PolarSSL v1.3.7
ssl_cli.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 client-side functions
3  *
4  * Copyright (C) 2006-2014, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 #if !defined(POLARSSL_CONFIG_FILE)
27 #include "polarssl/config.h"
28 #else
29 #include POLARSSL_CONFIG_FILE
30 #endif
31 
32 #if defined(POLARSSL_SSL_CLI_C)
33 
34 #include "polarssl/debug.h"
35 #include "polarssl/ssl.h"
36 
37 #if defined(POLARSSL_PLATFORM_C)
38 #include "polarssl/platform.h"
39 #else
40 #define polarssl_malloc malloc
41 #define polarssl_free free
42 #endif
43 
44 #include <stdlib.h>
45 #include <stdio.h>
46 
47 #if defined(_MSC_VER) && !defined(EFIX64) && !defined(EFI32)
48 #include <basetsd.h>
49 typedef UINT32 uint32_t;
50 #else
51 #include <inttypes.h>
52 #endif
53 
54 #if defined(POLARSSL_HAVE_TIME)
55 #include <time.h>
56 #endif
57 
58 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
59 static void ssl_write_hostname_ext( ssl_context *ssl,
60  unsigned char *buf,
61  size_t *olen )
62 {
63  unsigned char *p = buf;
64 
65  *olen = 0;
66 
67  if ( ssl->hostname == NULL )
68  return;
69 
70  SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
71  ssl->hostname ) );
72 
73  /*
74  * struct {
75  * NameType name_type;
76  * select (name_type) {
77  * case host_name: HostName;
78  * } name;
79  * } ServerName;
80  *
81  * enum {
82  * host_name(0), (255)
83  * } NameType;
84  *
85  * opaque HostName<1..2^16-1>;
86  *
87  * struct {
88  * ServerName server_name_list<1..2^16-1>
89  * } ServerNameList;
90  */
91  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
92  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME ) & 0xFF );
93 
94  *p++ = (unsigned char)( ( (ssl->hostname_len + 5) >> 8 ) & 0xFF );
95  *p++ = (unsigned char)( ( (ssl->hostname_len + 5) ) & 0xFF );
96 
97  *p++ = (unsigned char)( ( (ssl->hostname_len + 3) >> 8 ) & 0xFF );
98  *p++ = (unsigned char)( ( (ssl->hostname_len + 3) ) & 0xFF );
99 
100  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
101  *p++ = (unsigned char)( ( ssl->hostname_len >> 8 ) & 0xFF );
102  *p++ = (unsigned char)( ( ssl->hostname_len ) & 0xFF );
103 
104  memcpy( p, ssl->hostname, ssl->hostname_len );
105 
106  *olen = ssl->hostname_len + 9;
107 }
108 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
109 
110 static void ssl_write_renegotiation_ext( ssl_context *ssl,
111  unsigned char *buf,
112  size_t *olen )
113 {
114  unsigned char *p = buf;
115 
116  *olen = 0;
117 
118  if( ssl->renegotiation != SSL_RENEGOTIATION )
119  return;
120 
121  SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
122 
123  /*
124  * Secure renegotiation
125  */
126  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
127  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
128 
129  *p++ = 0x00;
130  *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
131  *p++ = ssl->verify_data_len & 0xFF;
132 
133  memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
134 
135  *olen = 5 + ssl->verify_data_len;
136 }
137 
138 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
139 static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
140  unsigned char *buf,
141  size_t *olen )
142 {
143  unsigned char *p = buf;
144  unsigned char *sig_alg_list = buf + 6;
145  size_t sig_alg_len = 0;
146 
147  *olen = 0;
148 
149  if( ssl->max_minor_ver != SSL_MINOR_VERSION_3 )
150  return;
151 
152  SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
153 
154  /*
155  * Prepare signature_algorithms extension (TLS 1.2)
156  */
157 #if defined(POLARSSL_RSA_C)
158 #if defined(POLARSSL_SHA512_C)
159  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
160  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
161  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
162  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
163 #endif
164 #if defined(POLARSSL_SHA256_C)
165  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
166  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
167  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
168  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
169 #endif
170 #if defined(POLARSSL_SHA1_C)
171  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
172  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
173 #endif
174 #if defined(POLARSSL_MD5_C)
175  sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
176  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
177 #endif
178 #endif /* POLARSSL_RSA_C */
179 #if defined(POLARSSL_ECDSA_C)
180 #if defined(POLARSSL_SHA512_C)
181  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
182  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
183  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
184  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
185 #endif
186 #if defined(POLARSSL_SHA256_C)
187  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
188  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
189  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
190  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
191 #endif
192 #if defined(POLARSSL_SHA1_C)
193  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
194  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
195 #endif
196 #if defined(POLARSSL_MD5_C)
197  sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
198  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
199 #endif
200 #endif /* POLARSSL_ECDSA_C */
201 
202  /*
203  * enum {
204  * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
205  * sha512(6), (255)
206  * } HashAlgorithm;
207  *
208  * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
209  * SignatureAlgorithm;
210  *
211  * struct {
212  * HashAlgorithm hash;
213  * SignatureAlgorithm signature;
214  * } SignatureAndHashAlgorithm;
215  *
216  * SignatureAndHashAlgorithm
217  * supported_signature_algorithms<2..2^16-2>;
218  */
219  *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
220  *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG ) & 0xFF );
221 
222  *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
223  *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
224 
225  *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
226  *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
227 
228  *olen = 6 + sig_alg_len;
229 }
230 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
231 
232 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
233 static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
234  unsigned char *buf,
235  size_t *olen )
236 {
237  unsigned char *p = buf;
238  unsigned char *elliptic_curve_list = p + 6;
239  size_t elliptic_curve_len = 0;
240  const ecp_curve_info *info;
241 #if defined(POLARSSL_SSL_SET_CURVES)
242  const ecp_group_id *grp_id;
243 #else
244  ((void) ssl);
245 #endif
246 
247  *olen = 0;
248 
249  SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
250 
251 #if defined(POLARSSL_SSL_SET_CURVES)
252  for( grp_id = ssl->curve_list; *grp_id != POLARSSL_ECP_DP_NONE; grp_id++ )
253  {
254  info = ecp_curve_info_from_grp_id( *grp_id );
255 #else
256  for( info = ecp_curve_list(); info->grp_id != POLARSSL_ECP_DP_NONE; info++ )
257  {
258 #endif
259 
260  elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
261  elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
262  }
263 
264  if( elliptic_curve_len == 0 )
265  return;
266 
267  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
268  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
269 
270  *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
271  *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
272 
273  *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
274  *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
275 
276  *olen = 6 + elliptic_curve_len;
277 }
278 
279 static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
280  unsigned char *buf,
281  size_t *olen )
282 {
283  unsigned char *p = buf;
284  ((void) ssl);
285 
286  *olen = 0;
287 
288  SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
289 
290  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
291  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
292 
293  *p++ = 0x00;
294  *p++ = 2;
295 
296  *p++ = 1;
298 
299  *olen = 6;
300 }
301 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
302 
303 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
304 static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
305  unsigned char *buf,
306  size_t *olen )
307 {
308  unsigned char *p = buf;
309 
310  if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ) {
311  *olen = 0;
312  return;
313  }
314 
315  SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
316 
317  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
318  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
319 
320  *p++ = 0x00;
321  *p++ = 1;
322 
323  *p++ = ssl->mfl_code;
324 
325  *olen = 5;
326 }
327 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
328 
329 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
330 static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
331  unsigned char *buf, size_t *olen )
332 {
333  unsigned char *p = buf;
334 
335  if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
336  {
337  *olen = 0;
338  return;
339  }
340 
341  SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
342 
343  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
344  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
345 
346  *p++ = 0x00;
347  *p++ = 0x00;
348 
349  *olen = 4;
350 }
351 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
352 
353 #if defined(POLARSSL_SSL_SESSION_TICKETS)
354 static void ssl_write_session_ticket_ext( ssl_context *ssl,
355  unsigned char *buf, size_t *olen )
356 {
357  unsigned char *p = buf;
358  size_t tlen = ssl->session_negotiate->ticket_len;
359 
361  {
362  *olen = 0;
363  return;
364  }
365 
366  SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
367 
368  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
369  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
370 
371  *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
372  *p++ = (unsigned char)( ( tlen ) & 0xFF );
373 
374  *olen = 4;
375 
376  if( ssl->session_negotiate->ticket == NULL ||
377  ssl->session_negotiate->ticket_len == 0 )
378  {
379  return;
380  }
381 
382  SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
383 
384  memcpy( p, ssl->session_negotiate->ticket, tlen );
385 
386  *olen += tlen;
387 }
388 #endif /* POLARSSL_SSL_SESSION_TICKETS */
389 
390 #if defined(POLARSSL_SSL_ALPN)
391 static void ssl_write_alpn_ext( ssl_context *ssl,
392  unsigned char *buf, size_t *olen )
393 {
394  unsigned char *p = buf;
395  const char **cur;
396 
397  if( ssl->alpn_list == NULL )
398  {
399  *olen = 0;
400  return;
401  }
402 
403  SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
404 
405  *p++ = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF );
406  *p++ = (unsigned char)( ( TLS_EXT_ALPN ) & 0xFF );
407 
408  /*
409  * opaque ProtocolName<1..2^8-1>;
410  *
411  * struct {
412  * ProtocolName protocol_name_list<2..2^16-1>
413  * } ProtocolNameList;
414  */
415 
416  /* Skip writing extension and list length for now */
417  p += 4;
418 
419  for( cur = ssl->alpn_list; *cur != NULL; cur++ )
420  {
421  *p = (unsigned char)( strlen( *cur ) & 0xFF );
422  memcpy( p + 1, *cur, *p );
423  p += 1 + *p;
424  }
425 
426  *olen = p - buf;
427 
428  /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
429  buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
430  buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
431 
432  /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
433  buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
434  buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
435 }
436 #endif /* POLARSSL_SSL_ALPN */
437 
438 static int ssl_write_client_hello( ssl_context *ssl )
439 {
440  int ret;
441  size_t i, n, olen, ext_len = 0;
442  unsigned char *buf;
443  unsigned char *p, *q;
444 #if defined(POLARSSL_HAVE_TIME)
445  time_t t;
446 #endif
447  const int *ciphersuites;
448  const ssl_ciphersuite_t *ciphersuite_info;
449 
450  SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
451 
452  if( ssl->f_rng == NULL )
453  {
454  SSL_DEBUG_MSG( 1, ( "no RNG provided") );
455  return( POLARSSL_ERR_SSL_NO_RNG );
456  }
457 
459  {
460  ssl->major_ver = ssl->min_major_ver;
461  ssl->minor_ver = ssl->min_minor_ver;
462  }
463 
464  if( ssl->max_major_ver == 0 && ssl->max_minor_ver == 0 )
465  {
468  }
469 
470  /*
471  * 0 . 0 handshake type
472  * 1 . 3 handshake length
473  * 4 . 5 highest version supported
474  * 6 . 9 current UNIX time
475  * 10 . 37 random bytes
476  */
477  buf = ssl->out_msg;
478  p = buf + 4;
479 
480  *p++ = (unsigned char) ssl->max_major_ver;
481  *p++ = (unsigned char) ssl->max_minor_ver;
482 
483  SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
484  buf[4], buf[5] ) );
485 
486 #if defined(POLARSSL_HAVE_TIME)
487  t = time( NULL );
488  *p++ = (unsigned char)( t >> 24 );
489  *p++ = (unsigned char)( t >> 16 );
490  *p++ = (unsigned char)( t >> 8 );
491  *p++ = (unsigned char)( t );
492 
493  SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
494 #else
495  if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
496  return( ret );
497 
498  p += 4;
499 #endif /* POLARSSL_HAVE_TIME */
500 
501  if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
502  return( ret );
503 
504  p += 28;
505 
506  memcpy( ssl->handshake->randbytes, buf + 6, 32 );
507 
508  SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 6, 32 );
509 
510  /*
511  * 38 . 38 session id length
512  * 39 . 39+n session id
513  * 40+n . 41+n ciphersuitelist length
514  * 42+n . .. ciphersuitelist
515  * .. . .. compression methods length
516  * .. . .. compression methods
517  * .. . .. extensions length
518  * .. . .. extensions
519  */
520  n = ssl->session_negotiate->length;
521 
522  if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE || n < 16 || n > 32 ||
523  ssl->handshake->resume == 0 )
524  {
525  n = 0;
526  }
527 
528 #if defined(POLARSSL_SSL_SESSION_TICKETS)
529  /*
530  * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
531  * generate and include a Session ID in the TLS ClientHello."
532  */
533  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
534  ssl->session_negotiate->ticket != NULL &&
535  ssl->session_negotiate->ticket_len != 0 )
536  {
537  ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );
538 
539  if( ret != 0 )
540  return( ret );
541 
542  ssl->session_negotiate->length = n = 32;
543  }
544 #endif /* POLARSSL_SSL_SESSION_TICKETS */
545 
546  *p++ = (unsigned char) n;
547 
548  for( i = 0; i < n; i++ )
549  *p++ = ssl->session_negotiate->id[i];
550 
551  SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
552  SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
553 
554  ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
555  n = 0;
556  q = p;
557 
558  // Skip writing ciphersuite length for now
559  p += 2;
560 
561  /*
562  * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
563  */
565  {
566  *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
567  *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO );
568  n++;
569  }
570 
571  for( i = 0; ciphersuites[i] != 0; i++ )
572  {
573  ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
574 
575  if( ciphersuite_info == NULL )
576  continue;
577 
578  if( ciphersuite_info->min_minor_ver > ssl->max_minor_ver ||
579  ciphersuite_info->max_minor_ver < ssl->min_minor_ver )
580  continue;
581 
582  SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
583  ciphersuites[i] ) );
584 
585  n++;
586  *p++ = (unsigned char)( ciphersuites[i] >> 8 );
587  *p++ = (unsigned char)( ciphersuites[i] );
588  }
589 
590  *q++ = (unsigned char)( n >> 7 );
591  *q++ = (unsigned char)( n << 1 );
592 
593  SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
594 
595 
596 #if defined(POLARSSL_ZLIB_SUPPORT)
597  SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
598  SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
600 
601  *p++ = 2;
602  *p++ = SSL_COMPRESS_DEFLATE;
603  *p++ = SSL_COMPRESS_NULL;
604 #else
605  SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
606  SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", SSL_COMPRESS_NULL ) );
607 
608  *p++ = 1;
609  *p++ = SSL_COMPRESS_NULL;
610 #endif /* POLARSSL_ZLIB_SUPPORT */
611 
612  // First write extensions, then the total length
613  //
614 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
615  ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
616  ext_len += olen;
617 #endif
618 
619  ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
620  ext_len += olen;
621 
622 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
623  ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
624  ext_len += olen;
625 #endif
626 
627 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
628  ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
629  ext_len += olen;
630 
631  ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
632  ext_len += olen;
633 #endif
634 
635 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
636  ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
637  ext_len += olen;
638 #endif
639 
640 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
641  ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
642  ext_len += olen;
643 #endif
644 
645 #if defined(POLARSSL_SSL_SESSION_TICKETS)
646  ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
647  ext_len += olen;
648 #endif
649 
650 #if defined(POLARSSL_SSL_ALPN)
651  ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
652  ext_len += olen;
653 #endif
654 
655  SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
656  ext_len ) );
657 
658  if( ext_len > 0 )
659  {
660  *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
661  *p++ = (unsigned char)( ( ext_len ) & 0xFF );
662  p += ext_len;
663  }
664 
665  ssl->out_msglen = p - buf;
667  ssl->out_msg[0] = SSL_HS_CLIENT_HELLO;
668 
669  ssl->state++;
670 
671  if( ( ret = ssl_write_record( ssl ) ) != 0 )
672  {
673  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
674  return( ret );
675  }
676 
677  SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
678 
679  return( 0 );
680 }
681 
682 static int ssl_parse_renegotiation_info( ssl_context *ssl,
683  const unsigned char *buf,
684  size_t len )
685 {
686  int ret;
687 
689  {
690  if( len != 1 || buf[0] != 0x0 )
691  {
692  SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
693 
694  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
695  return( ret );
696 
698  }
699 
701  }
702  else
703  {
704  /* Check verify-data in constant-time. The length OTOH is no secret */
705  if( len != 1 + ssl->verify_data_len * 2 ||
706  buf[0] != ssl->verify_data_len * 2 ||
707  safer_memcmp( buf + 1,
708  ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
709  safer_memcmp( buf + 1 + ssl->verify_data_len,
710  ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
711  {
712  SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
713 
714  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
715  return( ret );
716 
718  }
719  }
720 
721  return( 0 );
722 }
723 
724 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
725 static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
726  const unsigned char *buf,
727  size_t len )
728 {
729  /*
730  * server should use the extension only if we did,
731  * and if so the server's value should match ours (and len is always 1)
732  */
733  if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ||
734  len != 1 ||
735  buf[0] != ssl->mfl_code )
736  {
738  }
739 
740  return( 0 );
741 }
742 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
743 
744 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
745 static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
746  const unsigned char *buf,
747  size_t len )
748 {
749  if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED ||
750  len != 0 )
751  {
753  }
754 
755  ((void) buf);
756 
758 
759  return( 0 );
760 }
761 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
762 
763 #if defined(POLARSSL_SSL_SESSION_TICKETS)
764 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
765  const unsigned char *buf,
766  size_t len )
767 {
769  len != 0 )
770  {
772  }
773 
774  ((void) buf);
775 
776  ssl->handshake->new_session_ticket = 1;
777 
778  return( 0 );
779 }
780 #endif /* POLARSSL_SSL_SESSION_TICKETS */
781 
782 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
783 static int ssl_parse_supported_point_formats_ext( ssl_context *ssl,
784  const unsigned char *buf,
785  size_t len )
786 {
787  size_t list_size;
788  const unsigned char *p;
789 
790  list_size = buf[0];
791  if( list_size + 1 != len )
792  {
793  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
795  }
796 
797  p = buf + 2;
798  while( list_size > 0 )
799  {
800  if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
802  {
803  ssl->handshake->ecdh_ctx.point_format = p[0];
804  SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
805  return( 0 );
806  }
807 
808  list_size--;
809  p++;
810  }
811 
812  return( 0 );
813 }
814 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
815 
816 #if defined(POLARSSL_SSL_ALPN)
817 static int ssl_parse_alpn_ext( ssl_context *ssl,
818  const unsigned char *buf, size_t len )
819 {
820  size_t list_len, name_len;
821  const char **p;
822 
823  /* If we didn't send it, the server shouldn't send it */
824  if( ssl->alpn_list == NULL )
826 
827  /*
828  * opaque ProtocolName<1..2^8-1>;
829  *
830  * struct {
831  * ProtocolName protocol_name_list<2..2^16-1>
832  * } ProtocolNameList;
833  *
834  * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
835  */
836 
837  /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
838  if( len < 4 )
840 
841  list_len = ( buf[0] << 8 ) | buf[1];
842  if( list_len != len - 2 )
844 
845  name_len = buf[2];
846  if( name_len != list_len - 1 )
848 
849  /* Check that the server chosen protocol was in our list and save it */
850  for( p = ssl->alpn_list; *p != NULL; p++ )
851  {
852  if( name_len == strlen( *p ) &&
853  memcmp( buf + 3, *p, name_len ) == 0 )
854  {
855  ssl->alpn_chosen = *p;
856  return( 0 );
857  }
858  }
859 
861 }
862 #endif /* POLARSSL_SSL_ALPN */
863 
864 static int ssl_parse_server_hello( ssl_context *ssl )
865 {
866  int ret, i, comp;
867  size_t n;
868  size_t ext_len = 0;
869  unsigned char *buf, *ext;
870  int renegotiation_info_seen = 0;
871  int handshake_failure = 0;
872 #if defined(POLARSSL_DEBUG_C)
873  uint32_t t;
874 #endif
875 
876  SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
877 
878  /*
879  * 0 . 0 handshake type
880  * 1 . 3 handshake length
881  * 4 . 5 protocol version
882  * 6 . 9 UNIX time()
883  * 10 . 37 random bytes
884  */
885  buf = ssl->in_msg;
886 
887  if( ( ret = ssl_read_record( ssl ) ) != 0 )
888  {
889  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
890  return( ret );
891  }
892 
893  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
894  {
895  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
897  }
898 
899  SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
900  buf[4], buf[5] ) );
901 
902  if( ssl->in_hslen < 42 ||
903  buf[0] != SSL_HS_SERVER_HELLO ||
904  buf[4] != SSL_MAJOR_VERSION_3 )
905  {
906  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
908  }
909 
910  if( buf[5] > ssl->max_minor_ver )
911  {
912  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
914  }
915 
916  ssl->minor_ver = buf[5];
917 
918  if( ssl->minor_ver < ssl->min_minor_ver )
919  {
920  SSL_DEBUG_MSG( 1, ( "server only supports ssl smaller than minimum"
921  " [%d:%d] < [%d:%d]", ssl->major_ver,
922  ssl->minor_ver, buf[4], buf[5] ) );
923 
926 
928  }
929 
930 #if defined(POLARSSL_DEBUG_C)
931  t = ( (uint32_t) buf[6] << 24 )
932  | ( (uint32_t) buf[7] << 16 )
933  | ( (uint32_t) buf[8] << 8 )
934  | ( (uint32_t) buf[9] );
935  SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
936 #endif
937 
938  memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
939 
940  n = buf[38];
941 
942  SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
943 
944  if( n > 32 )
945  {
946  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
948  }
949 
950  /*
951  * 38 . 38 session id length
952  * 39 . 38+n session id
953  * 39+n . 40+n chosen ciphersuite
954  * 41+n . 41+n chosen compression alg.
955  * 42+n . 43+n extensions length
956  * 44+n . 44+n+m extensions
957  */
958  if( ssl->in_hslen > 42 + n )
959  {
960  ext_len = ( ( buf[42 + n] << 8 )
961  | ( buf[43 + n] ) );
962 
963  if( ( ext_len > 0 && ext_len < 4 ) ||
964  ssl->in_hslen != 44 + n + ext_len )
965  {
966  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
968  }
969  }
970 
971  i = ( buf[39 + n] << 8 ) | buf[40 + n];
972  comp = buf[41 + n];
973 
974  /*
975  * Initialize update checksum functions
976  */
978 
979  if( ssl->transform_negotiate->ciphersuite_info == NULL )
980  {
981  SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
983  }
984 
986 
987  SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
988  SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
989 
990  /*
991  * Check if the session can be resumed
992  */
993  if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
994  ssl->handshake->resume == 0 || n == 0 ||
995  ssl->session_negotiate->ciphersuite != i ||
996  ssl->session_negotiate->compression != comp ||
997  ssl->session_negotiate->length != n ||
998  memcmp( ssl->session_negotiate->id, buf + 39, n ) != 0 )
999  {
1000  ssl->state++;
1001  ssl->handshake->resume = 0;
1002 #if defined(POLARSSL_HAVE_TIME)
1003  ssl->session_negotiate->start = time( NULL );
1004 #endif
1005  ssl->session_negotiate->ciphersuite = i;
1006  ssl->session_negotiate->compression = comp;
1007  ssl->session_negotiate->length = n;
1008  memcpy( ssl->session_negotiate->id, buf + 39, n );
1009  }
1010  else
1011  {
1013 
1014  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1015  {
1016  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1017  return( ret );
1018  }
1019  }
1020 
1021  SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
1022  ssl->handshake->resume ? "a" : "no" ) );
1023 
1024  SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) );
1025  SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) );
1026 
1027  i = 0;
1028  while( 1 )
1029  {
1030  if( ssl->ciphersuite_list[ssl->minor_ver][i] == 0 )
1031  {
1032  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1034  }
1035 
1036  if( ssl->ciphersuite_list[ssl->minor_ver][i++] ==
1038  {
1039  break;
1040  }
1041  }
1042 
1043  if( comp != SSL_COMPRESS_NULL
1044 #if defined(POLARSSL_ZLIB_SUPPORT)
1045  && comp != SSL_COMPRESS_DEFLATE
1046 #endif
1047  )
1048  {
1049  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1051  }
1052  ssl->session_negotiate->compression = comp;
1053 
1054  ext = buf + 44 + n;
1055 
1056  SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
1057 
1058  while( ext_len )
1059  {
1060  unsigned int ext_id = ( ( ext[0] << 8 )
1061  | ( ext[1] ) );
1062  unsigned int ext_size = ( ( ext[2] << 8 )
1063  | ( ext[3] ) );
1064 
1065  if( ext_size + 4 > ext_len )
1066  {
1067  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1069  }
1070 
1071  switch( ext_id )
1072  {
1074  SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1075  renegotiation_info_seen = 1;
1076 
1077  if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
1078  ext_size ) ) != 0 )
1079  return( ret );
1080 
1081  break;
1082 
1083 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1085  SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
1086 
1087  if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
1088  ext + 4, ext_size ) ) != 0 )
1089  {
1090  return( ret );
1091  }
1092 
1093  break;
1094 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
1095 
1096 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1098  SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
1099 
1100  if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
1101  ext + 4, ext_size ) ) != 0 )
1102  {
1103  return( ret );
1104  }
1105 
1106  break;
1107 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
1108 
1109 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1111  SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
1112 
1113  if( ( ret = ssl_parse_session_ticket_ext( ssl,
1114  ext + 4, ext_size ) ) != 0 )
1115  {
1116  return( ret );
1117  }
1118 
1119  break;
1120 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1121 
1122 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1124  SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
1125 
1126  if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
1127  ext + 4, ext_size ) ) != 0 )
1128  {
1129  return( ret );
1130  }
1131 
1132  break;
1133 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1134 
1135 #if defined(POLARSSL_SSL_ALPN)
1136  case TLS_EXT_ALPN:
1137  SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1138 
1139  if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
1140  return( ret );
1141 
1142  break;
1143 #endif /* POLARSSL_SSL_ALPN */
1144 
1145  default:
1146  SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1147  ext_id ) );
1148  }
1149 
1150  ext_len -= 4 + ext_size;
1151  ext += 4 + ext_size;
1152 
1153  if( ext_len > 0 && ext_len < 4 )
1154  {
1155  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1157  }
1158  }
1159 
1160  /*
1161  * Renegotiation security checks
1162  */
1165  {
1166  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1167  handshake_failure = 1;
1168  }
1169  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1171  renegotiation_info_seen == 0 )
1172  {
1173  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1174  handshake_failure = 1;
1175  }
1176  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1179  {
1180  SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1181  handshake_failure = 1;
1182  }
1183  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1185  renegotiation_info_seen == 1 )
1186  {
1187  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1188  handshake_failure = 1;
1189  }
1190 
1191  if( handshake_failure == 1 )
1192  {
1193  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1194  return( ret );
1195 
1197  }
1198 
1199  SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
1200 
1201  return( 0 );
1202 }
1203 
1204 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1205  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1206 static int ssl_parse_server_dh_params( ssl_context *ssl, unsigned char **p,
1207  unsigned char *end )
1208 {
1210 
1211  /*
1212  * Ephemeral DH parameters:
1213  *
1214  * struct {
1215  * opaque dh_p<1..2^16-1>;
1216  * opaque dh_g<1..2^16-1>;
1217  * opaque dh_Ys<1..2^16-1>;
1218  * } ServerDHParams;
1219  */
1220  if( ( ret = dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
1221  {
1222  SSL_DEBUG_RET( 2, ( "dhm_read_params" ), ret );
1223  return( ret );
1224  }
1225 
1226  if( ssl->handshake->dhm_ctx.len < 64 ||
1227  ssl->handshake->dhm_ctx.len > 512 )
1228  {
1229  SSL_DEBUG_MSG( 1, ( "bad server key exchange message (DHM length)" ) );
1231  }
1232 
1233  SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1234  SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1235  SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
1236 
1237  return( ret );
1238 }
1239 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1240  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1241 
1242 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1243  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1244  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1245  defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1246  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1247 static int ssl_check_server_ecdh_params( const ssl_context *ssl )
1248 {
1249  const ecp_curve_info *curve_info;
1250 
1251  curve_info = ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id );
1252  if( curve_info == NULL )
1253  {
1254  SSL_DEBUG_MSG( 1, ( "Should never happen" ) );
1255  return( -1 );
1256  }
1257 
1258  SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
1259 
1260 #if defined(POLARSSL_SSL_ECP_SET_CURVES)
1261  if( ! ssl_curve_is_acceptable( ssl, ssl->handshake->ecdh_ctx.grp.id ) )
1262 #else
1263  if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
1264  ssl->handshake->ecdh_ctx.grp.nbits > 521 )
1265 #endif
1266  return( -1 );
1267 
1268  SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp );
1269 
1270  return( 0 );
1271 }
1272 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1273  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1274  POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1275  POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
1276  POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1277 
1278 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1279  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1280  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1281 static int ssl_parse_server_ecdh_params( ssl_context *ssl,
1282  unsigned char **p,
1283  unsigned char *end )
1284 {
1286 
1287  /*
1288  * Ephemeral ECDH parameters:
1289  *
1290  * struct {
1291  * ECParameters curve_params;
1292  * ECPoint public;
1293  * } ServerECDHParams;
1294  */
1295  if( ( ret = ecdh_read_params( &ssl->handshake->ecdh_ctx,
1296  (const unsigned char **) p, end ) ) != 0 )
1297  {
1298  SSL_DEBUG_RET( 1, ( "ecdh_read_params" ), ret );
1299  return( ret );
1300  }
1301 
1302  if( ssl_check_server_ecdh_params( ssl ) != 0 )
1303  {
1304  SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
1306  }
1307 
1308  return( ret );
1309 }
1310 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1311  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1312  POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
1313 
1314 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
1315 static int ssl_parse_server_psk_hint( ssl_context *ssl,
1316  unsigned char **p,
1317  unsigned char *end )
1318 {
1320  size_t len;
1321  ((void) ssl);
1322 
1323  /*
1324  * PSK parameters:
1325  *
1326  * opaque psk_identity_hint<0..2^16-1>;
1327  */
1328  len = (*p)[0] << 8 | (*p)[1];
1329  *p += 2;
1330 
1331  if( (*p) + len > end )
1332  {
1333  SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) );
1335  }
1336 
1337  // TODO: Retrieve PSK identity hint and callback to app
1338  //
1339  *p += len;
1340  ret = 0;
1341 
1342  return( ret );
1343 }
1344 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
1345 
1346 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
1347  defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
1348 /*
1349  * Generate a pre-master secret and encrypt it with the server's RSA key
1350  */
1351 static int ssl_write_encrypted_pms( ssl_context *ssl,
1352  size_t offset, size_t *olen,
1353  size_t pms_offset )
1354 {
1355  int ret;
1356  size_t len_bytes = ssl->minor_ver == SSL_MINOR_VERSION_0 ? 0 : 2;
1357  unsigned char *p = ssl->handshake->premaster + pms_offset;
1358 
1359  /*
1360  * Generate (part of) the pre-master as
1361  * struct {
1362  * ProtocolVersion client_version;
1363  * opaque random[46];
1364  * } PreMasterSecret;
1365  */
1366  p[0] = (unsigned char) ssl->max_major_ver;
1367  p[1] = (unsigned char) ssl->max_minor_ver;
1368 
1369  if( ( ret = ssl->f_rng( ssl->p_rng, p + 2, 46 ) ) != 0 )
1370  {
1371  SSL_DEBUG_RET( 1, "f_rng", ret );
1372  return( ret );
1373  }
1374 
1375  ssl->handshake->pmslen = 48;
1376 
1377  /*
1378  * Now write it out, encrypted
1379  */
1380  if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
1381  POLARSSL_PK_RSA ) )
1382  {
1383  SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
1385  }
1386 
1387  if( ( ret = pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
1388  p, ssl->handshake->pmslen,
1389  ssl->out_msg + offset + len_bytes, olen,
1390  SSL_MAX_CONTENT_LEN - offset - len_bytes,
1391  ssl->f_rng, ssl->p_rng ) ) != 0 )
1392  {
1393  SSL_DEBUG_RET( 1, "rsa_pkcs1_encrypt", ret );
1394  return( ret );
1395  }
1396 
1397 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1398  defined(POLARSSL_SSL_PROTO_TLS1_2)
1399  if( len_bytes == 2 )
1400  {
1401  ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
1402  ssl->out_msg[offset+1] = (unsigned char)( *olen );
1403  *olen += 2;
1404  }
1405 #endif
1406 
1407  return( 0 );
1408 }
1409 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED ||
1410  POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
1411 
1412 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1413 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1414  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1415  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1416 static int ssl_parse_signature_algorithm( ssl_context *ssl,
1417  unsigned char **p,
1418  unsigned char *end,
1419  md_type_t *md_alg,
1420  pk_type_t *pk_alg )
1421 {
1422  ((void) ssl);
1423  *md_alg = POLARSSL_MD_NONE;
1424  *pk_alg = POLARSSL_PK_NONE;
1425 
1426  /* Only in TLS 1.2 */
1427  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
1428  {
1429  return( 0 );
1430  }
1431 
1432  if( (*p) + 2 > end )
1434 
1435  /*
1436  * Get hash algorithm
1437  */
1438  if( ( *md_alg = ssl_md_alg_from_hash( (*p)[0] ) ) == POLARSSL_MD_NONE )
1439  {
1440  SSL_DEBUG_MSG( 2, ( "Server used unsupported "
1441  "HashAlgorithm %d", *(p)[0] ) );
1443  }
1444 
1445  /*
1446  * Get signature algorithm
1447  */
1448  if( ( *pk_alg = ssl_pk_alg_from_sig( (*p)[1] ) ) == POLARSSL_PK_NONE )
1449  {
1450  SSL_DEBUG_MSG( 2, ( "server used unsupported "
1451  "SignatureAlgorithm %d", (*p)[1] ) );
1453  }
1454 
1455  SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
1456  SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
1457  *p += 2;
1458 
1459  return( 0 );
1460 }
1461 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1462  POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1463  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1464 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1465 
1466 
1467 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1468  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1469 static int ssl_get_ecdh_params_from_cert( ssl_context *ssl )
1470 {
1471  int ret;
1472  const ecp_keypair *peer_key;
1473 
1474  if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
1475  POLARSSL_PK_ECKEY ) )
1476  {
1477  SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
1479  }
1480 
1481  peer_key = pk_ec( ssl->session_negotiate->peer_cert->pk );
1482 
1483  if( ( ret = ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
1484  POLARSSL_ECDH_THEIRS ) ) != 0 )
1485  {
1486  SSL_DEBUG_RET( 1, ( "ecdh_get_params" ), ret );
1487  return( ret );
1488  }
1489 
1490  if( ssl_check_server_ecdh_params( ssl ) != 0 )
1491  {
1492  SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
1494  }
1495 
1496  return( ret );
1497 }
1498 #endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
1499  POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1500 
1501 static int ssl_parse_server_key_exchange( ssl_context *ssl )
1502 {
1503  int ret;
1504  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1505  unsigned char *p, *end;
1506 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1507  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1508  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1509  size_t sig_len, params_len;
1510  unsigned char hash[64];
1511  md_type_t md_alg = POLARSSL_MD_NONE;
1512  size_t hashlen;
1513  pk_type_t pk_alg = POLARSSL_PK_NONE;
1514 #endif
1515 
1516  SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
1517 
1518 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
1519  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
1520  {
1521  SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
1522  ssl->state++;
1523  return( 0 );
1524  }
1525  ((void) p);
1526  ((void) end);
1527 #endif
1528 
1529 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1530  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1531  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
1532  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
1533  {
1534  if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
1535  {
1536  SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
1537  return( ret );
1538  }
1539 
1540  SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
1541  ssl->state++;
1542  return( 0 );
1543  }
1544  ((void) p);
1545  ((void) end);
1546 #endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
1547  POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1548 
1549  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1550  {
1551  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1552  return( ret );
1553  }
1554 
1555  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1556  {
1557  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1559  }
1560 
1561  /*
1562  * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
1563  * doesn't use a psk_identity_hint
1564  */
1565  if( ssl->in_msg[0] != SSL_HS_SERVER_KEY_EXCHANGE )
1566  {
1567  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1568  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
1569  {
1570  ssl->record_read = 1;
1571  goto exit;
1572  }
1573 
1574  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1576  }
1577 
1578  p = ssl->in_msg + 4;
1579  end = ssl->in_msg + ssl->in_hslen;
1580  SSL_DEBUG_BUF( 3, "server key exchange", p, ssl->in_hslen - 4 );
1581 
1582 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
1583  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1584  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1585  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1586  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1587  {
1588  if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
1589  {
1590  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1592  }
1593  } /* FALLTROUGH */
1594 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
1595 
1596 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
1597  defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
1598  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1599  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
1600  ; /* nothing more to do */
1601  else
1602 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED ||
1603  POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
1604 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1605  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1606  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1607  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1608  {
1609  if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
1610  {
1611  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1613  }
1614  }
1615  else
1616 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1617  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1618 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1619  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1620  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1621  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
1622  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
1623  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
1624  {
1625  if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
1626  {
1627  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1629  }
1630  }
1631  else
1632 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1633  POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1634  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1635  {
1636  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1638  }
1639 
1640 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1641  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1642  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1643  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1644  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
1645  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
1646  {
1647  params_len = p - ( ssl->in_msg + 4 );
1648 
1649  /*
1650  * Handle the digitally-signed structure
1651  */
1652 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1653  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1654  {
1655  if( ssl_parse_signature_algorithm( ssl, &p, end,
1656  &md_alg, &pk_alg ) != 0 )
1657  {
1658  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1660  }
1661 
1662  if( pk_alg != ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
1663  {
1664  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1666  }
1667  }
1668  else
1669 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1670 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
1671  defined(POLARSSL_SSL_PROTO_TLS1_1)
1672  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
1673  {
1674  pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
1675 
1676  /* Default hash for ECDSA is SHA-1 */
1677  if( pk_alg == POLARSSL_PK_ECDSA && md_alg == POLARSSL_MD_NONE )
1678  md_alg = POLARSSL_MD_SHA1;
1679  }
1680  else
1681 #endif
1682  {
1683  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1685  }
1686 
1687  /*
1688  * Read signature
1689  */
1690  sig_len = ( p[0] << 8 ) | p[1];
1691  p += 2;
1692 
1693  if( end != p + sig_len )
1694  {
1695  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1697  }
1698 
1699  SSL_DEBUG_BUF( 3, "signature", p, sig_len );
1700 
1701  /*
1702  * Compute the hash that has been signed
1703  */
1704 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
1705  defined(POLARSSL_SSL_PROTO_TLS1_1)
1706  if( md_alg == POLARSSL_MD_NONE )
1707  {
1708  md5_context md5;
1710 
1711  hashlen = 36;
1712 
1713  /*
1714  * digitally-signed struct {
1715  * opaque md5_hash[16];
1716  * opaque sha_hash[20];
1717  * };
1718  *
1719  * md5_hash
1720  * MD5(ClientHello.random + ServerHello.random
1721  * + ServerParams);
1722  * sha_hash
1723  * SHA(ClientHello.random + ServerHello.random
1724  * + ServerParams);
1725  */
1726  md5_starts( &md5 );
1727  md5_update( &md5, ssl->handshake->randbytes, 64 );
1728  md5_update( &md5, ssl->in_msg + 4, params_len );
1729  md5_finish( &md5, hash );
1730 
1731  sha1_starts( &sha1 );
1732  sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1733  sha1_update( &sha1, ssl->in_msg + 4, params_len );
1734  sha1_finish( &sha1, hash + 16 );
1735  }
1736  else
1737 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
1738  POLARSSL_SSL_PROTO_TLS1_1 */
1739 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1740  defined(POLARSSL_SSL_PROTO_TLS1_2)
1741  if( md_alg != POLARSSL_MD_NONE )
1742  {
1743  md_context_t ctx;
1744 
1745  /* Info from md_alg will be used instead */
1746  hashlen = 0;
1747 
1748  /*
1749  * digitally-signed struct {
1750  * opaque client_random[32];
1751  * opaque server_random[32];
1752  * ServerDHParams params;
1753  * };
1754  */
1755  if( ( ret = md_init_ctx( &ctx,
1756  md_info_from_type( md_alg ) ) ) != 0 )
1757  {
1758  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
1759  return( ret );
1760  }
1761 
1762  md_starts( &ctx );
1763  md_update( &ctx, ssl->handshake->randbytes, 64 );
1764  md_update( &ctx, ssl->in_msg + 4, params_len );
1765  md_finish( &ctx, hash );
1766  md_free_ctx( &ctx );
1767  }
1768  else
1769 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1770  POLARSSL_SSL_PROTO_TLS1_2 */
1771  {
1772  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1774  }
1775 
1776  SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
1777  (unsigned int) ( md_info_from_type( md_alg ) )->size );
1778 
1779  /*
1780  * Verify signature
1781  */
1782  if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
1783  {
1784  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1786  }
1787 
1788  if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
1789  md_alg, hash, hashlen, p, sig_len ) ) != 0 )
1790  {
1791  SSL_DEBUG_RET( 1, "pk_verify", ret );
1792  return( ret );
1793  }
1794  }
1795 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1796  POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1797  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1798 
1799 exit:
1800  ssl->state++;
1801 
1802  SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
1803 
1804  return( 0 );
1805 }
1806 
1807 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1808  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1809  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
1810  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1811 static int ssl_parse_certificate_request( ssl_context *ssl )
1812 {
1814  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1815 
1816  SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
1817 
1818  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1819  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1820  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1821  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1822  {
1823  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
1824  ssl->state++;
1825  return( 0 );
1826  }
1827 
1828  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
1829  return( ret );
1830 }
1831 #else
1832 static int ssl_parse_certificate_request( ssl_context *ssl )
1833 {
1834  int ret;
1835  unsigned char *buf, *p;
1836  size_t n = 0, m = 0;
1837  size_t cert_type_len = 0, dn_len = 0;
1838  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1839 
1840  SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
1841 
1842  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1843  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1844  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1845  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1846  {
1847  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
1848  ssl->state++;
1849  return( 0 );
1850  }
1851 
1852  /*
1853  * 0 . 0 handshake type
1854  * 1 . 3 handshake length
1855  * 4 . 4 cert type count
1856  * 5 .. m-1 cert types
1857  * m .. m+1 sig alg length (TLS 1.2 only)
1858  * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
1859  * n .. n+1 length of all DNs
1860  * n+2 .. n+3 length of DN 1
1861  * n+4 .. ... Distinguished Name #1
1862  * ... .. ... length of DN 2, etc.
1863  */
1864  if( ssl->record_read == 0 )
1865  {
1866  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1867  {
1868  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1869  return( ret );
1870  }
1871 
1872  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1873  {
1874  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1876  }
1877 
1878  ssl->record_read = 1;
1879  }
1880 
1881  ssl->client_auth = 0;
1882  ssl->state++;
1883 
1884  if( ssl->in_msg[0] == SSL_HS_CERTIFICATE_REQUEST )
1885  ssl->client_auth++;
1886 
1887  SSL_DEBUG_MSG( 3, ( "got %s certificate request",
1888  ssl->client_auth ? "a" : "no" ) );
1889 
1890  if( ssl->client_auth == 0 )
1891  goto exit;
1892 
1893  ssl->record_read = 0;
1894 
1895  // TODO: handshake_failure alert for an anonymous server to request
1896  // client authentication
1897 
1898  buf = ssl->in_msg;
1899 
1900  // Retrieve cert types
1901  //
1902  cert_type_len = buf[4];
1903  n = cert_type_len;
1904 
1905  if( ssl->in_hslen < 6 + n )
1906  {
1907  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1909  }
1910 
1911  p = buf + 5;
1912  while( cert_type_len > 0 )
1913  {
1914 #if defined(POLARSSL_RSA_C)
1915  if( *p == SSL_CERT_TYPE_RSA_SIGN &&
1917  {
1919  break;
1920  }
1921  else
1922 #endif
1923 #if defined(POLARSSL_ECDSA_C)
1924  if( *p == SSL_CERT_TYPE_ECDSA_SIGN &&
1926  {
1928  break;
1929  }
1930  else
1931 #endif
1932  {
1933  ; /* Unsupported cert type, ignore */
1934  }
1935 
1936  cert_type_len--;
1937  p++;
1938  }
1939 
1940 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1941  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1942  {
1943  /* Ignored, see comments about hash in write_certificate_verify */
1944  // TODO: should check the signature part against our pk_key though
1945  size_t sig_alg_len = ( ( buf[5 + n] << 8 )
1946  | ( buf[6 + n] ) );
1947 
1948  p = buf + 7 + n;
1949  m += 2;
1950  n += sig_alg_len;
1951 
1952  if( ssl->in_hslen < 6 + n )
1953  {
1954  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1956  }
1957  }
1958 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1959 
1960  /* Ignore certificate_authorities, we only have one cert anyway */
1961  // TODO: should not send cert if no CA matches
1962  dn_len = ( ( buf[5 + m + n] << 8 )
1963  | ( buf[6 + m + n] ) );
1964 
1965  n += dn_len;
1966  if( ssl->in_hslen != 7 + m + n )
1967  {
1968  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1970  }
1971 
1972 exit:
1973  SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
1974 
1975  return( 0 );
1976 }
1977 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
1978  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
1979  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
1980  !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1981 
1982 static int ssl_parse_server_hello_done( ssl_context *ssl )
1983 {
1984  int ret;
1985 
1986  SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
1987 
1988  if( ssl->record_read == 0 )
1989  {
1990  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1991  {
1992  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1993  return( ret );
1994  }
1995 
1996  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1997  {
1998  SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
2000  }
2001  }
2002  ssl->record_read = 0;
2003 
2004  if( ssl->in_hslen != 4 ||
2005  ssl->in_msg[0] != SSL_HS_SERVER_HELLO_DONE )
2006  {
2007  SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
2009  }
2010 
2011  ssl->state++;
2012 
2013  SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
2014 
2015  return( 0 );
2016 }
2017 
2018 static int ssl_write_client_key_exchange( ssl_context *ssl )
2019 {
2020  int ret;
2021  size_t i, n;
2022  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2023 
2024  SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
2025 
2026 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
2027  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
2028  {
2029  /*
2030  * DHM key exchange -- send G^X mod P
2031  */
2032  n = ssl->handshake->dhm_ctx.len;
2033 
2034  ssl->out_msg[4] = (unsigned char)( n >> 8 );
2035  ssl->out_msg[5] = (unsigned char)( n );
2036  i = 6;
2037 
2038  ret = dhm_make_public( &ssl->handshake->dhm_ctx,
2039  (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
2040  &ssl->out_msg[i], n,
2041  ssl->f_rng, ssl->p_rng );
2042  if( ret != 0 )
2043  {
2044  SSL_DEBUG_RET( 1, "dhm_make_public", ret );
2045  return( ret );
2046  }
2047 
2048  SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
2049  SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
2050 
2051  ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
2052 
2053  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2054  ssl->handshake->premaster,
2055  &ssl->handshake->pmslen,
2056  ssl->f_rng, ssl->p_rng ) ) != 0 )
2057  {
2058  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2059  return( ret );
2060  }
2061 
2062  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2063  }
2064  else
2065 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
2066 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2067  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2068  defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2069  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2070  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2071  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
2072  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
2073  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
2074  {
2075  /*
2076  * ECDH key exchange -- send client public value
2077  */
2078  i = 4;
2079 
2080  ret = ecdh_make_public( &ssl->handshake->ecdh_ctx,
2081  &n,
2082  &ssl->out_msg[i], 1000,
2083  ssl->f_rng, ssl->p_rng );
2084  if( ret != 0 )
2085  {
2086  SSL_DEBUG_RET( 1, "ecdh_make_public", ret );
2087  return( ret );
2088  }
2089 
2090  SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
2091 
2092  if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2093  &ssl->handshake->pmslen,
2094  ssl->handshake->premaster,
2096  ssl->f_rng, ssl->p_rng ) ) != 0 )
2097  {
2098  SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
2099  return( ret );
2100  }
2101 
2102  SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
2103  }
2104  else
2105 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2106  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2107  POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2108  POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2109 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
2110  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2111  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2112  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2113  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2114  {
2115  /*
2116  * opaque psk_identity<0..2^16-1>;
2117  */
2118  if( ssl->psk == NULL || ssl->psk_identity == NULL )
2120 
2121  i = 4;
2122  n = ssl->psk_identity_len;
2123  ssl->out_msg[i++] = (unsigned char)( n >> 8 );
2124  ssl->out_msg[i++] = (unsigned char)( n );
2125 
2126  memcpy( ssl->out_msg + i, ssl->psk_identity, ssl->psk_identity_len );
2127  i += ssl->psk_identity_len;
2128 
2129 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2130  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
2131  {
2132  n = 0;
2133  }
2134  else
2135 #endif
2136 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2137  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
2138  {
2139  if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
2140  return( ret );
2141  }
2142  else
2143 #endif
2144 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2145  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2146  {
2147  /*
2148  * ClientDiffieHellmanPublic public (DHM send G^X mod P)
2149  */
2150  n = ssl->handshake->dhm_ctx.len;
2151  ssl->out_msg[i++] = (unsigned char)( n >> 8 );
2152  ssl->out_msg[i++] = (unsigned char)( n );
2153 
2154  ret = dhm_make_public( &ssl->handshake->dhm_ctx,
2155  (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
2156  &ssl->out_msg[i], n,
2157  ssl->f_rng, ssl->p_rng );
2158  if( ret != 0 )
2159  {
2160  SSL_DEBUG_RET( 1, "dhm_make_public", ret );
2161  return( ret );
2162  }
2163  }
2164  else
2165 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2166 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2167  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2168  {
2169  /*
2170  * ClientECDiffieHellmanPublic public;
2171  */
2172  ret = ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
2173  &ssl->out_msg[i], SSL_MAX_CONTENT_LEN - i,
2174  ssl->f_rng, ssl->p_rng );
2175  if( ret != 0 )
2176  {
2177  SSL_DEBUG_RET( 1, "ecdh_make_public", ret );
2178  return( ret );
2179  }
2180 
2181  SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
2182  }
2183  else
2184 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2185  {
2186  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2188  }
2189 
2190  if( ( ret = ssl_psk_derive_premaster( ssl,
2191  ciphersuite_info->key_exchange ) ) != 0 )
2192  {
2193  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2194  return( ret );
2195  }
2196  }
2197  else
2198 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
2199 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2200  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
2201  {
2202  i = 4;
2203  if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
2204  return( ret );
2205  }
2206  else
2207 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2208  {
2209  ((void) ciphersuite_info);
2210  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2212  }
2213 
2214  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2215  {
2216  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2217  return( ret );
2218  }
2219 
2220  ssl->out_msglen = i + n;
2223 
2224  ssl->state++;
2225 
2226  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2227  {
2228  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2229  return( ret );
2230  }
2231 
2232  SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
2233 
2234  return( 0 );
2235 }
2236 
2237 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2238  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2239  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2240  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2241 static int ssl_write_certificate_verify( ssl_context *ssl )
2242 {
2244  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2245 
2246  SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
2247 
2248  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2249  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2250  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2251  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2252  {
2253  SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2254  ssl->state++;
2255  return( 0 );
2256  }
2257 
2258  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
2259  return( ret );
2260 }
2261 #else
2262 static int ssl_write_certificate_verify( ssl_context *ssl )
2263 {
2265  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2266  size_t n = 0, offset = 0;
2267  unsigned char hash[48];
2268  unsigned char *hash_start = hash;
2269  md_type_t md_alg = POLARSSL_MD_NONE;
2270  unsigned int hashlen;
2271 
2272  SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
2273 
2274  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2275  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2276  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2277  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2278  {
2279  SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2280  ssl->state++;
2281  return( 0 );
2282  }
2283 
2284  if( ssl->client_auth == 0 || ssl_own_cert( ssl ) == NULL )
2285  {
2286  SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2287  ssl->state++;
2288  return( 0 );
2289  }
2290 
2291  if( ssl_own_key( ssl ) == NULL )
2292  {
2293  SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2295  }
2296 
2297  /*
2298  * Make an RSA signature of the handshake digests
2299  */
2300  ssl->handshake->calc_verify( ssl, hash );
2301 
2302 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2303  defined(POLARSSL_SSL_PROTO_TLS1_1)
2304  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
2305  {
2306  /*
2307  * digitally-signed struct {
2308  * opaque md5_hash[16];
2309  * opaque sha_hash[20];
2310  * };
2311  *
2312  * md5_hash
2313  * MD5(handshake_messages);
2314  *
2315  * sha_hash
2316  * SHA(handshake_messages);
2317  */
2318  hashlen = 36;
2319  md_alg = POLARSSL_MD_NONE;
2320 
2321  /*
2322  * For ECDSA, default hash is SHA-1 only
2323  */
2324  if( pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECDSA ) )
2325  {
2326  hash_start += 16;
2327  hashlen -= 16;
2328  md_alg = POLARSSL_MD_SHA1;
2329  }
2330  }
2331  else
2332 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
2333  POLARSSL_SSL_PROTO_TLS1_1 */
2334 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2335  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2336  {
2337  /*
2338  * digitally-signed struct {
2339  * opaque handshake_messages[handshake_messages_length];
2340  * };
2341  *
2342  * Taking shortcut here. We assume that the server always allows the
2343  * PRF Hash function and has sent it in the allowed signature
2344  * algorithms list received in the Certificate Request message.
2345  *
2346  * Until we encounter a server that does not, we will take this
2347  * shortcut.
2348  *
2349  * Reason: Otherwise we should have running hashes for SHA512 and SHA224
2350  * in order to satisfy 'weird' needs from the server side.
2351  */
2354  {
2355  md_alg = POLARSSL_MD_SHA384;
2356  ssl->out_msg[4] = SSL_HASH_SHA384;
2357  }
2358  else
2359  {
2360  md_alg = POLARSSL_MD_SHA256;
2361  ssl->out_msg[4] = SSL_HASH_SHA256;
2362  }
2363  ssl->out_msg[5] = ssl_sig_from_pk( ssl_own_key( ssl ) );
2364 
2365  /* Info from md_alg will be used instead */
2366  hashlen = 0;
2367  offset = 2;
2368  }
2369  else
2370 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2371  {
2372  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2374  }
2375 
2376  if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash_start, hashlen,
2377  ssl->out_msg + 6 + offset, &n,
2378  ssl->f_rng, ssl->p_rng ) ) != 0 )
2379  {
2380  SSL_DEBUG_RET( 1, "pk_sign", ret );
2381  return( ret );
2382  }
2383 
2384  ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
2385  ssl->out_msg[5 + offset] = (unsigned char)( n );
2386 
2387  ssl->out_msglen = 6 + n + offset;
2390 
2391  ssl->state++;
2392 
2393  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2394  {
2395  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2396  return( ret );
2397  }
2398 
2399  SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
2400 
2401  return( ret );
2402 }
2403 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2404  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2405  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2406 
2407 #if defined(POLARSSL_SSL_SESSION_TICKETS)
2408 static int ssl_parse_new_session_ticket( ssl_context *ssl )
2409 {
2410  int ret;
2411  uint32_t lifetime;
2412  size_t ticket_len;
2413  unsigned char *ticket;
2414 
2415  SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
2416 
2417  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2418  {
2419  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2420  return( ret );
2421  }
2422 
2423  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2424  {
2425  SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2427  }
2428 
2429  /*
2430  * struct {
2431  * uint32 ticket_lifetime_hint;
2432  * opaque ticket<0..2^16-1>;
2433  * } NewSessionTicket;
2434  *
2435  * 0 . 0 handshake message type
2436  * 1 . 3 handshake message length
2437  * 4 . 7 ticket_lifetime_hint
2438  * 8 . 9 ticket_len (n)
2439  * 10 . 9+n ticket content
2440  */
2441  if( ssl->in_msg[0] != SSL_HS_NEW_SESSION_TICKET ||
2442  ssl->in_hslen < 10 )
2443  {
2444  SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2446  }
2447 
2448  lifetime = ( ssl->in_msg[4] << 24 ) | ( ssl->in_msg[5] << 16 ) |
2449  ( ssl->in_msg[6] << 8 ) | ( ssl->in_msg[7] );
2450 
2451  ticket_len = ( ssl->in_msg[8] << 8 ) | ( ssl->in_msg[9] );
2452 
2453  if( ticket_len + 10 != ssl->in_hslen )
2454  {
2455  SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2457  }
2458 
2459  SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
2460 
2461  /* We're not waiting for a NewSessionTicket message any more */
2462  ssl->handshake->new_session_ticket = 0;
2463 
2464  /*
2465  * Zero-length ticket means the server changed his mind and doesn't want
2466  * to send a ticket after all, so just forget it
2467  */
2468  if( ticket_len == 0)
2469  return( 0 );
2470 
2472  ssl->session_negotiate->ticket = NULL;
2473  ssl->session_negotiate->ticket_len = 0;
2474 
2475  if( ( ticket = polarssl_malloc( ticket_len ) ) == NULL )
2476  {
2477  SSL_DEBUG_MSG( 1, ( "ticket malloc failed" ) );
2479  }
2480 
2481  memcpy( ticket, ssl->in_msg + 10, ticket_len );
2482 
2483  ssl->session_negotiate->ticket = ticket;
2484  ssl->session_negotiate->ticket_len = ticket_len;
2485  ssl->session_negotiate->ticket_lifetime = lifetime;
2486 
2487  /*
2488  * RFC 5077 section 3.4:
2489  * "If the client receives a session ticket from the server, then it
2490  * discards any Session ID that was sent in the ServerHello."
2491  */
2492  SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
2493  ssl->session_negotiate->length = 0;
2494 
2495  SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
2496 
2497  return( 0 );
2498 }
2499 #endif /* POLARSSL_SSL_SESSION_TICKETS */
2500 
2501 /*
2502  * SSL handshake -- client side -- single step
2503  */
2505 {
2506  int ret = 0;
2507 
2508  if( ssl->state == SSL_HANDSHAKE_OVER )
2510 
2511  SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
2512 
2513  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2514  return( ret );
2515 
2516  switch( ssl->state )
2517  {
2518  case SSL_HELLO_REQUEST:
2519  ssl->state = SSL_CLIENT_HELLO;
2520  break;
2521 
2522  /*
2523  * ==> ClientHello
2524  */
2525  case SSL_CLIENT_HELLO:
2526  ret = ssl_write_client_hello( ssl );
2527  break;
2528 
2529  /*
2530  * <== ServerHello
2531  * Certificate
2532  * ( ServerKeyExchange )
2533  * ( CertificateRequest )
2534  * ServerHelloDone
2535  */
2536  case SSL_SERVER_HELLO:
2537  ret = ssl_parse_server_hello( ssl );
2538  break;
2539 
2541  ret = ssl_parse_certificate( ssl );
2542  break;
2543 
2545  ret = ssl_parse_server_key_exchange( ssl );
2546  break;
2547 
2549  ret = ssl_parse_certificate_request( ssl );
2550  break;
2551 
2552  case SSL_SERVER_HELLO_DONE:
2553  ret = ssl_parse_server_hello_done( ssl );
2554  break;
2555 
2556  /*
2557  * ==> ( Certificate/Alert )
2558  * ClientKeyExchange
2559  * ( CertificateVerify )
2560  * ChangeCipherSpec
2561  * Finished
2562  */
2564  ret = ssl_write_certificate( ssl );
2565  break;
2566 
2568  ret = ssl_write_client_key_exchange( ssl );
2569  break;
2570 
2572  ret = ssl_write_certificate_verify( ssl );
2573  break;
2574 
2576  ret = ssl_write_change_cipher_spec( ssl );
2577  break;
2578 
2579  case SSL_CLIENT_FINISHED:
2580  ret = ssl_write_finished( ssl );
2581  break;
2582 
2583  /*
2584  * <== ( NewSessionTicket )
2585  * ChangeCipherSpec
2586  * Finished
2587  */
2589 #if defined(POLARSSL_SSL_SESSION_TICKETS)
2590  if( ssl->handshake->new_session_ticket != 0 )
2591  ret = ssl_parse_new_session_ticket( ssl );
2592  else
2593 #endif
2594  ret = ssl_parse_change_cipher_spec( ssl );
2595  break;
2596 
2597  case SSL_SERVER_FINISHED:
2598  ret = ssl_parse_finished( ssl );
2599  break;
2600 
2601  case SSL_FLUSH_BUFFERS:
2602  SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2603  ssl->state = SSL_HANDSHAKE_WRAPUP;
2604  break;
2605 
2606  case SSL_HANDSHAKE_WRAPUP:
2607  ssl_handshake_wrapup( ssl );
2608  break;
2609 
2610  default:
2611  SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2613  }
2614 
2615  return( ret );
2616 }
2617 #endif /* POLARSSL_SSL_CLI_C */
#define SSL_HS_CLIENT_KEY_EXCHANGE
Definition: ssl.h:348
#define SSL_CERT_TYPE_ECDSA_SIGN
Definition: ssl.h:297
unsigned char * hostname
Definition: ssl.h:778
#define SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:308
unsigned char mfl_code
Definition: ssl.h:717
size_t length
Definition: ssl.h:452
int ciphersuite
Definition: ssl.h:450
mpi P
Definition: dhm.h:146
int trunc_hmac
Definition: ssl.h:752
int ecdh_make_public(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Setup and export the client&#39;s public value.
size_t in_hslen
Definition: ssl.h:697
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:635
#define TLS_EXT_SERVERNAME_HOSTNAME
Definition: ssl.h:355
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE
Processing of the ServerKeyExchange handshake message failed.
Definition: ssl.h:128
int record_read
Definition: ssl.h:699
int major_ver
Definition: ssl.h:624
#define SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:63
ecp_group_id grp_id
Definition: ecp.h:89
SHA-1 context structure.
Definition: sha1.h:58
int compression
Definition: ssl.h:451
#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH
Public key type mismatch (eg, asked for RSA key exchange and presented EC key)
Definition: ssl.h:143
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE
Processing of the ServerHelloDone handshake message failed.
Definition: ssl.h:129
#define POLARSSL_ECP_PF_COMPRESSED
Compressed point format.
Definition: ecp.h:234
pk_type_t ssl_pk_alg_from_sig(unsigned char sig)
int state
Definition: ssl.h:621
#define POLARSSL_MPI_MAX_SIZE
Maximum number of bytes for usable MPIs.
Definition: bignum.h:91
int ecdh_calc_secret(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret.
char peer_verify_data[36]
Definition: ssl.h:797
#define SSL_HS_CLIENT_HELLO
Definition: ssl.h:340
const ecp_curve_info * ecp_curve_list(void)
Get the list of supported curves in order of preferrence (full information)
#define TLS_EXT_ALPN
Definition: ssl.h:366
Debug functions.
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
void(* calc_verify)(ssl_context *, unsigned char *)
Definition: ssl.h:568
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
int md_starts(md_context_t *ctx)
Set-up the given context for a new message digest.
#define SSL_HS_SERVER_KEY_EXCHANGE
Definition: ssl.h:344
const char * name
Definition: ecp.h:92
#define TLS_EXT_TRUNCATED_HMAC
Definition: ssl.h:359
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO
Processing of the ServerHello handshake message failed.
Definition: ssl.h:125
#define SSL_HS_NEW_SESSION_TICKET
Definition: ssl.h:342
size_t ticket_len
Definition: ssl.h:463
#define SSL_HASH_SHA1
Definition: ssl.h:282
ssl_session * session_negotiate
Definition: ssl.h:671
int ssl_parse_certificate(ssl_context *ssl)
size_t out_msglen
Definition: ssl.h:710
mpi GX
Definition: dhm.h:149
#define SSL_SESSION_TICKETS_DISABLED
Definition: ssl.h:232
#define SSL_SIG_RSA
Definition: ssl.h:289
const int * ciphersuite_list[4]
Definition: ssl.h:747
int ssl_parse_finished(ssl_context *ssl)
void * p_rng
Definition: ssl.h:642
int md_init_ctx(md_context_t *ctx, const md_info_t *md_info)
Initialises and fills the message digest context structure with the appropriate values.
#define polarssl_free
Definition: platform.h:91
#define SSL_RENEGOTIATION
Definition: ssl.h:214
unsigned char premaster[POLARSSL_PREMASTER_SIZE]
Definition: ssl.h:577
#define POLARSSL_ECP_PF_UNCOMPRESSED
Uncompressed point format.
Definition: ecp.h:233
#define POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET
Processing of the NewSessionTicket handshake message failed.
Definition: ssl.h:141
int ssl_write_finished(ssl_context *ssl)
Configuration options (set of defines)
#define SSL_DEBUG_MSG(level, args)
Definition: debug.h:60
size_t psk_identity_len
Definition: ssl.h:771
mpi X
Definition: dhm.h:148
#define SSL_TRUNC_HMAC_ENABLED
Definition: ssl.h:229
void ssl_handshake_wrapup(ssl_context *ssl)
char own_verify_data[36]
Definition: ssl.h:796
int ecdh_get_params(ecdh_context *ctx, const ecp_keypair *key, ecdh_side side)
Setup an ECDH context from an EC key.
ECP key pair structure.
Definition: ecp.h:163
#define SSL_SIG_ECDSA
Definition: ssl.h:290
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
#define SSL_MAX_MAJOR_VERSION
Definition: ssl.h:177
int secure_renegotiation
Definition: ssl.h:793
time_t start
Definition: ssl.h:448
PolarSSL Platform abstraction layer.
#define pk_ec(pk)
Quick access to an EC context inside a PK context.
Definition: pk.h:84
#define SSL_HASH_MD5
Definition: ssl.h:281
#define SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:224
#define SSL_MAJOR_VERSION_3
Definition: ssl.h:151
unsigned char id[32]
Definition: ssl.h:453
pk_type_t ssl_get_ciphersuite_sig_pk_alg(const ssl_ciphersuite_t *info)
const ssl_ciphersuite_t * ciphersuite_info
Definition: ssl.h:485
unsigned char * psk
Definition: ssl.h:768
size_t len
Definition: dhm.h:145
int max_major_ver
Definition: ssl.h:627
ecp_point Qp
Definition: ecdh.h:53
md_type_t
Definition: md.h:51
const char ** alpn_list
Definition: ssl.h:786
int max_minor_ver
Definition: ssl.h:628
const char * alpn_chosen
Definition: ssl.h:787
int dhm_read_params(dhm_context *ctx, unsigned char **p, const unsigned char *end)
Parse the ServerKeyExchange parameters.
const md_info_t * md_info_from_type(md_type_t md_type)
Returns the message digest information associated with the given digest type.
#define TLS_EXT_SIG_ALG
Definition: ssl.h:364
#define SSL_CERT_TYPE_RSA_SIGN
Definition: ssl.h:296
#define SSL_HS_CERTIFICATE_REQUEST
Definition: ssl.h:345
ssl_handshake_params * handshake
Definition: ssl.h:673
#define SSL_MSG_HANDSHAKE
Definition: ssl.h:304
int ssl_write_certificate(ssl_context *ssl)
#define SSL_ALERT_MSG_PROTOCOL_VERSION
Definition: ssl.h:329
#define POLARSSL_ERR_SSL_NO_RNG
No RNG was provided to the SSL module.
Definition: ssl.h:114
ecp_group_id id
Definition: ecp.h:138
#define SSL_TRUNC_HMAC_DISABLED
Definition: ssl.h:228
int in_msgtype
Definition: ssl.h:693
size_t verify_data_len
Definition: ssl.h:795
mpi G
Definition: dhm.h:147
int point_format
Definition: ecdh.h:55
int min_minor_ver
Definition: ssl.h:630
unsigned char * out_msg
Definition: ssl.h:707
#define SSL_MINOR_VERSION_0
Definition: ssl.h:152
int client_auth
Definition: ssl.h:743
int pk_verify(pk_context *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len)
Verify signature.
#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION
Handshake protocol not within min/max boundaries.
Definition: ssl.h:140
ecdh_context ecdh_ctx
Definition: ssl.h:532
#define SSL_HS_SERVER_HELLO_DONE
Definition: ssl.h:346
static x509_crt * ssl_own_cert(ssl_context *ssl)
Definition: ssl.h:1670
int ssl_handshake_client_step(ssl_context *ssl)
#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE
An unexpected message was received from our peer.
Definition: ssl.h:120
const ecp_curve_info * ecp_curve_info_from_grp_id(ecp_group_id grp_id)
Get curve information from an internal group identifier.
unsigned char * ticket
Definition: ssl.h:462
key_exchange_type_t key_exchange
int new_session_ticket
Definition: ssl.h:586
mpi GY
Definition: dhm.h:150
int trunc_hmac
Definition: ssl.h:472
Curve information for use by other modules.
Definition: ecp.h:87
int pk_can_do(pk_context *ctx, pk_type_t type)
Tell if a context can do the operation given by type.
void md5_starts(md5_context *ctx)
MD5 context setup.
unsigned char ssl_sig_from_pk(pk_context *pk)
int ssl_flush_output(ssl_context *ssl)
#define TLS_EXT_SESSION_TICKET
Definition: ssl.h:368
#define SSL_HS_SERVER_HELLO
Definition: ssl.h:341
#define SSL_COMPRESS_DEFLATE
Definition: ssl.h:207
unsigned char * in_msg
Definition: ssl.h:690
mpi z
Definition: ecdh.h:54
#define SSL_MINOR_VERSION_3
Definition: ssl.h:155
mpi K
Definition: dhm.h:151
MD5 context structure.
Definition: md5.h:58
#define TLS_EXT_RENEGOTIATION_INFO
Definition: ssl.h:370
pk_type_t
Public key types.
Definition: pk.h:95
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST
Processing of the CertificateRequest handshake message failed.
Definition: ssl.h:127
int ssl_parse_change_cipher_spec(ssl_context *ssl)
size_t hostname_len
Definition: ssl.h:779
int ecdh_read_params(ecdh_context *ctx, const unsigned char **buf, const unsigned char *end)
Parse the ServerKeyExhange parameters.
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
int minor_ver
Definition: ssl.h:625
#define SSL_EMPTY_RENEGOTIATION_INFO
renegotiation info ext
Definition: ssl.h:274
This structure is used for storing ciphersuite information.
#define SSL_HASH_SHA256
Definition: ssl.h:284
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:66
#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED
The own private key or pre-shared key is not set, but needed.
Definition: ssl.h:118
#define SSL_INITIAL_HANDSHAKE
Definition: ssl.h:213
#define SSL_MAX_MINOR_VERSION
Definition: ssl.h:180
int session_tickets
Definition: ssl.h:755
int allow_legacy_renegotiation
Definition: ssl.h:746
#define SSL_COMPRESS_NULL
Definition: ssl.h:206
const ssl_ciphersuite_t * ssl_ciphersuite_from_id(int ciphersuite_id)
int ssl_read_record(ssl_context *ssl)
ecp_group_id
Domain parameters (curve, subgroup and generator) identifiers.
Definition: ecp.h:57
int out_msgtype
Definition: ssl.h:709
#define TLS_EXT_MAX_FRAGMENT_LENGTH
Definition: ssl.h:357
size_t nbits
Definition: ecp.h:145
#define SSL_MAX_FRAG_LEN_NONE
Definition: ssl.h:197
#define SSL_HS_CERTIFICATE_VERIFY
Definition: ssl.h:347
#define TLS_EXT_SERVERNAME
Definition: ssl.h:354
int pk_sign(pk_context *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, unsigned char *sig, size_t *sig_len, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Make signature.
int dhm_make_public(dhm_context *ctx, int x_size, unsigned char *output, size_t olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Create own private value X and export G^X.
#define SSL_DEBUG_MPI(level, text, X)
Definition: debug.h:70
size_t mpi_size(const mpi *X)
Return the total size in bytes.
#define SSL_LEGACY_BREAK_HANDSHAKE
Definition: ssl.h:226
int pk_encrypt(pk_context *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, size_t osize, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Encrypt message.
int min_major_ver
Definition: ssl.h:629
pk_context pk
Container for the public key context.
Definition: x509_crt.h:75
ssl_transform * transform_negotiate
Definition: ssl.h:682
#define SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:218
#define SSL_HASH_SHA224
Definition: ssl.h:283
uint32_t ticket_lifetime
Definition: ssl.h:464
#define SSL_SECURE_RENEGOTIATION
Definition: ssl.h:219
SSL/TLS functions.
#define POLARSSL_ERR_SSL_MALLOC_FAILED
Memory allocation failed.
Definition: ssl.h:136
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
#define TLS_EXT_SUPPORTED_POINT_FORMATS
Definition: ssl.h:362
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
int ssl_write_change_cipher_spec(ssl_context *ssl)
#define SSL_DEBUG_ECP(level, text, X)
Definition: debug.h:75
uint16_t tls_id
Definition: ecp.h:90
int ssl_derive_keys(ssl_context *ssl)
static pk_context * ssl_own_key(ssl_context *ssl)
Definition: ssl.h:1664
int md_finish(md_context_t *ctx, unsigned char *output)
Generic message digest final digest.
int ssl_psk_derive_premaster(ssl_context *ssl, key_exchange_type_t key_ex)
int renegotiation
Definition: ssl.h:622
dhm_context dhm_ctx
Definition: ssl.h:529
static int safer_memcmp(const void *a, const void *b, size_t n)
Definition: ssl.h:1691
#define polarssl_malloc
Definition: platform.h:90
int md_free_ctx(md_context_t *ctx)
Free the message-specific context of ctx.
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
#define SSL_MAX_CONTENT_LEN
Size of the input / output buffer.
Definition: ssl.h:255
unsigned char * psk_identity
Definition: ssl.h:770
#define TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
Definition: ssl.h:361
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition: ssl.h:107
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE
Processing of the Certificate handshake message failed.
Definition: ssl.h:126
int md_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic message digest process buffer.
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition: ssl.h:108
#define SSL_HASH_SHA512
Definition: ssl.h:286
#define SSL_HASH_SHA384
Definition: ssl.h:285
int ssl_write_record(ssl_context *ssl)
unsigned char randbytes[64]
Definition: ssl.h:576
ecp_group grp
Definition: ecdh.h:50
Generic message digest context.
Definition: md.h:132
void ssl_optimize_checksum(ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info)
ecp_point Q
Definition: ecdh.h:52
x509_crt * peer_cert
Definition: ssl.h:457
md_type_t ssl_md_alg_from_hash(unsigned char hash)
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret (G^Y)^X mod P.