PolarSSL v1.3.3
ssl_cli.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 client-side functions
3  *
4  * Copyright (C) 2006-2013, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 #include "polarssl/config.h"
27 
28 #if defined(POLARSSL_SSL_CLI_C)
29 
30 #include "polarssl/debug.h"
31 #include "polarssl/ssl.h"
32 
33 #if defined(POLARSSL_MEMORY_C)
34 #include "polarssl/memory.h"
35 #else
36 #define polarssl_malloc malloc
37 #define polarssl_free free
38 #endif
39 
40 #include <stdlib.h>
41 #include <stdio.h>
42 
43 #if defined(_MSC_VER) && !defined(EFIX64) && !defined(EFI32)
44 #include <basetsd.h>
45 typedef UINT32 uint32_t;
46 #else
47 #include <inttypes.h>
48 #endif
49 
50 #if defined(POLARSSL_HAVE_TIME)
51 #include <time.h>
52 #endif
53 
54 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
55 static void ssl_write_hostname_ext( ssl_context *ssl,
56  unsigned char *buf,
57  size_t *olen )
58 {
59  unsigned char *p = buf;
60 
61  *olen = 0;
62 
63  if ( ssl->hostname == NULL )
64  return;
65 
66  SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
67  ssl->hostname ) );
68 
69  /*
70  * struct {
71  * NameType name_type;
72  * select (name_type) {
73  * case host_name: HostName;
74  * } name;
75  * } ServerName;
76  *
77  * enum {
78  * host_name(0), (255)
79  * } NameType;
80  *
81  * opaque HostName<1..2^16-1>;
82  *
83  * struct {
84  * ServerName server_name_list<1..2^16-1>
85  * } ServerNameList;
86  */
87  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
88  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME ) & 0xFF );
89 
90  *p++ = (unsigned char)( ( (ssl->hostname_len + 5) >> 8 ) & 0xFF );
91  *p++ = (unsigned char)( ( (ssl->hostname_len + 5) ) & 0xFF );
92 
93  *p++ = (unsigned char)( ( (ssl->hostname_len + 3) >> 8 ) & 0xFF );
94  *p++ = (unsigned char)( ( (ssl->hostname_len + 3) ) & 0xFF );
95 
96  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
97  *p++ = (unsigned char)( ( ssl->hostname_len >> 8 ) & 0xFF );
98  *p++ = (unsigned char)( ( ssl->hostname_len ) & 0xFF );
99 
100  memcpy( p, ssl->hostname, ssl->hostname_len );
101 
102  *olen = ssl->hostname_len + 9;
103 }
104 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
105 
106 static void ssl_write_renegotiation_ext( ssl_context *ssl,
107  unsigned char *buf,
108  size_t *olen )
109 {
110  unsigned char *p = buf;
111 
112  *olen = 0;
113 
114  if( ssl->renegotiation != SSL_RENEGOTIATION )
115  return;
116 
117  SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
118 
119  /*
120  * Secure renegotiation
121  */
122  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
123  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
124 
125  *p++ = 0x00;
126  *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
127  *p++ = ssl->verify_data_len & 0xFF;
128 
129  memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
130 
131  *olen = 5 + ssl->verify_data_len;
132 }
133 
134 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
135 static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
136  unsigned char *buf,
137  size_t *olen )
138 {
139  unsigned char *p = buf;
140  unsigned char *sig_alg_list = buf + 6;
141  size_t sig_alg_len = 0;
142 
143  *olen = 0;
144 
145  if( ssl->max_minor_ver != SSL_MINOR_VERSION_3 )
146  return;
147 
148  SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
149 
150  /*
151  * Prepare signature_algorithms extension (TLS 1.2)
152  */
153 #if defined(POLARSSL_RSA_C)
154 #if defined(POLARSSL_SHA512_C)
155  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
156  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
157  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
158  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
159 #endif
160 #if defined(POLARSSL_SHA256_C)
161  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
162  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
163  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
164  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
165 #endif
166 #if defined(POLARSSL_SHA1_C)
167  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
168  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
169 #endif
170 #if defined(POLARSSL_MD5_C)
171  sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
172  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
173 #endif
174 #endif /* POLARSSL_RSA_C */
175 #if defined(POLARSSL_ECDSA_C)
176 #if defined(POLARSSL_SHA512_C)
177  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
178  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
179  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
180  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
181 #endif
182 #if defined(POLARSSL_SHA256_C)
183  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
184  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
185  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
186  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
187 #endif
188 #if defined(POLARSSL_SHA1_C)
189  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
190  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
191 #endif
192 #if defined(POLARSSL_MD5_C)
193  sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
194  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
195 #endif
196 #endif /* POLARSSL_ECDSA_C */
197 
198  /*
199  * enum {
200  * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
201  * sha512(6), (255)
202  * } HashAlgorithm;
203  *
204  * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
205  * SignatureAlgorithm;
206  *
207  * struct {
208  * HashAlgorithm hash;
209  * SignatureAlgorithm signature;
210  * } SignatureAndHashAlgorithm;
211  *
212  * SignatureAndHashAlgorithm
213  * supported_signature_algorithms<2..2^16-2>;
214  */
215  *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
216  *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG ) & 0xFF );
217 
218  *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
219  *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
220 
221  *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
222  *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
223 
224  *olen = 6 + sig_alg_len;
225 }
226 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
227 
228 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
229 static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
230  unsigned char *buf,
231  size_t *olen )
232 {
233  unsigned char *p = buf;
234  unsigned char elliptic_curve_list[20];
235  size_t elliptic_curve_len = 0;
236  const ecp_curve_info *curve;
237  ((void) ssl);
238 
239  *olen = 0;
240 
241  SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
242 
243  for( curve = ecp_curve_list();
244  curve->grp_id != POLARSSL_ECP_DP_NONE;
245  curve++ )
246  {
247  elliptic_curve_list[elliptic_curve_len++] = curve->tls_id >> 8;
248  elliptic_curve_list[elliptic_curve_len++] = curve->tls_id & 0xFF;
249  }
250 
251  if( elliptic_curve_len == 0 )
252  return;
253 
254  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
255  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
256 
257  *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
258  *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
259 
260  *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
261  *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
262 
263  memcpy( p, elliptic_curve_list, elliptic_curve_len );
264 
265  *olen = 6 + elliptic_curve_len;
266 }
267 
268 static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
269  unsigned char *buf,
270  size_t *olen )
271 {
272  unsigned char *p = buf;
273  ((void) ssl);
274 
275  *olen = 0;
276 
277  SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
278 
279  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
280  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
281 
282  *p++ = 0x00;
283  *p++ = 2;
284 
285  *p++ = 1;
287 
288  *olen = 6;
289 }
290 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
291 
292 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
293 static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
294  unsigned char *buf,
295  size_t *olen )
296 {
297  unsigned char *p = buf;
298 
299  if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ) {
300  *olen = 0;
301  return;
302  }
303 
304  SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
305 
306  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
307  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
308 
309  *p++ = 0x00;
310  *p++ = 1;
311 
312  *p++ = ssl->mfl_code;
313 
314  *olen = 5;
315 }
316 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
317 
318 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
319 static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
320  unsigned char *buf, size_t *olen )
321 {
322  unsigned char *p = buf;
323 
324  if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
325  {
326  *olen = 0;
327  return;
328  }
329 
330  SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
331 
332  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
333  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
334 
335  *p++ = 0x00;
336  *p++ = 0x00;
337 
338  *olen = 4;
339 }
340 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
341 
342 #if defined(POLARSSL_SSL_SESSION_TICKETS)
343 static void ssl_write_session_ticket_ext( ssl_context *ssl,
344  unsigned char *buf, size_t *olen )
345 {
346  unsigned char *p = buf;
347  size_t tlen = ssl->session_negotiate->ticket_len;
348 
350  {
351  *olen = 0;
352  return;
353  }
354 
355  SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
356 
357  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
358  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
359 
360  *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
361  *p++ = (unsigned char)( ( tlen ) & 0xFF );
362 
363  *olen = 4;
364 
365  if( ssl->session_negotiate->ticket == NULL ||
366  ssl->session_negotiate->ticket_len == 0 )
367  {
368  return;
369  }
370 
371  SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
372 
373  memcpy( p, ssl->session_negotiate->ticket, tlen );
374 
375  *olen += tlen;
376 }
377 #endif /* POLARSSL_SSL_SESSION_TICKETS */
378 
379 static int ssl_write_client_hello( ssl_context *ssl )
380 {
381  int ret;
382  size_t i, n, olen, ext_len = 0;
383  unsigned char *buf;
384  unsigned char *p, *q;
385 #if defined(POLARSSL_HAVE_TIME)
386  time_t t;
387 #endif
388  const int *ciphersuites;
389  const ssl_ciphersuite_t *ciphersuite_info;
390 
391  SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
392 
393  if( ssl->f_rng == NULL )
394  {
395  SSL_DEBUG_MSG( 1, ( "no RNG provided") );
396  return( POLARSSL_ERR_SSL_NO_RNG );
397  }
398 
400  {
401  ssl->major_ver = ssl->min_major_ver;
402  ssl->minor_ver = ssl->min_minor_ver;
403  }
404 
405  if( ssl->max_major_ver == 0 && ssl->max_minor_ver == 0 )
406  {
409  }
410 
411  /*
412  * 0 . 0 handshake type
413  * 1 . 3 handshake length
414  * 4 . 5 highest version supported
415  * 6 . 9 current UNIX time
416  * 10 . 37 random bytes
417  */
418  buf = ssl->out_msg;
419  p = buf + 4;
420 
421  *p++ = (unsigned char) ssl->max_major_ver;
422  *p++ = (unsigned char) ssl->max_minor_ver;
423 
424  SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
425  buf[4], buf[5] ) );
426 
427 #if defined(POLARSSL_HAVE_TIME)
428  t = time( NULL );
429  *p++ = (unsigned char)( t >> 24 );
430  *p++ = (unsigned char)( t >> 16 );
431  *p++ = (unsigned char)( t >> 8 );
432  *p++ = (unsigned char)( t );
433 
434  SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
435 #else
436  if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
437  return( ret );
438 
439  p += 4;
440 #endif
441 
442  if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
443  return( ret );
444 
445  p += 28;
446 
447  memcpy( ssl->handshake->randbytes, buf + 6, 32 );
448 
449  SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 6, 32 );
450 
451  /*
452  * 38 . 38 session id length
453  * 39 . 39+n session id
454  * 40+n . 41+n ciphersuitelist length
455  * 42+n . .. ciphersuitelist
456  * .. . .. compression methods length
457  * .. . .. compression methods
458  * .. . .. extensions length
459  * .. . .. extensions
460  */
461  n = ssl->session_negotiate->length;
462 
463  if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE || n < 16 || n > 32 ||
464  ssl->handshake->resume == 0 )
465  {
466  n = 0;
467  }
468 
469 #if defined(POLARSSL_SSL_SESSION_TICKETS)
470  /*
471  * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
472  * generate and include a Session ID in the TLS ClientHello."
473  */
474  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
475  ssl->session_negotiate->ticket != NULL &&
476  ssl->session_negotiate->ticket_len != 0 )
477  {
478  ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );
479 
480  if( ret != 0 )
481  return( ret );
482 
483  ssl->session_negotiate->length = n = 32;
484  }
485 #endif /* POLARSSL_SSL_SESSION_TICKETS */
486 
487  *p++ = (unsigned char) n;
488 
489  for( i = 0; i < n; i++ )
490  *p++ = ssl->session_negotiate->id[i];
491 
492  SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
493  SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
494 
495  ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
496  n = 0;
497  q = p;
498 
499  // Skip writing ciphersuite length for now
500  p += 2;
501 
502  /*
503  * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
504  */
506  {
507  *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
508  *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO );
509  n++;
510  }
511 
512  for( i = 0; ciphersuites[i] != 0; i++ )
513  {
514  ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
515 
516  if( ciphersuite_info == NULL )
517  continue;
518 
519  if( ciphersuite_info->min_minor_ver > ssl->max_minor_ver ||
520  ciphersuite_info->max_minor_ver < ssl->min_minor_ver )
521  continue;
522 
523  SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
524  ciphersuites[i] ) );
525 
526  n++;
527  *p++ = (unsigned char)( ciphersuites[i] >> 8 );
528  *p++ = (unsigned char)( ciphersuites[i] );
529  }
530 
531  *q++ = (unsigned char)( n >> 7 );
532  *q++ = (unsigned char)( n << 1 );
533 
534  SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
535 
536 
537 #if defined(POLARSSL_ZLIB_SUPPORT)
538  SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
539  SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
541 
542  *p++ = 2;
543  *p++ = SSL_COMPRESS_DEFLATE;
544  *p++ = SSL_COMPRESS_NULL;
545 #else
546  SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
547  SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", SSL_COMPRESS_NULL ) );
548 
549  *p++ = 1;
550  *p++ = SSL_COMPRESS_NULL;
551 #endif
552 
553  // First write extensions, then the total length
554  //
555 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
556  ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
557  ext_len += olen;
558 #endif
559 
560  ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
561  ext_len += olen;
562 
563 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
564  ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
565  ext_len += olen;
566 #endif
567 
568 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
569  ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
570  ext_len += olen;
571 
572  ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
573  ext_len += olen;
574 #endif
575 
576 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
577  ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
578  ext_len += olen;
579 #endif
580 
581 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
582  ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
583  ext_len += olen;
584 #endif
585 
586 #if defined(POLARSSL_SSL_SESSION_TICKETS)
587  ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
588  ext_len += olen;
589 #endif
590 
591  SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
592  ext_len ) );
593 
594  *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
595  *p++ = (unsigned char)( ( ext_len ) & 0xFF );
596  p += ext_len;
597 
598  ssl->out_msglen = p - buf;
600  ssl->out_msg[0] = SSL_HS_CLIENT_HELLO;
601 
602  ssl->state++;
603 
604  if( ( ret = ssl_write_record( ssl ) ) != 0 )
605  {
606  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
607  return( ret );
608  }
609 
610  SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
611 
612  return( 0 );
613 }
614 
615 static int ssl_parse_renegotiation_info( ssl_context *ssl,
616  const unsigned char *buf,
617  size_t len )
618 {
619  int ret;
620 
622  {
623  if( len != 1 || buf[0] != 0x0 )
624  {
625  SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
626 
627  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
628  return( ret );
629 
631  }
632 
634  }
635  else
636  {
637  /* Check verify-data in constant-time. The length OTOH is no secret */
638  if( len != 1 + ssl->verify_data_len * 2 ||
639  buf[0] != ssl->verify_data_len * 2 ||
640  safer_memcmp( buf + 1,
641  ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
642  safer_memcmp( buf + 1 + ssl->verify_data_len,
643  ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
644  {
645  SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
646 
647  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
648  return( ret );
649 
651  }
652  }
653 
654  return( 0 );
655 }
656 
657 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
658 static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
659  const unsigned char *buf,
660  size_t len )
661 {
662  /*
663  * server should use the extension only if we did,
664  * and if so the server's value should match ours (and len is always 1)
665  */
666  if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ||
667  len != 1 ||
668  buf[0] != ssl->mfl_code )
669  {
671  }
672 
673  return( 0 );
674 }
675 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
676 
677 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
678 static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
679  const unsigned char *buf,
680  size_t len )
681 {
682  if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED ||
683  len != 0 )
684  {
686  }
687 
688  ((void) buf);
689 
691 
692  return( 0 );
693 }
694 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
695 
696 #if defined(POLARSSL_SSL_SESSION_TICKETS)
697 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
698  const unsigned char *buf,
699  size_t len )
700 {
702  len != 0 )
703  {
705  }
706 
707  ((void) buf);
708 
709  ssl->handshake->new_session_ticket = 1;
710 
711  return( 0 );
712 }
713 #endif /* POLARSSL_SSL_SESSION_TICKETS */
714 
715 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
716 static int ssl_parse_supported_point_formats_ext( ssl_context *ssl,
717  const unsigned char *buf,
718  size_t len )
719 {
720  size_t list_size;
721  const unsigned char *p;
722 
723  list_size = buf[0];
724  if( list_size + 1 != len )
725  {
726  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
728  }
729 
730  p = buf + 2;
731  while( list_size > 0 )
732  {
733  if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
735  {
736  ssl->handshake->ecdh_ctx.point_format = p[0];
737  SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
738  return( 0 );
739  }
740 
741  list_size--;
742  p++;
743  }
744 
745  return( 0 );
746 }
747 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
748 
749 static int ssl_parse_server_hello( ssl_context *ssl )
750 {
751  int ret, i, comp;
752  size_t n;
753  size_t ext_len = 0;
754  unsigned char *buf, *ext;
755  int renegotiation_info_seen = 0;
756  int handshake_failure = 0;
757 #if defined(POLARSSL_DEBUG_C)
758  uint32_t t;
759 #endif
760 
761  SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
762 
763  /*
764  * 0 . 0 handshake type
765  * 1 . 3 handshake length
766  * 4 . 5 protocol version
767  * 6 . 9 UNIX time()
768  * 10 . 37 random bytes
769  */
770  buf = ssl->in_msg;
771 
772  if( ( ret = ssl_read_record( ssl ) ) != 0 )
773  {
774  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
775  return( ret );
776  }
777 
778  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
779  {
780  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
782  }
783 
784  SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
785  buf[4], buf[5] ) );
786 
787  if( ssl->in_hslen < 42 ||
788  buf[0] != SSL_HS_SERVER_HELLO ||
789  buf[4] != SSL_MAJOR_VERSION_3 )
790  {
791  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
793  }
794 
795  if( buf[5] > ssl->max_minor_ver )
796  {
797  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
799  }
800 
801  ssl->minor_ver = buf[5];
802 
803  if( ssl->minor_ver < ssl->min_minor_ver )
804  {
805  SSL_DEBUG_MSG( 1, ( "server only supports ssl smaller than minimum"
806  " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
807  buf[4], buf[5] ) );
808 
811 
813  }
814 
815 #if defined(POLARSSL_DEBUG_C)
816  t = ( (uint32_t) buf[6] << 24 )
817  | ( (uint32_t) buf[7] << 16 )
818  | ( (uint32_t) buf[8] << 8 )
819  | ( (uint32_t) buf[9] );
820  SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
821 #endif
822 
823  memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
824 
825  n = buf[38];
826 
827  SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
828 
829  if( n > 32 )
830  {
831  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
833  }
834 
835  /*
836  * 38 . 38 session id length
837  * 39 . 38+n session id
838  * 39+n . 40+n chosen ciphersuite
839  * 41+n . 41+n chosen compression alg.
840  * 42+n . 43+n extensions length
841  * 44+n . 44+n+m extensions
842  */
843  if( ssl->in_hslen > 42 + n )
844  {
845  ext_len = ( ( buf[42 + n] << 8 )
846  | ( buf[43 + n] ) );
847 
848  if( ( ext_len > 0 && ext_len < 4 ) ||
849  ssl->in_hslen != 44 + n + ext_len )
850  {
851  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
853  }
854  }
855 
856  i = ( buf[39 + n] << 8 ) | buf[40 + n];
857  comp = buf[41 + n];
858 
859  /*
860  * Initialize update checksum functions
861  */
864 
865  if( ssl->transform_negotiate->ciphersuite_info == NULL )
866  {
867  SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
868  ssl->ciphersuite_list[ssl->minor_ver][i] ) );
870  }
871 
872  SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
873  SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
874 
875  /*
876  * Check if the session can be resumed
877  */
878  if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
879  ssl->handshake->resume == 0 || n == 0 ||
880  ssl->session_negotiate->ciphersuite != i ||
881  ssl->session_negotiate->compression != comp ||
882  ssl->session_negotiate->length != n ||
883  memcmp( ssl->session_negotiate->id, buf + 39, n ) != 0 )
884  {
885  ssl->state++;
886  ssl->handshake->resume = 0;
887 #if defined(POLARSSL_HAVE_TIME)
888  ssl->session_negotiate->start = time( NULL );
889 #endif
890  ssl->session_negotiate->ciphersuite = i;
891  ssl->session_negotiate->compression = comp;
892  ssl->session_negotiate->length = n;
893  memcpy( ssl->session_negotiate->id, buf + 39, n );
894  }
895  else
896  {
898 
899  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
900  {
901  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
902  return( ret );
903  }
904  }
905 
906  SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
907  ssl->handshake->resume ? "a" : "no" ) );
908 
909  SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) );
910  SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) );
911 
912  i = 0;
913  while( 1 )
914  {
915  if( ssl->ciphersuite_list[ssl->minor_ver][i] == 0 )
916  {
917  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
919  }
920 
921  if( ssl->ciphersuite_list[ssl->minor_ver][i++] ==
923  {
924  break;
925  }
926  }
927 
928  if( comp != SSL_COMPRESS_NULL
929 #if defined(POLARSSL_ZLIB_SUPPORT)
930  && comp != SSL_COMPRESS_DEFLATE
931 #endif
932  )
933  {
934  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
936  }
937  ssl->session_negotiate->compression = comp;
938 
939  ext = buf + 44 + n;
940 
941  SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
942 
943  while( ext_len )
944  {
945  unsigned int ext_id = ( ( ext[0] << 8 )
946  | ( ext[1] ) );
947  unsigned int ext_size = ( ( ext[2] << 8 )
948  | ( ext[3] ) );
949 
950  if( ext_size + 4 > ext_len )
951  {
952  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
954  }
955 
956  switch( ext_id )
957  {
959  SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
960  renegotiation_info_seen = 1;
961 
962  if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ) ) != 0 )
963  return( ret );
964 
965  break;
966 
967 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
969  SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
970 
971  if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
972  ext + 4, ext_size ) ) != 0 )
973  {
974  return( ret );
975  }
976 
977  break;
978 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
979 
980 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
982  SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
983 
984  if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
985  ext + 4, ext_size ) ) != 0 )
986  {
987  return( ret );
988  }
989 
990  break;
991 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
992 
993 #if defined(POLARSSL_SSL_SESSION_TICKETS)
995  SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
996 
997  if( ( ret = ssl_parse_session_ticket_ext( ssl,
998  ext + 4, ext_size ) ) != 0 )
999  {
1000  return( ret );
1001  }
1002 
1003  break;
1004 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1005 
1006 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1008  SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
1009 
1010  if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
1011  ext + 4, ext_size ) ) != 0 )
1012  {
1013  return( ret );
1014  }
1015 
1016  break;
1017 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1018 
1019  default:
1020  SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1021  ext_id ) );
1022  }
1023 
1024  ext_len -= 4 + ext_size;
1025  ext += 4 + ext_size;
1026 
1027  if( ext_len > 0 && ext_len < 4 )
1028  {
1029  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1031  }
1032  }
1033 
1034  /*
1035  * Renegotiation security checks
1036  */
1039  {
1040  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1041  handshake_failure = 1;
1042  }
1043  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1045  renegotiation_info_seen == 0 )
1046  {
1047  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1048  handshake_failure = 1;
1049  }
1050  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1053  {
1054  SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1055  handshake_failure = 1;
1056  }
1057  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1059  renegotiation_info_seen == 1 )
1060  {
1061  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1062  handshake_failure = 1;
1063  }
1064 
1065  if( handshake_failure == 1 )
1066  {
1067  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1068  return( ret );
1069 
1071  }
1072 
1073  SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
1074 
1075  return( 0 );
1076 }
1077 
1078 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1079  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1080 static int ssl_parse_server_dh_params( ssl_context *ssl, unsigned char **p,
1081  unsigned char *end )
1082 {
1084 
1085  /*
1086  * Ephemeral DH parameters:
1087  *
1088  * struct {
1089  * opaque dh_p<1..2^16-1>;
1090  * opaque dh_g<1..2^16-1>;
1091  * opaque dh_Ys<1..2^16-1>;
1092  * } ServerDHParams;
1093  */
1094  if( ( ret = dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
1095  {
1096  SSL_DEBUG_RET( 2, ( "dhm_read_params" ), ret );
1097  return( ret );
1098  }
1099 
1100  if( ssl->handshake->dhm_ctx.len < 64 ||
1101  ssl->handshake->dhm_ctx.len > 512 )
1102  {
1103  SSL_DEBUG_MSG( 1, ( "bad server key exchange message (DHM length)" ) );
1105  }
1106 
1107  SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1108  SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1109  SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
1110 
1111  return( ret );
1112 }
1113 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1114  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1115 
1116 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1117  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1118  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1119  defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1120  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1121 static int ssl_check_server_ecdh_params( const ssl_context *ssl )
1122 {
1123  SSL_DEBUG_MSG( 2, ( "ECDH curve size: %d",
1124  (int) ssl->handshake->ecdh_ctx.grp.nbits ) );
1125 
1126  if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
1127  ssl->handshake->ecdh_ctx.grp.nbits > 521 )
1128  {
1129  return( -1 );
1130  }
1131 
1132  SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp );
1133 
1134  return( 0 );
1135 }
1136 #endif
1137 
1138 
1139 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1140  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1141  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1142 static int ssl_parse_server_ecdh_params( ssl_context *ssl,
1143  unsigned char **p,
1144  unsigned char *end )
1145 {
1147 
1148  /*
1149  * Ephemeral ECDH parameters:
1150  *
1151  * struct {
1152  * ECParameters curve_params;
1153  * ECPoint public;
1154  * } ServerECDHParams;
1155  */
1156  if( ( ret = ecdh_read_params( &ssl->handshake->ecdh_ctx,
1157  (const unsigned char **) p, end ) ) != 0 )
1158  {
1159  SSL_DEBUG_RET( 1, ( "ecdh_read_params" ), ret );
1160  return( ret );
1161  }
1162 
1163  if( ssl_check_server_ecdh_params( ssl ) != 0 )
1164  {
1165  SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDH length)" ) );
1167  }
1168 
1169  return( ret );
1170 }
1171 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1172  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1173  POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
1174 
1175 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
1176 static int ssl_parse_server_psk_hint( ssl_context *ssl,
1177  unsigned char **p,
1178  unsigned char *end )
1179 {
1181  size_t len;
1182  ((void) ssl);
1183 
1184  /*
1185  * PSK parameters:
1186  *
1187  * opaque psk_identity_hint<0..2^16-1>;
1188  */
1189  len = (*p)[0] << 8 | (*p)[1];
1190  *p += 2;
1191 
1192  if( (*p) + len > end )
1193  {
1194  SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) );
1196  }
1197 
1198  // TODO: Retrieve PSK identity hint and callback to app
1199  //
1200  *p += len;
1201  ret = 0;
1202 
1203  return( ret );
1204 }
1205 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
1206 
1207 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
1208  defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
1209 /*
1210  * Generate a pre-master secret and encrypt it with the server's RSA key
1211  */
1212 static int ssl_write_encrypted_pms( ssl_context *ssl,
1213  size_t offset, size_t *olen,
1214  size_t pms_offset )
1215 {
1216  int ret;
1217  size_t len_bytes = ssl->minor_ver == SSL_MINOR_VERSION_0 ? 0 : 2;
1218  unsigned char *p = ssl->handshake->premaster + pms_offset;
1219 
1220  /*
1221  * Generate (part of) the pre-master as
1222  * struct {
1223  * ProtocolVersion client_version;
1224  * opaque random[46];
1225  * } PreMasterSecret;
1226  */
1227  p[0] = (unsigned char) ssl->max_major_ver;
1228  p[1] = (unsigned char) ssl->max_minor_ver;
1229 
1230  if( ( ret = ssl->f_rng( ssl->p_rng, p + 2, 46 ) ) != 0 )
1231  {
1232  SSL_DEBUG_RET( 1, "f_rng", ret );
1233  return( ret );
1234  }
1235 
1236  ssl->handshake->pmslen = 48;
1237 
1238  /*
1239  * Now write it out, encrypted
1240  */
1241  if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
1242  POLARSSL_PK_RSA ) )
1243  {
1244  SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
1246  }
1247 
1248  if( ( ret = pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
1249  p, ssl->handshake->pmslen,
1250  ssl->out_msg + offset + len_bytes, olen,
1251  SSL_MAX_CONTENT_LEN - offset - len_bytes,
1252  ssl->f_rng, ssl->p_rng ) ) != 0 )
1253  {
1254  SSL_DEBUG_RET( 1, "rsa_pkcs1_encrypt", ret );
1255  return( ret );
1256  }
1257 
1258 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1259  defined(POLARSSL_SSL_PROTO_TLS1_2)
1260  if( len_bytes == 2 )
1261  {
1262  ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
1263  ssl->out_msg[offset+1] = (unsigned char)( *olen );
1264  *olen += 2;
1265  }
1266 #endif
1267 
1268  return( 0 );
1269 }
1270 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED ||
1271  POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
1272 
1273 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1274 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1275  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1276  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1277 static int ssl_parse_signature_algorithm( ssl_context *ssl,
1278  unsigned char **p,
1279  unsigned char *end,
1280  md_type_t *md_alg,
1281  pk_type_t *pk_alg )
1282 {
1283  ((void) ssl);
1284  *md_alg = POLARSSL_MD_NONE;
1285  *pk_alg = POLARSSL_PK_NONE;
1286 
1287  /* Only in TLS 1.2 */
1288  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
1289  {
1290  return( 0 );
1291  }
1292 
1293  if( (*p) + 2 > end )
1295 
1296  /*
1297  * Get hash algorithm
1298  */
1299  if( ( *md_alg = ssl_md_alg_from_hash( (*p)[0] ) ) == POLARSSL_MD_NONE )
1300  {
1301  SSL_DEBUG_MSG( 2, ( "Server used unsupported "
1302  "HashAlgorithm %d", *(p)[0] ) );
1304  }
1305 
1306  /*
1307  * Get signature algorithm
1308  */
1309  if( ( *pk_alg = ssl_pk_alg_from_sig( (*p)[1] ) ) == POLARSSL_PK_NONE )
1310  {
1311  SSL_DEBUG_MSG( 2, ( "server used unsupported "
1312  "SignatureAlgorithm %d", (*p)[1] ) );
1314  }
1315 
1316  SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
1317  SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
1318  *p += 2;
1319 
1320  return( 0 );
1321 }
1322 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1323  POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1324  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1325 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1326 
1327 
1328 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1329  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1330 static int ssl_get_ecdh_params_from_cert( ssl_context *ssl )
1331 {
1332  int ret;
1333  const ecp_keypair *peer_key;
1334 
1335  if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
1336  POLARSSL_PK_ECKEY ) )
1337  {
1338  SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
1340  }
1341 
1342  peer_key = pk_ec( ssl->session_negotiate->peer_cert->pk );
1343 
1344  if( ( ret = ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
1345  POLARSSL_ECDH_THEIRS ) ) != 0 )
1346  {
1347  SSL_DEBUG_RET( 1, ( "ecdh_get_params" ), ret );
1348  return( ret );
1349  }
1350 
1351  if( ssl_check_server_ecdh_params( ssl ) != 0 )
1352  {
1353  SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH length)" ) );
1355  }
1356 
1357  return( ret );
1358 }
1359 #endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
1360  POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1361 
1362 static int ssl_parse_server_key_exchange( ssl_context *ssl )
1363 {
1364  int ret;
1365  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1366  unsigned char *p, *end;
1367 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1368  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1369  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1370  size_t sig_len, params_len;
1371  unsigned char hash[64];
1372  md_type_t md_alg = POLARSSL_MD_NONE;
1373  size_t hashlen;
1374  pk_type_t pk_alg = POLARSSL_PK_NONE;
1375 #endif
1376 
1377  SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
1378 
1379 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
1380  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
1381  {
1382  SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
1383  ssl->state++;
1384  return( 0 );
1385  }
1386  ((void) p);
1387  ((void) end);
1388 #endif
1389 
1390 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1391  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1392  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
1393  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
1394  {
1395  ssl_get_ecdh_params_from_cert( ssl );
1396 
1397  SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
1398  ssl->state++;
1399  return( 0 );
1400  }
1401  ((void) p);
1402  ((void) end);
1403 #endif
1404 
1405  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1406  {
1407  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1408  return( ret );
1409  }
1410 
1411  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1412  {
1413  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1415  }
1416 
1417  /*
1418  * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
1419  * doesn't use a psk_identity_hint
1420  */
1421  if( ssl->in_msg[0] != SSL_HS_SERVER_KEY_EXCHANGE )
1422  {
1423  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1424  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
1425  {
1426  ssl->record_read = 1;
1427  goto exit;
1428  }
1429 
1430  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1432  }
1433 
1434  p = ssl->in_msg + 4;
1435  end = ssl->in_msg + ssl->in_hslen;
1436  SSL_DEBUG_BUF( 3, "server key exchange", p, ssl->in_hslen - 4 );
1437 
1438 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
1439  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1440  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1441  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1442  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1443  {
1444  if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
1445  {
1446  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1448  }
1449  } /* FALLTROUGH */
1450 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
1451 
1452 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
1453  defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
1454  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1455  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
1456  ; /* nothing more to do */
1457  else
1458 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED ||
1459  POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
1460 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1461  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1462  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1463  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1464  {
1465  if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
1466  {
1467  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1469  }
1470  }
1471  else
1472 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1473  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1474 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1475  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1476  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1477  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
1478  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
1479  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
1480  {
1481  if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
1482  {
1483  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1485  }
1486  }
1487  else
1488 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1489  POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1490  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1491  {
1492  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1494  }
1495 
1496 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1497  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1498  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1499  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1500  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
1501  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
1502  {
1503  params_len = p - ( ssl->in_msg + 4 );
1504 
1505  /*
1506  * Handle the digitally-signed structure
1507  */
1508 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1509  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1510  {
1511  if( ssl_parse_signature_algorithm( ssl, &p, end,
1512  &md_alg, &pk_alg ) != 0 )
1513  {
1514  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1516  }
1517 
1518  if( pk_alg != ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
1519  {
1520  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1522  }
1523  }
1524  else
1525 #endif
1526 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
1527  defined(POLARSSL_SSL_PROTO_TLS1_1)
1528  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
1529  {
1530  pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
1531 
1532  /* Default hash for ECDSA is SHA-1 */
1533  if( pk_alg == POLARSSL_PK_ECDSA && md_alg == POLARSSL_MD_NONE )
1534  md_alg = POLARSSL_MD_SHA1;
1535  }
1536  else
1537 #endif
1538  {
1539  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1541  }
1542 
1543  /*
1544  * Read signature
1545  */
1546  sig_len = ( p[0] << 8 ) | p[1];
1547  p += 2;
1548 
1549  if( end != p + sig_len )
1550  {
1551  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1553  }
1554 
1555  SSL_DEBUG_BUF( 3, "signature", p, sig_len );
1556 
1557  /*
1558  * Compute the hash that has been signed
1559  */
1560 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
1561  defined(POLARSSL_SSL_PROTO_TLS1_1)
1562  if( md_alg == POLARSSL_MD_NONE )
1563  {
1564  md5_context md5;
1566 
1567  hashlen = 36;
1568 
1569  /*
1570  * digitally-signed struct {
1571  * opaque md5_hash[16];
1572  * opaque sha_hash[20];
1573  * };
1574  *
1575  * md5_hash
1576  * MD5(ClientHello.random + ServerHello.random
1577  * + ServerParams);
1578  * sha_hash
1579  * SHA(ClientHello.random + ServerHello.random
1580  * + ServerParams);
1581  */
1582  md5_starts( &md5 );
1583  md5_update( &md5, ssl->handshake->randbytes, 64 );
1584  md5_update( &md5, ssl->in_msg + 4, params_len );
1585  md5_finish( &md5, hash );
1586 
1587  sha1_starts( &sha1 );
1588  sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1589  sha1_update( &sha1, ssl->in_msg + 4, params_len );
1590  sha1_finish( &sha1, hash + 16 );
1591  }
1592  else
1593 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
1594  POLARSSL_SSL_PROTO_TLS1_1 */
1595 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1596  defined(POLARSSL_SSL_PROTO_TLS1_2)
1597  if( md_alg != POLARSSL_MD_NONE )
1598  {
1599  md_context_t ctx;
1600 
1601  /* Info from md_alg will be used instead */
1602  hashlen = 0;
1603 
1604  /*
1605  * digitally-signed struct {
1606  * opaque client_random[32];
1607  * opaque server_random[32];
1608  * ServerDHParams params;
1609  * };
1610  */
1611  if( ( ret = md_init_ctx( &ctx, md_info_from_type( md_alg ) ) ) != 0 )
1612  {
1613  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
1614  return( ret );
1615  }
1616 
1617  md_starts( &ctx );
1618  md_update( &ctx, ssl->handshake->randbytes, 64 );
1619  md_update( &ctx, ssl->in_msg + 4, params_len );
1620  md_finish( &ctx, hash );
1621  md_free_ctx( &ctx );
1622  }
1623  else
1624 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1625  POLARSSL_SSL_PROTO_TLS1_2 */
1626  {
1627  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1629  }
1630 
1631  SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
1632  (unsigned int) ( md_info_from_type( md_alg ) )->size );
1633 
1634  /*
1635  * Verify signature
1636  */
1637  if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
1638  {
1639  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1641  }
1642 
1643  if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
1644  md_alg, hash, hashlen, p, sig_len ) ) != 0 )
1645  {
1646  SSL_DEBUG_RET( 1, "pk_verify", ret );
1647  return( ret );
1648  }
1649  }
1650 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1651  POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1652  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1653 
1654 exit:
1655  ssl->state++;
1656 
1657  SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
1658 
1659  return( 0 );
1660 }
1661 
1662 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1663  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1664  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
1665  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1666 static int ssl_parse_certificate_request( ssl_context *ssl )
1667 {
1669  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1670 
1671  SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
1672 
1673  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1674  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1675  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1676  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1677  {
1678  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
1679  ssl->state++;
1680  return( 0 );
1681  }
1682 
1683  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
1684  return( ret );
1685 }
1686 #else
1687 static int ssl_parse_certificate_request( ssl_context *ssl )
1688 {
1689  int ret;
1690  unsigned char *buf, *p;
1691  size_t n = 0, m = 0;
1692  size_t cert_type_len = 0, dn_len = 0;
1693  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1694 
1695  SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
1696 
1697  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1698  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1699  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1700  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1701  {
1702  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
1703  ssl->state++;
1704  return( 0 );
1705  }
1706 
1707  /*
1708  * 0 . 0 handshake type
1709  * 1 . 3 handshake length
1710  * 4 . 4 cert type count
1711  * 5 .. m-1 cert types
1712  * m .. m+1 sig alg length (TLS 1.2 only)
1713  * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
1714  * n .. n+1 length of all DNs
1715  * n+2 .. n+3 length of DN 1
1716  * n+4 .. ... Distinguished Name #1
1717  * ... .. ... length of DN 2, etc.
1718  */
1719  if( ssl->record_read == 0 )
1720  {
1721  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1722  {
1723  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1724  return( ret );
1725  }
1726 
1727  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1728  {
1729  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1731  }
1732 
1733  ssl->record_read = 1;
1734  }
1735 
1736  ssl->client_auth = 0;
1737  ssl->state++;
1738 
1739  if( ssl->in_msg[0] == SSL_HS_CERTIFICATE_REQUEST )
1740  ssl->client_auth++;
1741 
1742  SSL_DEBUG_MSG( 3, ( "got %s certificate request",
1743  ssl->client_auth ? "a" : "no" ) );
1744 
1745  if( ssl->client_auth == 0 )
1746  goto exit;
1747 
1748  ssl->record_read = 0;
1749 
1750  // TODO: handshake_failure alert for an anonymous server to request
1751  // client authentication
1752 
1753  buf = ssl->in_msg;
1754 
1755  // Retrieve cert types
1756  //
1757  cert_type_len = buf[4];
1758  n = cert_type_len;
1759 
1760  if( ssl->in_hslen < 6 + n )
1761  {
1762  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1764  }
1765 
1766  p = buf + 5;
1767  while( cert_type_len > 0 )
1768  {
1769 #if defined(POLARSSL_RSA_C)
1770  if( *p == SSL_CERT_TYPE_RSA_SIGN &&
1772  {
1774  break;
1775  }
1776  else
1777 #endif
1778 #if defined(POLARSSL_ECDSA_C)
1779  if( *p == SSL_CERT_TYPE_ECDSA_SIGN &&
1781  {
1783  break;
1784  }
1785  else
1786 #endif
1787  {
1788  ; /* Unsupported cert type, ignore */
1789  }
1790 
1791  cert_type_len--;
1792  p++;
1793  }
1794 
1795 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1796  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1797  {
1798  /* Ignored, see comments about hash in write_certificate_verify */
1799  // TODO: should check the signature part against our pk_key though
1800  size_t sig_alg_len = ( ( buf[5 + n] << 8 )
1801  | ( buf[6 + n] ) );
1802 
1803  p = buf + 7 + n;
1804  m += 2;
1805  n += sig_alg_len;
1806 
1807  if( ssl->in_hslen < 6 + n )
1808  {
1809  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1811  }
1812  }
1813 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1814 
1815  /* Ignore certificate_authorities, we only have one cert anyway */
1816  // TODO: should not send cert if no CA matches
1817  dn_len = ( ( buf[5 + m + n] << 8 )
1818  | ( buf[6 + m + n] ) );
1819 
1820  n += dn_len;
1821  if( ssl->in_hslen != 7 + m + n )
1822  {
1823  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1825  }
1826 
1827 exit:
1828  SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
1829 
1830  return( 0 );
1831 }
1832 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
1833  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
1834  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
1835  !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1836 
1837 static int ssl_parse_server_hello_done( ssl_context *ssl )
1838 {
1839  int ret;
1840 
1841  SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
1842 
1843  if( ssl->record_read == 0 )
1844  {
1845  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1846  {
1847  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1848  return( ret );
1849  }
1850 
1851  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1852  {
1853  SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
1855  }
1856  }
1857  ssl->record_read = 0;
1858 
1859  if( ssl->in_hslen != 4 ||
1860  ssl->in_msg[0] != SSL_HS_SERVER_HELLO_DONE )
1861  {
1862  SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
1864  }
1865 
1866  ssl->state++;
1867 
1868  SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
1869 
1870  return( 0 );
1871 }
1872 
1873 static int ssl_write_client_key_exchange( ssl_context *ssl )
1874 {
1875  int ret;
1876  size_t i, n;
1877  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1878 
1879  SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
1880 
1881 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
1882  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
1883  {
1884  /*
1885  * DHM key exchange -- send G^X mod P
1886  */
1887  n = ssl->handshake->dhm_ctx.len;
1888 
1889  ssl->out_msg[4] = (unsigned char)( n >> 8 );
1890  ssl->out_msg[5] = (unsigned char)( n );
1891  i = 6;
1892 
1893  ret = dhm_make_public( &ssl->handshake->dhm_ctx,
1894  (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
1895  &ssl->out_msg[i], n,
1896  ssl->f_rng, ssl->p_rng );
1897  if( ret != 0 )
1898  {
1899  SSL_DEBUG_RET( 1, "dhm_make_public", ret );
1900  return( ret );
1901  }
1902 
1903  SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
1904  SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
1905 
1906  ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
1907 
1908  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
1909  ssl->handshake->premaster,
1910  &ssl->handshake->pmslen,
1911  ssl->f_rng, ssl->p_rng ) ) != 0 )
1912  {
1913  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
1914  return( ret );
1915  }
1916 
1917  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
1918  }
1919  else
1920 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
1921 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1922  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1923  defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1924  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1925  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
1926  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
1927  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
1928  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
1929  {
1930  /*
1931  * ECDH key exchange -- send client public value
1932  */
1933  i = 4;
1934 
1935  ret = ecdh_make_public( &ssl->handshake->ecdh_ctx,
1936  &n,
1937  &ssl->out_msg[i], 1000,
1938  ssl->f_rng, ssl->p_rng );
1939  if( ret != 0 )
1940  {
1941  SSL_DEBUG_RET( 1, "ecdh_make_public", ret );
1942  return( ret );
1943  }
1944 
1945  SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
1946 
1947  if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
1948  &ssl->handshake->pmslen,
1949  ssl->handshake->premaster,
1951  ssl->f_rng, ssl->p_rng ) ) != 0 )
1952  {
1953  SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
1954  return( ret );
1955  }
1956 
1957  SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
1958  }
1959  else
1960 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1961  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1962  POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
1963  POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1964 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
1965  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1966  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1967  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1968  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1969  {
1970  /*
1971  * opaque psk_identity<0..2^16-1>;
1972  */
1973  if( ssl->psk == NULL || ssl->psk_identity == NULL )
1975 
1976  i = 4;
1977  n = ssl->psk_identity_len;
1978  ssl->out_msg[i++] = (unsigned char)( n >> 8 );
1979  ssl->out_msg[i++] = (unsigned char)( n );
1980 
1981  memcpy( ssl->out_msg + i, ssl->psk_identity, ssl->psk_identity_len );
1982  i += ssl->psk_identity_len;
1983 
1984 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
1985  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
1986  {
1987  n = 0;
1988  }
1989  else
1990 #endif
1991 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
1992  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
1993  {
1994  if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
1995  return( ret );
1996  }
1997  else
1998 #endif
1999 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2000  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2001  {
2002  /*
2003  * ClientDiffieHellmanPublic public (DHM send G^X mod P)
2004  */
2005  n = ssl->handshake->dhm_ctx.len;
2006  ssl->out_msg[i++] = (unsigned char)( n >> 8 );
2007  ssl->out_msg[i++] = (unsigned char)( n );
2008 
2009  ret = dhm_make_public( &ssl->handshake->dhm_ctx,
2010  (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
2011  &ssl->out_msg[i], n,
2012  ssl->f_rng, ssl->p_rng );
2013  if( ret != 0 )
2014  {
2015  SSL_DEBUG_RET( 1, "dhm_make_public", ret );
2016  return( ret );
2017  }
2018  }
2019  else
2020 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2021 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2022  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2023  {
2024  /*
2025  * ClientECDiffieHellmanPublic public;
2026  */
2027  ret = ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
2028  &ssl->out_msg[i], SSL_MAX_CONTENT_LEN - i,
2029  ssl->f_rng, ssl->p_rng );
2030  if( ret != 0 )
2031  {
2032  SSL_DEBUG_RET( 1, "ecdh_make_public", ret );
2033  return( ret );
2034  }
2035 
2036  SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
2037  }
2038  else
2039 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2040  {
2041  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2043  }
2044 
2045  if( ( ret = ssl_psk_derive_premaster( ssl,
2046  ciphersuite_info->key_exchange ) ) != 0 )
2047  {
2048  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2049  return( ret );
2050  }
2051  }
2052  else
2053 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
2054 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2055  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
2056  {
2057  i = 4;
2058  if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
2059  return( ret );
2060  }
2061  else
2062 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2063  {
2064  ((void) ciphersuite_info);
2065  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2067  }
2068 
2069  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2070  {
2071  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2072  return( ret );
2073  }
2074 
2075  ssl->out_msglen = i + n;
2078 
2079  ssl->state++;
2080 
2081  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2082  {
2083  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2084  return( ret );
2085  }
2086 
2087  SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
2088 
2089  return( 0 );
2090 }
2091 
2092 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2093  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2094  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2095  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2096 static int ssl_write_certificate_verify( ssl_context *ssl )
2097 {
2099  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2100 
2101  SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
2102 
2103  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2104  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2105  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2106  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2107  {
2108  SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2109  ssl->state++;
2110  return( 0 );
2111  }
2112 
2113  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
2114  return( ret );
2115 }
2116 #else
2117 static int ssl_write_certificate_verify( ssl_context *ssl )
2118 {
2120  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2121  size_t n = 0, offset = 0;
2122  unsigned char hash[48];
2123  unsigned char *hash_start = hash;
2124  md_type_t md_alg = POLARSSL_MD_NONE;
2125  unsigned int hashlen;
2126 
2127  SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
2128 
2129  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2130  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2131  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2132  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2133  {
2134  SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2135  ssl->state++;
2136  return( 0 );
2137  }
2138 
2139  if( ssl->client_auth == 0 || ssl_own_cert( ssl ) == NULL )
2140  {
2141  SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2142  ssl->state++;
2143  return( 0 );
2144  }
2145 
2146  if( ssl_own_key( ssl ) == NULL )
2147  {
2148  SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2150  }
2151 
2152  /*
2153  * Make an RSA signature of the handshake digests
2154  */
2155  ssl->handshake->calc_verify( ssl, hash );
2156 
2157 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2158  defined(POLARSSL_SSL_PROTO_TLS1_1)
2159  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
2160  {
2161  /*
2162  * digitally-signed struct {
2163  * opaque md5_hash[16];
2164  * opaque sha_hash[20];
2165  * };
2166  *
2167  * md5_hash
2168  * MD5(handshake_messages);
2169  *
2170  * sha_hash
2171  * SHA(handshake_messages);
2172  */
2173  hashlen = 36;
2174  md_alg = POLARSSL_MD_NONE;
2175 
2176  /*
2177  * For ECDSA, default hash is SHA-1 only
2178  */
2179  if( pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECDSA ) )
2180  {
2181  hash_start += 16;
2182  hashlen -= 16;
2183  md_alg = POLARSSL_MD_SHA1;
2184  }
2185  }
2186  else
2187 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
2188  POLARSSL_SSL_PROTO_TLS1_1 */
2189 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2190  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2191  {
2192  /*
2193  * digitally-signed struct {
2194  * opaque handshake_messages[handshake_messages_length];
2195  * };
2196  *
2197  * Taking shortcut here. We assume that the server always allows the
2198  * PRF Hash function and has sent it in the allowed signature
2199  * algorithms list received in the Certificate Request message.
2200  *
2201  * Until we encounter a server that does not, we will take this
2202  * shortcut.
2203  *
2204  * Reason: Otherwise we should have running hashes for SHA512 and SHA224
2205  * in order to satisfy 'weird' needs from the server side.
2206  */
2209  {
2210  md_alg = POLARSSL_MD_SHA384;
2211  ssl->out_msg[4] = SSL_HASH_SHA384;
2212  }
2213  else
2214  {
2215  md_alg = POLARSSL_MD_SHA256;
2216  ssl->out_msg[4] = SSL_HASH_SHA256;
2217  }
2218  ssl->out_msg[5] = ssl_sig_from_pk( ssl_own_key( ssl ) );
2219 
2220  /* Info from md_alg will be used instead */
2221  hashlen = 0;
2222  offset = 2;
2223  }
2224  else
2225 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2226  {
2227  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2229  }
2230 
2231  if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash_start, hashlen,
2232  ssl->out_msg + 6 + offset, &n,
2233  ssl->f_rng, ssl->p_rng ) ) != 0 )
2234  {
2235  SSL_DEBUG_RET( 1, "pk_sign", ret );
2236  return( ret );
2237  }
2238 
2239  ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
2240  ssl->out_msg[5 + offset] = (unsigned char)( n );
2241 
2242  ssl->out_msglen = 6 + n + offset;
2245 
2246  ssl->state++;
2247 
2248  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2249  {
2250  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2251  return( ret );
2252  }
2253 
2254  SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
2255 
2256  return( ret );
2257 }
2258 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2259  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2260  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2261 
2262 #if defined(POLARSSL_SSL_SESSION_TICKETS)
2263 static int ssl_parse_new_session_ticket( ssl_context *ssl )
2264 {
2265  int ret;
2266  uint32_t lifetime;
2267  size_t ticket_len;
2268  unsigned char *ticket;
2269 
2270  SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
2271 
2272  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2273  {
2274  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2275  return( ret );
2276  }
2277 
2278  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2279  {
2280  SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2282  }
2283 
2284  /*
2285  * struct {
2286  * uint32 ticket_lifetime_hint;
2287  * opaque ticket<0..2^16-1>;
2288  * } NewSessionTicket;
2289  *
2290  * 0 . 0 handshake message type
2291  * 1 . 3 handshake message length
2292  * 4 . 7 ticket_lifetime_hint
2293  * 8 . 9 ticket_len (n)
2294  * 10 . 9+n ticket content
2295  */
2296  if( ssl->in_msg[0] != SSL_HS_NEW_SESSION_TICKET ||
2297  ssl->in_hslen < 10 )
2298  {
2299  SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2301  }
2302 
2303  lifetime = ( ssl->in_msg[4] << 24 ) | ( ssl->in_msg[5] << 16 ) |
2304  ( ssl->in_msg[6] << 8 ) | ( ssl->in_msg[7] );
2305 
2306  ticket_len = ( ssl->in_msg[8] << 8 ) | ( ssl->in_msg[9] );
2307 
2308  if( ticket_len + 10 != ssl->in_hslen )
2309  {
2310  SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2312  }
2313 
2314  SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
2315 
2316  /* We're not waiting for a NewSessionTicket message any more */
2317  ssl->handshake->new_session_ticket = 0;
2318 
2319  /*
2320  * Zero-length ticket means the server changed his mind and doesn't want
2321  * to send a ticket after all, so just forget it
2322  */
2323  if( ticket_len == 0)
2324  return( 0 );
2325 
2327  ssl->session_negotiate->ticket = NULL;
2328  ssl->session_negotiate->ticket_len = 0;
2329 
2330  if( ( ticket = polarssl_malloc( ticket_len ) ) == NULL )
2331  {
2332  SSL_DEBUG_MSG( 1, ( "ticket malloc failed" ) );
2334  }
2335 
2336  memcpy( ticket, ssl->in_msg + 10, ticket_len );
2337 
2338  ssl->session_negotiate->ticket = ticket;
2339  ssl->session_negotiate->ticket_len = ticket_len;
2340  ssl->session_negotiate->ticket_lifetime = lifetime;
2341 
2342  /*
2343  * RFC 5077 section 3.4:
2344  * "If the client receives a session ticket from the server, then it
2345  * discards any Session ID that was sent in the ServerHello."
2346  */
2347  SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
2348  ssl->session_negotiate->length = 0;
2349 
2350  SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
2351 
2352  return( 0 );
2353 }
2354 #endif /* POLARSSL_SSL_SESSION_TICKETS */
2355 
2356 /*
2357  * SSL handshake -- client side -- single step
2358  */
2360 {
2361  int ret = 0;
2362 
2363  if( ssl->state == SSL_HANDSHAKE_OVER )
2365 
2366  SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
2367 
2368  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2369  return( ret );
2370 
2371  switch( ssl->state )
2372  {
2373  case SSL_HELLO_REQUEST:
2374  ssl->state = SSL_CLIENT_HELLO;
2375  break;
2376 
2377  /*
2378  * ==> ClientHello
2379  */
2380  case SSL_CLIENT_HELLO:
2381  ret = ssl_write_client_hello( ssl );
2382  break;
2383 
2384  /*
2385  * <== ServerHello
2386  * Certificate
2387  * ( ServerKeyExchange )
2388  * ( CertificateRequest )
2389  * ServerHelloDone
2390  */
2391  case SSL_SERVER_HELLO:
2392  ret = ssl_parse_server_hello( ssl );
2393  break;
2394 
2396  ret = ssl_parse_certificate( ssl );
2397  break;
2398 
2400  ret = ssl_parse_server_key_exchange( ssl );
2401  break;
2402 
2404  ret = ssl_parse_certificate_request( ssl );
2405  break;
2406 
2407  case SSL_SERVER_HELLO_DONE:
2408  ret = ssl_parse_server_hello_done( ssl );
2409  break;
2410 
2411  /*
2412  * ==> ( Certificate/Alert )
2413  * ClientKeyExchange
2414  * ( CertificateVerify )
2415  * ChangeCipherSpec
2416  * Finished
2417  */
2419  ret = ssl_write_certificate( ssl );
2420  break;
2421 
2423  ret = ssl_write_client_key_exchange( ssl );
2424  break;
2425 
2427  ret = ssl_write_certificate_verify( ssl );
2428  break;
2429 
2431  ret = ssl_write_change_cipher_spec( ssl );
2432  break;
2433 
2434  case SSL_CLIENT_FINISHED:
2435  ret = ssl_write_finished( ssl );
2436  break;
2437 
2438  /*
2439  * <== ( NewSessionTicket )
2440  * ChangeCipherSpec
2441  * Finished
2442  */
2444 #if defined(POLARSSL_SSL_SESSION_TICKETS)
2445  if( ssl->handshake->new_session_ticket != 0 )
2446  ret = ssl_parse_new_session_ticket( ssl );
2447  else
2448 #endif
2449  ret = ssl_parse_change_cipher_spec( ssl );
2450  break;
2451 
2452  case SSL_SERVER_FINISHED:
2453  ret = ssl_parse_finished( ssl );
2454  break;
2455 
2456  case SSL_FLUSH_BUFFERS:
2457  SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2458  ssl->state = SSL_HANDSHAKE_WRAPUP;
2459  break;
2460 
2461  case SSL_HANDSHAKE_WRAPUP:
2462  ssl_handshake_wrapup( ssl );
2463  break;
2464 
2465  default:
2466  SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2468  }
2469 
2470  return( ret );
2471 }
2472 #endif
#define SSL_HS_CLIENT_KEY_EXCHANGE
Definition: ssl.h:326
#define SSL_CERT_TYPE_ECDSA_SIGN
Definition: ssl.h:276
unsigned char * hostname
Definition: ssl.h:751
#define SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:287
unsigned char mfl_code
Definition: ssl.h:693
size_t length
Definition: ssl.h:428
int ciphersuite
Definition: ssl.h:426
mpi P
Definition: dhm.h:146
int trunc_hmac
Definition: ssl.h:725
int ecdh_make_public(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Setup and export the client&#39;s public value.
size_t in_hslen
Definition: ssl.h:673
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:611
#define TLS_EXT_SERVERNAME_HOSTNAME
Definition: ssl.h:333
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE
Processing of the ServerKeyExchange handshake message failed.
Definition: ssl.h:118
int record_read
Definition: ssl.h:675
Memory allocation layer.
int major_ver
Definition: ssl.h:600
#define SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:41
ecp_group_id grp_id
Definition: ecp.h:85
SHA-1 context structure.
Definition: sha1.h:54
void *(* polarssl_malloc)(size_t len)
int compression
Definition: ssl.h:427
#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH
Public key type mismatch (eg, asked for RSA key exchange and presented EC key)
Definition: ssl.h:133
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE
Processing of the ServerHelloDone handshake message failed.
Definition: ssl.h:119
#define POLARSSL_ECP_PF_COMPRESSED
Compressed point format.
Definition: ecp.h:214
pk_type_t ssl_pk_alg_from_sig(unsigned char sig)
int state
Definition: ssl.h:597
#define POLARSSL_MPI_MAX_SIZE
Maximum number of bytes for usable MPIs.
Definition: bignum.h:87
int ecdh_calc_secret(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret.
char peer_verify_data[36]
Definition: ssl.h:762
#define SSL_HS_CLIENT_HELLO
Definition: ssl.h:318
const ecp_curve_info * ecp_curve_list(void)
Return the list of supported curves with associated info.
Debug functions.
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
void(* calc_verify)(ssl_context *, unsigned char *)
Definition: ssl.h:544
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
int md_starts(md_context_t *ctx)
Set-up the given context for a new message digest.
#define SSL_HS_SERVER_KEY_EXCHANGE
Definition: ssl.h:322
#define TLS_EXT_TRUNCATED_HMAC
Definition: ssl.h:337
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO
Processing of the ServerHello handshake message failed.
Definition: ssl.h:115
#define SSL_HS_NEW_SESSION_TICKET
Definition: ssl.h:320
size_t ticket_len
Definition: ssl.h:439
#define SSL_HASH_SHA1
Definition: ssl.h:261
ssl_session * session_negotiate
Definition: ssl.h:647
int ssl_parse_certificate(ssl_context *ssl)
size_t out_msglen
Definition: ssl.h:686
mpi GX
Definition: dhm.h:149
#define SSL_SESSION_TICKETS_DISABLED
Definition: ssl.h:221
#define SSL_SIG_RSA
Definition: ssl.h:268
const int * ciphersuite_list[4]
Definition: ssl.h:723
int ssl_parse_finished(ssl_context *ssl)
void * p_rng
Definition: ssl.h:618
int md_init_ctx(md_context_t *ctx, const md_info_t *md_info)
Initialises and fills the message digest context structure with the appropriate values.
#define SSL_RENEGOTIATION
Definition: ssl.h:203
unsigned char premaster[POLARSSL_PREMASTER_SIZE]
Definition: ssl.h:553
#define POLARSSL_ECP_PF_UNCOMPRESSED
Uncompressed point format.
Definition: ecp.h:213
#define POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET
Processing of the NewSessionTicket handshake message failed.
Definition: ssl.h:131
int ssl_write_finished(ssl_context *ssl)
Configuration options (set of defines)
#define SSL_DEBUG_MSG(level, args)
Definition: debug.h:38
size_t psk_identity_len
Definition: ssl.h:744
mpi X
Definition: dhm.h:148
#define SSL_TRUNC_HMAC_ENABLED
Definition: ssl.h:218
void ssl_handshake_wrapup(ssl_context *ssl)
char own_verify_data[36]
Definition: ssl.h:761
int ecdh_get_params(ecdh_context *ctx, const ecp_keypair *key, ecdh_side side)
Setup an ECDH context from an EC key.
ECP key pair structure.
Definition: ecp.h:156
#define SSL_SIG_ECDSA
Definition: ssl.h:269
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
#define SSL_MAX_MAJOR_VERSION
Definition: ssl.h:166
int secure_renegotiation
Definition: ssl.h:758
time_t start
Definition: ssl.h:424
#define pk_ec(pk)
Quick access to an EC context inside a PK context.
Definition: pk.h:79
#define SSL_HASH_MD5
Definition: ssl.h:260
#define SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:213
#define SSL_MAJOR_VERSION_3
Definition: ssl.h:140
unsigned char id[32]
Definition: ssl.h:429
pk_type_t ssl_get_ciphersuite_sig_pk_alg(const ssl_ciphersuite_t *info)
const ssl_ciphersuite_t * ciphersuite_info
Definition: ssl.h:461
unsigned char * psk
Definition: ssl.h:741
size_t len
Definition: dhm.h:145
int max_major_ver
Definition: ssl.h:603
ecp_point Qp
Definition: ecdh.h:53
md_type_t
Definition: md.h:51
int max_minor_ver
Definition: ssl.h:604
int dhm_read_params(dhm_context *ctx, unsigned char **p, const unsigned char *end)
Parse the ServerKeyExchange parameters.
const md_info_t * md_info_from_type(md_type_t md_type)
Returns the message digest information associated with the given digest type.
#define TLS_EXT_SIG_ALG
Definition: ssl.h:342
#define SSL_CERT_TYPE_RSA_SIGN
Definition: ssl.h:275
#define SSL_HS_CERTIFICATE_REQUEST
Definition: ssl.h:323
ssl_handshake_params * handshake
Definition: ssl.h:649
#define SSL_MSG_HANDSHAKE
Definition: ssl.h:283
int ssl_write_certificate(ssl_context *ssl)
#define SSL_ALERT_MSG_PROTOCOL_VERSION
Definition: ssl.h:308
#define POLARSSL_ERR_SSL_NO_RNG
No RNG was provided to the SSL module.
Definition: ssl.h:104
#define SSL_TRUNC_HMAC_DISABLED
Definition: ssl.h:217
int in_msgtype
Definition: ssl.h:669
size_t verify_data_len
Definition: ssl.h:760
mpi G
Definition: dhm.h:147
int point_format
Definition: ecdh.h:55
int min_minor_ver
Definition: ssl.h:606
unsigned char * out_msg
Definition: ssl.h:683
#define SSL_MINOR_VERSION_0
Definition: ssl.h:141
int client_auth
Definition: ssl.h:719
int pk_verify(pk_context *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len)
Verify signature.
#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION
Handshake protocol not within min/max boundaries.
Definition: ssl.h:130
ecdh_context ecdh_ctx
Definition: ssl.h:508
#define SSL_HS_SERVER_HELLO_DONE
Definition: ssl.h:324
static x509_crt * ssl_own_cert(ssl_context *ssl)
Definition: ssl.h:1566
void(* polarssl_free)(void *ptr)
int ssl_handshake_client_step(ssl_context *ssl)
#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE
An unexpected message was received from our peer.
Definition: ssl.h:110
unsigned char * ticket
Definition: ssl.h:438
key_exchange_type_t key_exchange
int new_session_ticket
Definition: ssl.h:562
mpi GY
Definition: dhm.h:150
int trunc_hmac
Definition: ssl.h:448
Curve information for use by other modules.
Definition: ecp.h:83
int pk_can_do(pk_context *ctx, pk_type_t type)
Tell if a context can do the operation given by type.
void md5_starts(md5_context *ctx)
MD5 context setup.
unsigned char ssl_sig_from_pk(pk_context *pk)
int ssl_flush_output(ssl_context *ssl)
#define TLS_EXT_SESSION_TICKET
Definition: ssl.h:344
#define SSL_HS_SERVER_HELLO
Definition: ssl.h:319
#define SSL_COMPRESS_DEFLATE
Definition: ssl.h:196
unsigned char * in_msg
Definition: ssl.h:666
mpi z
Definition: ecdh.h:54
#define SSL_MINOR_VERSION_3
Definition: ssl.h:144
mpi K
Definition: dhm.h:151
MD5 context structure.
Definition: md5.h:54
#define TLS_EXT_RENEGOTIATION_INFO
Definition: ssl.h:346
pk_type_t
Public key types.
Definition: pk.h:90
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST
Processing of the CertificateRequest handshake message failed.
Definition: ssl.h:117
int ssl_parse_change_cipher_spec(ssl_context *ssl)
size_t hostname_len
Definition: ssl.h:752
int ecdh_read_params(ecdh_context *ctx, const unsigned char **buf, const unsigned char *end)
Parse the ServerKeyExhange parameters.
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
int minor_ver
Definition: ssl.h:601
#define SSL_EMPTY_RENEGOTIATION_INFO
renegotiation info ext
Definition: ssl.h:253
This structure is used for storing ciphersuite information.
#define SSL_HASH_SHA256
Definition: ssl.h:263
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:44
#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED
The own private key or pre-shared key is not set, but needed.
Definition: ssl.h:108
#define SSL_INITIAL_HANDSHAKE
Definition: ssl.h:202
#define SSL_MAX_MINOR_VERSION
Definition: ssl.h:169
int session_tickets
Definition: ssl.h:728
int allow_legacy_renegotiation
Definition: ssl.h:722
#define SSL_COMPRESS_NULL
Definition: ssl.h:195
const ssl_ciphersuite_t * ssl_ciphersuite_from_id(int ciphersuite_id)
int ssl_read_record(ssl_context *ssl)
int out_msgtype
Definition: ssl.h:685
#define TLS_EXT_MAX_FRAGMENT_LENGTH
Definition: ssl.h:335
size_t nbits
Definition: ecp.h:138
#define SSL_MAX_FRAG_LEN_NONE
Definition: ssl.h:186
#define SSL_HS_CERTIFICATE_VERIFY
Definition: ssl.h:325
#define TLS_EXT_SERVERNAME
Definition: ssl.h:332
int pk_sign(pk_context *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, unsigned char *sig, size_t *sig_len, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Make signature.
int dhm_make_public(dhm_context *ctx, int x_size, unsigned char *output, size_t olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Create own private value X and export G^X.
#define SSL_DEBUG_MPI(level, text, X)
Definition: debug.h:48
size_t mpi_size(const mpi *X)
Return the total size in bytes.
#define SSL_LEGACY_BREAK_HANDSHAKE
Definition: ssl.h:215
int pk_encrypt(pk_context *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, size_t osize, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Encrypt message.
int min_major_ver
Definition: ssl.h:605
pk_context pk
Container for the public key context.
Definition: x509_crt.h:71
ssl_transform * transform_negotiate
Definition: ssl.h:658
#define SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:207
#define SSL_HASH_SHA224
Definition: ssl.h:262
uint32_t ticket_lifetime
Definition: ssl.h:440
#define SSL_SECURE_RENEGOTIATION
Definition: ssl.h:208
SSL/TLS functions.
#define POLARSSL_ERR_SSL_MALLOC_FAILED
Memory allocation failed.
Definition: ssl.h:126
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
#define TLS_EXT_SUPPORTED_POINT_FORMATS
Definition: ssl.h:340
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
int ssl_write_change_cipher_spec(ssl_context *ssl)
#define SSL_DEBUG_ECP(level, text, X)
Definition: debug.h:53
uint16_t tls_id
Definition: ecp.h:86
int ssl_derive_keys(ssl_context *ssl)
static pk_context * ssl_own_key(ssl_context *ssl)
Definition: ssl.h:1560
int md_finish(md_context_t *ctx, unsigned char *output)
Generic message digest final digest.
int ssl_psk_derive_premaster(ssl_context *ssl, key_exchange_type_t key_ex)
int renegotiation
Definition: ssl.h:598
dhm_context dhm_ctx
Definition: ssl.h:505
static int safer_memcmp(const void *a, const void *b, size_t n)
Definition: ssl.h:1574
int md_free_ctx(md_context_t *ctx)
Free the message-specific context of ctx.
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
#define SSL_MAX_CONTENT_LEN
Size of the input / output buffer.
Definition: ssl.h:236
unsigned char * psk_identity
Definition: ssl.h:743
#define TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
Definition: ssl.h:339
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition: ssl.h:97
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE
Processing of the Certificate handshake message failed.
Definition: ssl.h:116
int md_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic message digest process buffer.
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition: ssl.h:98
#define SSL_HASH_SHA512
Definition: ssl.h:265
#define SSL_HASH_SHA384
Definition: ssl.h:264
int ssl_write_record(ssl_context *ssl)
unsigned char randbytes[64]
Definition: ssl.h:552
ecp_group grp
Definition: ecdh.h:50
Generic message digest context.
Definition: md.h:129
void ssl_optimize_checksum(ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info)
ecp_point Q
Definition: ecdh.h:52
x509_crt * peer_cert
Definition: ssl.h:433
md_type_t ssl_md_alg_from_hash(unsigned char hash)
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret (G^Y)^X mod P.