PolarSSL v1.3.4
ssl_cli.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 client-side functions
3  *
4  * Copyright (C) 2006-2013, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 #include "polarssl/config.h"
27 
28 #if defined(POLARSSL_SSL_CLI_C)
29 
30 #include "polarssl/debug.h"
31 #include "polarssl/ssl.h"
32 
33 #if defined(POLARSSL_MEMORY_C)
34 #include "polarssl/memory.h"
35 #else
36 #define polarssl_malloc malloc
37 #define polarssl_free free
38 #endif
39 
40 #include <stdlib.h>
41 #include <stdio.h>
42 
43 #if defined(_MSC_VER) && !defined(EFIX64) && !defined(EFI32)
44 #include <basetsd.h>
45 typedef UINT32 uint32_t;
46 #else
47 #include <inttypes.h>
48 #endif
49 
50 #if defined(POLARSSL_HAVE_TIME)
51 #include <time.h>
52 #endif
53 
54 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
55 static void ssl_write_hostname_ext( ssl_context *ssl,
56  unsigned char *buf,
57  size_t *olen )
58 {
59  unsigned char *p = buf;
60 
61  *olen = 0;
62 
63  if ( ssl->hostname == NULL )
64  return;
65 
66  SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
67  ssl->hostname ) );
68 
69  /*
70  * struct {
71  * NameType name_type;
72  * select (name_type) {
73  * case host_name: HostName;
74  * } name;
75  * } ServerName;
76  *
77  * enum {
78  * host_name(0), (255)
79  * } NameType;
80  *
81  * opaque HostName<1..2^16-1>;
82  *
83  * struct {
84  * ServerName server_name_list<1..2^16-1>
85  * } ServerNameList;
86  */
87  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
88  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME ) & 0xFF );
89 
90  *p++ = (unsigned char)( ( (ssl->hostname_len + 5) >> 8 ) & 0xFF );
91  *p++ = (unsigned char)( ( (ssl->hostname_len + 5) ) & 0xFF );
92 
93  *p++ = (unsigned char)( ( (ssl->hostname_len + 3) >> 8 ) & 0xFF );
94  *p++ = (unsigned char)( ( (ssl->hostname_len + 3) ) & 0xFF );
95 
96  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
97  *p++ = (unsigned char)( ( ssl->hostname_len >> 8 ) & 0xFF );
98  *p++ = (unsigned char)( ( ssl->hostname_len ) & 0xFF );
99 
100  memcpy( p, ssl->hostname, ssl->hostname_len );
101 
102  *olen = ssl->hostname_len + 9;
103 }
104 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
105 
106 static void ssl_write_renegotiation_ext( ssl_context *ssl,
107  unsigned char *buf,
108  size_t *olen )
109 {
110  unsigned char *p = buf;
111 
112  *olen = 0;
113 
114  if( ssl->renegotiation != SSL_RENEGOTIATION )
115  return;
116 
117  SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
118 
119  /*
120  * Secure renegotiation
121  */
122  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
123  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
124 
125  *p++ = 0x00;
126  *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
127  *p++ = ssl->verify_data_len & 0xFF;
128 
129  memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
130 
131  *olen = 5 + ssl->verify_data_len;
132 }
133 
134 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
135 static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
136  unsigned char *buf,
137  size_t *olen )
138 {
139  unsigned char *p = buf;
140  unsigned char *sig_alg_list = buf + 6;
141  size_t sig_alg_len = 0;
142 
143  *olen = 0;
144 
145  if( ssl->max_minor_ver != SSL_MINOR_VERSION_3 )
146  return;
147 
148  SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
149 
150  /*
151  * Prepare signature_algorithms extension (TLS 1.2)
152  */
153 #if defined(POLARSSL_RSA_C)
154 #if defined(POLARSSL_SHA512_C)
155  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
156  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
157  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
158  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
159 #endif
160 #if defined(POLARSSL_SHA256_C)
161  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
162  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
163  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
164  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
165 #endif
166 #if defined(POLARSSL_SHA1_C)
167  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
168  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
169 #endif
170 #if defined(POLARSSL_MD5_C)
171  sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
172  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
173 #endif
174 #endif /* POLARSSL_RSA_C */
175 #if defined(POLARSSL_ECDSA_C)
176 #if defined(POLARSSL_SHA512_C)
177  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
178  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
179  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
180  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
181 #endif
182 #if defined(POLARSSL_SHA256_C)
183  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
184  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
185  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
186  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
187 #endif
188 #if defined(POLARSSL_SHA1_C)
189  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
190  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
191 #endif
192 #if defined(POLARSSL_MD5_C)
193  sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
194  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
195 #endif
196 #endif /* POLARSSL_ECDSA_C */
197 
198  /*
199  * enum {
200  * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
201  * sha512(6), (255)
202  * } HashAlgorithm;
203  *
204  * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
205  * SignatureAlgorithm;
206  *
207  * struct {
208  * HashAlgorithm hash;
209  * SignatureAlgorithm signature;
210  * } SignatureAndHashAlgorithm;
211  *
212  * SignatureAndHashAlgorithm
213  * supported_signature_algorithms<2..2^16-2>;
214  */
215  *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
216  *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG ) & 0xFF );
217 
218  *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
219  *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
220 
221  *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
222  *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
223 
224  *olen = 6 + sig_alg_len;
225 }
226 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
227 
228 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
229 static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
230  unsigned char *buf,
231  size_t *olen )
232 {
233  unsigned char *p = buf;
234  unsigned char *elliptic_curve_list = p + 6;
235  size_t elliptic_curve_len = 0;
236  const ecp_curve_info *curve;
237  ((void) ssl);
238 
239  *olen = 0;
240 
241  SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
242 
243  for( curve = ecp_curve_list();
244  curve->grp_id != POLARSSL_ECP_DP_NONE;
245  curve++ )
246  {
247  elliptic_curve_list[elliptic_curve_len++] = curve->tls_id >> 8;
248  elliptic_curve_list[elliptic_curve_len++] = curve->tls_id & 0xFF;
249  }
250 
251  if( elliptic_curve_len == 0 )
252  return;
253 
254  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
255  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
256 
257  *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
258  *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
259 
260  *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
261  *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
262 
263  *olen = 6 + elliptic_curve_len;
264 }
265 
266 static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
267  unsigned char *buf,
268  size_t *olen )
269 {
270  unsigned char *p = buf;
271  ((void) ssl);
272 
273  *olen = 0;
274 
275  SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
276 
277  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
278  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
279 
280  *p++ = 0x00;
281  *p++ = 2;
282 
283  *p++ = 1;
285 
286  *olen = 6;
287 }
288 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
289 
290 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
291 static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
292  unsigned char *buf,
293  size_t *olen )
294 {
295  unsigned char *p = buf;
296 
297  if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ) {
298  *olen = 0;
299  return;
300  }
301 
302  SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
303 
304  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
305  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
306 
307  *p++ = 0x00;
308  *p++ = 1;
309 
310  *p++ = ssl->mfl_code;
311 
312  *olen = 5;
313 }
314 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
315 
316 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
317 static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
318  unsigned char *buf, size_t *olen )
319 {
320  unsigned char *p = buf;
321 
322  if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
323  {
324  *olen = 0;
325  return;
326  }
327 
328  SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
329 
330  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
331  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
332 
333  *p++ = 0x00;
334  *p++ = 0x00;
335 
336  *olen = 4;
337 }
338 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
339 
340 #if defined(POLARSSL_SSL_SESSION_TICKETS)
341 static void ssl_write_session_ticket_ext( ssl_context *ssl,
342  unsigned char *buf, size_t *olen )
343 {
344  unsigned char *p = buf;
345  size_t tlen = ssl->session_negotiate->ticket_len;
346 
348  {
349  *olen = 0;
350  return;
351  }
352 
353  SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
354 
355  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
356  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
357 
358  *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
359  *p++ = (unsigned char)( ( tlen ) & 0xFF );
360 
361  *olen = 4;
362 
363  if( ssl->session_negotiate->ticket == NULL ||
364  ssl->session_negotiate->ticket_len == 0 )
365  {
366  return;
367  }
368 
369  SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
370 
371  memcpy( p, ssl->session_negotiate->ticket, tlen );
372 
373  *olen += tlen;
374 }
375 #endif /* POLARSSL_SSL_SESSION_TICKETS */
376 
377 static int ssl_write_client_hello( ssl_context *ssl )
378 {
379  int ret;
380  size_t i, n, olen, ext_len = 0;
381  unsigned char *buf;
382  unsigned char *p, *q;
383 #if defined(POLARSSL_HAVE_TIME)
384  time_t t;
385 #endif
386  const int *ciphersuites;
387  const ssl_ciphersuite_t *ciphersuite_info;
388 
389  SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
390 
391  if( ssl->f_rng == NULL )
392  {
393  SSL_DEBUG_MSG( 1, ( "no RNG provided") );
394  return( POLARSSL_ERR_SSL_NO_RNG );
395  }
396 
398  {
399  ssl->major_ver = ssl->min_major_ver;
400  ssl->minor_ver = ssl->min_minor_ver;
401  }
402 
403  if( ssl->max_major_ver == 0 && ssl->max_minor_ver == 0 )
404  {
407  }
408 
409  /*
410  * 0 . 0 handshake type
411  * 1 . 3 handshake length
412  * 4 . 5 highest version supported
413  * 6 . 9 current UNIX time
414  * 10 . 37 random bytes
415  */
416  buf = ssl->out_msg;
417  p = buf + 4;
418 
419  *p++ = (unsigned char) ssl->max_major_ver;
420  *p++ = (unsigned char) ssl->max_minor_ver;
421 
422  SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
423  buf[4], buf[5] ) );
424 
425 #if defined(POLARSSL_HAVE_TIME)
426  t = time( NULL );
427  *p++ = (unsigned char)( t >> 24 );
428  *p++ = (unsigned char)( t >> 16 );
429  *p++ = (unsigned char)( t >> 8 );
430  *p++ = (unsigned char)( t );
431 
432  SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
433 #else
434  if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
435  return( ret );
436 
437  p += 4;
438 #endif
439 
440  if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
441  return( ret );
442 
443  p += 28;
444 
445  memcpy( ssl->handshake->randbytes, buf + 6, 32 );
446 
447  SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 6, 32 );
448 
449  /*
450  * 38 . 38 session id length
451  * 39 . 39+n session id
452  * 40+n . 41+n ciphersuitelist length
453  * 42+n . .. ciphersuitelist
454  * .. . .. compression methods length
455  * .. . .. compression methods
456  * .. . .. extensions length
457  * .. . .. extensions
458  */
459  n = ssl->session_negotiate->length;
460 
461  if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE || n < 16 || n > 32 ||
462  ssl->handshake->resume == 0 )
463  {
464  n = 0;
465  }
466 
467 #if defined(POLARSSL_SSL_SESSION_TICKETS)
468  /*
469  * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
470  * generate and include a Session ID in the TLS ClientHello."
471  */
472  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
473  ssl->session_negotiate->ticket != NULL &&
474  ssl->session_negotiate->ticket_len != 0 )
475  {
476  ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );
477 
478  if( ret != 0 )
479  return( ret );
480 
481  ssl->session_negotiate->length = n = 32;
482  }
483 #endif /* POLARSSL_SSL_SESSION_TICKETS */
484 
485  *p++ = (unsigned char) n;
486 
487  for( i = 0; i < n; i++ )
488  *p++ = ssl->session_negotiate->id[i];
489 
490  SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
491  SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
492 
493  ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
494  n = 0;
495  q = p;
496 
497  // Skip writing ciphersuite length for now
498  p += 2;
499 
500  /*
501  * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
502  */
504  {
505  *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
506  *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO );
507  n++;
508  }
509 
510  for( i = 0; ciphersuites[i] != 0; i++ )
511  {
512  ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
513 
514  if( ciphersuite_info == NULL )
515  continue;
516 
517  if( ciphersuite_info->min_minor_ver > ssl->max_minor_ver ||
518  ciphersuite_info->max_minor_ver < ssl->min_minor_ver )
519  continue;
520 
521  SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
522  ciphersuites[i] ) );
523 
524  n++;
525  *p++ = (unsigned char)( ciphersuites[i] >> 8 );
526  *p++ = (unsigned char)( ciphersuites[i] );
527  }
528 
529  *q++ = (unsigned char)( n >> 7 );
530  *q++ = (unsigned char)( n << 1 );
531 
532  SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
533 
534 
535 #if defined(POLARSSL_ZLIB_SUPPORT)
536  SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
537  SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
539 
540  *p++ = 2;
541  *p++ = SSL_COMPRESS_DEFLATE;
542  *p++ = SSL_COMPRESS_NULL;
543 #else
544  SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
545  SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", SSL_COMPRESS_NULL ) );
546 
547  *p++ = 1;
548  *p++ = SSL_COMPRESS_NULL;
549 #endif
550 
551  // First write extensions, then the total length
552  //
553 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
554  ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
555  ext_len += olen;
556 #endif
557 
558  ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
559  ext_len += olen;
560 
561 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
562  ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
563  ext_len += olen;
564 #endif
565 
566 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
567  ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
568  ext_len += olen;
569 
570  ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
571  ext_len += olen;
572 #endif
573 
574 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
575  ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
576  ext_len += olen;
577 #endif
578 
579 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
580  ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
581  ext_len += olen;
582 #endif
583 
584 #if defined(POLARSSL_SSL_SESSION_TICKETS)
585  ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
586  ext_len += olen;
587 #endif
588 
589  SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
590  ext_len ) );
591 
592  *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
593  *p++ = (unsigned char)( ( ext_len ) & 0xFF );
594  p += ext_len;
595 
596  ssl->out_msglen = p - buf;
598  ssl->out_msg[0] = SSL_HS_CLIENT_HELLO;
599 
600  ssl->state++;
601 
602  if( ( ret = ssl_write_record( ssl ) ) != 0 )
603  {
604  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
605  return( ret );
606  }
607 
608  SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
609 
610  return( 0 );
611 }
612 
613 static int ssl_parse_renegotiation_info( ssl_context *ssl,
614  const unsigned char *buf,
615  size_t len )
616 {
617  int ret;
618 
620  {
621  if( len != 1 || buf[0] != 0x0 )
622  {
623  SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
624 
625  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
626  return( ret );
627 
629  }
630 
632  }
633  else
634  {
635  /* Check verify-data in constant-time. The length OTOH is no secret */
636  if( len != 1 + ssl->verify_data_len * 2 ||
637  buf[0] != ssl->verify_data_len * 2 ||
638  safer_memcmp( buf + 1,
639  ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
640  safer_memcmp( buf + 1 + ssl->verify_data_len,
641  ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
642  {
643  SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
644 
645  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
646  return( ret );
647 
649  }
650  }
651 
652  return( 0 );
653 }
654 
655 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
656 static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
657  const unsigned char *buf,
658  size_t len )
659 {
660  /*
661  * server should use the extension only if we did,
662  * and if so the server's value should match ours (and len is always 1)
663  */
664  if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ||
665  len != 1 ||
666  buf[0] != ssl->mfl_code )
667  {
669  }
670 
671  return( 0 );
672 }
673 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
674 
675 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
676 static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
677  const unsigned char *buf,
678  size_t len )
679 {
680  if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED ||
681  len != 0 )
682  {
684  }
685 
686  ((void) buf);
687 
689 
690  return( 0 );
691 }
692 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
693 
694 #if defined(POLARSSL_SSL_SESSION_TICKETS)
695 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
696  const unsigned char *buf,
697  size_t len )
698 {
700  len != 0 )
701  {
703  }
704 
705  ((void) buf);
706 
707  ssl->handshake->new_session_ticket = 1;
708 
709  return( 0 );
710 }
711 #endif /* POLARSSL_SSL_SESSION_TICKETS */
712 
713 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
714 static int ssl_parse_supported_point_formats_ext( ssl_context *ssl,
715  const unsigned char *buf,
716  size_t len )
717 {
718  size_t list_size;
719  const unsigned char *p;
720 
721  list_size = buf[0];
722  if( list_size + 1 != len )
723  {
724  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
726  }
727 
728  p = buf + 2;
729  while( list_size > 0 )
730  {
731  if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
733  {
734  ssl->handshake->ecdh_ctx.point_format = p[0];
735  SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
736  return( 0 );
737  }
738 
739  list_size--;
740  p++;
741  }
742 
743  return( 0 );
744 }
745 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
746 
747 static int ssl_parse_server_hello( ssl_context *ssl )
748 {
749  int ret, i, comp;
750  size_t n;
751  size_t ext_len = 0;
752  unsigned char *buf, *ext;
753  int renegotiation_info_seen = 0;
754  int handshake_failure = 0;
755 #if defined(POLARSSL_DEBUG_C)
756  uint32_t t;
757 #endif
758 
759  SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
760 
761  /*
762  * 0 . 0 handshake type
763  * 1 . 3 handshake length
764  * 4 . 5 protocol version
765  * 6 . 9 UNIX time()
766  * 10 . 37 random bytes
767  */
768  buf = ssl->in_msg;
769 
770  if( ( ret = ssl_read_record( ssl ) ) != 0 )
771  {
772  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
773  return( ret );
774  }
775 
776  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
777  {
778  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
780  }
781 
782  SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
783  buf[4], buf[5] ) );
784 
785  if( ssl->in_hslen < 42 ||
786  buf[0] != SSL_HS_SERVER_HELLO ||
787  buf[4] != SSL_MAJOR_VERSION_3 )
788  {
789  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
791  }
792 
793  if( buf[5] > ssl->max_minor_ver )
794  {
795  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
797  }
798 
799  ssl->minor_ver = buf[5];
800 
801  if( ssl->minor_ver < ssl->min_minor_ver )
802  {
803  SSL_DEBUG_MSG( 1, ( "server only supports ssl smaller than minimum"
804  " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
805  buf[4], buf[5] ) );
806 
809 
811  }
812 
813 #if defined(POLARSSL_DEBUG_C)
814  t = ( (uint32_t) buf[6] << 24 )
815  | ( (uint32_t) buf[7] << 16 )
816  | ( (uint32_t) buf[8] << 8 )
817  | ( (uint32_t) buf[9] );
818  SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
819 #endif
820 
821  memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
822 
823  n = buf[38];
824 
825  SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
826 
827  if( n > 32 )
828  {
829  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
831  }
832 
833  /*
834  * 38 . 38 session id length
835  * 39 . 38+n session id
836  * 39+n . 40+n chosen ciphersuite
837  * 41+n . 41+n chosen compression alg.
838  * 42+n . 43+n extensions length
839  * 44+n . 44+n+m extensions
840  */
841  if( ssl->in_hslen > 42 + n )
842  {
843  ext_len = ( ( buf[42 + n] << 8 )
844  | ( buf[43 + n] ) );
845 
846  if( ( ext_len > 0 && ext_len < 4 ) ||
847  ssl->in_hslen != 44 + n + ext_len )
848  {
849  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
851  }
852  }
853 
854  i = ( buf[39 + n] << 8 ) | buf[40 + n];
855  comp = buf[41 + n];
856 
857  /*
858  * Initialize update checksum functions
859  */
862 
863  if( ssl->transform_negotiate->ciphersuite_info == NULL )
864  {
865  SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
866  ssl->ciphersuite_list[ssl->minor_ver][i] ) );
868  }
869 
870  SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
871  SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
872 
873  /*
874  * Check if the session can be resumed
875  */
876  if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
877  ssl->handshake->resume == 0 || n == 0 ||
878  ssl->session_negotiate->ciphersuite != i ||
879  ssl->session_negotiate->compression != comp ||
880  ssl->session_negotiate->length != n ||
881  memcmp( ssl->session_negotiate->id, buf + 39, n ) != 0 )
882  {
883  ssl->state++;
884  ssl->handshake->resume = 0;
885 #if defined(POLARSSL_HAVE_TIME)
886  ssl->session_negotiate->start = time( NULL );
887 #endif
888  ssl->session_negotiate->ciphersuite = i;
889  ssl->session_negotiate->compression = comp;
890  ssl->session_negotiate->length = n;
891  memcpy( ssl->session_negotiate->id, buf + 39, n );
892  }
893  else
894  {
896 
897  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
898  {
899  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
900  return( ret );
901  }
902  }
903 
904  SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
905  ssl->handshake->resume ? "a" : "no" ) );
906 
907  SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) );
908  SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) );
909 
910  i = 0;
911  while( 1 )
912  {
913  if( ssl->ciphersuite_list[ssl->minor_ver][i] == 0 )
914  {
915  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
917  }
918 
919  if( ssl->ciphersuite_list[ssl->minor_ver][i++] ==
921  {
922  break;
923  }
924  }
925 
926  if( comp != SSL_COMPRESS_NULL
927 #if defined(POLARSSL_ZLIB_SUPPORT)
928  && comp != SSL_COMPRESS_DEFLATE
929 #endif
930  )
931  {
932  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
934  }
935  ssl->session_negotiate->compression = comp;
936 
937  ext = buf + 44 + n;
938 
939  SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
940 
941  while( ext_len )
942  {
943  unsigned int ext_id = ( ( ext[0] << 8 )
944  | ( ext[1] ) );
945  unsigned int ext_size = ( ( ext[2] << 8 )
946  | ( ext[3] ) );
947 
948  if( ext_size + 4 > ext_len )
949  {
950  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
952  }
953 
954  switch( ext_id )
955  {
957  SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
958  renegotiation_info_seen = 1;
959 
960  if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ) ) != 0 )
961  return( ret );
962 
963  break;
964 
965 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
967  SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
968 
969  if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
970  ext + 4, ext_size ) ) != 0 )
971  {
972  return( ret );
973  }
974 
975  break;
976 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
977 
978 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
980  SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
981 
982  if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
983  ext + 4, ext_size ) ) != 0 )
984  {
985  return( ret );
986  }
987 
988  break;
989 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
990 
991 #if defined(POLARSSL_SSL_SESSION_TICKETS)
993  SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
994 
995  if( ( ret = ssl_parse_session_ticket_ext( ssl,
996  ext + 4, ext_size ) ) != 0 )
997  {
998  return( ret );
999  }
1000 
1001  break;
1002 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1003 
1004 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1006  SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
1007 
1008  if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
1009  ext + 4, ext_size ) ) != 0 )
1010  {
1011  return( ret );
1012  }
1013 
1014  break;
1015 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1016 
1017  default:
1018  SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1019  ext_id ) );
1020  }
1021 
1022  ext_len -= 4 + ext_size;
1023  ext += 4 + ext_size;
1024 
1025  if( ext_len > 0 && ext_len < 4 )
1026  {
1027  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1029  }
1030  }
1031 
1032  /*
1033  * Renegotiation security checks
1034  */
1037  {
1038  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1039  handshake_failure = 1;
1040  }
1041  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1043  renegotiation_info_seen == 0 )
1044  {
1045  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1046  handshake_failure = 1;
1047  }
1048  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1051  {
1052  SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1053  handshake_failure = 1;
1054  }
1055  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1057  renegotiation_info_seen == 1 )
1058  {
1059  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1060  handshake_failure = 1;
1061  }
1062 
1063  if( handshake_failure == 1 )
1064  {
1065  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1066  return( ret );
1067 
1069  }
1070 
1071  SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
1072 
1073  return( 0 );
1074 }
1075 
1076 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1077  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1078 static int ssl_parse_server_dh_params( ssl_context *ssl, unsigned char **p,
1079  unsigned char *end )
1080 {
1082 
1083  /*
1084  * Ephemeral DH parameters:
1085  *
1086  * struct {
1087  * opaque dh_p<1..2^16-1>;
1088  * opaque dh_g<1..2^16-1>;
1089  * opaque dh_Ys<1..2^16-1>;
1090  * } ServerDHParams;
1091  */
1092  if( ( ret = dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
1093  {
1094  SSL_DEBUG_RET( 2, ( "dhm_read_params" ), ret );
1095  return( ret );
1096  }
1097 
1098  if( ssl->handshake->dhm_ctx.len < 64 ||
1099  ssl->handshake->dhm_ctx.len > 512 )
1100  {
1101  SSL_DEBUG_MSG( 1, ( "bad server key exchange message (DHM length)" ) );
1103  }
1104 
1105  SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1106  SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1107  SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
1108 
1109  return( ret );
1110 }
1111 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1112  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1113 
1114 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1115  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1116  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1117  defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1118  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1119 static int ssl_check_server_ecdh_params( const ssl_context *ssl )
1120 {
1121  SSL_DEBUG_MSG( 2, ( "ECDH curve size: %d",
1122  (int) ssl->handshake->ecdh_ctx.grp.nbits ) );
1123 
1124  if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
1125  ssl->handshake->ecdh_ctx.grp.nbits > 521 )
1126  {
1127  return( -1 );
1128  }
1129 
1130  SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp );
1131 
1132  return( 0 );
1133 }
1134 #endif
1135 
1136 
1137 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1138  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1139  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1140 static int ssl_parse_server_ecdh_params( ssl_context *ssl,
1141  unsigned char **p,
1142  unsigned char *end )
1143 {
1145 
1146  /*
1147  * Ephemeral ECDH parameters:
1148  *
1149  * struct {
1150  * ECParameters curve_params;
1151  * ECPoint public;
1152  * } ServerECDHParams;
1153  */
1154  if( ( ret = ecdh_read_params( &ssl->handshake->ecdh_ctx,
1155  (const unsigned char **) p, end ) ) != 0 )
1156  {
1157  SSL_DEBUG_RET( 1, ( "ecdh_read_params" ), ret );
1158  return( ret );
1159  }
1160 
1161  if( ssl_check_server_ecdh_params( ssl ) != 0 )
1162  {
1163  SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDH length)" ) );
1165  }
1166 
1167  return( ret );
1168 }
1169 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1170  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1171  POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
1172 
1173 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
1174 static int ssl_parse_server_psk_hint( ssl_context *ssl,
1175  unsigned char **p,
1176  unsigned char *end )
1177 {
1179  size_t len;
1180  ((void) ssl);
1181 
1182  /*
1183  * PSK parameters:
1184  *
1185  * opaque psk_identity_hint<0..2^16-1>;
1186  */
1187  len = (*p)[0] << 8 | (*p)[1];
1188  *p += 2;
1189 
1190  if( (*p) + len > end )
1191  {
1192  SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) );
1194  }
1195 
1196  // TODO: Retrieve PSK identity hint and callback to app
1197  //
1198  *p += len;
1199  ret = 0;
1200 
1201  return( ret );
1202 }
1203 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
1204 
1205 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
1206  defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
1207 /*
1208  * Generate a pre-master secret and encrypt it with the server's RSA key
1209  */
1210 static int ssl_write_encrypted_pms( ssl_context *ssl,
1211  size_t offset, size_t *olen,
1212  size_t pms_offset )
1213 {
1214  int ret;
1215  size_t len_bytes = ssl->minor_ver == SSL_MINOR_VERSION_0 ? 0 : 2;
1216  unsigned char *p = ssl->handshake->premaster + pms_offset;
1217 
1218  /*
1219  * Generate (part of) the pre-master as
1220  * struct {
1221  * ProtocolVersion client_version;
1222  * opaque random[46];
1223  * } PreMasterSecret;
1224  */
1225  p[0] = (unsigned char) ssl->max_major_ver;
1226  p[1] = (unsigned char) ssl->max_minor_ver;
1227 
1228  if( ( ret = ssl->f_rng( ssl->p_rng, p + 2, 46 ) ) != 0 )
1229  {
1230  SSL_DEBUG_RET( 1, "f_rng", ret );
1231  return( ret );
1232  }
1233 
1234  ssl->handshake->pmslen = 48;
1235 
1236  /*
1237  * Now write it out, encrypted
1238  */
1239  if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
1240  POLARSSL_PK_RSA ) )
1241  {
1242  SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
1244  }
1245 
1246  if( ( ret = pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
1247  p, ssl->handshake->pmslen,
1248  ssl->out_msg + offset + len_bytes, olen,
1249  SSL_MAX_CONTENT_LEN - offset - len_bytes,
1250  ssl->f_rng, ssl->p_rng ) ) != 0 )
1251  {
1252  SSL_DEBUG_RET( 1, "rsa_pkcs1_encrypt", ret );
1253  return( ret );
1254  }
1255 
1256 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1257  defined(POLARSSL_SSL_PROTO_TLS1_2)
1258  if( len_bytes == 2 )
1259  {
1260  ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
1261  ssl->out_msg[offset+1] = (unsigned char)( *olen );
1262  *olen += 2;
1263  }
1264 #endif
1265 
1266  return( 0 );
1267 }
1268 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED ||
1269  POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
1270 
1271 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1272 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1273  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1274  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1275 static int ssl_parse_signature_algorithm( ssl_context *ssl,
1276  unsigned char **p,
1277  unsigned char *end,
1278  md_type_t *md_alg,
1279  pk_type_t *pk_alg )
1280 {
1281  ((void) ssl);
1282  *md_alg = POLARSSL_MD_NONE;
1283  *pk_alg = POLARSSL_PK_NONE;
1284 
1285  /* Only in TLS 1.2 */
1286  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
1287  {
1288  return( 0 );
1289  }
1290 
1291  if( (*p) + 2 > end )
1293 
1294  /*
1295  * Get hash algorithm
1296  */
1297  if( ( *md_alg = ssl_md_alg_from_hash( (*p)[0] ) ) == POLARSSL_MD_NONE )
1298  {
1299  SSL_DEBUG_MSG( 2, ( "Server used unsupported "
1300  "HashAlgorithm %d", *(p)[0] ) );
1302  }
1303 
1304  /*
1305  * Get signature algorithm
1306  */
1307  if( ( *pk_alg = ssl_pk_alg_from_sig( (*p)[1] ) ) == POLARSSL_PK_NONE )
1308  {
1309  SSL_DEBUG_MSG( 2, ( "server used unsupported "
1310  "SignatureAlgorithm %d", (*p)[1] ) );
1312  }
1313 
1314  SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
1315  SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
1316  *p += 2;
1317 
1318  return( 0 );
1319 }
1320 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1321  POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1322  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1323 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1324 
1325 
1326 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1327  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1328 static int ssl_get_ecdh_params_from_cert( ssl_context *ssl )
1329 {
1330  int ret;
1331  const ecp_keypair *peer_key;
1332 
1333  if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
1334  POLARSSL_PK_ECKEY ) )
1335  {
1336  SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
1338  }
1339 
1340  peer_key = pk_ec( ssl->session_negotiate->peer_cert->pk );
1341 
1342  if( ( ret = ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
1343  POLARSSL_ECDH_THEIRS ) ) != 0 )
1344  {
1345  SSL_DEBUG_RET( 1, ( "ecdh_get_params" ), ret );
1346  return( ret );
1347  }
1348 
1349  if( ssl_check_server_ecdh_params( ssl ) != 0 )
1350  {
1351  SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH length)" ) );
1353  }
1354 
1355  return( ret );
1356 }
1357 #endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
1358  POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1359 
1360 static int ssl_parse_server_key_exchange( ssl_context *ssl )
1361 {
1362  int ret;
1363  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1364  unsigned char *p, *end;
1365 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1366  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1367  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1368  size_t sig_len, params_len;
1369  unsigned char hash[64];
1370  md_type_t md_alg = POLARSSL_MD_NONE;
1371  size_t hashlen;
1372  pk_type_t pk_alg = POLARSSL_PK_NONE;
1373 #endif
1374 
1375  SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
1376 
1377 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
1378  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
1379  {
1380  SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
1381  ssl->state++;
1382  return( 0 );
1383  }
1384  ((void) p);
1385  ((void) end);
1386 #endif
1387 
1388 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1389  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1390  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
1391  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
1392  {
1393  ssl_get_ecdh_params_from_cert( ssl );
1394 
1395  SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
1396  ssl->state++;
1397  return( 0 );
1398  }
1399  ((void) p);
1400  ((void) end);
1401 #endif
1402 
1403  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1404  {
1405  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1406  return( ret );
1407  }
1408 
1409  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1410  {
1411  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1413  }
1414 
1415  /*
1416  * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
1417  * doesn't use a psk_identity_hint
1418  */
1419  if( ssl->in_msg[0] != SSL_HS_SERVER_KEY_EXCHANGE )
1420  {
1421  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1422  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
1423  {
1424  ssl->record_read = 1;
1425  goto exit;
1426  }
1427 
1428  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1430  }
1431 
1432  p = ssl->in_msg + 4;
1433  end = ssl->in_msg + ssl->in_hslen;
1434  SSL_DEBUG_BUF( 3, "server key exchange", p, ssl->in_hslen - 4 );
1435 
1436 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
1437  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1438  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1439  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1440  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1441  {
1442  if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
1443  {
1444  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1446  }
1447  } /* FALLTROUGH */
1448 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
1449 
1450 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
1451  defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
1452  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1453  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
1454  ; /* nothing more to do */
1455  else
1456 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED ||
1457  POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
1458 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1459  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1460  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1461  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1462  {
1463  if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
1464  {
1465  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1467  }
1468  }
1469  else
1470 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1471  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1472 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1473  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1474  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1475  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
1476  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
1477  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
1478  {
1479  if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
1480  {
1481  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1483  }
1484  }
1485  else
1486 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1487  POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1488  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1489  {
1490  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1492  }
1493 
1494 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1495  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1496  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1497  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1498  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
1499  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
1500  {
1501  params_len = p - ( ssl->in_msg + 4 );
1502 
1503  /*
1504  * Handle the digitally-signed structure
1505  */
1506 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1507  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1508  {
1509  if( ssl_parse_signature_algorithm( ssl, &p, end,
1510  &md_alg, &pk_alg ) != 0 )
1511  {
1512  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1514  }
1515 
1516  if( pk_alg != ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
1517  {
1518  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1520  }
1521  }
1522  else
1523 #endif
1524 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
1525  defined(POLARSSL_SSL_PROTO_TLS1_1)
1526  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
1527  {
1528  pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
1529 
1530  /* Default hash for ECDSA is SHA-1 */
1531  if( pk_alg == POLARSSL_PK_ECDSA && md_alg == POLARSSL_MD_NONE )
1532  md_alg = POLARSSL_MD_SHA1;
1533  }
1534  else
1535 #endif
1536  {
1537  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1539  }
1540 
1541  /*
1542  * Read signature
1543  */
1544  sig_len = ( p[0] << 8 ) | p[1];
1545  p += 2;
1546 
1547  if( end != p + sig_len )
1548  {
1549  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1551  }
1552 
1553  SSL_DEBUG_BUF( 3, "signature", p, sig_len );
1554 
1555  /*
1556  * Compute the hash that has been signed
1557  */
1558 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
1559  defined(POLARSSL_SSL_PROTO_TLS1_1)
1560  if( md_alg == POLARSSL_MD_NONE )
1561  {
1562  md5_context md5;
1564 
1565  hashlen = 36;
1566 
1567  /*
1568  * digitally-signed struct {
1569  * opaque md5_hash[16];
1570  * opaque sha_hash[20];
1571  * };
1572  *
1573  * md5_hash
1574  * MD5(ClientHello.random + ServerHello.random
1575  * + ServerParams);
1576  * sha_hash
1577  * SHA(ClientHello.random + ServerHello.random
1578  * + ServerParams);
1579  */
1580  md5_starts( &md5 );
1581  md5_update( &md5, ssl->handshake->randbytes, 64 );
1582  md5_update( &md5, ssl->in_msg + 4, params_len );
1583  md5_finish( &md5, hash );
1584 
1585  sha1_starts( &sha1 );
1586  sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1587  sha1_update( &sha1, ssl->in_msg + 4, params_len );
1588  sha1_finish( &sha1, hash + 16 );
1589  }
1590  else
1591 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
1592  POLARSSL_SSL_PROTO_TLS1_1 */
1593 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1594  defined(POLARSSL_SSL_PROTO_TLS1_2)
1595  if( md_alg != POLARSSL_MD_NONE )
1596  {
1597  md_context_t ctx;
1598 
1599  /* Info from md_alg will be used instead */
1600  hashlen = 0;
1601 
1602  /*
1603  * digitally-signed struct {
1604  * opaque client_random[32];
1605  * opaque server_random[32];
1606  * ServerDHParams params;
1607  * };
1608  */
1609  if( ( ret = md_init_ctx( &ctx, md_info_from_type( md_alg ) ) ) != 0 )
1610  {
1611  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
1612  return( ret );
1613  }
1614 
1615  md_starts( &ctx );
1616  md_update( &ctx, ssl->handshake->randbytes, 64 );
1617  md_update( &ctx, ssl->in_msg + 4, params_len );
1618  md_finish( &ctx, hash );
1619  md_free_ctx( &ctx );
1620  }
1621  else
1622 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1623  POLARSSL_SSL_PROTO_TLS1_2 */
1624  {
1625  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1627  }
1628 
1629  SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
1630  (unsigned int) ( md_info_from_type( md_alg ) )->size );
1631 
1632  /*
1633  * Verify signature
1634  */
1635  if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
1636  {
1637  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1639  }
1640 
1641  if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
1642  md_alg, hash, hashlen, p, sig_len ) ) != 0 )
1643  {
1644  SSL_DEBUG_RET( 1, "pk_verify", ret );
1645  return( ret );
1646  }
1647  }
1648 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1649  POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1650  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1651 
1652 exit:
1653  ssl->state++;
1654 
1655  SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
1656 
1657  return( 0 );
1658 }
1659 
1660 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1661  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1662  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
1663  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1664 static int ssl_parse_certificate_request( ssl_context *ssl )
1665 {
1667  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1668 
1669  SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
1670 
1671  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1672  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1673  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1674  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1675  {
1676  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
1677  ssl->state++;
1678  return( 0 );
1679  }
1680 
1681  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
1682  return( ret );
1683 }
1684 #else
1685 static int ssl_parse_certificate_request( ssl_context *ssl )
1686 {
1687  int ret;
1688  unsigned char *buf, *p;
1689  size_t n = 0, m = 0;
1690  size_t cert_type_len = 0, dn_len = 0;
1691  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1692 
1693  SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
1694 
1695  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1696  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1697  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1698  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1699  {
1700  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
1701  ssl->state++;
1702  return( 0 );
1703  }
1704 
1705  /*
1706  * 0 . 0 handshake type
1707  * 1 . 3 handshake length
1708  * 4 . 4 cert type count
1709  * 5 .. m-1 cert types
1710  * m .. m+1 sig alg length (TLS 1.2 only)
1711  * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
1712  * n .. n+1 length of all DNs
1713  * n+2 .. n+3 length of DN 1
1714  * n+4 .. ... Distinguished Name #1
1715  * ... .. ... length of DN 2, etc.
1716  */
1717  if( ssl->record_read == 0 )
1718  {
1719  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1720  {
1721  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1722  return( ret );
1723  }
1724 
1725  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1726  {
1727  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1729  }
1730 
1731  ssl->record_read = 1;
1732  }
1733 
1734  ssl->client_auth = 0;
1735  ssl->state++;
1736 
1737  if( ssl->in_msg[0] == SSL_HS_CERTIFICATE_REQUEST )
1738  ssl->client_auth++;
1739 
1740  SSL_DEBUG_MSG( 3, ( "got %s certificate request",
1741  ssl->client_auth ? "a" : "no" ) );
1742 
1743  if( ssl->client_auth == 0 )
1744  goto exit;
1745 
1746  ssl->record_read = 0;
1747 
1748  // TODO: handshake_failure alert for an anonymous server to request
1749  // client authentication
1750 
1751  buf = ssl->in_msg;
1752 
1753  // Retrieve cert types
1754  //
1755  cert_type_len = buf[4];
1756  n = cert_type_len;
1757 
1758  if( ssl->in_hslen < 6 + n )
1759  {
1760  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1762  }
1763 
1764  p = buf + 5;
1765  while( cert_type_len > 0 )
1766  {
1767 #if defined(POLARSSL_RSA_C)
1768  if( *p == SSL_CERT_TYPE_RSA_SIGN &&
1770  {
1772  break;
1773  }
1774  else
1775 #endif
1776 #if defined(POLARSSL_ECDSA_C)
1777  if( *p == SSL_CERT_TYPE_ECDSA_SIGN &&
1779  {
1781  break;
1782  }
1783  else
1784 #endif
1785  {
1786  ; /* Unsupported cert type, ignore */
1787  }
1788 
1789  cert_type_len--;
1790  p++;
1791  }
1792 
1793 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1794  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1795  {
1796  /* Ignored, see comments about hash in write_certificate_verify */
1797  // TODO: should check the signature part against our pk_key though
1798  size_t sig_alg_len = ( ( buf[5 + n] << 8 )
1799  | ( buf[6 + n] ) );
1800 
1801  p = buf + 7 + n;
1802  m += 2;
1803  n += sig_alg_len;
1804 
1805  if( ssl->in_hslen < 6 + n )
1806  {
1807  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1809  }
1810  }
1811 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1812 
1813  /* Ignore certificate_authorities, we only have one cert anyway */
1814  // TODO: should not send cert if no CA matches
1815  dn_len = ( ( buf[5 + m + n] << 8 )
1816  | ( buf[6 + m + n] ) );
1817 
1818  n += dn_len;
1819  if( ssl->in_hslen != 7 + m + n )
1820  {
1821  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1823  }
1824 
1825 exit:
1826  SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
1827 
1828  return( 0 );
1829 }
1830 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
1831  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
1832  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
1833  !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1834 
1835 static int ssl_parse_server_hello_done( ssl_context *ssl )
1836 {
1837  int ret;
1838 
1839  SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
1840 
1841  if( ssl->record_read == 0 )
1842  {
1843  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1844  {
1845  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1846  return( ret );
1847  }
1848 
1849  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1850  {
1851  SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
1853  }
1854  }
1855  ssl->record_read = 0;
1856 
1857  if( ssl->in_hslen != 4 ||
1858  ssl->in_msg[0] != SSL_HS_SERVER_HELLO_DONE )
1859  {
1860  SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
1862  }
1863 
1864  ssl->state++;
1865 
1866  SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
1867 
1868  return( 0 );
1869 }
1870 
1871 static int ssl_write_client_key_exchange( ssl_context *ssl )
1872 {
1873  int ret;
1874  size_t i, n;
1875  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1876 
1877  SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
1878 
1879 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
1880  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
1881  {
1882  /*
1883  * DHM key exchange -- send G^X mod P
1884  */
1885  n = ssl->handshake->dhm_ctx.len;
1886 
1887  ssl->out_msg[4] = (unsigned char)( n >> 8 );
1888  ssl->out_msg[5] = (unsigned char)( n );
1889  i = 6;
1890 
1891  ret = dhm_make_public( &ssl->handshake->dhm_ctx,
1892  (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
1893  &ssl->out_msg[i], n,
1894  ssl->f_rng, ssl->p_rng );
1895  if( ret != 0 )
1896  {
1897  SSL_DEBUG_RET( 1, "dhm_make_public", ret );
1898  return( ret );
1899  }
1900 
1901  SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
1902  SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
1903 
1904  ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
1905 
1906  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
1907  ssl->handshake->premaster,
1908  &ssl->handshake->pmslen,
1909  ssl->f_rng, ssl->p_rng ) ) != 0 )
1910  {
1911  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
1912  return( ret );
1913  }
1914 
1915  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
1916  }
1917  else
1918 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
1919 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1920  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1921  defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1922  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1923  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
1924  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
1925  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
1926  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
1927  {
1928  /*
1929  * ECDH key exchange -- send client public value
1930  */
1931  i = 4;
1932 
1933  ret = ecdh_make_public( &ssl->handshake->ecdh_ctx,
1934  &n,
1935  &ssl->out_msg[i], 1000,
1936  ssl->f_rng, ssl->p_rng );
1937  if( ret != 0 )
1938  {
1939  SSL_DEBUG_RET( 1, "ecdh_make_public", ret );
1940  return( ret );
1941  }
1942 
1943  SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
1944 
1945  if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
1946  &ssl->handshake->pmslen,
1947  ssl->handshake->premaster,
1949  ssl->f_rng, ssl->p_rng ) ) != 0 )
1950  {
1951  SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
1952  return( ret );
1953  }
1954 
1955  SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
1956  }
1957  else
1958 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1959  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1960  POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
1961  POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1962 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
1963  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1964  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1965  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1966  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1967  {
1968  /*
1969  * opaque psk_identity<0..2^16-1>;
1970  */
1971  if( ssl->psk == NULL || ssl->psk_identity == NULL )
1973 
1974  i = 4;
1975  n = ssl->psk_identity_len;
1976  ssl->out_msg[i++] = (unsigned char)( n >> 8 );
1977  ssl->out_msg[i++] = (unsigned char)( n );
1978 
1979  memcpy( ssl->out_msg + i, ssl->psk_identity, ssl->psk_identity_len );
1980  i += ssl->psk_identity_len;
1981 
1982 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
1983  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
1984  {
1985  n = 0;
1986  }
1987  else
1988 #endif
1989 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
1990  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
1991  {
1992  if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
1993  return( ret );
1994  }
1995  else
1996 #endif
1997 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1998  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1999  {
2000  /*
2001  * ClientDiffieHellmanPublic public (DHM send G^X mod P)
2002  */
2003  n = ssl->handshake->dhm_ctx.len;
2004  ssl->out_msg[i++] = (unsigned char)( n >> 8 );
2005  ssl->out_msg[i++] = (unsigned char)( n );
2006 
2007  ret = dhm_make_public( &ssl->handshake->dhm_ctx,
2008  (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
2009  &ssl->out_msg[i], n,
2010  ssl->f_rng, ssl->p_rng );
2011  if( ret != 0 )
2012  {
2013  SSL_DEBUG_RET( 1, "dhm_make_public", ret );
2014  return( ret );
2015  }
2016  }
2017  else
2018 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2019 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2020  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2021  {
2022  /*
2023  * ClientECDiffieHellmanPublic public;
2024  */
2025  ret = ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
2026  &ssl->out_msg[i], SSL_MAX_CONTENT_LEN - i,
2027  ssl->f_rng, ssl->p_rng );
2028  if( ret != 0 )
2029  {
2030  SSL_DEBUG_RET( 1, "ecdh_make_public", ret );
2031  return( ret );
2032  }
2033 
2034  SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
2035  }
2036  else
2037 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2038  {
2039  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2041  }
2042 
2043  if( ( ret = ssl_psk_derive_premaster( ssl,
2044  ciphersuite_info->key_exchange ) ) != 0 )
2045  {
2046  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2047  return( ret );
2048  }
2049  }
2050  else
2051 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
2052 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2053  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
2054  {
2055  i = 4;
2056  if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
2057  return( ret );
2058  }
2059  else
2060 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2061  {
2062  ((void) ciphersuite_info);
2063  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2065  }
2066 
2067  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2068  {
2069  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2070  return( ret );
2071  }
2072 
2073  ssl->out_msglen = i + n;
2076 
2077  ssl->state++;
2078 
2079  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2080  {
2081  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2082  return( ret );
2083  }
2084 
2085  SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
2086 
2087  return( 0 );
2088 }
2089 
2090 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2091  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2092  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2093  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2094 static int ssl_write_certificate_verify( ssl_context *ssl )
2095 {
2097  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2098 
2099  SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
2100 
2101  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2102  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2103  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2104  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2105  {
2106  SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2107  ssl->state++;
2108  return( 0 );
2109  }
2110 
2111  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
2112  return( ret );
2113 }
2114 #else
2115 static int ssl_write_certificate_verify( ssl_context *ssl )
2116 {
2118  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2119  size_t n = 0, offset = 0;
2120  unsigned char hash[48];
2121  unsigned char *hash_start = hash;
2122  md_type_t md_alg = POLARSSL_MD_NONE;
2123  unsigned int hashlen;
2124 
2125  SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
2126 
2127  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2128  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2129  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2130  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2131  {
2132  SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2133  ssl->state++;
2134  return( 0 );
2135  }
2136 
2137  if( ssl->client_auth == 0 || ssl_own_cert( ssl ) == NULL )
2138  {
2139  SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2140  ssl->state++;
2141  return( 0 );
2142  }
2143 
2144  if( ssl_own_key( ssl ) == NULL )
2145  {
2146  SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2148  }
2149 
2150  /*
2151  * Make an RSA signature of the handshake digests
2152  */
2153  ssl->handshake->calc_verify( ssl, hash );
2154 
2155 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2156  defined(POLARSSL_SSL_PROTO_TLS1_1)
2157  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
2158  {
2159  /*
2160  * digitally-signed struct {
2161  * opaque md5_hash[16];
2162  * opaque sha_hash[20];
2163  * };
2164  *
2165  * md5_hash
2166  * MD5(handshake_messages);
2167  *
2168  * sha_hash
2169  * SHA(handshake_messages);
2170  */
2171  hashlen = 36;
2172  md_alg = POLARSSL_MD_NONE;
2173 
2174  /*
2175  * For ECDSA, default hash is SHA-1 only
2176  */
2177  if( pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECDSA ) )
2178  {
2179  hash_start += 16;
2180  hashlen -= 16;
2181  md_alg = POLARSSL_MD_SHA1;
2182  }
2183  }
2184  else
2185 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
2186  POLARSSL_SSL_PROTO_TLS1_1 */
2187 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2188  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2189  {
2190  /*
2191  * digitally-signed struct {
2192  * opaque handshake_messages[handshake_messages_length];
2193  * };
2194  *
2195  * Taking shortcut here. We assume that the server always allows the
2196  * PRF Hash function and has sent it in the allowed signature
2197  * algorithms list received in the Certificate Request message.
2198  *
2199  * Until we encounter a server that does not, we will take this
2200  * shortcut.
2201  *
2202  * Reason: Otherwise we should have running hashes for SHA512 and SHA224
2203  * in order to satisfy 'weird' needs from the server side.
2204  */
2207  {
2208  md_alg = POLARSSL_MD_SHA384;
2209  ssl->out_msg[4] = SSL_HASH_SHA384;
2210  }
2211  else
2212  {
2213  md_alg = POLARSSL_MD_SHA256;
2214  ssl->out_msg[4] = SSL_HASH_SHA256;
2215  }
2216  ssl->out_msg[5] = ssl_sig_from_pk( ssl_own_key( ssl ) );
2217 
2218  /* Info from md_alg will be used instead */
2219  hashlen = 0;
2220  offset = 2;
2221  }
2222  else
2223 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2224  {
2225  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2227  }
2228 
2229  if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash_start, hashlen,
2230  ssl->out_msg + 6 + offset, &n,
2231  ssl->f_rng, ssl->p_rng ) ) != 0 )
2232  {
2233  SSL_DEBUG_RET( 1, "pk_sign", ret );
2234  return( ret );
2235  }
2236 
2237  ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
2238  ssl->out_msg[5 + offset] = (unsigned char)( n );
2239 
2240  ssl->out_msglen = 6 + n + offset;
2243 
2244  ssl->state++;
2245 
2246  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2247  {
2248  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2249  return( ret );
2250  }
2251 
2252  SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
2253 
2254  return( ret );
2255 }
2256 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2257  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2258  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2259 
2260 #if defined(POLARSSL_SSL_SESSION_TICKETS)
2261 static int ssl_parse_new_session_ticket( ssl_context *ssl )
2262 {
2263  int ret;
2264  uint32_t lifetime;
2265  size_t ticket_len;
2266  unsigned char *ticket;
2267 
2268  SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
2269 
2270  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2271  {
2272  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2273  return( ret );
2274  }
2275 
2276  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2277  {
2278  SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2280  }
2281 
2282  /*
2283  * struct {
2284  * uint32 ticket_lifetime_hint;
2285  * opaque ticket<0..2^16-1>;
2286  * } NewSessionTicket;
2287  *
2288  * 0 . 0 handshake message type
2289  * 1 . 3 handshake message length
2290  * 4 . 7 ticket_lifetime_hint
2291  * 8 . 9 ticket_len (n)
2292  * 10 . 9+n ticket content
2293  */
2294  if( ssl->in_msg[0] != SSL_HS_NEW_SESSION_TICKET ||
2295  ssl->in_hslen < 10 )
2296  {
2297  SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2299  }
2300 
2301  lifetime = ( ssl->in_msg[4] << 24 ) | ( ssl->in_msg[5] << 16 ) |
2302  ( ssl->in_msg[6] << 8 ) | ( ssl->in_msg[7] );
2303 
2304  ticket_len = ( ssl->in_msg[8] << 8 ) | ( ssl->in_msg[9] );
2305 
2306  if( ticket_len + 10 != ssl->in_hslen )
2307  {
2308  SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2310  }
2311 
2312  SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
2313 
2314  /* We're not waiting for a NewSessionTicket message any more */
2315  ssl->handshake->new_session_ticket = 0;
2316 
2317  /*
2318  * Zero-length ticket means the server changed his mind and doesn't want
2319  * to send a ticket after all, so just forget it
2320  */
2321  if( ticket_len == 0)
2322  return( 0 );
2323 
2325  ssl->session_negotiate->ticket = NULL;
2326  ssl->session_negotiate->ticket_len = 0;
2327 
2328  if( ( ticket = polarssl_malloc( ticket_len ) ) == NULL )
2329  {
2330  SSL_DEBUG_MSG( 1, ( "ticket malloc failed" ) );
2332  }
2333 
2334  memcpy( ticket, ssl->in_msg + 10, ticket_len );
2335 
2336  ssl->session_negotiate->ticket = ticket;
2337  ssl->session_negotiate->ticket_len = ticket_len;
2338  ssl->session_negotiate->ticket_lifetime = lifetime;
2339 
2340  /*
2341  * RFC 5077 section 3.4:
2342  * "If the client receives a session ticket from the server, then it
2343  * discards any Session ID that was sent in the ServerHello."
2344  */
2345  SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
2346  ssl->session_negotiate->length = 0;
2347 
2348  SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
2349 
2350  return( 0 );
2351 }
2352 #endif /* POLARSSL_SSL_SESSION_TICKETS */
2353 
2354 /*
2355  * SSL handshake -- client side -- single step
2356  */
2358 {
2359  int ret = 0;
2360 
2361  if( ssl->state == SSL_HANDSHAKE_OVER )
2363 
2364  SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
2365 
2366  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2367  return( ret );
2368 
2369  switch( ssl->state )
2370  {
2371  case SSL_HELLO_REQUEST:
2372  ssl->state = SSL_CLIENT_HELLO;
2373  break;
2374 
2375  /*
2376  * ==> ClientHello
2377  */
2378  case SSL_CLIENT_HELLO:
2379  ret = ssl_write_client_hello( ssl );
2380  break;
2381 
2382  /*
2383  * <== ServerHello
2384  * Certificate
2385  * ( ServerKeyExchange )
2386  * ( CertificateRequest )
2387  * ServerHelloDone
2388  */
2389  case SSL_SERVER_HELLO:
2390  ret = ssl_parse_server_hello( ssl );
2391  break;
2392 
2394  ret = ssl_parse_certificate( ssl );
2395  break;
2396 
2398  ret = ssl_parse_server_key_exchange( ssl );
2399  break;
2400 
2402  ret = ssl_parse_certificate_request( ssl );
2403  break;
2404 
2405  case SSL_SERVER_HELLO_DONE:
2406  ret = ssl_parse_server_hello_done( ssl );
2407  break;
2408 
2409  /*
2410  * ==> ( Certificate/Alert )
2411  * ClientKeyExchange
2412  * ( CertificateVerify )
2413  * ChangeCipherSpec
2414  * Finished
2415  */
2417  ret = ssl_write_certificate( ssl );
2418  break;
2419 
2421  ret = ssl_write_client_key_exchange( ssl );
2422  break;
2423 
2425  ret = ssl_write_certificate_verify( ssl );
2426  break;
2427 
2429  ret = ssl_write_change_cipher_spec( ssl );
2430  break;
2431 
2432  case SSL_CLIENT_FINISHED:
2433  ret = ssl_write_finished( ssl );
2434  break;
2435 
2436  /*
2437  * <== ( NewSessionTicket )
2438  * ChangeCipherSpec
2439  * Finished
2440  */
2442 #if defined(POLARSSL_SSL_SESSION_TICKETS)
2443  if( ssl->handshake->new_session_ticket != 0 )
2444  ret = ssl_parse_new_session_ticket( ssl );
2445  else
2446 #endif
2447  ret = ssl_parse_change_cipher_spec( ssl );
2448  break;
2449 
2450  case SSL_SERVER_FINISHED:
2451  ret = ssl_parse_finished( ssl );
2452  break;
2453 
2454  case SSL_FLUSH_BUFFERS:
2455  SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2456  ssl->state = SSL_HANDSHAKE_WRAPUP;
2457  break;
2458 
2459  case SSL_HANDSHAKE_WRAPUP:
2460  ssl_handshake_wrapup( ssl );
2461  break;
2462 
2463  default:
2464  SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2466  }
2467 
2468  return( ret );
2469 }
2470 #endif
#define SSL_HS_CLIENT_KEY_EXCHANGE
Definition: ssl.h:326
#define SSL_CERT_TYPE_ECDSA_SIGN
Definition: ssl.h:276
unsigned char * hostname
Definition: ssl.h:751
#define SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:287
unsigned char mfl_code
Definition: ssl.h:693
size_t length
Definition: ssl.h:428
int ciphersuite
Definition: ssl.h:426
mpi P
Definition: dhm.h:146
int trunc_hmac
Definition: ssl.h:725
int ecdh_make_public(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Setup and export the client&#39;s public value.
size_t in_hslen
Definition: ssl.h:673
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:611
#define TLS_EXT_SERVERNAME_HOSTNAME
Definition: ssl.h:333
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE
Processing of the ServerKeyExchange handshake message failed.
Definition: ssl.h:118
int record_read
Definition: ssl.h:675
Memory allocation layer.
int major_ver
Definition: ssl.h:600
#define SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:41
ecp_group_id grp_id
Definition: ecp.h:88
SHA-1 context structure.
Definition: sha1.h:54
void *(* polarssl_malloc)(size_t len)
int compression
Definition: ssl.h:427
#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH
Public key type mismatch (eg, asked for RSA key exchange and presented EC key)
Definition: ssl.h:133
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE
Processing of the ServerHelloDone handshake message failed.
Definition: ssl.h:119
#define POLARSSL_ECP_PF_COMPRESSED
Compressed point format.
Definition: ecp.h:217
pk_type_t ssl_pk_alg_from_sig(unsigned char sig)
int state
Definition: ssl.h:597
#define POLARSSL_MPI_MAX_SIZE
Maximum number of bytes for usable MPIs.
Definition: bignum.h:87
int ecdh_calc_secret(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret.
char peer_verify_data[36]
Definition: ssl.h:762
#define SSL_HS_CLIENT_HELLO
Definition: ssl.h:318
const ecp_curve_info * ecp_curve_list(void)
Return the list of supported curves with associated info.
Debug functions.
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
void(* calc_verify)(ssl_context *, unsigned char *)
Definition: ssl.h:544
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
int md_starts(md_context_t *ctx)
Set-up the given context for a new message digest.
#define SSL_HS_SERVER_KEY_EXCHANGE
Definition: ssl.h:322
#define TLS_EXT_TRUNCATED_HMAC
Definition: ssl.h:337
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO
Processing of the ServerHello handshake message failed.
Definition: ssl.h:115
#define SSL_HS_NEW_SESSION_TICKET
Definition: ssl.h:320
size_t ticket_len
Definition: ssl.h:439
#define SSL_HASH_SHA1
Definition: ssl.h:261
ssl_session * session_negotiate
Definition: ssl.h:647
int ssl_parse_certificate(ssl_context *ssl)
size_t out_msglen
Definition: ssl.h:686
mpi GX
Definition: dhm.h:149
#define SSL_SESSION_TICKETS_DISABLED
Definition: ssl.h:221
#define SSL_SIG_RSA
Definition: ssl.h:268
const int * ciphersuite_list[4]
Definition: ssl.h:723
int ssl_parse_finished(ssl_context *ssl)
void * p_rng
Definition: ssl.h:618
int md_init_ctx(md_context_t *ctx, const md_info_t *md_info)
Initialises and fills the message digest context structure with the appropriate values.
#define SSL_RENEGOTIATION
Definition: ssl.h:203
unsigned char premaster[POLARSSL_PREMASTER_SIZE]
Definition: ssl.h:553
#define POLARSSL_ECP_PF_UNCOMPRESSED
Uncompressed point format.
Definition: ecp.h:216
#define POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET
Processing of the NewSessionTicket handshake message failed.
Definition: ssl.h:131
int ssl_write_finished(ssl_context *ssl)
Configuration options (set of defines)
#define SSL_DEBUG_MSG(level, args)
Definition: debug.h:38
size_t psk_identity_len
Definition: ssl.h:744
mpi X
Definition: dhm.h:148
#define SSL_TRUNC_HMAC_ENABLED
Definition: ssl.h:218
void ssl_handshake_wrapup(ssl_context *ssl)
char own_verify_data[36]
Definition: ssl.h:761
int ecdh_get_params(ecdh_context *ctx, const ecp_keypair *key, ecdh_side side)
Setup an ECDH context from an EC key.
ECP key pair structure.
Definition: ecp.h:159
#define SSL_SIG_ECDSA
Definition: ssl.h:269
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
#define SSL_MAX_MAJOR_VERSION
Definition: ssl.h:166
int secure_renegotiation
Definition: ssl.h:758
time_t start
Definition: ssl.h:424
#define pk_ec(pk)
Quick access to an EC context inside a PK context.
Definition: pk.h:79
#define SSL_HASH_MD5
Definition: ssl.h:260
#define SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:213
#define SSL_MAJOR_VERSION_3
Definition: ssl.h:140
unsigned char id[32]
Definition: ssl.h:429
pk_type_t ssl_get_ciphersuite_sig_pk_alg(const ssl_ciphersuite_t *info)
const ssl_ciphersuite_t * ciphersuite_info
Definition: ssl.h:461
unsigned char * psk
Definition: ssl.h:741
size_t len
Definition: dhm.h:145
int max_major_ver
Definition: ssl.h:603
ecp_point Qp
Definition: ecdh.h:53
md_type_t
Definition: md.h:51
int max_minor_ver
Definition: ssl.h:604
int dhm_read_params(dhm_context *ctx, unsigned char **p, const unsigned char *end)
Parse the ServerKeyExchange parameters.
const md_info_t * md_info_from_type(md_type_t md_type)
Returns the message digest information associated with the given digest type.
#define TLS_EXT_SIG_ALG
Definition: ssl.h:342
#define SSL_CERT_TYPE_RSA_SIGN
Definition: ssl.h:275
#define SSL_HS_CERTIFICATE_REQUEST
Definition: ssl.h:323
ssl_handshake_params * handshake
Definition: ssl.h:649
#define SSL_MSG_HANDSHAKE
Definition: ssl.h:283
int ssl_write_certificate(ssl_context *ssl)
#define SSL_ALERT_MSG_PROTOCOL_VERSION
Definition: ssl.h:308
#define POLARSSL_ERR_SSL_NO_RNG
No RNG was provided to the SSL module.
Definition: ssl.h:104
#define SSL_TRUNC_HMAC_DISABLED
Definition: ssl.h:217
int in_msgtype
Definition: ssl.h:669
size_t verify_data_len
Definition: ssl.h:760
mpi G
Definition: dhm.h:147
int point_format
Definition: ecdh.h:55
int min_minor_ver
Definition: ssl.h:606
unsigned char * out_msg
Definition: ssl.h:683
#define SSL_MINOR_VERSION_0
Definition: ssl.h:141
int client_auth
Definition: ssl.h:719
int pk_verify(pk_context *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len)
Verify signature.
#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION
Handshake protocol not within min/max boundaries.
Definition: ssl.h:130
ecdh_context ecdh_ctx
Definition: ssl.h:508
#define SSL_HS_SERVER_HELLO_DONE
Definition: ssl.h:324
static x509_crt * ssl_own_cert(ssl_context *ssl)
Definition: ssl.h:1571
void(* polarssl_free)(void *ptr)
int ssl_handshake_client_step(ssl_context *ssl)
#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE
An unexpected message was received from our peer.
Definition: ssl.h:110
unsigned char * ticket
Definition: ssl.h:438
key_exchange_type_t key_exchange
int new_session_ticket
Definition: ssl.h:562
mpi GY
Definition: dhm.h:150
int trunc_hmac
Definition: ssl.h:448
Curve information for use by other modules.
Definition: ecp.h:86
int pk_can_do(pk_context *ctx, pk_type_t type)
Tell if a context can do the operation given by type.
void md5_starts(md5_context *ctx)
MD5 context setup.
unsigned char ssl_sig_from_pk(pk_context *pk)
int ssl_flush_output(ssl_context *ssl)
#define TLS_EXT_SESSION_TICKET
Definition: ssl.h:344
#define SSL_HS_SERVER_HELLO
Definition: ssl.h:319
#define SSL_COMPRESS_DEFLATE
Definition: ssl.h:196
unsigned char * in_msg
Definition: ssl.h:666
mpi z
Definition: ecdh.h:54
#define SSL_MINOR_VERSION_3
Definition: ssl.h:144
mpi K
Definition: dhm.h:151
MD5 context structure.
Definition: md5.h:54
#define TLS_EXT_RENEGOTIATION_INFO
Definition: ssl.h:346
pk_type_t
Public key types.
Definition: pk.h:90
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST
Processing of the CertificateRequest handshake message failed.
Definition: ssl.h:117
int ssl_parse_change_cipher_spec(ssl_context *ssl)
size_t hostname_len
Definition: ssl.h:752
int ecdh_read_params(ecdh_context *ctx, const unsigned char **buf, const unsigned char *end)
Parse the ServerKeyExhange parameters.
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
int minor_ver
Definition: ssl.h:601
#define SSL_EMPTY_RENEGOTIATION_INFO
renegotiation info ext
Definition: ssl.h:253
This structure is used for storing ciphersuite information.
#define SSL_HASH_SHA256
Definition: ssl.h:263
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:44
#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED
The own private key or pre-shared key is not set, but needed.
Definition: ssl.h:108
#define SSL_INITIAL_HANDSHAKE
Definition: ssl.h:202
#define SSL_MAX_MINOR_VERSION
Definition: ssl.h:169
int session_tickets
Definition: ssl.h:728
int allow_legacy_renegotiation
Definition: ssl.h:722
#define SSL_COMPRESS_NULL
Definition: ssl.h:195
const ssl_ciphersuite_t * ssl_ciphersuite_from_id(int ciphersuite_id)
int ssl_read_record(ssl_context *ssl)
int out_msgtype
Definition: ssl.h:685
#define TLS_EXT_MAX_FRAGMENT_LENGTH
Definition: ssl.h:335
size_t nbits
Definition: ecp.h:141
#define SSL_MAX_FRAG_LEN_NONE
Definition: ssl.h:186
#define SSL_HS_CERTIFICATE_VERIFY
Definition: ssl.h:325
#define TLS_EXT_SERVERNAME
Definition: ssl.h:332
int pk_sign(pk_context *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, unsigned char *sig, size_t *sig_len, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Make signature.
int dhm_make_public(dhm_context *ctx, int x_size, unsigned char *output, size_t olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Create own private value X and export G^X.
#define SSL_DEBUG_MPI(level, text, X)
Definition: debug.h:48
size_t mpi_size(const mpi *X)
Return the total size in bytes.
#define SSL_LEGACY_BREAK_HANDSHAKE
Definition: ssl.h:215
int pk_encrypt(pk_context *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, size_t osize, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Encrypt message.
int min_major_ver
Definition: ssl.h:605
pk_context pk
Container for the public key context.
Definition: x509_crt.h:71
ssl_transform * transform_negotiate
Definition: ssl.h:658
#define SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:207
#define SSL_HASH_SHA224
Definition: ssl.h:262
uint32_t ticket_lifetime
Definition: ssl.h:440
#define SSL_SECURE_RENEGOTIATION
Definition: ssl.h:208
SSL/TLS functions.
#define POLARSSL_ERR_SSL_MALLOC_FAILED
Memory allocation failed.
Definition: ssl.h:126
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
#define TLS_EXT_SUPPORTED_POINT_FORMATS
Definition: ssl.h:340
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
int ssl_write_change_cipher_spec(ssl_context *ssl)
#define SSL_DEBUG_ECP(level, text, X)
Definition: debug.h:53
uint16_t tls_id
Definition: ecp.h:89
int ssl_derive_keys(ssl_context *ssl)
static pk_context * ssl_own_key(ssl_context *ssl)
Definition: ssl.h:1565
int md_finish(md_context_t *ctx, unsigned char *output)
Generic message digest final digest.
int ssl_psk_derive_premaster(ssl_context *ssl, key_exchange_type_t key_ex)
int renegotiation
Definition: ssl.h:598
dhm_context dhm_ctx
Definition: ssl.h:505
static int safer_memcmp(const void *a, const void *b, size_t n)
Definition: ssl.h:1579
int md_free_ctx(md_context_t *ctx)
Free the message-specific context of ctx.
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
#define SSL_MAX_CONTENT_LEN
Size of the input / output buffer.
Definition: ssl.h:236
unsigned char * psk_identity
Definition: ssl.h:743
#define TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
Definition: ssl.h:339
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition: ssl.h:97
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE
Processing of the Certificate handshake message failed.
Definition: ssl.h:116
int md_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic message digest process buffer.
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition: ssl.h:98
#define SSL_HASH_SHA512
Definition: ssl.h:265
#define SSL_HASH_SHA384
Definition: ssl.h:264
int ssl_write_record(ssl_context *ssl)
unsigned char randbytes[64]
Definition: ssl.h:552
ecp_group grp
Definition: ecdh.h:50
Generic message digest context.
Definition: md.h:130
void ssl_optimize_checksum(ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info)
ecp_point Q
Definition: ecdh.h:52
x509_crt * peer_cert
Definition: ssl.h:433
md_type_t ssl_md_alg_from_hash(unsigned char hash)
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret (G^Y)^X mod P.