PolarSSL v1.3.4
ssl_srv.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 server-side functions
3  *
4  * Copyright (C) 2006-2013, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 #include "polarssl/config.h"
27 
28 #if defined(POLARSSL_SSL_SRV_C)
29 
30 #include "polarssl/debug.h"
31 #include "polarssl/ssl.h"
32 #if defined(POLARSSL_ECP_C)
33 #include "polarssl/ecp.h"
34 #endif
35 
36 #if defined(POLARSSL_MEMORY_C)
37 #include "polarssl/memory.h"
38 #else
39 #define polarssl_malloc malloc
40 #define polarssl_free free
41 #endif
42 
43 #include <stdlib.h>
44 #include <stdio.h>
45 
46 #if defined(POLARSSL_HAVE_TIME)
47 #include <time.h>
48 #endif
49 
50 #if defined(POLARSSL_SSL_SESSION_TICKETS)
51 /*
52  * Serialize a session in the following format:
53  * 0 . n-1 session structure, n = sizeof(ssl_session)
54  * n . n+2 peer_cert length = m (0 if no certificate)
55  * n+3 . n+2+m peer cert ASN.1
56  *
57  * Assumes ticket is NULL (always true on server side).
58  */
59 static int ssl_save_session( const ssl_session *session,
60  unsigned char *buf, size_t buf_len,
61  size_t *olen )
62 {
63  unsigned char *p = buf;
64  size_t left = buf_len;
65 #if defined(POLARSSL_X509_CRT_PARSE_C)
66  size_t cert_len;
67 #endif /* POLARSSL_X509_CRT_PARSE_C */
68 
69  if( left < sizeof( ssl_session ) )
70  return( -1 );
71 
72  memcpy( p, session, sizeof( ssl_session ) );
73  p += sizeof( ssl_session );
74  left -= sizeof( ssl_session );
75 
76 #if defined(POLARSSL_X509_CRT_PARSE_C)
77  if( session->peer_cert == NULL )
78  cert_len = 0;
79  else
80  cert_len = session->peer_cert->raw.len;
81 
82  if( left < 3 + cert_len )
83  return( -1 );
84 
85  *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
86  *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
87  *p++ = (unsigned char)( cert_len & 0xFF );
88 
89  if( session->peer_cert != NULL )
90  memcpy( p, session->peer_cert->raw.p, cert_len );
91 
92  p += cert_len;
93 #endif /* POLARSSL_X509_CRT_PARSE_C */
94 
95  *olen = p - buf;
96 
97  return( 0 );
98 }
99 
100 /*
101  * Unserialise session, see ssl_save_session()
102  */
103 static int ssl_load_session( ssl_session *session,
104  const unsigned char *buf, size_t len )
105 {
106  const unsigned char *p = buf;
107  const unsigned char * const end = buf + len;
108 #if defined(POLARSSL_X509_CRT_PARSE_C)
109  size_t cert_len;
110 #endif /* POLARSSL_X509_CRT_PARSE_C */
111 
112  if( p + sizeof( ssl_session ) > end )
114 
115  memcpy( session, p, sizeof( ssl_session ) );
116  p += sizeof( ssl_session );
117 
118 #if defined(POLARSSL_X509_CRT_PARSE_C)
119  if( p + 3 > end )
121 
122  cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
123  p += 3;
124 
125  if( cert_len == 0 )
126  {
127  session->peer_cert = NULL;
128  }
129  else
130  {
131  int ret;
132 
133  if( p + cert_len > end )
135 
136  session->peer_cert = polarssl_malloc( sizeof( x509_crt ) );
137 
138  if( session->peer_cert == NULL )
140 
141  x509_crt_init( session->peer_cert );
142 
143  if( ( ret = x509_crt_parse( session->peer_cert, p, cert_len ) ) != 0 )
144  {
145  x509_crt_free( session->peer_cert );
146  polarssl_free( session->peer_cert );
147  session->peer_cert = NULL;
148  return( ret );
149  }
150 
151  p += cert_len;
152  }
153 #endif /* POLARSSL_X509_CRT_PARSE_C */
154 
155  if( p != end )
157 
158  return( 0 );
159 }
160 
161 /*
162  * Create session ticket, secured as recommended in RFC 5077 section 4:
163  *
164  * struct {
165  * opaque key_name[16];
166  * opaque iv[16];
167  * opaque encrypted_state<0..2^16-1>;
168  * opaque mac[32];
169  * } ticket;
170  *
171  * (the internal state structure differs, however).
172  */
173 static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
174 {
175  int ret;
176  unsigned char * const start = ssl->out_msg + 10;
177  unsigned char *p = start;
178  unsigned char *state;
179  unsigned char iv[16];
180  size_t clear_len, enc_len, pad_len, i;
181 
182  *tlen = 0;
183 
184  if( ssl->ticket_keys == NULL )
186 
187  /* Write key name */
188  memcpy( p, ssl->ticket_keys->key_name, 16 );
189  p += 16;
190 
191  /* Generate and write IV (with a copy for aes_crypt) */
192  if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
193  return( ret );
194  memcpy( iv, p, 16 );
195  p += 16;
196 
197  /*
198  * Dump session state
199  *
200  * After the session state itself, we still need room for 16 bytes of
201  * padding and 32 bytes of MAC, so there's only so much room left
202  */
203  state = p + 2;
204  if( ssl_save_session( ssl->session_negotiate, state,
205  SSL_MAX_CONTENT_LEN - (state - ssl->out_ctr) - 48,
206  &clear_len ) != 0 )
207  {
209  }
210  SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
211 
212  /* Apply PKCS padding */
213  pad_len = 16 - clear_len % 16;
214  enc_len = clear_len + pad_len;
215  for( i = clear_len; i < enc_len; i++ )
216  state[i] = (unsigned char) pad_len;
217 
218  /* Encrypt */
219  if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
220  enc_len, iv, state, state ) ) != 0 )
221  {
222  return( ret );
223  }
224 
225  /* Write length */
226  *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
227  *p++ = (unsigned char)( ( enc_len ) & 0xFF );
228  p = state + enc_len;
229 
230  /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
231  sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
232  p += 32;
233 
234  *tlen = p - start;
235 
236  SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
237 
238  return( 0 );
239 }
240 
241 /*
242  * Load session ticket (see ssl_write_ticket for structure)
243  */
244 static int ssl_parse_ticket( ssl_context *ssl,
245  unsigned char *buf,
246  size_t len )
247 {
248  int ret;
249  ssl_session session;
250  unsigned char *key_name = buf;
251  unsigned char *iv = buf + 16;
252  unsigned char *enc_len_p = iv + 16;
253  unsigned char *ticket = enc_len_p + 2;
254  unsigned char *mac;
255  unsigned char computed_mac[32];
256  size_t enc_len, clear_len, i;
257  unsigned char pad_len, diff;
258 
259  SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
260 
261  if( len < 34 || ssl->ticket_keys == NULL )
263 
264  enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
265  mac = ticket + enc_len;
266 
267  if( len != enc_len + 66 )
269 
270  /* Check name, in constant time though it's not a big secret */
271  diff = 0;
272  for( i = 0; i < 16; i++ )
273  diff |= key_name[i] ^ ssl->ticket_keys->key_name[i];
274  /* don't return yet, check the MAC anyway */
275 
276  /* Check mac, with constant-time buffer comparison */
277  sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
278  computed_mac, 0 );
279 
280  for( i = 0; i < 32; i++ )
281  diff |= mac[i] ^ computed_mac[i];
282 
283  /* Now return if ticket is not authentic, since we want to avoid
284  * decrypting arbitrary attacker-chosen data */
285  if( diff != 0 )
287 
288  /* Decrypt */
289  if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
290  enc_len, iv, ticket, ticket ) ) != 0 )
291  {
292  return( ret );
293  }
294 
295  /* Check PKCS padding */
296  pad_len = ticket[enc_len - 1];
297 
298  ret = 0;
299  for( i = 2; i < pad_len; i++ )
300  if( ticket[enc_len - i] != pad_len )
302  if( ret != 0 )
303  return( ret );
304 
305  clear_len = enc_len - pad_len;
306 
307  SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
308 
309  /* Actually load session */
310  if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
311  {
312  SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
313  memset( &session, 0, sizeof( ssl_session ) );
314  return( ret );
315  }
316 
317 #if defined(POLARSSL_HAVE_TIME)
318  /* Check if still valid */
319  if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
320  {
321  SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
322  memset( &session, 0, sizeof( ssl_session ) );
324  }
325 #endif
326 
327  /*
328  * Keep the session ID sent by the client, since we MUST send it back to
329  * inform him we're accepting the ticket (RFC 5077 section 3.4)
330  */
331  session.length = ssl->session_negotiate->length;
332  memcpy( &session.id, ssl->session_negotiate->id, session.length );
333 
335  memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
336  memset( &session, 0, sizeof( ssl_session ) );
337 
338  return( 0 );
339 }
340 #endif /* POLARSSL_SSL_SESSION_TICKETS */
341 
342 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
343 /*
344  * Wrapper around f_sni, allowing use of ssl_set_own_cert() but
345  * making it act on ssl->hanshake->sni_key_cert instead.
346  */
347 static int ssl_sni_wrapper( ssl_context *ssl,
348  const unsigned char* name, size_t len )
349 {
350  int ret;
351  ssl_key_cert *key_cert_ori = ssl->key_cert;
352 
353  ssl->key_cert = NULL;
354  ret = ssl->f_sni( ssl->p_sni, ssl, name, len );
355  ssl->handshake->sni_key_cert = ssl->key_cert;
356 
357  ssl->key_cert = key_cert_ori;
358 
359  return( ret );
360 }
361 
362 static int ssl_parse_servername_ext( ssl_context *ssl,
363  const unsigned char *buf,
364  size_t len )
365 {
366  int ret;
367  size_t servername_list_size, hostname_len;
368  const unsigned char *p;
369 
370  servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
371  if( servername_list_size + 2 != len )
372  {
373  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
375  }
376 
377  p = buf + 2;
378  while( servername_list_size > 0 )
379  {
380  hostname_len = ( ( p[1] << 8 ) | p[2] );
381  if( hostname_len + 3 > servername_list_size )
382  {
383  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
385  }
386 
387  if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
388  {
389  ret = ssl_sni_wrapper( ssl, p + 3, hostname_len );
390  if( ret != 0 )
391  {
395  }
396  return( 0 );
397  }
398 
399  servername_list_size -= hostname_len + 3;
400  p += hostname_len + 3;
401  }
402 
403  if( servername_list_size != 0 )
404  {
405  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
407  }
408 
409  return( 0 );
410 }
411 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
412 
413 static int ssl_parse_renegotiation_info( ssl_context *ssl,
414  const unsigned char *buf,
415  size_t len )
416 {
417  int ret;
418 
420  {
421  if( len != 1 || buf[0] != 0x0 )
422  {
423  SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
424 
425  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
426  return( ret );
427 
429  }
430 
432  }
433  else
434  {
435  /* Check verify-data in constant-time. The length OTOH is no secret */
436  if( len != 1 + ssl->verify_data_len ||
437  buf[0] != ssl->verify_data_len ||
438  safer_memcmp( buf + 1, ssl->peer_verify_data,
439  ssl->verify_data_len ) != 0 )
440  {
441  SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
442 
443  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
444  return( ret );
445 
447  }
448  }
449 
450  return( 0 );
451 }
452 
453 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
454 static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
455  const unsigned char *buf,
456  size_t len )
457 {
458  size_t sig_alg_list_size;
459  const unsigned char *p;
460 
461  sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
462  if( sig_alg_list_size + 2 != len ||
463  sig_alg_list_size %2 != 0 )
464  {
465  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
467  }
468 
469  p = buf + 2;
470  while( sig_alg_list_size > 0 )
471  {
472  /*
473  * For now, just ignore signature algorithm and rely on offered
474  * ciphersuites only. To be fixed later.
475  */
476 #if defined(POLARSSL_SHA512_C)
477  if( p[0] == SSL_HASH_SHA512 )
478  {
480  break;
481  }
482  if( p[0] == SSL_HASH_SHA384 )
483  {
485  break;
486  }
487 #endif
488 #if defined(POLARSSL_SHA256_C)
489  if( p[0] == SSL_HASH_SHA256 )
490  {
492  break;
493  }
494  if( p[0] == SSL_HASH_SHA224 )
495  {
497  break;
498  }
499 #endif
500  if( p[0] == SSL_HASH_SHA1 )
501  {
503  break;
504  }
505  if( p[0] == SSL_HASH_MD5 )
506  {
508  break;
509  }
510 
511  sig_alg_list_size -= 2;
512  p += 2;
513  }
514 
515  SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
516  ssl->handshake->sig_alg ) );
517 
518  return( 0 );
519 }
520 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
521 
522 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
523 static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
524  const unsigned char *buf,
525  size_t len )
526 {
527  size_t list_size, our_size;
528  const unsigned char *p;
529  const ecp_curve_info *curve_info, **curves;
530 
531  list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
532  if( list_size + 2 != len ||
533  list_size % 2 != 0 )
534  {
535  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
537  }
538 
539  /* Don't allow our peer to make use allocated too much memory,
540  * and leave room for a final 0 */
541  our_size = list_size / 2 + 1;
542  if( our_size > POLARSSL_ECP_DP_MAX )
543  our_size = POLARSSL_ECP_DP_MAX;
544 
545  if( ( curves = polarssl_malloc( our_size * sizeof( *curves ) ) ) == NULL )
547 
548  /* explicit void pointer cast for buggy MS compiler */
549  memset( (void *) curves, 0, our_size * sizeof( *curves ) );
550  ssl->handshake->curves = curves;
551 
552  p = buf + 2;
553  while( list_size > 0 && our_size > 1 )
554  {
555  curve_info = ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
556 
557  if( curve_info != NULL )
558  {
559  *curves++ = curve_info;
560  our_size--;
561  }
562 
563  list_size -= 2;
564  p += 2;
565  }
566 
567  return( 0 );
568 }
569 
570 static int ssl_parse_supported_point_formats( ssl_context *ssl,
571  const unsigned char *buf,
572  size_t len )
573 {
574  size_t list_size;
575  const unsigned char *p;
576 
577  list_size = buf[0];
578  if( list_size + 1 != len )
579  {
580  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
582  }
583 
584  p = buf + 2;
585  while( list_size > 0 )
586  {
587  if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
589  {
590  ssl->handshake->ecdh_ctx.point_format = p[0];
591  SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
592  return( 0 );
593  }
594 
595  list_size--;
596  p++;
597  }
598 
599  return( 0 );
600 }
601 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
602 
603 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
604 static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
605  const unsigned char *buf,
606  size_t len )
607 {
608  if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
609  {
610  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
612  }
613 
614  ssl->session_negotiate->mfl_code = buf[0];
615 
616  return( 0 );
617 }
618 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
619 
620 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
621 static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
622  const unsigned char *buf,
623  size_t len )
624 {
625  if( len != 0 )
626  {
627  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
629  }
630 
631  ((void) buf);
632 
634 
635  return( 0 );
636 }
637 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
638 
639 #if defined(POLARSSL_SSL_SESSION_TICKETS)
640 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
641  unsigned char *buf,
642  size_t len )
643 {
644  int ret;
645 
647  return( 0 );
648 
649  /* Remember the client asked us to send a new ticket */
650  ssl->handshake->new_session_ticket = 1;
651 
652  SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
653 
654  if( len == 0 )
655  return( 0 );
656 
658  {
659  SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
660  return( 0 );
661  }
662 
663  /*
664  * Failures are ok: just ignore the ticket and proceed.
665  */
666  if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
667  {
668  SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
669  return( 0 );
670  }
671 
672  SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
673 
674  ssl->handshake->resume = 1;
675 
676  /* Don't send a new ticket after all, this one is OK */
677  ssl->handshake->new_session_ticket = 0;
678 
679  return( 0 );
680 }
681 #endif /* POLARSSL_SSL_SESSION_TICKETS */
682 
683 /*
684  * Auxiliary functions for ServerHello parsing and related actions
685  */
686 
687 #if defined(POLARSSL_X509_CRT_PARSE_C)
688 /*
689  * Return 1 if the given EC key uses the given curve, 0 otherwise
690  */
691 #if defined(POLARSSL_ECDSA_C)
692 static int ssl_key_matches_curves( pk_context *pk,
693  const ecp_curve_info **curves )
694 {
695  const ecp_curve_info **crv = curves;
696  ecp_group_id grp_id = pk_ec( *pk )->grp.id;
697 
698  while( *crv != NULL )
699  {
700  if( (*crv)->grp_id == grp_id )
701  return( 1 );
702  crv++;
703  }
704 
705  return( 0 );
706 }
707 #endif /* POLARSSL_ECDSA_C */
708 
709 /*
710  * Try picking a certificate for this ciphersuite,
711  * return 0 on success and -1 on failure.
712  */
713 static int ssl_pick_cert( ssl_context *ssl,
714  const ssl_ciphersuite_t * ciphersuite_info )
715 {
716  ssl_key_cert *cur, *list;
717  pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
718 
719 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
720  if( ssl->handshake->sni_key_cert != NULL )
721  list = ssl->handshake->sni_key_cert;
722  else
723 #endif
724  list = ssl->handshake->key_cert;
725 
726  if( pk_alg == POLARSSL_PK_NONE )
727  return( 0 );
728 
729  for( cur = list; cur != NULL; cur = cur->next )
730  {
731  if( ! pk_can_do( cur->key, pk_alg ) )
732  continue;
733 
734 #if defined(POLARSSL_ECDSA_C)
735  if( pk_alg == POLARSSL_PK_ECDSA )
736  {
737  if( ssl_key_matches_curves( cur->key, ssl->handshake->curves ) )
738  break;
739  }
740  else
741 #endif
742  break;
743  }
744 
745  if( cur == NULL )
746  return( -1 );
747 
748  ssl->handshake->key_cert = cur;
749  return( 0 );
750 }
751 #endif /* POLARSSL_X509_CRT_PARSE_C */
752 
753 /*
754  * Check if a given ciphersuite is suitable for use with our config/keys/etc
755  * Sets ciphersuite_info only if the suite matches.
756  */
757 static int ssl_ciphersuite_match( ssl_context *ssl, int suite_id,
758  const ssl_ciphersuite_t **ciphersuite_info )
759 {
760  const ssl_ciphersuite_t *suite_info;
761 
762  suite_info = ssl_ciphersuite_from_id( suite_id );
763  if( suite_info == NULL )
764  {
765  SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", suite_id ) );
767  }
768 
769  if( suite_info->min_minor_ver > ssl->minor_ver ||
770  suite_info->max_minor_ver < ssl->minor_ver )
771  return( 0 );
772 
773 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
774  if( ssl_ciphersuite_uses_ec( suite_info ) &&
775  ( ssl->handshake->curves == NULL ||
776  ssl->handshake->curves[0] == NULL ) )
777  return( 0 );
778 #endif
779 
780 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
781  /* If the ciphersuite requires a pre-shared key and we don't
782  * have one, skip it now rather than failing later */
783  if( ssl_ciphersuite_uses_psk( suite_info ) &&
784  ssl->f_psk == NULL &&
785  ( ssl->psk == NULL || ssl->psk_identity == NULL ||
786  ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
787  return( 0 );
788 #endif
789 
790 #if defined(POLARSSL_X509_CRT_PARSE_C)
791  /*
792  * Final check: if ciphersuite requires us to have a
793  * certificate/key of a particular type:
794  * - select the appropriate certificate if we have one, or
795  * - try the next ciphersuite if we don't
796  * This must be done last since we modify the key_cert list.
797  */
798  if( ssl_pick_cert( ssl, suite_info ) != 0 )
799  return( 0 );
800 #endif
801 
802  *ciphersuite_info = suite_info;
803  return( 0 );
804 }
805 
806 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
807 static int ssl_parse_client_hello_v2( ssl_context *ssl )
808 {
809  int ret;
810  unsigned int i, j;
811  size_t n;
812  unsigned int ciph_len, sess_len, chal_len;
813  unsigned char *buf, *p;
814  const int *ciphersuites;
815  const ssl_ciphersuite_t *ciphersuite_info;
816 
817  SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
818 
820  {
821  SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
822 
823  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
824  return( ret );
825 
827  }
828 
829  buf = ssl->in_hdr;
830 
831  SSL_DEBUG_BUF( 4, "record header", buf, 5 );
832 
833  SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
834  buf[2] ) );
835  SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
836  ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
837  SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
838  buf[3], buf[4] ) );
839 
840  /*
841  * SSLv2 Client Hello
842  *
843  * Record layer:
844  * 0 . 1 message length
845  *
846  * SSL layer:
847  * 2 . 2 message type
848  * 3 . 4 protocol version
849  */
850  if( buf[2] != SSL_HS_CLIENT_HELLO ||
851  buf[3] != SSL_MAJOR_VERSION_3 )
852  {
853  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
855  }
856 
857  n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
858 
859  if( n < 17 || n > 512 )
860  {
861  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
863  }
864 
866  ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
867  ? buf[4] : ssl->max_minor_ver;
868 
869  if( ssl->minor_ver < ssl->min_minor_ver )
870  {
871  SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
872  " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
873  ssl->min_major_ver, ssl->min_minor_ver ) );
874 
878  }
879 
880  ssl->handshake->max_major_ver = buf[3];
881  ssl->handshake->max_minor_ver = buf[4];
882 
883  if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
884  {
885  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
886  return( ret );
887  }
888 
889  ssl->handshake->update_checksum( ssl, buf + 2, n );
890 
891  buf = ssl->in_msg;
892  n = ssl->in_left - 5;
893 
894  /*
895  * 0 . 1 ciphersuitelist length
896  * 2 . 3 session id length
897  * 4 . 5 challenge length
898  * 6 . .. ciphersuitelist
899  * .. . .. session id
900  * .. . .. challenge
901  */
902  SSL_DEBUG_BUF( 4, "record contents", buf, n );
903 
904  ciph_len = ( buf[0] << 8 ) | buf[1];
905  sess_len = ( buf[2] << 8 ) | buf[3];
906  chal_len = ( buf[4] << 8 ) | buf[5];
907 
908  SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
909  ciph_len, sess_len, chal_len ) );
910 
911  /*
912  * Make sure each parameter length is valid
913  */
914  if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
915  {
916  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
918  }
919 
920  if( sess_len > 32 )
921  {
922  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
924  }
925 
926  if( chal_len < 8 || chal_len > 32 )
927  {
928  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
930  }
931 
932  if( n != 6 + ciph_len + sess_len + chal_len )
933  {
934  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
936  }
937 
938  SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
939  buf + 6, ciph_len );
940  SSL_DEBUG_BUF( 3, "client hello, session id",
941  buf + 6 + ciph_len, sess_len );
942  SSL_DEBUG_BUF( 3, "client hello, challenge",
943  buf + 6 + ciph_len + sess_len, chal_len );
944 
945  p = buf + 6 + ciph_len;
946  ssl->session_negotiate->length = sess_len;
947  memset( ssl->session_negotiate->id, 0, sizeof( ssl->session_negotiate->id ) );
948  memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
949 
950  p += sess_len;
951  memset( ssl->handshake->randbytes, 0, 64 );
952  memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
953 
954  /*
955  * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
956  */
957  for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
958  {
959  if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
960  {
961  SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
962  if( ssl->renegotiation == SSL_RENEGOTIATION )
963  {
964  SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
965 
966  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
967  return( ret );
968 
970  }
972  break;
973  }
974  }
975 
976  ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
977  ciphersuite_info = NULL;
978 #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
979  for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
980  {
981  for( i = 0; ciphersuites[i] != 0; i++ )
982 #else
983  for( i = 0; ciphersuites[i] != 0; i++ )
984  {
985  for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
986 #endif
987  {
988  if( p[0] != 0 ||
989  p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
990  p[2] != ( ( ciphersuites[i] ) & 0xFF ) )
991  continue;
992 
993  if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
994  &ciphersuite_info ) ) != 0 )
995  return( ret );
996 
997  if( ciphersuite_info != NULL )
998  goto have_ciphersuite_v2;
999  }
1000  }
1001 
1002  SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1003 
1005 
1006 have_ciphersuite_v2:
1007  ssl->session_negotiate->ciphersuite = ciphersuites[i];
1008  ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1010 
1011  /*
1012  * SSLv2 Client Hello relevant renegotiation security checks
1013  */
1016  {
1017  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1018 
1019  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1020  return( ret );
1021 
1023  }
1024 
1025  ssl->in_left = 0;
1026  ssl->state++;
1027 
1028  SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
1029 
1030  return( 0 );
1031 }
1032 #endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
1033 
1034 static int ssl_parse_client_hello( ssl_context *ssl )
1035 {
1036  int ret;
1037  unsigned int i, j;
1038  size_t n;
1039  unsigned int ciph_len, sess_len;
1040  unsigned int comp_len;
1041  unsigned int ext_len = 0;
1042  unsigned char *buf, *p, *ext;
1043  int renegotiation_info_seen = 0;
1044  int handshake_failure = 0;
1045  const int *ciphersuites;
1046  const ssl_ciphersuite_t *ciphersuite_info;
1047 
1048  SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
1049 
1050  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
1051  ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1052  {
1053  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1054  return( ret );
1055  }
1056 
1057  buf = ssl->in_hdr;
1058 
1059 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1060  if( ( buf[0] & 0x80 ) != 0 )
1061  return ssl_parse_client_hello_v2( ssl );
1062 #endif
1063 
1064  SSL_DEBUG_BUF( 4, "record header", buf, 5 );
1065 
1066  SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
1067  buf[0] ) );
1068  SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
1069  ( buf[3] << 8 ) | buf[4] ) );
1070  SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
1071  buf[1], buf[2] ) );
1072 
1073  /*
1074  * SSLv3 Client Hello
1075  *
1076  * Record layer:
1077  * 0 . 0 message type
1078  * 1 . 2 protocol version
1079  * 3 . 4 message length
1080  */
1081  if( buf[0] != SSL_MSG_HANDSHAKE ||
1082  buf[1] != SSL_MAJOR_VERSION_3 )
1083  {
1084  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1086  }
1087 
1088  n = ( buf[3] << 8 ) | buf[4];
1089 
1090  if( n < 45 || n > 2048 )
1091  {
1092  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1094  }
1095 
1096  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
1097  ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
1098  {
1099  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1100  return( ret );
1101  }
1102 
1103  buf = ssl->in_msg;
1104  if( !ssl->renegotiation )
1105  n = ssl->in_left - 5;
1106  else
1107  n = ssl->in_msglen;
1108 
1109  ssl->handshake->update_checksum( ssl, buf, n );
1110 
1111  /*
1112  * SSL layer:
1113  * 0 . 0 handshake type
1114  * 1 . 3 handshake length
1115  * 4 . 5 protocol version
1116  * 6 . 9 UNIX time()
1117  * 10 . 37 random bytes
1118  * 38 . 38 session id length
1119  * 39 . 38+x session id
1120  * 39+x . 40+x ciphersuitelist length
1121  * 41+x . .. ciphersuitelist
1122  * .. . .. compression alg.
1123  * .. . .. extensions
1124  */
1125  SSL_DEBUG_BUF( 4, "record contents", buf, n );
1126 
1127  SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
1128  buf[0] ) );
1129  SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
1130  ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
1131  SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
1132  buf[4], buf[5] ) );
1133 
1134  /*
1135  * Check the handshake type and protocol version
1136  */
1137  if( buf[0] != SSL_HS_CLIENT_HELLO ||
1138  buf[4] != SSL_MAJOR_VERSION_3 )
1139  {
1140  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1142  }
1143 
1145  ssl->minor_ver = ( buf[5] <= ssl->max_minor_ver )
1146  ? buf[5] : ssl->max_minor_ver;
1147 
1148  if( ssl->minor_ver < ssl->min_minor_ver )
1149  {
1150  SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1151  " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
1152  ssl->min_major_ver, ssl->min_minor_ver ) );
1153 
1156 
1158  }
1159 
1160  ssl->handshake->max_major_ver = buf[4];
1161  ssl->handshake->max_minor_ver = buf[5];
1162 
1163  memcpy( ssl->handshake->randbytes, buf + 6, 32 );
1164 
1165  /*
1166  * Check the handshake message length
1167  */
1168  if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
1169  {
1170  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1172  }
1173 
1174  /*
1175  * Check the session length
1176  */
1177  sess_len = buf[38];
1178 
1179  if( sess_len > 32 )
1180  {
1181  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1183  }
1184 
1185  ssl->session_negotiate->length = sess_len;
1186  memset( ssl->session_negotiate->id, 0,
1187  sizeof( ssl->session_negotiate->id ) );
1188  memcpy( ssl->session_negotiate->id, buf + 39,
1189  ssl->session_negotiate->length );
1190 
1191  /*
1192  * Check the ciphersuitelist length
1193  */
1194  ciph_len = ( buf[39 + sess_len] << 8 )
1195  | ( buf[40 + sess_len] );
1196 
1197  if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
1198  {
1199  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1201  }
1202 
1203  /*
1204  * Check the compression algorithms length
1205  */
1206  comp_len = buf[41 + sess_len + ciph_len];
1207 
1208  if( comp_len < 1 || comp_len > 16 )
1209  {
1210  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1212  }
1213 
1214  /*
1215  * Check the extension length
1216  */
1217  if( n > 42 + sess_len + ciph_len + comp_len )
1218  {
1219  ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
1220  | ( buf[43 + sess_len + ciph_len + comp_len] );
1221 
1222  if( ( ext_len > 0 && ext_len < 4 ) ||
1223  n != 44 + sess_len + ciph_len + comp_len + ext_len )
1224  {
1225  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1226  SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
1228  }
1229  }
1230 
1232 #if defined(POLARSSL_ZLIB_SUPPORT)
1233  for( i = 0; i < comp_len; ++i )
1234  {
1235  if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
1236  {
1238  break;
1239  }
1240  }
1241 #endif
1242 
1243  SSL_DEBUG_BUF( 3, "client hello, random bytes",
1244  buf + 6, 32 );
1245  SSL_DEBUG_BUF( 3, "client hello, session id",
1246  buf + 38, sess_len );
1247  SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1248  buf + 41 + sess_len, ciph_len );
1249  SSL_DEBUG_BUF( 3, "client hello, compression",
1250  buf + 42 + sess_len + ciph_len, comp_len );
1251 
1252  /*
1253  * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1254  */
1255  for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1256  {
1257  if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
1258  {
1259  SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1260  if( ssl->renegotiation == SSL_RENEGOTIATION )
1261  {
1262  SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
1263 
1264  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1265  return( ret );
1266 
1268  }
1270  break;
1271  }
1272  }
1273 
1274  ext = buf + 44 + sess_len + ciph_len + comp_len;
1275 
1276  while( ext_len )
1277  {
1278  unsigned int ext_id = ( ( ext[0] << 8 )
1279  | ( ext[1] ) );
1280  unsigned int ext_size = ( ( ext[2] << 8 )
1281  | ( ext[3] ) );
1282 
1283  if( ext_size + 4 > ext_len )
1284  {
1285  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1287  }
1288  switch( ext_id )
1289  {
1290 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
1291  case TLS_EXT_SERVERNAME:
1292  SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1293  if( ssl->f_sni == NULL )
1294  break;
1295 
1296  ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1297  if( ret != 0 )
1298  return( ret );
1299  break;
1300 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
1301 
1303  SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1304  renegotiation_info_seen = 1;
1305 
1306  ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1307  if( ret != 0 )
1308  return( ret );
1309  break;
1310 
1311 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1312  case TLS_EXT_SIG_ALG:
1313  SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1314  if( ssl->renegotiation == SSL_RENEGOTIATION )
1315  break;
1316 
1317  ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1318  if( ret != 0 )
1319  return( ret );
1320  break;
1321 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1322 
1323 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1325  SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1326 
1327  ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1328  if( ret != 0 )
1329  return( ret );
1330  break;
1331 
1333  SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1335 
1336  ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1337  if( ret != 0 )
1338  return( ret );
1339  break;
1340 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1341 
1342 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1344  SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1345 
1346  ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1347  if( ret != 0 )
1348  return( ret );
1349  break;
1350 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
1351 
1352 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1354  SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1355 
1356  ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1357  if( ret != 0 )
1358  return( ret );
1359  break;
1360 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
1361 
1362 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1364  SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1365 
1366  ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1367  if( ret != 0 )
1368  return( ret );
1369  break;
1370 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1371 
1372  default:
1373  SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1374  ext_id ) );
1375  }
1376 
1377  ext_len -= 4 + ext_size;
1378  ext += 4 + ext_size;
1379 
1380  if( ext_len > 0 && ext_len < 4 )
1381  {
1382  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1384  }
1385  }
1386 
1387  /*
1388  * Renegotiation security checks
1389  */
1392  {
1393  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1394  handshake_failure = 1;
1395  }
1396  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1398  renegotiation_info_seen == 0 )
1399  {
1400  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1401  handshake_failure = 1;
1402  }
1403  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1406  {
1407  SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1408  handshake_failure = 1;
1409  }
1410  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1412  renegotiation_info_seen == 1 )
1413  {
1414  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1415  handshake_failure = 1;
1416  }
1417 
1418  if( handshake_failure == 1 )
1419  {
1420  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1421  return( ret );
1422 
1424  }
1425 
1426  /*
1427  * Search for a matching ciphersuite
1428  * (At the end because we need information from the EC-based extensions
1429  * and certificate from the SNI callback triggered by the SNI extension.)
1430  */
1431  ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1432  ciphersuite_info = NULL;
1433 #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1434  for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 )
1435  {
1436  for( i = 0; ciphersuites[i] != 0; i++ )
1437 #else
1438  for( i = 0; ciphersuites[i] != 0; i++ )
1439  {
1440  for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 )
1441 #endif
1442  {
1443  if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
1444  p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
1445  continue;
1446 
1447  if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1448  &ciphersuite_info ) ) != 0 )
1449  return( ret );
1450 
1451  if( ciphersuite_info != NULL )
1452  goto have_ciphersuite;
1453  }
1454  }
1455 
1456  SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1457 
1458  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1459  return( ret );
1460 
1462 
1463 have_ciphersuite:
1464  ssl->session_negotiate->ciphersuite = ciphersuites[i];
1465  ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1467 
1468  ssl->in_left = 0;
1469  ssl->state++;
1470 
1471  SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1472 
1473  return( 0 );
1474 }
1475 
1476 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1477 static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
1478  unsigned char *buf,
1479  size_t *olen )
1480 {
1481  unsigned char *p = buf;
1482 
1484  {
1485  *olen = 0;
1486  return;
1487  }
1488 
1489  SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1490 
1491  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
1492  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
1493 
1494  *p++ = 0x00;
1495  *p++ = 0x00;
1496 
1497  *olen = 4;
1498 }
1499 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
1500 
1501 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1502 static void ssl_write_session_ticket_ext( ssl_context *ssl,
1503  unsigned char *buf,
1504  size_t *olen )
1505 {
1506  unsigned char *p = buf;
1507 
1508  if( ssl->handshake->new_session_ticket == 0 )
1509  {
1510  *olen = 0;
1511  return;
1512  }
1513 
1514  SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1515 
1516  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
1517  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
1518 
1519  *p++ = 0x00;
1520  *p++ = 0x00;
1521 
1522  *olen = 4;
1523 }
1524 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1525 
1526 static void ssl_write_renegotiation_ext( ssl_context *ssl,
1527  unsigned char *buf,
1528  size_t *olen )
1529 {
1530  unsigned char *p = buf;
1531 
1533  {
1534  *olen = 0;
1535  return;
1536  }
1537 
1538  SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1539 
1540  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
1541  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
1542 
1543  *p++ = 0x00;
1544  *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
1545  *p++ = ssl->verify_data_len * 2 & 0xFF;
1546 
1547  memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
1548  p += ssl->verify_data_len;
1549  memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
1550  p += ssl->verify_data_len;
1551 
1552  *olen = 5 + ssl->verify_data_len * 2;
1553 }
1554 
1555 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1556 static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
1557  unsigned char *buf,
1558  size_t *olen )
1559 {
1560  unsigned char *p = buf;
1561 
1563  {
1564  *olen = 0;
1565  return;
1566  }
1567 
1568  SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
1569 
1570  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
1571  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
1572 
1573  *p++ = 0x00;
1574  *p++ = 1;
1575 
1576  *p++ = ssl->session_negotiate->mfl_code;
1577 
1578  *olen = 5;
1579 }
1580 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
1581 
1582 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1583 static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
1584  unsigned char *buf,
1585  size_t *olen )
1586 {
1587  unsigned char *p = buf;
1588  ((void) ssl);
1589 
1590  if( ( ssl->handshake->cli_exts &
1592  {
1593  *olen = 0;
1594  return;
1595  }
1596 
1597  SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
1598 
1599  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
1600  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
1601 
1602  *p++ = 0x00;
1603  *p++ = 2;
1604 
1605  *p++ = 1;
1607 
1608  *olen = 6;
1609 }
1610 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1611 
1612 static int ssl_write_server_hello( ssl_context *ssl )
1613 {
1614 #if defined(POLARSSL_HAVE_TIME)
1615  time_t t;
1616 #endif
1617  int ret;
1618  size_t olen, ext_len = 0, n;
1619  unsigned char *buf, *p;
1620 
1621  SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
1622 
1623  if( ssl->f_rng == NULL )
1624  {
1625  SSL_DEBUG_MSG( 1, ( "no RNG provided") );
1626  return( POLARSSL_ERR_SSL_NO_RNG );
1627  }
1628 
1629  /*
1630  * 0 . 0 handshake type
1631  * 1 . 3 handshake length
1632  * 4 . 5 protocol version
1633  * 6 . 9 UNIX time()
1634  * 10 . 37 random bytes
1635  */
1636  buf = ssl->out_msg;
1637  p = buf + 4;
1638 
1639  *p++ = (unsigned char) ssl->major_ver;
1640  *p++ = (unsigned char) ssl->minor_ver;
1641 
1642  SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
1643  buf[4], buf[5] ) );
1644 
1645 #if defined(POLARSSL_HAVE_TIME)
1646  t = time( NULL );
1647  *p++ = (unsigned char)( t >> 24 );
1648  *p++ = (unsigned char)( t >> 16 );
1649  *p++ = (unsigned char)( t >> 8 );
1650  *p++ = (unsigned char)( t );
1651 
1652  SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
1653 #else
1654  if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
1655  return( ret );
1656 
1657  p += 4;
1658 #endif
1659 
1660  if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
1661  return( ret );
1662 
1663  p += 28;
1664 
1665  memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
1666 
1667  SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
1668 
1669  /*
1670  * Resume is 0 by default, see ssl_handshake_init().
1671  * It may be already set to 1 by ssl_parse_session_ticket_ext().
1672  * If not, try looking up session ID in our cache.
1673  */
1674  if( ssl->handshake->resume == 0 &&
1676  ssl->session_negotiate->length != 0 &&
1677  ssl->f_get_cache != NULL &&
1678  ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
1679  {
1680  ssl->handshake->resume = 1;
1681  }
1682 
1683  if( ssl->handshake->resume == 0 )
1684  {
1685  /*
1686  * New session, create a new session id,
1687  * unless we're about to issue a session ticket
1688  */
1689  ssl->state++;
1690 
1691 #if defined(POLARSSL_HAVE_TIME)
1692  ssl->session_negotiate->start = time( NULL );
1693 #endif
1694 
1695 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1696  if( ssl->handshake->new_session_ticket != 0 )
1697  {
1698  ssl->session_negotiate->length = n = 0;
1699  memset( ssl->session_negotiate->id, 0, 32 );
1700  }
1701  else
1702 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1703  {
1704  ssl->session_negotiate->length = n = 32;
1705  if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
1706  n ) ) != 0 )
1707  return( ret );
1708  }
1709  }
1710  else
1711  {
1712  /*
1713  * Resuming a session
1714  */
1715  n = ssl->session_negotiate->length;
1717 
1718  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1719  {
1720  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1721  return( ret );
1722  }
1723  }
1724 
1725  /*
1726  * 38 . 38 session id length
1727  * 39 . 38+n session id
1728  * 39+n . 40+n chosen ciphersuite
1729  * 41+n . 41+n chosen compression alg.
1730  * 42+n . 43+n extensions length
1731  * 44+n . 43+n+m extensions
1732  */
1733  *p++ = (unsigned char) ssl->session_negotiate->length;
1734  memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
1735  p += ssl->session_negotiate->length;
1736 
1737  SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1738  SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
1739  SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
1740  ssl->handshake->resume ? "a" : "no" ) );
1741 
1742  *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
1743  *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
1744  *p++ = (unsigned char)( ssl->session_negotiate->compression );
1745 
1746  SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
1748  SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
1749  ssl->session_negotiate->compression ) );
1750 
1751  /*
1752  * First write extensions, then the total length
1753  */
1754  ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1755  ext_len += olen;
1756 
1757 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1758  ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1759  ext_len += olen;
1760 #endif
1761 
1762 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1763  ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1764  ext_len += olen;
1765 #endif
1766 
1767 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1768  ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1769  ext_len += olen;
1770 #endif
1771 
1772 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1773  ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1774  ext_len += olen;
1775 #endif
1776 
1777  SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
1778 
1779  *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1780  *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1781  p += ext_len;
1782 
1783  ssl->out_msglen = p - buf;
1785  ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
1786 
1787  ret = ssl_write_record( ssl );
1788 
1789  SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
1790 
1791  return( ret );
1792 }
1793 
1794 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1795  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1796  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
1797  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1798 static int ssl_write_certificate_request( ssl_context *ssl )
1799 {
1801  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1802 
1803  SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1804 
1805  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1806  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1807  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1808  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1809  {
1810  SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1811  ssl->state++;
1812  return( 0 );
1813  }
1814 
1815  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
1816  return( ret );
1817 }
1818 #else
1819 static int ssl_write_certificate_request( ssl_context *ssl )
1820 {
1822  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1823  size_t dn_size, total_dn_size; /* excluding length bytes */
1824  size_t ct_len, sa_len; /* including length bytes */
1825  unsigned char *buf, *p;
1826  const x509_crt *crt;
1827 
1828  SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1829 
1830  ssl->state++;
1831 
1832  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1833  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1834  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1835  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
1836  ssl->authmode == SSL_VERIFY_NONE )
1837  {
1838  SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1839  return( 0 );
1840  }
1841 
1842  /*
1843  * 0 . 0 handshake type
1844  * 1 . 3 handshake length
1845  * 4 . 4 cert type count
1846  * 5 .. m-1 cert types
1847  * m .. m+1 sig alg length (TLS 1.2 only)
1848  * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
1849  * n .. n+1 length of all DNs
1850  * n+2 .. n+3 length of DN 1
1851  * n+4 .. ... Distinguished Name #1
1852  * ... .. ... length of DN 2, etc.
1853  */
1854  buf = ssl->out_msg;
1855  p = buf + 4;
1856 
1857  /*
1858  * Supported certificate types
1859  *
1860  * ClientCertificateType certificate_types<1..2^8-1>;
1861  * enum { (255) } ClientCertificateType;
1862  */
1863  ct_len = 0;
1864 
1865 #if defined(POLARSSL_RSA_C)
1866  p[1 + ct_len++] = SSL_CERT_TYPE_RSA_SIGN;
1867 #endif
1868 #if defined(POLARSSL_ECDSA_C)
1869  p[1 + ct_len++] = SSL_CERT_TYPE_ECDSA_SIGN;
1870 #endif
1871 
1872  p[0] = (unsigned char) ct_len++;
1873  p += ct_len;
1874 
1875  sa_len = 0;
1876 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1877  /*
1878  * Add signature_algorithms for verify (TLS 1.2)
1879  *
1880  * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
1881  *
1882  * struct {
1883  * HashAlgorithm hash;
1884  * SignatureAlgorithm signature;
1885  * } SignatureAndHashAlgorithm;
1886  *
1887  * enum { (255) } HashAlgorithm;
1888  * enum { (255) } SignatureAlgorithm;
1889  */
1890  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1891  {
1892  /*
1893  * Only use current running hash algorithm that is already required
1894  * for requested ciphersuite.
1895  */
1897 
1900  {
1902  }
1903 
1904  /*
1905  * Supported signature algorithms
1906  */
1907 #if defined(POLARSSL_RSA_C)
1908  p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
1909  p[2 + sa_len++] = SSL_SIG_RSA;
1910 #endif
1911 #if defined(POLARSSL_ECDSA_C)
1912  p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
1913  p[2 + sa_len++] = SSL_SIG_ECDSA;
1914 #endif
1915 
1916  p[0] = (unsigned char)( sa_len >> 8 );
1917  p[1] = (unsigned char)( sa_len );
1918  sa_len += 2;
1919  p += sa_len;
1920  }
1921 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1922 
1923  /*
1924  * DistinguishedName certificate_authorities<0..2^16-1>;
1925  * opaque DistinguishedName<1..2^16-1>;
1926  */
1927  p += 2;
1928  crt = ssl->ca_chain;
1929 
1930  total_dn_size = 0;
1931  while( crt != NULL )
1932  {
1933  if( p - buf > 4096 )
1934  break;
1935 
1936  dn_size = crt->subject_raw.len;
1937  *p++ = (unsigned char)( dn_size >> 8 );
1938  *p++ = (unsigned char)( dn_size );
1939  memcpy( p, crt->subject_raw.p, dn_size );
1940  p += dn_size;
1941 
1942  SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
1943 
1944  total_dn_size += 2 + dn_size;
1945  crt = crt->next;
1946  }
1947 
1948  ssl->out_msglen = p - buf;
1951  ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
1952  ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
1953 
1954  ret = ssl_write_record( ssl );
1955 
1956  SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
1957 
1958  return( ret );
1959 }
1960 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
1961  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
1962  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
1963  !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1964 
1965 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1966  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1967 static int ssl_get_ecdh_params_from_cert( ssl_context *ssl )
1968 {
1969  int ret;
1970 
1971  if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECKEY ) )
1972  {
1973  SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
1975  }
1976 
1977  if( ( ret = ecdh_get_params( &ssl->handshake->ecdh_ctx,
1978  pk_ec( *ssl_own_key( ssl ) ),
1979  POLARSSL_ECDH_OURS ) ) != 0 )
1980  {
1981  SSL_DEBUG_RET( 1, ( "ecdh_get_params" ), ret );
1982  return( ret );
1983  }
1984 
1985  return( 0 );
1986 }
1987 #endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
1988  POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1989 
1990 static int ssl_write_server_key_exchange( ssl_context *ssl )
1991 {
1992  int ret;
1993  size_t n = 0;
1994  const ssl_ciphersuite_t *ciphersuite_info =
1996 
1997 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1998  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
1999  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2000  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2001  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2002  unsigned char *p = ssl->out_msg + 4;
2003  unsigned char *dig_signed = p;
2004  size_t dig_signed_len = 0, len;
2005  ((void) dig_signed);
2006  ((void) dig_signed_len);
2007 #endif
2008 
2009  SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
2010 
2011 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
2012  defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
2013  defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2014  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ||
2015  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2016  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
2017  {
2018  SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
2019  ssl->state++;
2020  return( 0 );
2021  }
2022 #endif
2023 
2024 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2025  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2026  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
2027  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
2028  {
2029  ssl_get_ecdh_params_from_cert( ssl );
2030 
2031  SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
2032  ssl->state++;
2033  return( 0 );
2034  }
2035 #endif
2036 
2037 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2038  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2039  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2040  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2041  {
2042  /* TODO: Support identity hints */
2043  *(p++) = 0x00;
2044  *(p++) = 0x00;
2045 
2046  n += 2;
2047  }
2048 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED ||
2049  POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2050 
2051 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2052  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2053  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
2054  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2055  {
2056  /*
2057  * Ephemeral DH parameters:
2058  *
2059  * struct {
2060  * opaque dh_p<1..2^16-1>;
2061  * opaque dh_g<1..2^16-1>;
2062  * opaque dh_Ys<1..2^16-1>;
2063  * } ServerDHParams;
2064  */
2065  if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
2066  ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
2067  {
2068  SSL_DEBUG_RET( 1, "mpi_copy", ret );
2069  return( ret );
2070  }
2071 
2072  if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
2073  (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
2074  p,
2075  &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
2076  {
2077  SSL_DEBUG_RET( 1, "dhm_make_params", ret );
2078  return( ret );
2079  }
2080 
2081  dig_signed = p;
2082  dig_signed_len = len;
2083 
2084  p += len;
2085  n += len;
2086 
2087  SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
2088  SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2089  SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2090  SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
2091  }
2092 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2093  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2094 
2095 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2096  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2097  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2098 
2099  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2100  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
2101  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2102  {
2103  /*
2104  * Ephemeral ECDH parameters:
2105  *
2106  * struct {
2107  * ECParameters curve_params;
2108  * ECPoint public;
2109  * } ServerECDHParams;
2110  */
2111  if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
2112  ssl->handshake->curves[0]->grp_id ) ) != 0 )
2113  {
2114  SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
2115  return( ret );
2116  }
2117 
2118  SSL_DEBUG_MSG( 2, ( "ECDH curve size: %d",
2119  (int) ssl->handshake->ecdh_ctx.grp.nbits ) );
2120 
2121  if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
2122  p, SSL_MAX_CONTENT_LEN - n,
2123  ssl->f_rng, ssl->p_rng ) ) != 0 )
2124  {
2125  SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
2126  return( ret );
2127  }
2128 
2129  dig_signed = p;
2130  dig_signed_len = len;
2131 
2132  p += len;
2133  n += len;
2134 
2135  SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
2136  }
2137 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2138  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2139  POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2140 
2141 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2142  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2143  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2144  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
2145  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2146  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
2147  {
2148  size_t signature_len = 0;
2149  unsigned int hashlen = 0;
2150  unsigned char hash[64];
2151  md_type_t md_alg = POLARSSL_MD_NONE;
2152 
2153  /*
2154  * Choose hash algorithm. NONE means MD5 + SHA1 here.
2155  */
2156 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2157  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2158  {
2159  md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg );
2160 
2161  if( md_alg == POLARSSL_MD_NONE )
2162  {
2163  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2165  }
2166  }
2167  else
2168 #endif
2169 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2170  defined(POLARSSL_SSL_PROTO_TLS1_1)
2171  if ( ciphersuite_info->key_exchange ==
2173  {
2174  md_alg = POLARSSL_MD_SHA1;
2175  }
2176  else
2177 #endif
2178  {
2179  md_alg = POLARSSL_MD_NONE;
2180  }
2181 
2182  /*
2183  * Compute the hash to be signed
2184  */
2185 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2186  defined(POLARSSL_SSL_PROTO_TLS1_1)
2187  if( md_alg == POLARSSL_MD_NONE )
2188  {
2189  md5_context md5;
2191 
2192  /*
2193  * digitally-signed struct {
2194  * opaque md5_hash[16];
2195  * opaque sha_hash[20];
2196  * };
2197  *
2198  * md5_hash
2199  * MD5(ClientHello.random + ServerHello.random
2200  * + ServerParams);
2201  * sha_hash
2202  * SHA(ClientHello.random + ServerHello.random
2203  * + ServerParams);
2204  */
2205  md5_starts( &md5 );
2206  md5_update( &md5, ssl->handshake->randbytes, 64 );
2207  md5_update( &md5, dig_signed, dig_signed_len );
2208  md5_finish( &md5, hash );
2209 
2210  sha1_starts( &sha1 );
2211  sha1_update( &sha1, ssl->handshake->randbytes, 64 );
2212  sha1_update( &sha1, dig_signed, dig_signed_len );
2213  sha1_finish( &sha1, hash + 16 );
2214 
2215  hashlen = 36;
2216  }
2217  else
2218 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
2219  POLARSSL_SSL_PROTO_TLS1_1 */
2220 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2221  defined(POLARSSL_SSL_PROTO_TLS1_2)
2222  if( md_alg != POLARSSL_MD_NONE )
2223  {
2224  md_context_t ctx;
2225 
2226  /* Info from md_alg will be used instead */
2227  hashlen = 0;
2228 
2229  /*
2230  * digitally-signed struct {
2231  * opaque client_random[32];
2232  * opaque server_random[32];
2233  * ServerDHParams params;
2234  * };
2235  */
2236  if( ( ret = md_init_ctx( &ctx, md_info_from_type(md_alg) ) ) != 0 )
2237  {
2238  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
2239  return( ret );
2240  }
2241 
2242  md_starts( &ctx );
2243  md_update( &ctx, ssl->handshake->randbytes, 64 );
2244  md_update( &ctx, dig_signed, dig_signed_len );
2245  md_finish( &ctx, hash );
2246 
2247  if( ( ret = md_free_ctx( &ctx ) ) != 0 )
2248  {
2249  SSL_DEBUG_RET( 1, "md_free_ctx", ret );
2250  return( ret );
2251  }
2252 
2253  }
2254  else
2255 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2256  POLARSSL_SSL_PROTO_TLS1_2 */
2257  {
2258  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2260  }
2261 
2262  SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
2263  (unsigned int) ( md_info_from_type( md_alg ) )->size );
2264 
2265  /*
2266  * Make the signature
2267  */
2268  if( ssl_own_key( ssl ) == NULL )
2269  {
2270  SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2272  }
2273 
2274 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2275  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2276  {
2277  *(p++) = ssl->handshake->sig_alg;
2278  *(p++) = ssl_sig_from_pk( ssl_own_key( ssl ) );
2279 
2280  n += 2;
2281  }
2282 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2283 
2284  if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash, hashlen,
2285  p + 2 , &signature_len,
2286  ssl->f_rng, ssl->p_rng ) ) != 0 )
2287  {
2288  SSL_DEBUG_RET( 1, "pk_sign", ret );
2289  return( ret );
2290  }
2291 
2292  *(p++) = (unsigned char)( signature_len >> 8 );
2293  *(p++) = (unsigned char)( signature_len );
2294  n += 2;
2295 
2296  SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
2297 
2298  p += signature_len;
2299  n += signature_len;
2300  }
2301 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
2302  POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2303  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2304 
2305  ssl->out_msglen = 4 + n;
2308 
2309  ssl->state++;
2310 
2311  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2312  {
2313  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2314  return( ret );
2315  }
2316 
2317  SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
2318 
2319  return( 0 );
2320 }
2321 
2322 static int ssl_write_server_hello_done( ssl_context *ssl )
2323 {
2324  int ret;
2325 
2326  SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
2327 
2328  ssl->out_msglen = 4;
2331 
2332  ssl->state++;
2333 
2334  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2335  {
2336  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2337  return( ret );
2338  }
2339 
2340  SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
2341 
2342  return( 0 );
2343 }
2344 
2345 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2346  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2347 static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
2348  const unsigned char *end )
2349 {
2351  size_t n;
2352 
2353  /*
2354  * Receive G^Y mod P, premaster = (G^Y)^X mod P
2355  */
2356  if( *p + 2 > end )
2357  {
2358  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2360  }
2361 
2362  n = ( (*p)[0] << 8 ) | (*p)[1];
2363  *p += 2;
2364 
2365  if( n < 1 || n > ssl->handshake->dhm_ctx.len || *p + n > end )
2366  {
2367  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2369  }
2370 
2371  if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx,
2372  *p, n ) ) != 0 )
2373  {
2374  SSL_DEBUG_RET( 1, "dhm_read_public", ret );
2376  }
2377 
2378  SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2379 
2380  return( ret );
2381 }
2382 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2383  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2384 
2385 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
2386  defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2387 static int ssl_parse_encrypted_pms( ssl_context *ssl,
2388  const unsigned char *p,
2389  const unsigned char *end,
2390  size_t pms_offset )
2391 {
2392  int ret;
2393  size_t len = pk_get_len( ssl_own_key( ssl ) );
2394  unsigned char *pms = ssl->handshake->premaster + pms_offset;
2395 
2396  if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) )
2397  {
2398  SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
2400  }
2401 
2402  /*
2403  * Decrypt the premaster using own private RSA key
2404  */
2405 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2406  defined(POLARSSL_SSL_PROTO_TLS1_2)
2407  if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
2408  {
2409  if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
2410  *p++ != ( ( len ) & 0xFF ) )
2411  {
2412  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2414  }
2415  }
2416 #endif
2417 
2418  if( p + len != end )
2419  {
2420  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2422  }
2423 
2424  ret = pk_decrypt( ssl_own_key( ssl ), p, len,
2425  pms, &ssl->handshake->pmslen,
2426  sizeof(ssl->handshake->premaster),
2427  ssl->f_rng, ssl->p_rng );
2428 
2429  if( ret != 0 || ssl->handshake->pmslen != 48 ||
2430  pms[0] != ssl->handshake->max_major_ver ||
2431  pms[1] != ssl->handshake->max_minor_ver )
2432  {
2433  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2434 
2435  /*
2436  * Protection against Bleichenbacher's attack:
2437  * invalid PKCS#1 v1.5 padding must not cause
2438  * the connection to end immediately; instead,
2439  * send a bad_record_mac later in the handshake.
2440  */
2441  ssl->handshake->pmslen = 48;
2442 
2443  ret = ssl->f_rng( ssl->p_rng, pms, ssl->handshake->pmslen );
2444  if( ret != 0 )
2445  return( ret );
2446  }
2447 
2448  return( ret );
2449 }
2450 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED ||
2451  POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
2452 
2453 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
2454 static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
2455  const unsigned char *end )
2456 {
2457  int ret = 0;
2458  size_t n;
2459 
2460  if( ssl->f_psk == NULL &&
2461  ( ssl->psk == NULL || ssl->psk_identity == NULL ||
2462  ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
2463  {
2464  SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
2466  }
2467 
2468  /*
2469  * Receive client pre-shared key identity name
2470  */
2471  if( *p + 2 > end )
2472  {
2473  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2475  }
2476 
2477  n = ( (*p)[0] << 8 ) | (*p)[1];
2478  *p += 2;
2479 
2480  if( n < 1 || n > 65535 || *p + n > end )
2481  {
2482  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2484  }
2485 
2486  if( ssl->f_psk != NULL )
2487  {
2488  if( ( ret != ssl->f_psk( ssl->p_psk, ssl, *p, n ) ) != 0 )
2490  }
2491 
2492  if( ret == 0 )
2493  {
2494  /* Identity is not a big secret since clients send it in the clear,
2495  * but treat it carefully anyway, just in case */
2496  if( n != ssl->psk_identity_len ||
2497  safer_memcmp( ssl->psk_identity, *p, n ) != 0 )
2498  {
2500  }
2501  }
2502 
2504  {
2505  SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
2506  if( ( ret = ssl_send_alert_message( ssl,
2509  {
2510  return( ret );
2511  }
2512 
2514  }
2515 
2516  *p += n;
2517  ret = 0;
2518 
2519  return( ret );
2520 }
2521 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
2522 
2523 static int ssl_parse_client_key_exchange( ssl_context *ssl )
2524 {
2525  int ret;
2526  const ssl_ciphersuite_t *ciphersuite_info;
2527 
2528  ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2529 
2530  SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
2531 
2532  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2533  {
2534  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2535  return( ret );
2536  }
2537 
2538  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2539  {
2540  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2542  }
2543 
2544  if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
2545  {
2546  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2548  }
2549 
2550 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
2551  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
2552  {
2553  unsigned char *p = ssl->in_msg + 4;
2554  unsigned char *end = ssl->in_msg + ssl->in_msglen;
2555 
2556  if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2557  {
2558  SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2559  return( ret );
2560  }
2561 
2562  ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
2563 
2564  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2565  ssl->handshake->premaster,
2566  &ssl->handshake->pmslen,
2567  ssl->f_rng, ssl->p_rng ) ) != 0 )
2568  {
2569  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2571  }
2572 
2573  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2574  }
2575  else
2576 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
2577 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2578  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2579  defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2580  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2581  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2582  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
2583  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
2584  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
2585  {
2586  size_t n = ssl->in_msg[3];
2587 
2588  if( n < 1 || n > mpi_size( &ssl->handshake->ecdh_ctx.grp.P ) * 2 + 2 ||
2589  n + 4 != ssl->in_hslen )
2590  {
2591  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2593  }
2594 
2595  if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2596  ssl->in_msg + 4, n ) ) != 0 )
2597  {
2598  SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2600  }
2601 
2602  SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2603 
2604  SSL_DEBUG_MSG( 0, ( "ECDH: id %d", ssl->handshake->ecdh_ctx.grp.id ) );
2605  SSL_DEBUG_ECP( 0, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
2606  SSL_DEBUG_MPI( 0, "ECDH: d ", &ssl->handshake->ecdh_ctx.d );
2607 
2608  if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2609  &ssl->handshake->pmslen,
2610  ssl->handshake->premaster,
2612  ssl->f_rng, ssl->p_rng ) ) != 0 )
2613  {
2614  SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
2616  }
2617 
2618  SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
2619  }
2620  else
2621 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2622  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2623  POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2624  POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2625 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2626  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
2627  {
2628  unsigned char *p = ssl->in_msg + 4;
2629  unsigned char *end = ssl->in_msg + ssl->in_msglen;
2630 
2631  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2632  {
2633  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2634  return( ret );
2635  }
2636 
2637  if( ( ret = ssl_psk_derive_premaster( ssl,
2638  ciphersuite_info->key_exchange ) ) != 0 )
2639  {
2640  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2641  return( ret );
2642  }
2643  }
2644  else
2645 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
2646 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2647  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
2648  {
2649  unsigned char *p = ssl->in_msg + 4;
2650  unsigned char *end = ssl->in_msg + ssl->in_msglen;
2651 
2652  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2653  {
2654  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2655  return( ret );
2656  }
2657 
2658  if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
2659  {
2660  SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
2661  return( ret );
2662  }
2663 
2664  if( ( ret = ssl_psk_derive_premaster( ssl,
2665  ciphersuite_info->key_exchange ) ) != 0 )
2666  {
2667  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2668  return( ret );
2669  }
2670  }
2671  else
2672 #endif /* POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
2673 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2674  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2675  {
2676  unsigned char *p = ssl->in_msg + 4;
2677  unsigned char *end = ssl->in_msg + ssl->in_msglen;
2678 
2679  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2680  {
2681  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2682  return( ret );
2683  }
2684  if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2685  {
2686  SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2687  return( ret );
2688  }
2689 
2690  if( ( ret = ssl_psk_derive_premaster( ssl,
2691  ciphersuite_info->key_exchange ) ) != 0 )
2692  {
2693  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2694  return( ret );
2695  }
2696  }
2697  else
2698 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2699 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2700  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2701  {
2702  unsigned char *p = ssl->in_msg + 4;
2703  unsigned char *end = ssl->in_msg + ssl->in_msglen;
2704 
2705  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2706  {
2707  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2708  return( ret );
2709  }
2710 
2711  if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2712  p, end - p ) ) != 0 )
2713  {
2714  SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2716  }
2717 
2718  SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2719 
2720  if( ( ret = ssl_psk_derive_premaster( ssl,
2721  ciphersuite_info->key_exchange ) ) != 0 )
2722  {
2723  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2724  return( ret );
2725  }
2726  }
2727  else
2728 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2729 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2730  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
2731  {
2732  if( ( ret = ssl_parse_encrypted_pms( ssl,
2733  ssl->in_msg + 4,
2734  ssl->in_msg + ssl->in_msglen,
2735  0 ) ) != 0 )
2736  {
2737  SSL_DEBUG_RET( 1, ( "ssl_parse_parse_ecrypted_pms_secret" ), ret );
2738  return( ret );
2739  }
2740  }
2741  else
2742 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2743  {
2744  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2746  }
2747 
2748  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2749  {
2750  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2751  return( ret );
2752  }
2753 
2754  ssl->state++;
2755 
2756  SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
2757 
2758  return( 0 );
2759 }
2760 
2761 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2762  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2763  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2764  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2765 static int ssl_parse_certificate_verify( ssl_context *ssl )
2766 {
2768  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2769 
2770  SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2771 
2772  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2773  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2774  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2775  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2776  {
2777  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2778  ssl->state++;
2779  return( 0 );
2780  }
2781 
2782  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
2783  return( ret );
2784 }
2785 #else
2786 static int ssl_parse_certificate_verify( ssl_context *ssl )
2787 {
2789  size_t sa_len, sig_len;
2790  unsigned char hash[48];
2791  unsigned char *hash_start = hash;
2792  size_t hashlen;
2793 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2794  pk_type_t pk_alg;
2795 #endif
2796  md_type_t md_alg;
2797  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2798 
2799  SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2800 
2801  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2802  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2803  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2804  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2805  {
2806  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2807  ssl->state++;
2808  return( 0 );
2809  }
2810 
2811  if( ssl->session_negotiate->peer_cert == NULL )
2812  {
2813  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2814  ssl->state++;
2815  return( 0 );
2816  }
2817 
2818  ssl->handshake->calc_verify( ssl, hash );
2819 
2820  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2821  {
2822  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2823  return( ret );
2824  }
2825 
2826  ssl->state++;
2827 
2828  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2829  {
2830  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
2832  }
2833 
2834  if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
2835  {
2836  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
2838  }
2839 
2840  /*
2841  * 0 . 0 handshake type
2842  * 1 . 3 handshake length
2843  * 4 . 5 sig alg (TLS 1.2 only)
2844  * 4+n . 5+n signature length (n = sa_len)
2845  * 6+n . 6+n+m signature (m = sig_len)
2846  */
2847 
2848 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2849  defined(POLARSSL_SSL_PROTO_TLS1_1)
2850  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
2851  {
2852  sa_len = 0;
2853 
2854  md_alg = POLARSSL_MD_NONE;
2855  hashlen = 36;
2856 
2857  /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
2858  if( pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2859  POLARSSL_PK_ECDSA ) )
2860  {
2861  hash_start += 16;
2862  hashlen -= 16;
2863  md_alg = POLARSSL_MD_SHA1;
2864  }
2865  }
2866  else
2867 #endif
2868 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2869  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2870  {
2871  sa_len = 2;
2872 
2873  /*
2874  * Hash
2875  */
2876  if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg )
2877  {
2878  SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
2879  " for verify message" ) );
2881  }
2882 
2883  md_alg = ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg );
2884 
2885  /* Info from md_alg will be used instead */
2886  hashlen = 0;
2887 
2888  /*
2889  * Signature
2890  */
2891  if( ( pk_alg = ssl_pk_alg_from_sig( ssl->in_msg[5] ) )
2892  == POLARSSL_PK_NONE )
2893  {
2894  SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
2895  " for verify message" ) );
2897  }
2898 
2899  /*
2900  * Check the certificate's key type matches the signature alg
2901  */
2902  if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
2903  {
2904  SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
2906  }
2907  }
2908  else
2909 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2910  {
2911  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2913  }
2914 
2915  sig_len = ( ssl->in_msg[4 + sa_len] << 8 ) | ssl->in_msg[5 + sa_len];
2916 
2917  if( sa_len + sig_len + 6 != ssl->in_hslen )
2918  {
2919  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
2921  }
2922 
2923  if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
2924  md_alg, hash_start, hashlen,
2925  ssl->in_msg + 6 + sa_len, sig_len ) ) != 0 )
2926  {
2927  SSL_DEBUG_RET( 1, "pk_verify", ret );
2928  return( ret );
2929  }
2930 
2931  SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
2932 
2933  return( ret );
2934 }
2935 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2936  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2937  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2938 
2939 #if defined(POLARSSL_SSL_SESSION_TICKETS)
2940 static int ssl_write_new_session_ticket( ssl_context *ssl )
2941 {
2942  int ret;
2943  size_t tlen;
2944  uint32_t lifetime = (uint32_t) ssl->ticket_lifetime;
2945 
2946  SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
2947 
2950 
2951  /*
2952  * struct {
2953  * uint32 ticket_lifetime_hint;
2954  * opaque ticket<0..2^16-1>;
2955  * } NewSessionTicket;
2956  *
2957  * 4 . 7 ticket_lifetime_hint (0 = unspecified)
2958  * 8 . 9 ticket_len (n)
2959  * 10 . 9+n ticket content
2960  */
2961 
2962  ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
2963  ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
2964  ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
2965  ssl->out_msg[7] = ( lifetime ) & 0xFF;
2966 
2967  if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
2968  {
2969  SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
2970  tlen = 0;
2971  }
2972 
2973  ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
2974  ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
2975 
2976  ssl->out_msglen = 10 + tlen;
2977 
2978  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2979  {
2980  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2981  return( ret );
2982  }
2983 
2984  /* No need to remember writing a NewSessionTicket any more */
2985  ssl->handshake->new_session_ticket = 0;
2986 
2987  SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
2988 
2989  return( 0 );
2990 }
2991 #endif /* POLARSSL_SSL_SESSION_TICKETS */
2992 
2993 /*
2994  * SSL handshake -- server side -- single step
2995  */
2997 {
2998  int ret = 0;
2999 
3000  if( ssl->state == SSL_HANDSHAKE_OVER )
3002 
3003  SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
3004 
3005  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3006  return( ret );
3007 
3008  switch( ssl->state )
3009  {
3010  case SSL_HELLO_REQUEST:
3011  ssl->state = SSL_CLIENT_HELLO;
3012  break;
3013 
3014  /*
3015  * <== ClientHello
3016  */
3017  case SSL_CLIENT_HELLO:
3018  ret = ssl_parse_client_hello( ssl );
3019  break;
3020 
3021  /*
3022  * ==> ServerHello
3023  * Certificate
3024  * ( ServerKeyExchange )
3025  * ( CertificateRequest )
3026  * ServerHelloDone
3027  */
3028  case SSL_SERVER_HELLO:
3029  ret = ssl_write_server_hello( ssl );
3030  break;
3031 
3033  ret = ssl_write_certificate( ssl );
3034  break;
3035 
3037  ret = ssl_write_server_key_exchange( ssl );
3038  break;
3039 
3041  ret = ssl_write_certificate_request( ssl );
3042  break;
3043 
3044  case SSL_SERVER_HELLO_DONE:
3045  ret = ssl_write_server_hello_done( ssl );
3046  break;
3047 
3048  /*
3049  * <== ( Certificate/Alert )
3050  * ClientKeyExchange
3051  * ( CertificateVerify )
3052  * ChangeCipherSpec
3053  * Finished
3054  */
3056  ret = ssl_parse_certificate( ssl );
3057  break;
3058 
3060  ret = ssl_parse_client_key_exchange( ssl );
3061  break;
3062 
3064  ret = ssl_parse_certificate_verify( ssl );
3065  break;
3066 
3068  ret = ssl_parse_change_cipher_spec( ssl );
3069  break;
3070 
3071  case SSL_CLIENT_FINISHED:
3072  ret = ssl_parse_finished( ssl );
3073  break;
3074 
3075  /*
3076  * ==> ( NewSessionTicket )
3077  * ChangeCipherSpec
3078  * Finished
3079  */
3081 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3082  if( ssl->handshake->new_session_ticket != 0 )
3083  ret = ssl_write_new_session_ticket( ssl );
3084  else
3085 #endif
3086  ret = ssl_write_change_cipher_spec( ssl );
3087  break;
3088 
3089  case SSL_SERVER_FINISHED:
3090  ret = ssl_write_finished( ssl );
3091  break;
3092 
3093  case SSL_FLUSH_BUFFERS:
3094  SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3095  ssl->state = SSL_HANDSHAKE_WRAPUP;
3096  break;
3097 
3098  case SSL_HANDSHAKE_WRAPUP:
3099  ssl_handshake_wrapup( ssl );
3100  break;
3101 
3102  default:
3103  SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3105  }
3106 
3107  return( ret );
3108 }
3109 #endif
const ecp_curve_info ** curves
Definition: ssl.h:511
#define SSL_HS_CLIENT_KEY_EXCHANGE
Definition: ssl.h:326
#define SSL_CERT_TYPE_ECDSA_SIGN
Definition: ssl.h:276
int ssl_ciphersuite_uses_ec(const ssl_ciphersuite_t *info)
int ecdh_make_params(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Setup and write the ServerKeyExhange parameters.
#define SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:287
size_t length
Definition: ssl.h:428
int ciphersuite
Definition: ssl.h:426
mpi P
Definition: dhm.h:146
static size_t pk_get_len(const pk_context *ctx)
Get the length in bytes of the underlying key.
Definition: pk.h:264
size_t in_hslen
Definition: ssl.h:673
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:611
#define TLS_EXT_SERVERNAME_HOSTNAME
Definition: ssl.h:333
Memory allocation layer.
int major_ver
Definition: ssl.h:600
#define SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:41
ecp_group_id grp_id
Definition: ecp.h:88
SHA-1 context structure.
Definition: sha1.h:54
void *(* polarssl_malloc)(size_t len)
int compression
Definition: ssl.h:427
#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH
Public key type mismatch (eg, asked for RSA key exchange and presented EC key)
Definition: ssl.h:133
#define POLARSSL_ECP_PF_COMPRESSED
Compressed point format.
Definition: ecp.h:217
pk_type_t ssl_pk_alg_from_sig(unsigned char sig)
int state
Definition: ssl.h:597
#define POLARSSL_MPI_MAX_SIZE
Maximum number of bytes for usable MPIs.
Definition: bignum.h:87
int ecdh_calc_secret(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret.
char peer_verify_data[36]
Definition: ssl.h:762
#define SSL_HS_CLIENT_HELLO
Definition: ssl.h:318
x509_buf raw
The raw certificate data (DER).
Definition: x509_crt.h:55
Debug functions.
int(* f_sni)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:627
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
void(* calc_verify)(ssl_context *, unsigned char *)
Definition: ssl.h:544
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
int md_starts(md_context_t *ctx)
Set-up the given context for a new message digest.
#define SSL_HS_SERVER_KEY_EXCHANGE
Definition: ssl.h:322
void * p_psk
Definition: ssl.h:638
#define TLS_EXT_TRUNCATED_HMAC
Definition: ssl.h:337
Elliptic curves over GF(p)
int ecdh_read_public(ecdh_context *ctx, const unsigned char *buf, size_t blen)
Parse and import the client&#39;s public value.
#define SSL_HS_NEW_SESSION_TICKET
Definition: ssl.h:320
#define SSL_HASH_SHA1
Definition: ssl.h:261
ssl_session * session_negotiate
Definition: ssl.h:647
int ssl_parse_certificate(ssl_context *ssl)
mpi P
Definition: ecp.h:135
ssl_key_cert * key_cert
Definition: ssl.h:700
ssl_key_cert * sni_key_cert
Definition: ssl.h:522
size_t out_msglen
Definition: ssl.h:686
mpi GX
Definition: dhm.h:149
#define SSL_SESSION_TICKETS_DISABLED
Definition: ssl.h:221
#define SSL_SIG_RSA
Definition: ssl.h:268
int ticket_lifetime
Definition: ssl.h:729
const int * ciphersuite_list[4]
Definition: ssl.h:723
int ssl_parse_finished(ssl_context *ssl)
void * p_rng
Definition: ssl.h:618
void sha256_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = HMAC-SHA-256( hmac key, input buffer )
int md_init_ctx(md_context_t *ctx, const md_info_t *md_info)
Initialises and fills the message digest context structure with the appropriate values.
int pk_decrypt(pk_context *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, size_t osize, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Decrypt message.
mpi dhm_P
Definition: ssl.h:733
#define AES_DECRYPT
Definition: aes.h:43
#define SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY
Definition: ssl.h:315
#define SSL_RENEGOTIATION
Definition: ssl.h:203
unsigned char premaster[POLARSSL_PREMASTER_SIZE]
Definition: ssl.h:553
void ssl_session_free(ssl_session *session)
Free referenced items in an SSL session including the peer certificate and clear memory.
int x509_crt_parse(x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one or more certificates and add them to the chained list.
#define POLARSSL_ECP_PF_UNCOMPRESSED
Uncompressed point format.
Definition: ecp.h:216
int ssl_write_finished(ssl_context *ssl)
void x509_crt_free(x509_crt *crt)
Unallocate all certificate data.
Configuration options (set of defines)
#define SSL_DEBUG_MSG(level, args)
Definition: debug.h:38
size_t psk_identity_len
Definition: ssl.h:744
unsigned char * out_ctr
Definition: ssl.h:680
mpi X
Definition: dhm.h:148
#define SSL_TRUNC_HMAC_ENABLED
Definition: ssl.h:218
void ssl_handshake_wrapup(ssl_context *ssl)
char own_verify_data[36]
Definition: ssl.h:761
int ecdh_get_params(ecdh_context *ctx, const ecp_keypair *key, ecdh_side side)
Setup an ECDH context from an EC key.
#define SSL_SIG_ECDSA
Definition: ssl.h:269
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
size_t in_msglen
Definition: ssl.h:670
unsigned char * in_hdr
Definition: ssl.h:664
int secure_renegotiation
Definition: ssl.h:758
time_t start
Definition: ssl.h:424
#define pk_ec(pk)
Quick access to an EC context inside a PK context.
Definition: pk.h:79
#define SSL_HASH_MD5
Definition: ssl.h:260
int ssl_handshake_server_step(ssl_context *ssl)
#define SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:213
mpi d
Definition: ecdh.h:51
unsigned char mac_key[16]
Definition: ssl.h:575
#define SSL_MAJOR_VERSION_3
Definition: ssl.h:140
size_t psk_len
Definition: ssl.h:742
unsigned char id[32]
Definition: ssl.h:429
#define POLARSSL_ERR_SSL_INVALID_MAC
Verification of the message MAC failed.
Definition: ssl.h:99
pk_type_t ssl_get_ciphersuite_sig_pk_alg(const ssl_ciphersuite_t *info)
const ssl_ciphersuite_t * ciphersuite_info
Definition: ssl.h:461
unsigned char * psk
Definition: ssl.h:741
size_t len
Definition: dhm.h:145
struct _x509_crt * next
Next certificate in the CA-chain.
Definition: x509_crt.h:93
#define POLARSSL_ECP_DP_MAX
Number of supported curves (plus one for NONE).
Definition: ecp.h:81
ecp_point Qp
Definition: ecdh.h:53
md_type_t
Definition: md.h:51
#define TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT
Definition: ssl.h:353
int max_minor_ver
Definition: ssl.h:604
const md_info_t * md_info_from_type(md_type_t md_type)
Returns the message digest information associated with the given digest type.
#define TLS_EXT_SIG_ALG
Definition: ssl.h:342
#define SSL_HS_CERTIFICATE_REQUEST
Definition: ssl.h:323
#define SSL_CERT_TYPE_RSA_SIGN
Definition: ssl.h:275
ssl_handshake_params * handshake
Definition: ssl.h:649
#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE
Our own certificate(s) is/are too large to send in an SSL message.
Definition: ssl.h:106
#define SSL_MSG_HANDSHAKE
Definition: ssl.h:283
void(* update_checksum)(ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:543
int ssl_write_certificate(ssl_context *ssl)
#define SSL_ALERT_MSG_PROTOCOL_VERSION
Definition: ssl.h:308
#define POLARSSL_ERR_SSL_NO_RNG
No RNG was provided to the SSL module.
Definition: ssl.h:104
ecp_group_id id
Definition: ecp.h:134
#define SSL_TRUNC_HMAC_DISABLED
Definition: ssl.h:217
int in_msgtype
Definition: ssl.h:669
Container for an X.509 certificate.
Definition: x509_crt.h:53
size_t verify_data_len
Definition: ssl.h:760
mpi dhm_G
Definition: ssl.h:734
#define SSL_ALERT_MSG_UNRECOGNIZED_NAME
Definition: ssl.h:314
mpi G
Definition: dhm.h:147
int point_format
Definition: ecdh.h:55
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS
Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret...
Definition: ssl.h:122
int min_minor_ver
Definition: ssl.h:606
int aes_crypt_cbc(aes_context *ctx, int mode, size_t length, unsigned char iv[16], const unsigned char *input, unsigned char *output)
AES-CBC buffer encryption/decryption Length should be a multiple of the block size (16 bytes) ...
unsigned char * out_msg
Definition: ssl.h:683
struct _ssl_session ssl_session
Definition: ssl.h:407
#define SSL_MINOR_VERSION_0
Definition: ssl.h:141
int pk_verify(pk_context *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len)
Verify signature.
#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION
Handshake protocol not within min/max boundaries.
Definition: ssl.h:130
ssl_key_cert * key_cert
Current key/cert or key/cert list.
Definition: ssl.h:520
ecdh_context ecdh_ctx
Definition: ssl.h:508
#define SSL_HS_SERVER_HELLO_DONE
Definition: ssl.h:324
void x509_crt_init(x509_crt *crt)
Initialize a certificate (chain)
void(* polarssl_free)(void *ptr)
unsigned char * p
ASN1 data, e.g.
Definition: asn1.h:120
key_exchange_type_t key_exchange
int new_session_ticket
Definition: ssl.h:562
mpi GY
Definition: dhm.h:150
int trunc_hmac
Definition: ssl.h:448
Curve information for use by other modules.
Definition: ecp.h:86
int pk_can_do(pk_context *ctx, pk_type_t type)
Tell if a context can do the operation given by type.
void * p_get_cache
Definition: ssl.h:622
void md5_starts(md5_context *ctx)
MD5 context setup.
unsigned char ssl_sig_from_pk(pk_context *pk)
int authmode
Definition: ssl.h:718
int ssl_flush_output(ssl_context *ssl)
int ssl_ciphersuite_uses_psk(const ssl_ciphersuite_t *info)
#define POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED
Session ticket has expired.
Definition: ssl.h:132
#define TLS_EXT_SESSION_TICKET
Definition: ssl.h:344
#define SSL_HS_SERVER_HELLO
Definition: ssl.h:319
#define SSL_COMPRESS_DEFLATE
Definition: ssl.h:196
unsigned char * in_msg
Definition: ssl.h:666
aes_context dec
Definition: ssl.h:574
mpi z
Definition: ecdh.h:54
#define SSL_MINOR_VERSION_3
Definition: ssl.h:144
mpi K
Definition: dhm.h:151
MD5 context structure.
Definition: md5.h:54
#define TLS_EXT_RENEGOTIATION_INFO
Definition: ssl.h:346
pk_type_t
Public key types.
Definition: pk.h:90
aes_context enc
Definition: ssl.h:573
int ssl_parse_change_cipher_spec(ssl_context *ssl)
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
int minor_ver
Definition: ssl.h:601
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO
Processing of the ClientHello handshake message failed.
Definition: ssl.h:114
#define SSL_EMPTY_RENEGOTIATION_INFO
renegotiation info ext
Definition: ssl.h:253
This structure is used for storing ciphersuite information.
#define SSL_HASH_SHA256
Definition: ssl.h:263
int ecp_use_known_dp(ecp_group *grp, ecp_group_id index)
Set a group using well-known domain parameters.
#define SSL_VERIFY_NONE
Definition: ssl.h:198
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:44
#define AES_ENCRYPT
Definition: aes.h:42
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
Processing of the ClientKeyExchange handshake message failed.
Definition: ssl.h:120
#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED
The own private key or pre-shared key is not set, but needed.
Definition: ssl.h:108
#define SSL_INITIAL_HANDSHAKE
Definition: ssl.h:202
size_t in_left
Definition: ssl.h:671
pk_context * key
Definition: ssl.h:586
int session_tickets
Definition: ssl.h:728
int allow_legacy_renegotiation
Definition: ssl.h:722
#define SSL_COMPRESS_NULL
Definition: ssl.h:195
const ssl_ciphersuite_t * ssl_ciphersuite_from_id(int ciphersuite_id)
int ssl_read_record(ssl_context *ssl)
size_t len
ASN1 length, e.g.
Definition: asn1.h:119
ecp_group_id
Domain parameters (curve, subgroup and generator) identifiers.
Definition: ecp.h:56
int out_msgtype
Definition: ssl.h:685
#define SSL_MAX_FRAG_LEN_INVALID
Definition: ssl.h:191
#define TLS_EXT_MAX_FRAGMENT_LENGTH
Definition: ssl.h:335
size_t nbits
Definition: ecp.h:141
#define SSL_MAX_FRAG_LEN_NONE
Definition: ssl.h:186
#define SSL_HS_CERTIFICATE_VERIFY
Definition: ssl.h:325
#define TLS_EXT_SERVERNAME
Definition: ssl.h:332
int pk_sign(pk_context *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, unsigned char *sig, size_t *sig_len, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Make signature.
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP
Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public.
Definition: ssl.h:121
#define SSL_DEBUG_MPI(level, text, X)
Definition: debug.h:48
size_t mpi_size(const mpi *X)
Return the total size in bytes.
int mpi_copy(mpi *X, const mpi *Y)
Copy the contents of Y into X.
#define SSL_LEGACY_BREAK_HANDSHAKE
Definition: ssl.h:215
int min_major_ver
Definition: ssl.h:605
pk_context pk
Container for the public key context.
Definition: x509_crt.h:71
ssl_transform * transform_negotiate
Definition: ssl.h:658
#define SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:207
#define SSL_HASH_SHA224
Definition: ssl.h:262
#define SSL_SECURE_RENEGOTIATION
Definition: ssl.h:208
SSL/TLS functions.
#define POLARSSL_ERR_SSL_UNKNOWN_IDENTITY
Unkown identity received (eg, PSK identity)
Definition: ssl.h:134
#define POLARSSL_ERR_SSL_MALLOC_FAILED
Memory allocation failed.
Definition: ssl.h:126
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
#define TLS_EXT_SUPPORTED_POINT_FORMATS
Definition: ssl.h:340
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
int ssl_write_change_cipher_spec(ssl_context *ssl)
int(* f_get_cache)(void *, ssl_session *)
Definition: ssl.h:615
#define SSL_DEBUG_ECP(level, text, X)
Definition: debug.h:53
int ssl_derive_keys(ssl_context *ssl)
static pk_context * ssl_own_key(ssl_context *ssl)
Definition: ssl.h:1565
int md_finish(md_context_t *ctx, unsigned char *output)
Generic message digest final digest.
unsigned char mfl_code
Definition: ssl.h:444
const ecp_curve_info * ecp_curve_info_from_tls_id(uint16_t tls_id)
Get curve information from a TLS NamedCurve value.
int ssl_psk_derive_premaster(ssl_context *ssl, key_exchange_type_t key_ex)
int renegotiation
Definition: ssl.h:598
dhm_context dhm_ctx
Definition: ssl.h:505
static int safer_memcmp(const void *a, const void *b, size_t n)
Definition: ssl.h:1579
int md_free_ctx(md_context_t *ctx)
Free the message-specific context of ctx.
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
ssl_ticket_keys * ticket_keys
Definition: ssl.h:711
#define SSL_MAX_CONTENT_LEN
Size of the input / output buffer.
Definition: ssl.h:236
unsigned char * psk_identity
Definition: ssl.h:743
const char * ssl_get_ciphersuite_name(const int ciphersuite_id)
Return the name of the ciphersuite associated with the given ID.
unsigned char key_name[16]
Definition: ssl.h:572
#define TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
Definition: ssl.h:339
ssl_key_cert * next
Definition: ssl.h:588
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition: ssl.h:97
x509_buf subject_raw
The raw subject data (DER).
Definition: x509_crt.h:63
x509_crt * ca_chain
Definition: ssl.h:702
int md_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic message digest process buffer.
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition: ssl.h:98
#define SSL_HASH_SHA512
Definition: ssl.h:265
#define SSL_HASH_SHA384
Definition: ssl.h:264
int ssl_fetch_input(ssl_context *ssl, size_t nb_want)
int dhm_make_params(dhm_context *ctx, int x_size, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Setup and write the ServerKeyExchange parameters.
int(* f_psk)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:637
int ssl_write_record(ssl_context *ssl)
Public key container.
Definition: pk.h:177
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
Processing of the CertificateVerify handshake message failed.
Definition: ssl.h:123
int dhm_read_public(dhm_context *ctx, const unsigned char *input, size_t ilen)
Import the peer&#39;s public value G^Y.
unsigned char randbytes[64]
Definition: ssl.h:552
ecp_group grp
Definition: ecdh.h:50
Generic message digest context.
Definition: md.h:130
#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN
The server has no ciphersuites in common with the client.
Definition: ssl.h:103
void ssl_optimize_checksum(ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info)
ecp_point Q
Definition: ecdh.h:52
x509_crt * peer_cert
Definition: ssl.h:433
md_type_t ssl_md_alg_from_hash(unsigned char hash)
void * p_sni
Definition: ssl.h:628
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret (G^Y)^X mod P.