context *ctx, const unsigned char *input, size_t ilen)
SHA-256 process buffer.
int allow_legacy_renegotiation
Definition: ssl.h:504
#define SSL_COMPRESS_NULL
Definition: ssl.h:106
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen)
Derive and export the shared secret (G^Y)^X mod P.
int ssl_read_record(ssl_context *ssl)
void sha4(const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = SHA-512( input buffer )
int out_msgtype
Definition: ssl.h:479
#define SIG_RSA_SHA224
Definition: rsa.h:53
#define SSL_HS_CERTIFICATE_VERIFY
Definition: ssl.h:254
#define TLS_EXT_SERVERNAME
Definition: ssl.h:261
int dhm_make_public(dhm_context *ctx, int x_size, unsigned char *output, size_t olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Create own private value X and export G^X.
#define SSL_DEBUG_MPI(level, text, X)
Definition: debug.h:44
size_t mpi_size(const mpi *X)
Return the total size in bytes.
#define SSL_LEGACY_BREAK_HANDSHAKE
Definition: ssl.h:124
x509_cert * own_cert
Definition: ssl.h:491
int min_major_ver
Definition: ssl.h:413
SHA-512 context structure.
Definition: sha4.h:51
#define SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:116
#define SSL_HASH_SHA224
Definition: ssl.h:197
#define SSL_SECURE_RENEGOTIATION
Definition: ssl.h:117
#define SIG_RSA_SHA256
Definition: rsa.h:54
SSL/TLS functions.
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Definition: ssl.h:167
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
int ssl_write_change_cipher_spec(ssl_context *ssl)
void sha2(const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = SHA-256( input buffer )
void * rsa_key
Definition: ssl.h:486
int ssl_derive_keys(ssl_context *ssl)
void sha4_finish(sha4_context *ctx, unsigned char output[64])
SHA-512 final digest.
#define SIG_RSA_SHA384
Definition: rsa.h:55
int renegotiation
Definition: ssl.h:406
dhm_context dhm_ctx
Definition: ssl.h:373
#define SIG_RSA_RAW
Definition: rsa.h:48
void ssl_optimize_checksum(ssl_context *ssl, int ciphersuite)
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
void sha2_starts(sha2_context *ctx, int is224)
SHA-256 context setup.
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
TLS 1.2.
Definition: ssl.h:182
rsa_context rsa
Container for the RSA context.
Definition: x509.h:307
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition: ssl.h:60
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition: ssl.h:61
#define SSL_HASH_SHA512
Definition: ssl.h:200
#define SSL_HASH_SHA384
Definition: ssl.h:199
int ssl_write_record(ssl_context *ssl)
int rsa_pkcs1_verify(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Generic wrapper to perform a PKCS#1 verification using the mode from the context. ...
unsigned char randbytes[64]
Definition: ssl.h:393
void sha2_finish(sha2_context *ctx, unsigned char output[32])
SHA-256 final digest.