PolarSSL v1.3.7
ssl_srv.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 server-side functions
3  *
4  * Copyright (C) 2006-2014, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 #if !defined(POLARSSL_CONFIG_FILE)
27 #include "polarssl/config.h"
28 #else
29 #include POLARSSL_CONFIG_FILE
30 #endif
31 
32 #if defined(POLARSSL_SSL_SRV_C)
33 
34 #include "polarssl/debug.h"
35 #include "polarssl/ssl.h"
36 #if defined(POLARSSL_ECP_C)
37 #include "polarssl/ecp.h"
38 #endif
39 
40 #if defined(POLARSSL_PLATFORM_C)
41 #include "polarssl/platform.h"
42 #else
43 #define polarssl_malloc malloc
44 #define polarssl_free free
45 #endif
46 
47 #include <stdlib.h>
48 #include <stdio.h>
49 
50 #if defined(POLARSSL_HAVE_TIME)
51 #include <time.h>
52 #endif
53 
54 #if defined(POLARSSL_SSL_SESSION_TICKETS)
55 /*
56  * Serialize a session in the following format:
57  * 0 . n-1 session structure, n = sizeof(ssl_session)
58  * n . n+2 peer_cert length = m (0 if no certificate)
59  * n+3 . n+2+m peer cert ASN.1
60  *
61  * Assumes ticket is NULL (always true on server side).
62  */
63 static int ssl_save_session( const ssl_session *session,
64  unsigned char *buf, size_t buf_len,
65  size_t *olen )
66 {
67  unsigned char *p = buf;
68  size_t left = buf_len;
69 #if defined(POLARSSL_X509_CRT_PARSE_C)
70  size_t cert_len;
71 #endif /* POLARSSL_X509_CRT_PARSE_C */
72 
73  if( left < sizeof( ssl_session ) )
74  return( -1 );
75 
76  memcpy( p, session, sizeof( ssl_session ) );
77  p += sizeof( ssl_session );
78  left -= sizeof( ssl_session );
79 
80 #if defined(POLARSSL_X509_CRT_PARSE_C)
81  if( session->peer_cert == NULL )
82  cert_len = 0;
83  else
84  cert_len = session->peer_cert->raw.len;
85 
86  if( left < 3 + cert_len )
87  return( -1 );
88 
89  *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
90  *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
91  *p++ = (unsigned char)( cert_len & 0xFF );
92 
93  if( session->peer_cert != NULL )
94  memcpy( p, session->peer_cert->raw.p, cert_len );
95 
96  p += cert_len;
97 #endif /* POLARSSL_X509_CRT_PARSE_C */
98 
99  *olen = p - buf;
100 
101  return( 0 );
102 }
103 
104 /*
105  * Unserialise session, see ssl_save_session()
106  */
107 static int ssl_load_session( ssl_session *session,
108  const unsigned char *buf, size_t len )
109 {
110  const unsigned char *p = buf;
111  const unsigned char * const end = buf + len;
112 #if defined(POLARSSL_X509_CRT_PARSE_C)
113  size_t cert_len;
114 #endif /* POLARSSL_X509_CRT_PARSE_C */
115 
116  if( p + sizeof( ssl_session ) > end )
118 
119  memcpy( session, p, sizeof( ssl_session ) );
120  p += sizeof( ssl_session );
121 
122 #if defined(POLARSSL_X509_CRT_PARSE_C)
123  if( p + 3 > end )
125 
126  cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
127  p += 3;
128 
129  if( cert_len == 0 )
130  {
131  session->peer_cert = NULL;
132  }
133  else
134  {
135  int ret;
136 
137  if( p + cert_len > end )
139 
140  session->peer_cert = polarssl_malloc( sizeof( x509_crt ) );
141 
142  if( session->peer_cert == NULL )
144 
145  x509_crt_init( session->peer_cert );
146 
147  if( ( ret = x509_crt_parse( session->peer_cert, p, cert_len ) ) != 0 )
148  {
149  x509_crt_free( session->peer_cert );
150  polarssl_free( session->peer_cert );
151  session->peer_cert = NULL;
152  return( ret );
153  }
154 
155  p += cert_len;
156  }
157 #endif /* POLARSSL_X509_CRT_PARSE_C */
158 
159  if( p != end )
161 
162  return( 0 );
163 }
164 
165 /*
166  * Create session ticket, secured as recommended in RFC 5077 section 4:
167  *
168  * struct {
169  * opaque key_name[16];
170  * opaque iv[16];
171  * opaque encrypted_state<0..2^16-1>;
172  * opaque mac[32];
173  * } ticket;
174  *
175  * (the internal state structure differs, however).
176  */
177 static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
178 {
179  int ret;
180  unsigned char * const start = ssl->out_msg + 10;
181  unsigned char *p = start;
182  unsigned char *state;
183  unsigned char iv[16];
184  size_t clear_len, enc_len, pad_len, i;
185 
186  *tlen = 0;
187 
188  if( ssl->ticket_keys == NULL )
190 
191  /* Write key name */
192  memcpy( p, ssl->ticket_keys->key_name, 16 );
193  p += 16;
194 
195  /* Generate and write IV (with a copy for aes_crypt) */
196  if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
197  return( ret );
198  memcpy( iv, p, 16 );
199  p += 16;
200 
201  /*
202  * Dump session state
203  *
204  * After the session state itself, we still need room for 16 bytes of
205  * padding and 32 bytes of MAC, so there's only so much room left
206  */
207  state = p + 2;
208  if( ssl_save_session( ssl->session_negotiate, state,
209  SSL_MAX_CONTENT_LEN - (state - ssl->out_ctr) - 48,
210  &clear_len ) != 0 )
211  {
213  }
214  SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
215 
216  /* Apply PKCS padding */
217  pad_len = 16 - clear_len % 16;
218  enc_len = clear_len + pad_len;
219  for( i = clear_len; i < enc_len; i++ )
220  state[i] = (unsigned char) pad_len;
221 
222  /* Encrypt */
223  if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
224  enc_len, iv, state, state ) ) != 0 )
225  {
226  return( ret );
227  }
228 
229  /* Write length */
230  *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
231  *p++ = (unsigned char)( ( enc_len ) & 0xFF );
232  p = state + enc_len;
233 
234  /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
235  sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
236  p += 32;
237 
238  *tlen = p - start;
239 
240  SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
241 
242  return( 0 );
243 }
244 
245 /*
246  * Load session ticket (see ssl_write_ticket for structure)
247  */
248 static int ssl_parse_ticket( ssl_context *ssl,
249  unsigned char *buf,
250  size_t len )
251 {
252  int ret;
253  ssl_session session;
254  unsigned char *key_name = buf;
255  unsigned char *iv = buf + 16;
256  unsigned char *enc_len_p = iv + 16;
257  unsigned char *ticket = enc_len_p + 2;
258  unsigned char *mac;
259  unsigned char computed_mac[32];
260  size_t enc_len, clear_len, i;
261  unsigned char pad_len, diff;
262 
263  SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
264 
265  if( len < 34 || ssl->ticket_keys == NULL )
267 
268  enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
269  mac = ticket + enc_len;
270 
271  if( len != enc_len + 66 )
273 
274  /* Check name, in constant time though it's not a big secret */
275  diff = 0;
276  for( i = 0; i < 16; i++ )
277  diff |= key_name[i] ^ ssl->ticket_keys->key_name[i];
278  /* don't return yet, check the MAC anyway */
279 
280  /* Check mac, with constant-time buffer comparison */
281  sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
282  computed_mac, 0 );
283 
284  for( i = 0; i < 32; i++ )
285  diff |= mac[i] ^ computed_mac[i];
286 
287  /* Now return if ticket is not authentic, since we want to avoid
288  * decrypting arbitrary attacker-chosen data */
289  if( diff != 0 )
291 
292  /* Decrypt */
293  if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
294  enc_len, iv, ticket, ticket ) ) != 0 )
295  {
296  return( ret );
297  }
298 
299  /* Check PKCS padding */
300  pad_len = ticket[enc_len - 1];
301 
302  ret = 0;
303  for( i = 2; i < pad_len; i++ )
304  if( ticket[enc_len - i] != pad_len )
306  if( ret != 0 )
307  return( ret );
308 
309  clear_len = enc_len - pad_len;
310 
311  SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
312 
313  /* Actually load session */
314  if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
315  {
316  SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
317  ssl_session_free( &session );
318  return( ret );
319  }
320 
321 #if defined(POLARSSL_HAVE_TIME)
322  /* Check if still valid */
323  if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
324  {
325  SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
326  ssl_session_free( &session );
328  }
329 #endif
330 
331  /*
332  * Keep the session ID sent by the client, since we MUST send it back to
333  * inform him we're accepting the ticket (RFC 5077 section 3.4)
334  */
335  session.length = ssl->session_negotiate->length;
336  memcpy( &session.id, ssl->session_negotiate->id, session.length );
337 
339  memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
340  memset( &session, 0, sizeof( ssl_session ) );
341 
342  return( 0 );
343 }
344 #endif /* POLARSSL_SSL_SESSION_TICKETS */
345 
346 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
347 /*
348  * Wrapper around f_sni, allowing use of ssl_set_own_cert() but
349  * making it act on ssl->hanshake->sni_key_cert instead.
350  */
351 static int ssl_sni_wrapper( ssl_context *ssl,
352  const unsigned char* name, size_t len )
353 {
354  int ret;
355  ssl_key_cert *key_cert_ori = ssl->key_cert;
356 
357  ssl->key_cert = NULL;
358  ret = ssl->f_sni( ssl->p_sni, ssl, name, len );
359  ssl->handshake->sni_key_cert = ssl->key_cert;
360 
361  ssl->key_cert = key_cert_ori;
362 
363  return( ret );
364 }
365 
366 static int ssl_parse_servername_ext( ssl_context *ssl,
367  const unsigned char *buf,
368  size_t len )
369 {
370  int ret;
371  size_t servername_list_size, hostname_len;
372  const unsigned char *p;
373 
374  SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
375 
376  servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
377  if( servername_list_size + 2 != len )
378  {
379  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
381  }
382 
383  p = buf + 2;
384  while( servername_list_size > 0 )
385  {
386  hostname_len = ( ( p[1] << 8 ) | p[2] );
387  if( hostname_len + 3 > servername_list_size )
388  {
389  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
391  }
392 
393  if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
394  {
395  ret = ssl_sni_wrapper( ssl, p + 3, hostname_len );
396  if( ret != 0 )
397  {
398  SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
402  }
403  return( 0 );
404  }
405 
406  servername_list_size -= hostname_len + 3;
407  p += hostname_len + 3;
408  }
409 
410  if( servername_list_size != 0 )
411  {
412  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
414  }
415 
416  return( 0 );
417 }
418 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
419 
420 static int ssl_parse_renegotiation_info( ssl_context *ssl,
421  const unsigned char *buf,
422  size_t len )
423 {
424  int ret;
425 
427  {
428  if( len != 1 || buf[0] != 0x0 )
429  {
430  SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
431 
432  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
433  return( ret );
434 
436  }
437 
439  }
440  else
441  {
442  /* Check verify-data in constant-time. The length OTOH is no secret */
443  if( len != 1 + ssl->verify_data_len ||
444  buf[0] != ssl->verify_data_len ||
445  safer_memcmp( buf + 1, ssl->peer_verify_data,
446  ssl->verify_data_len ) != 0 )
447  {
448  SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
449 
450  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
451  return( ret );
452 
454  }
455  }
456 
457  return( 0 );
458 }
459 
460 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
461 static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
462  const unsigned char *buf,
463  size_t len )
464 {
465  size_t sig_alg_list_size;
466  const unsigned char *p;
467 
468  sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
469  if( sig_alg_list_size + 2 != len ||
470  sig_alg_list_size %2 != 0 )
471  {
472  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
474  }
475 
476  p = buf + 2;
477  while( sig_alg_list_size > 0 )
478  {
479  /*
480  * For now, just ignore signature algorithm and rely on offered
481  * ciphersuites only. To be fixed later.
482  */
483 #if defined(POLARSSL_SHA512_C)
484  if( p[0] == SSL_HASH_SHA512 )
485  {
487  break;
488  }
489  if( p[0] == SSL_HASH_SHA384 )
490  {
492  break;
493  }
494 #endif /* POLARSSL_SHA512_C */
495 #if defined(POLARSSL_SHA256_C)
496  if( p[0] == SSL_HASH_SHA256 )
497  {
499  break;
500  }
501  if( p[0] == SSL_HASH_SHA224 )
502  {
504  break;
505  }
506 #endif /* POLARSSL_SHA256_C */
507  if( p[0] == SSL_HASH_SHA1 )
508  {
510  break;
511  }
512  if( p[0] == SSL_HASH_MD5 )
513  {
515  break;
516  }
517 
518  sig_alg_list_size -= 2;
519  p += 2;
520  }
521 
522  SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
523  ssl->handshake->sig_alg ) );
524 
525  return( 0 );
526 }
527 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
528 
529 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
530 static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
531  const unsigned char *buf,
532  size_t len )
533 {
534  size_t list_size, our_size;
535  const unsigned char *p;
536  const ecp_curve_info *curve_info, **curves;
537 
538  list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
539  if( list_size + 2 != len ||
540  list_size % 2 != 0 )
541  {
542  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
544  }
545 
546  /* Don't allow our peer to make us allocate too much memory,
547  * and leave room for a final 0 */
548  our_size = list_size / 2 + 1;
549  if( our_size > POLARSSL_ECP_DP_MAX )
550  our_size = POLARSSL_ECP_DP_MAX;
551 
552  if( ( curves = polarssl_malloc( our_size * sizeof( *curves ) ) ) == NULL )
554 
555  /* explicit void pointer cast for buggy MS compiler */
556  memset( (void *) curves, 0, our_size * sizeof( *curves ) );
557  ssl->handshake->curves = curves;
558 
559  p = buf + 2;
560  while( list_size > 0 && our_size > 1 )
561  {
562  curve_info = ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
563 
564  if( curve_info != NULL )
565  {
566  *curves++ = curve_info;
567  our_size--;
568  }
569 
570  list_size -= 2;
571  p += 2;
572  }
573 
574  return( 0 );
575 }
576 
577 static int ssl_parse_supported_point_formats( ssl_context *ssl,
578  const unsigned char *buf,
579  size_t len )
580 {
581  size_t list_size;
582  const unsigned char *p;
583 
584  list_size = buf[0];
585  if( list_size + 1 != len )
586  {
587  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
589  }
590 
591  p = buf + 2;
592  while( list_size > 0 )
593  {
594  if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
596  {
597  ssl->handshake->ecdh_ctx.point_format = p[0];
598  SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
599  return( 0 );
600  }
601 
602  list_size--;
603  p++;
604  }
605 
606  return( 0 );
607 }
608 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
609 
610 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
611 static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
612  const unsigned char *buf,
613  size_t len )
614 {
615  if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
616  {
617  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
619  }
620 
621  ssl->session_negotiate->mfl_code = buf[0];
622 
623  return( 0 );
624 }
625 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
626 
627 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
628 static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
629  const unsigned char *buf,
630  size_t len )
631 {
632  if( len != 0 )
633  {
634  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
636  }
637 
638  ((void) buf);
639 
641 
642  return( 0 );
643 }
644 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
645 
646 #if defined(POLARSSL_SSL_SESSION_TICKETS)
647 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
648  unsigned char *buf,
649  size_t len )
650 {
651  int ret;
652 
654  return( 0 );
655 
656  /* Remember the client asked us to send a new ticket */
657  ssl->handshake->new_session_ticket = 1;
658 
659  SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
660 
661  if( len == 0 )
662  return( 0 );
663 
665  {
666  SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
667  return( 0 );
668  }
669 
670  /*
671  * Failures are ok: just ignore the ticket and proceed.
672  */
673  if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
674  {
675  SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
676  return( 0 );
677  }
678 
679  SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
680 
681  ssl->handshake->resume = 1;
682 
683  /* Don't send a new ticket after all, this one is OK */
684  ssl->handshake->new_session_ticket = 0;
685 
686  return( 0 );
687 }
688 #endif /* POLARSSL_SSL_SESSION_TICKETS */
689 
690 #if defined(POLARSSL_SSL_ALPN)
691 static int ssl_parse_alpn_ext( ssl_context *ssl,
692  unsigned char *buf, size_t len )
693 {
694  size_t list_len, cur_len;
695  const unsigned char *theirs, *start, *end;
696  const char **ours;
697 
698  /* If ALPN not configured, just ignore the extension */
699  if( ssl->alpn_list == NULL )
700  return( 0 );
701 
702  /*
703  * opaque ProtocolName<1..2^8-1>;
704  *
705  * struct {
706  * ProtocolName protocol_name_list<2..2^16-1>
707  * } ProtocolNameList;
708  */
709 
710  /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
711  if( len < 4 )
713 
714  list_len = ( buf[0] << 8 ) | buf[1];
715  if( list_len != len - 2 )
717 
718  /*
719  * Use our order of preference
720  */
721  start = buf + 2;
722  end = buf + len;
723  for( ours = ssl->alpn_list; *ours != NULL; ours++ )
724  {
725  for( theirs = start; theirs != end; theirs += cur_len )
726  {
727  /* If the list is well formed, we should get equality first */
728  if( theirs > end )
730 
731  cur_len = *theirs++;
732 
733  /* Empty strings MUST NOT be included */
734  if( cur_len == 0 )
736 
737  if( cur_len == strlen( *ours ) &&
738  memcmp( theirs, *ours, cur_len ) == 0 )
739  {
740  ssl->alpn_chosen = *ours;
741  return( 0 );
742  }
743  }
744  }
745 
746  /* If we get there, no match was found */
750 }
751 #endif /* POLARSSL_SSL_ALPN */
752 
753 /*
754  * Auxiliary functions for ServerHello parsing and related actions
755  */
756 
757 #if defined(POLARSSL_X509_CRT_PARSE_C)
758 /*
759  * Return 1 if the given EC key uses the given curve, 0 otherwise
760  */
761 #if defined(POLARSSL_ECDSA_C)
762 static int ssl_key_matches_curves( pk_context *pk,
763  const ecp_curve_info **curves )
764 {
765  const ecp_curve_info **crv = curves;
766  ecp_group_id grp_id = pk_ec( *pk )->grp.id;
767 
768  while( *crv != NULL )
769  {
770  if( (*crv)->grp_id == grp_id )
771  return( 1 );
772  crv++;
773  }
774 
775  return( 0 );
776 }
777 #endif /* POLARSSL_ECDSA_C */
778 
779 /*
780  * Try picking a certificate for this ciphersuite,
781  * return 0 on success and -1 on failure.
782  */
783 static int ssl_pick_cert( ssl_context *ssl,
784  const ssl_ciphersuite_t * ciphersuite_info )
785 {
786  ssl_key_cert *cur, *list;
787  pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
788 
789 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
790  if( ssl->handshake->sni_key_cert != NULL )
791  list = ssl->handshake->sni_key_cert;
792  else
793 #endif
794  list = ssl->handshake->key_cert;
795 
796  if( pk_alg == POLARSSL_PK_NONE )
797  return( 0 );
798 
799  for( cur = list; cur != NULL; cur = cur->next )
800  {
801  if( ! pk_can_do( cur->key, pk_alg ) )
802  continue;
803 
804  /*
805  * This avoids sending the client a cert it'll reject based on
806  * keyUsage or other extensions.
807  *
808  * It also allows the user to provision different certificates for
809  * different uses based on keyUsage, eg if they want to avoid signing
810  * and decrypting with the same RSA key.
811  */
812  if( ssl_check_cert_usage( cur->cert, ciphersuite_info,
813  SSL_IS_SERVER ) != 0 )
814  {
815  continue;
816  }
817 
818 #if defined(POLARSSL_ECDSA_C)
819  if( pk_alg == POLARSSL_PK_ECDSA )
820  {
821  if( ssl_key_matches_curves( cur->key, ssl->handshake->curves ) )
822  break;
823  }
824  else
825 #endif
826  break;
827  }
828 
829  if( cur == NULL )
830  return( -1 );
831 
832  ssl->handshake->key_cert = cur;
833  return( 0 );
834 }
835 #endif /* POLARSSL_X509_CRT_PARSE_C */
836 
837 /*
838  * Check if a given ciphersuite is suitable for use with our config/keys/etc
839  * Sets ciphersuite_info only if the suite matches.
840  */
841 static int ssl_ciphersuite_match( ssl_context *ssl, int suite_id,
842  const ssl_ciphersuite_t **ciphersuite_info )
843 {
844  const ssl_ciphersuite_t *suite_info;
845 
846  suite_info = ssl_ciphersuite_from_id( suite_id );
847  if( suite_info == NULL )
848  {
849  SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", suite_id ) );
851  }
852 
853  if( suite_info->min_minor_ver > ssl->minor_ver ||
854  suite_info->max_minor_ver < ssl->minor_ver )
855  return( 0 );
856 
857 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
858  if( ssl_ciphersuite_uses_ec( suite_info ) &&
859  ( ssl->handshake->curves == NULL ||
860  ssl->handshake->curves[0] == NULL ) )
861  return( 0 );
862 #endif
863 
864 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
865  /* If the ciphersuite requires a pre-shared key and we don't
866  * have one, skip it now rather than failing later */
867  if( ssl_ciphersuite_uses_psk( suite_info ) &&
868  ssl->f_psk == NULL &&
869  ( ssl->psk == NULL || ssl->psk_identity == NULL ||
870  ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
871  return( 0 );
872 #endif
873 
874 #if defined(POLARSSL_X509_CRT_PARSE_C)
875  /*
876  * Final check: if ciphersuite requires us to have a
877  * certificate/key of a particular type:
878  * - select the appropriate certificate if we have one, or
879  * - try the next ciphersuite if we don't
880  * This must be done last since we modify the key_cert list.
881  */
882  if( ssl_pick_cert( ssl, suite_info ) != 0 )
883  return( 0 );
884 #endif
885 
886  *ciphersuite_info = suite_info;
887  return( 0 );
888 }
889 
890 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
891 static int ssl_parse_client_hello_v2( ssl_context *ssl )
892 {
893  int ret;
894  unsigned int i, j;
895  size_t n;
896  unsigned int ciph_len, sess_len, chal_len;
897  unsigned char *buf, *p;
898  const int *ciphersuites;
899  const ssl_ciphersuite_t *ciphersuite_info;
900 
901  SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
902 
904  {
905  SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
906 
907  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
908  return( ret );
909 
911  }
912 
913  buf = ssl->in_hdr;
914 
915  SSL_DEBUG_BUF( 4, "record header", buf, 5 );
916 
917  SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
918  buf[2] ) );
919  SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
920  ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
921  SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
922  buf[3], buf[4] ) );
923 
924  /*
925  * SSLv2 Client Hello
926  *
927  * Record layer:
928  * 0 . 1 message length
929  *
930  * SSL layer:
931  * 2 . 2 message type
932  * 3 . 4 protocol version
933  */
934  if( buf[2] != SSL_HS_CLIENT_HELLO ||
935  buf[3] != SSL_MAJOR_VERSION_3 )
936  {
937  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
939  }
940 
941  n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
942 
943  if( n < 17 || n > 512 )
944  {
945  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
947  }
948 
950  ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
951  ? buf[4] : ssl->max_minor_ver;
952 
953  if( ssl->minor_ver < ssl->min_minor_ver )
954  {
955  SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
956  " [%d:%d] < [%d:%d]",
957  ssl->major_ver, ssl->minor_ver,
958  ssl->min_major_ver, ssl->min_minor_ver ) );
959 
963  }
964 
965  ssl->handshake->max_major_ver = buf[3];
966  ssl->handshake->max_minor_ver = buf[4];
967 
968  if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
969  {
970  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
971  return( ret );
972  }
973 
974  ssl->handshake->update_checksum( ssl, buf + 2, n );
975 
976  buf = ssl->in_msg;
977  n = ssl->in_left - 5;
978 
979  /*
980  * 0 . 1 ciphersuitelist length
981  * 2 . 3 session id length
982  * 4 . 5 challenge length
983  * 6 . .. ciphersuitelist
984  * .. . .. session id
985  * .. . .. challenge
986  */
987  SSL_DEBUG_BUF( 4, "record contents", buf, n );
988 
989  ciph_len = ( buf[0] << 8 ) | buf[1];
990  sess_len = ( buf[2] << 8 ) | buf[3];
991  chal_len = ( buf[4] << 8 ) | buf[5];
992 
993  SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
994  ciph_len, sess_len, chal_len ) );
995 
996  /*
997  * Make sure each parameter length is valid
998  */
999  if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
1000  {
1001  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1003  }
1004 
1005  if( sess_len > 32 )
1006  {
1007  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1009  }
1010 
1011  if( chal_len < 8 || chal_len > 32 )
1012  {
1013  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1015  }
1016 
1017  if( n != 6 + ciph_len + sess_len + chal_len )
1018  {
1019  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1021  }
1022 
1023  SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1024  buf + 6, ciph_len );
1025  SSL_DEBUG_BUF( 3, "client hello, session id",
1026  buf + 6 + ciph_len, sess_len );
1027  SSL_DEBUG_BUF( 3, "client hello, challenge",
1028  buf + 6 + ciph_len + sess_len, chal_len );
1029 
1030  p = buf + 6 + ciph_len;
1031  ssl->session_negotiate->length = sess_len;
1032  memset( ssl->session_negotiate->id, 0,
1033  sizeof( ssl->session_negotiate->id ) );
1034  memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
1035 
1036  p += sess_len;
1037  memset( ssl->handshake->randbytes, 0, 64 );
1038  memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
1039 
1040  /*
1041  * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1042  */
1043  for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
1044  {
1045  if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
1046  {
1047  SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1048  if( ssl->renegotiation == SSL_RENEGOTIATION )
1049  {
1050  SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
1051 
1052  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1053  return( ret );
1054 
1056  }
1058  break;
1059  }
1060  }
1061 
1062  ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1063  ciphersuite_info = NULL;
1064 #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1065  for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
1066  {
1067  for( i = 0; ciphersuites[i] != 0; i++ )
1068 #else
1069  for( i = 0; ciphersuites[i] != 0; i++ )
1070  {
1071  for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
1072 #endif
1073  {
1074  if( p[0] != 0 ||
1075  p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
1076  p[2] != ( ( ciphersuites[i] ) & 0xFF ) )
1077  continue;
1078 
1079  if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1080  &ciphersuite_info ) ) != 0 )
1081  return( ret );
1082 
1083  if( ciphersuite_info != NULL )
1084  goto have_ciphersuite_v2;
1085  }
1086  }
1087 
1088  SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1089 
1091 
1092 have_ciphersuite_v2:
1093  ssl->session_negotiate->ciphersuite = ciphersuites[i];
1094  ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1096 
1097  /*
1098  * SSLv2 Client Hello relevant renegotiation security checks
1099  */
1102  {
1103  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1104 
1105  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1106  return( ret );
1107 
1109  }
1110 
1111  ssl->in_left = 0;
1112  ssl->state++;
1113 
1114  SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
1115 
1116  return( 0 );
1117 }
1118 #endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
1119 
1120 static int ssl_parse_client_hello( ssl_context *ssl )
1121 {
1122  int ret;
1123  unsigned int i, j;
1124  size_t n;
1125  unsigned int ciph_len, sess_len;
1126  unsigned int comp_len;
1127  unsigned int ext_len = 0;
1128  unsigned char *buf, *p, *ext;
1129  int renegotiation_info_seen = 0;
1130  int handshake_failure = 0;
1131  const int *ciphersuites;
1132  const ssl_ciphersuite_t *ciphersuite_info;
1133 
1134  SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
1135 
1136  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
1137  ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1138  {
1139  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1140  return( ret );
1141  }
1142 
1143  buf = ssl->in_hdr;
1144 
1145 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1146  if( ( buf[0] & 0x80 ) != 0 )
1147  return ssl_parse_client_hello_v2( ssl );
1148 #endif
1149 
1150  SSL_DEBUG_BUF( 4, "record header", buf, 5 );
1151 
1152  SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
1153  buf[0] ) );
1154  SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
1155  ( buf[3] << 8 ) | buf[4] ) );
1156  SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
1157  buf[1], buf[2] ) );
1158 
1159  /*
1160  * SSLv3/TLS Client Hello
1161  *
1162  * Record layer:
1163  * 0 . 0 message type
1164  * 1 . 2 protocol version
1165  * 3 . 4 message length
1166  */
1167 
1168  /* According to RFC 5246 Appendix E.1, the version here is typically
1169  * "{03,00}, the lowest version number supported by the client, [or] the
1170  * value of ClientHello.client_version", so the only meaningful check here
1171  * is the major version shouldn't be less than 3 */
1172  if( buf[0] != SSL_MSG_HANDSHAKE ||
1173  buf[1] < SSL_MAJOR_VERSION_3 )
1174  {
1175  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1177  }
1178 
1179  n = ( buf[3] << 8 ) | buf[4];
1180 
1181  if( n < 45 || n > SSL_MAX_CONTENT_LEN )
1182  {
1183  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1185  }
1186 
1187  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
1188  ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
1189  {
1190  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1191  return( ret );
1192  }
1193 
1194  buf = ssl->in_msg;
1195  if( !ssl->renegotiation )
1196  n = ssl->in_left - 5;
1197  else
1198  n = ssl->in_msglen;
1199 
1200  ssl->handshake->update_checksum( ssl, buf, n );
1201 
1202  /*
1203  * SSL layer:
1204  * 0 . 0 handshake type
1205  * 1 . 3 handshake length
1206  * 4 . 5 protocol version
1207  * 6 . 9 UNIX time()
1208  * 10 . 37 random bytes
1209  * 38 . 38 session id length
1210  * 39 . 38+x session id
1211  * 39+x . 40+x ciphersuitelist length
1212  * 41+x . .. ciphersuitelist
1213  * .. . .. compression alg.
1214  * .. . .. extensions
1215  */
1216  SSL_DEBUG_BUF( 4, "record contents", buf, n );
1217 
1218  SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
1219  buf[0] ) );
1220  SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
1221  ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
1222  SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
1223  buf[4], buf[5] ) );
1224 
1225  /*
1226  * Check the handshake type and protocol version
1227  */
1228  if( buf[0] != SSL_HS_CLIENT_HELLO )
1229  {
1230  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1232  }
1233 
1234  ssl->major_ver = buf[4];
1235  ssl->minor_ver = buf[5];
1236 
1237  ssl->handshake->max_major_ver = ssl->major_ver;
1238  ssl->handshake->max_minor_ver = ssl->minor_ver;
1239 
1240  if( ssl->major_ver < ssl->min_major_ver ||
1241  ssl->minor_ver < ssl->min_minor_ver )
1242  {
1243  SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1244  " [%d:%d] < [%d:%d]",
1245  ssl->major_ver, ssl->minor_ver,
1246  ssl->min_major_ver, ssl->min_minor_ver ) );
1247 
1250 
1252  }
1253 
1254  if( ssl->major_ver > ssl->max_major_ver )
1255  {
1256  ssl->major_ver = ssl->max_major_ver;
1257  ssl->minor_ver = ssl->max_minor_ver;
1258  }
1259  else if( ssl->minor_ver > ssl->max_minor_ver )
1260  ssl->minor_ver = ssl->max_minor_ver;
1261 
1262  memcpy( ssl->handshake->randbytes, buf + 6, 32 );
1263 
1264  /*
1265  * Check the handshake message length
1266  */
1267  if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
1268  {
1269  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1271  }
1272 
1273  /*
1274  * Check the session length
1275  */
1276  sess_len = buf[38];
1277 
1278  if( sess_len > 32 )
1279  {
1280  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1282  }
1283 
1284  ssl->session_negotiate->length = sess_len;
1285  memset( ssl->session_negotiate->id, 0,
1286  sizeof( ssl->session_negotiate->id ) );
1287  memcpy( ssl->session_negotiate->id, buf + 39,
1288  ssl->session_negotiate->length );
1289 
1290  /*
1291  * Check the ciphersuitelist length
1292  */
1293  ciph_len = ( buf[39 + sess_len] << 8 )
1294  | ( buf[40 + sess_len] );
1295 
1296  if( ciph_len < 2 || ( ciph_len % 2 ) != 0 )
1297  {
1298  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1300  }
1301 
1302  /*
1303  * Check the compression algorithms length
1304  */
1305  comp_len = buf[41 + sess_len + ciph_len];
1306 
1307  if( comp_len < 1 || comp_len > 16 )
1308  {
1309  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1311  }
1312 
1313  /*
1314  * Check the extension length
1315  */
1316  if( n > 42 + sess_len + ciph_len + comp_len )
1317  {
1318  ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
1319  | ( buf[43 + sess_len + ciph_len + comp_len] );
1320 
1321  if( ( ext_len > 0 && ext_len < 4 ) ||
1322  n != 44 + sess_len + ciph_len + comp_len + ext_len )
1323  {
1324  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1325  SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
1327  }
1328  }
1329 
1331 #if defined(POLARSSL_ZLIB_SUPPORT)
1332  for( i = 0; i < comp_len; ++i )
1333  {
1334  if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
1335  {
1337  break;
1338  }
1339  }
1340 #endif
1341 
1342  SSL_DEBUG_BUF( 3, "client hello, random bytes",
1343  buf + 6, 32 );
1344  SSL_DEBUG_BUF( 3, "client hello, session id",
1345  buf + 38, sess_len );
1346  SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1347  buf + 41 + sess_len, ciph_len );
1348  SSL_DEBUG_BUF( 3, "client hello, compression",
1349  buf + 42 + sess_len + ciph_len, comp_len );
1350 
1351  /*
1352  * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1353  */
1354  for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1355  {
1356  if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
1357  {
1358  SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1359  if( ssl->renegotiation == SSL_RENEGOTIATION )
1360  {
1361  SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
1362 
1363  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1364  return( ret );
1365 
1367  }
1369  break;
1370  }
1371  }
1372 
1373  ext = buf + 44 + sess_len + ciph_len + comp_len;
1374 
1375  while( ext_len )
1376  {
1377  unsigned int ext_id = ( ( ext[0] << 8 )
1378  | ( ext[1] ) );
1379  unsigned int ext_size = ( ( ext[2] << 8 )
1380  | ( ext[3] ) );
1381 
1382  if( ext_size + 4 > ext_len )
1383  {
1384  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1386  }
1387  switch( ext_id )
1388  {
1389 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
1390  case TLS_EXT_SERVERNAME:
1391  SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1392  if( ssl->f_sni == NULL )
1393  break;
1394 
1395  ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1396  if( ret != 0 )
1397  return( ret );
1398  break;
1399 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
1400 
1402  SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1403  renegotiation_info_seen = 1;
1404 
1405  ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1406  if( ret != 0 )
1407  return( ret );
1408  break;
1409 
1410 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1411  case TLS_EXT_SIG_ALG:
1412  SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1413  if( ssl->renegotiation == SSL_RENEGOTIATION )
1414  break;
1415 
1416  ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1417  if( ret != 0 )
1418  return( ret );
1419  break;
1420 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1421 
1422 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1424  SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1425 
1426  ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1427  if( ret != 0 )
1428  return( ret );
1429  break;
1430 
1432  SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1434 
1435  ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1436  if( ret != 0 )
1437  return( ret );
1438  break;
1439 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1440 
1441 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1443  SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1444 
1445  ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1446  if( ret != 0 )
1447  return( ret );
1448  break;
1449 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
1450 
1451 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1453  SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1454 
1455  ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1456  if( ret != 0 )
1457  return( ret );
1458  break;
1459 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
1460 
1461 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1463  SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1464 
1465  ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1466  if( ret != 0 )
1467  return( ret );
1468  break;
1469 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1470 
1471 #if defined(POLARSSL_SSL_ALPN)
1472  case TLS_EXT_ALPN:
1473  SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1474 
1475  ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
1476  if( ret != 0 )
1477  return( ret );
1478  break;
1479 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1480 
1481  default:
1482  SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1483  ext_id ) );
1484  }
1485 
1486  ext_len -= 4 + ext_size;
1487  ext += 4 + ext_size;
1488 
1489  if( ext_len > 0 && ext_len < 4 )
1490  {
1491  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1493  }
1494  }
1495 
1496  /*
1497  * Renegotiation security checks
1498  */
1501  {
1502  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1503  handshake_failure = 1;
1504  }
1505  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1507  renegotiation_info_seen == 0 )
1508  {
1509  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1510  handshake_failure = 1;
1511  }
1512  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1515  {
1516  SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1517  handshake_failure = 1;
1518  }
1519  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1521  renegotiation_info_seen == 1 )
1522  {
1523  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1524  handshake_failure = 1;
1525  }
1526 
1527  if( handshake_failure == 1 )
1528  {
1529  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1530  return( ret );
1531 
1533  }
1534 
1535  /*
1536  * Search for a matching ciphersuite
1537  * (At the end because we need information from the EC-based extensions
1538  * and certificate from the SNI callback triggered by the SNI extension.)
1539  */
1540  ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1541  ciphersuite_info = NULL;
1542 #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1543  for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 )
1544  {
1545  for( i = 0; ciphersuites[i] != 0; i++ )
1546 #else
1547  for( i = 0; ciphersuites[i] != 0; i++ )
1548  {
1549  for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 )
1550 #endif
1551  {
1552  if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
1553  p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
1554  continue;
1555 
1556  if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1557  &ciphersuite_info ) ) != 0 )
1558  return( ret );
1559 
1560  if( ciphersuite_info != NULL )
1561  goto have_ciphersuite;
1562  }
1563  }
1564 
1565  SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1566 
1567  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1568  return( ret );
1569 
1571 
1572 have_ciphersuite:
1573  ssl->session_negotiate->ciphersuite = ciphersuites[i];
1574  ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1576 
1577  ssl->in_left = 0;
1578  ssl->state++;
1579 
1580  SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1581 
1582  return( 0 );
1583 }
1584 
1585 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1586 static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
1587  unsigned char *buf,
1588  size_t *olen )
1589 {
1590  unsigned char *p = buf;
1591 
1593  {
1594  *olen = 0;
1595  return;
1596  }
1597 
1598  SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1599 
1600  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
1601  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
1602 
1603  *p++ = 0x00;
1604  *p++ = 0x00;
1605 
1606  *olen = 4;
1607 }
1608 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
1609 
1610 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1611 static void ssl_write_session_ticket_ext( ssl_context *ssl,
1612  unsigned char *buf,
1613  size_t *olen )
1614 {
1615  unsigned char *p = buf;
1616 
1617  if( ssl->handshake->new_session_ticket == 0 )
1618  {
1619  *olen = 0;
1620  return;
1621  }
1622 
1623  SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1624 
1625  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
1626  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
1627 
1628  *p++ = 0x00;
1629  *p++ = 0x00;
1630 
1631  *olen = 4;
1632 }
1633 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1634 
1635 static void ssl_write_renegotiation_ext( ssl_context *ssl,
1636  unsigned char *buf,
1637  size_t *olen )
1638 {
1639  unsigned char *p = buf;
1640 
1642  {
1643  *olen = 0;
1644  return;
1645  }
1646 
1647  SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1648 
1649  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
1650  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
1651 
1652  *p++ = 0x00;
1653  *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
1654  *p++ = ssl->verify_data_len * 2 & 0xFF;
1655 
1656  memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
1657  p += ssl->verify_data_len;
1658  memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
1659  p += ssl->verify_data_len;
1660 
1661  *olen = 5 + ssl->verify_data_len * 2;
1662 }
1663 
1664 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1665 static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
1666  unsigned char *buf,
1667  size_t *olen )
1668 {
1669  unsigned char *p = buf;
1670 
1672  {
1673  *olen = 0;
1674  return;
1675  }
1676 
1677  SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
1678 
1679  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
1680  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
1681 
1682  *p++ = 0x00;
1683  *p++ = 1;
1684 
1685  *p++ = ssl->session_negotiate->mfl_code;
1686 
1687  *olen = 5;
1688 }
1689 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
1690 
1691 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1692 static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
1693  unsigned char *buf,
1694  size_t *olen )
1695 {
1696  unsigned char *p = buf;
1697  ((void) ssl);
1698 
1699  if( ( ssl->handshake->cli_exts &
1701  {
1702  *olen = 0;
1703  return;
1704  }
1705 
1706  SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
1707 
1708  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
1709  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
1710 
1711  *p++ = 0x00;
1712  *p++ = 2;
1713 
1714  *p++ = 1;
1716 
1717  *olen = 6;
1718 }
1719 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1720 
1721 #if defined(POLARSSL_SSL_ALPN )
1722 static void ssl_write_alpn_ext( ssl_context *ssl,
1723  unsigned char *buf, size_t *olen )
1724 {
1725  if( ssl->alpn_chosen == NULL )
1726  {
1727  *olen = 0;
1728  return;
1729  }
1730 
1731  SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
1732 
1733  /*
1734  * 0 . 1 ext identifier
1735  * 2 . 3 ext length
1736  * 4 . 5 protocol list length
1737  * 6 . 6 protocol name length
1738  * 7 . 7+n protocol name
1739  */
1740  buf[0] = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF );
1741  buf[1] = (unsigned char)( ( TLS_EXT_ALPN ) & 0xFF );
1742 
1743  *olen = 7 + strlen( ssl->alpn_chosen );
1744 
1745  buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
1746  buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
1747 
1748  buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
1749  buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
1750 
1751  buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF );
1752 
1753  memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
1754 }
1755 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1756 
1757 static int ssl_write_server_hello( ssl_context *ssl )
1758 {
1759 #if defined(POLARSSL_HAVE_TIME)
1760  time_t t;
1761 #endif
1762  int ret;
1763  size_t olen, ext_len = 0, n;
1764  unsigned char *buf, *p;
1765 
1766  SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
1767 
1768  if( ssl->f_rng == NULL )
1769  {
1770  SSL_DEBUG_MSG( 1, ( "no RNG provided") );
1771  return( POLARSSL_ERR_SSL_NO_RNG );
1772  }
1773 
1774  /*
1775  * 0 . 0 handshake type
1776  * 1 . 3 handshake length
1777  * 4 . 5 protocol version
1778  * 6 . 9 UNIX time()
1779  * 10 . 37 random bytes
1780  */
1781  buf = ssl->out_msg;
1782  p = buf + 4;
1783 
1784  *p++ = (unsigned char) ssl->major_ver;
1785  *p++ = (unsigned char) ssl->minor_ver;
1786 
1787  SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
1788  buf[4], buf[5] ) );
1789 
1790 #if defined(POLARSSL_HAVE_TIME)
1791  t = time( NULL );
1792  *p++ = (unsigned char)( t >> 24 );
1793  *p++ = (unsigned char)( t >> 16 );
1794  *p++ = (unsigned char)( t >> 8 );
1795  *p++ = (unsigned char)( t );
1796 
1797  SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
1798 #else
1799  if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
1800  return( ret );
1801 
1802  p += 4;
1803 #endif /* POLARSSL_HAVE_TIME */
1804 
1805  if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
1806  return( ret );
1807 
1808  p += 28;
1809 
1810  memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
1811 
1812  SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
1813 
1814  /*
1815  * Resume is 0 by default, see ssl_handshake_init().
1816  * It may be already set to 1 by ssl_parse_session_ticket_ext().
1817  * If not, try looking up session ID in our cache.
1818  */
1819  if( ssl->handshake->resume == 0 &&
1821  ssl->session_negotiate->length != 0 &&
1822  ssl->f_get_cache != NULL &&
1823  ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
1824  {
1825  SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
1826  ssl->handshake->resume = 1;
1827  }
1828 
1829  if( ssl->handshake->resume == 0 )
1830  {
1831  /*
1832  * New session, create a new session id,
1833  * unless we're about to issue a session ticket
1834  */
1835  ssl->state++;
1836 
1837 #if defined(POLARSSL_HAVE_TIME)
1838  ssl->session_negotiate->start = time( NULL );
1839 #endif
1840 
1841 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1842  if( ssl->handshake->new_session_ticket != 0 )
1843  {
1844  ssl->session_negotiate->length = n = 0;
1845  memset( ssl->session_negotiate->id, 0, 32 );
1846  }
1847  else
1848 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1849  {
1850  ssl->session_negotiate->length = n = 32;
1851  if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
1852  n ) ) != 0 )
1853  return( ret );
1854  }
1855  }
1856  else
1857  {
1858  /*
1859  * Resuming a session
1860  */
1861  n = ssl->session_negotiate->length;
1863 
1864  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1865  {
1866  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1867  return( ret );
1868  }
1869  }
1870 
1871  /*
1872  * 38 . 38 session id length
1873  * 39 . 38+n session id
1874  * 39+n . 40+n chosen ciphersuite
1875  * 41+n . 41+n chosen compression alg.
1876  * 42+n . 43+n extensions length
1877  * 44+n . 43+n+m extensions
1878  */
1879  *p++ = (unsigned char) ssl->session_negotiate->length;
1880  memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
1881  p += ssl->session_negotiate->length;
1882 
1883  SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1884  SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
1885  SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
1886  ssl->handshake->resume ? "a" : "no" ) );
1887 
1888  *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
1889  *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
1890  *p++ = (unsigned char)( ssl->session_negotiate->compression );
1891 
1892  SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
1894  SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
1895  ssl->session_negotiate->compression ) );
1896 
1897  /*
1898  * First write extensions, then the total length
1899  */
1900  ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1901  ext_len += olen;
1902 
1903 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1904  ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1905  ext_len += olen;
1906 #endif
1907 
1908 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1909  ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1910  ext_len += olen;
1911 #endif
1912 
1913 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1914  ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1915  ext_len += olen;
1916 #endif
1917 
1918 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1919  ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1920  ext_len += olen;
1921 #endif
1922 
1923 #if defined(POLARSSL_SSL_ALPN)
1924  ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
1925  ext_len += olen;
1926 #endif
1927 
1928  SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
1929 
1930  if( ext_len > 0 )
1931  {
1932  *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1933  *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1934  p += ext_len;
1935  }
1936 
1937  ssl->out_msglen = p - buf;
1939  ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
1940 
1941  ret = ssl_write_record( ssl );
1942 
1943  SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
1944 
1945  return( ret );
1946 }
1947 
1948 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1949  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1950  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
1951  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1952 static int ssl_write_certificate_request( ssl_context *ssl )
1953 {
1955  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1956 
1957  SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1958 
1959  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1960  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1961  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1962  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1963  {
1964  SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1965  ssl->state++;
1966  return( 0 );
1967  }
1968 
1969  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
1970  return( ret );
1971 }
1972 #else
1973 static int ssl_write_certificate_request( ssl_context *ssl )
1974 {
1976  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1977  size_t dn_size, total_dn_size; /* excluding length bytes */
1978  size_t ct_len, sa_len; /* including length bytes */
1979  unsigned char *buf, *p;
1980  const x509_crt *crt;
1981 
1982  SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1983 
1984  ssl->state++;
1985 
1986  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1987  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1988  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1989  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
1990  ssl->authmode == SSL_VERIFY_NONE )
1991  {
1992  SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1993  return( 0 );
1994  }
1995 
1996  /*
1997  * 0 . 0 handshake type
1998  * 1 . 3 handshake length
1999  * 4 . 4 cert type count
2000  * 5 .. m-1 cert types
2001  * m .. m+1 sig alg length (TLS 1.2 only)
2002  * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
2003  * n .. n+1 length of all DNs
2004  * n+2 .. n+3 length of DN 1
2005  * n+4 .. ... Distinguished Name #1
2006  * ... .. ... length of DN 2, etc.
2007  */
2008  buf = ssl->out_msg;
2009  p = buf + 4;
2010 
2011  /*
2012  * Supported certificate types
2013  *
2014  * ClientCertificateType certificate_types<1..2^8-1>;
2015  * enum { (255) } ClientCertificateType;
2016  */
2017  ct_len = 0;
2018 
2019 #if defined(POLARSSL_RSA_C)
2020  p[1 + ct_len++] = SSL_CERT_TYPE_RSA_SIGN;
2021 #endif
2022 #if defined(POLARSSL_ECDSA_C)
2023  p[1 + ct_len++] = SSL_CERT_TYPE_ECDSA_SIGN;
2024 #endif
2025 
2026  p[0] = (unsigned char) ct_len++;
2027  p += ct_len;
2028 
2029  sa_len = 0;
2030 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2031  /*
2032  * Add signature_algorithms for verify (TLS 1.2)
2033  *
2034  * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2035  *
2036  * struct {
2037  * HashAlgorithm hash;
2038  * SignatureAlgorithm signature;
2039  * } SignatureAndHashAlgorithm;
2040  *
2041  * enum { (255) } HashAlgorithm;
2042  * enum { (255) } SignatureAlgorithm;
2043  */
2044  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2045  {
2046  /*
2047  * Only use current running hash algorithm that is already required
2048  * for requested ciphersuite.
2049  */
2051 
2054  {
2056  }
2057 
2058  /*
2059  * Supported signature algorithms
2060  */
2061 #if defined(POLARSSL_RSA_C)
2062  p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
2063  p[2 + sa_len++] = SSL_SIG_RSA;
2064 #endif
2065 #if defined(POLARSSL_ECDSA_C)
2066  p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
2067  p[2 + sa_len++] = SSL_SIG_ECDSA;
2068 #endif
2069 
2070  p[0] = (unsigned char)( sa_len >> 8 );
2071  p[1] = (unsigned char)( sa_len );
2072  sa_len += 2;
2073  p += sa_len;
2074  }
2075 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2076 
2077  /*
2078  * DistinguishedName certificate_authorities<0..2^16-1>;
2079  * opaque DistinguishedName<1..2^16-1>;
2080  */
2081  p += 2;
2082  crt = ssl->ca_chain;
2083 
2084  total_dn_size = 0;
2085  while( crt != NULL && crt->version != 0 )
2086  {
2087  if( p - buf > 4096 )
2088  break;
2089 
2090  dn_size = crt->subject_raw.len;
2091  *p++ = (unsigned char)( dn_size >> 8 );
2092  *p++ = (unsigned char)( dn_size );
2093  memcpy( p, crt->subject_raw.p, dn_size );
2094  p += dn_size;
2095 
2096  SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
2097 
2098  total_dn_size += 2 + dn_size;
2099  crt = crt->next;
2100  }
2101 
2102  ssl->out_msglen = p - buf;
2105  ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
2106  ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
2107 
2108  ret = ssl_write_record( ssl );
2109 
2110  SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
2111 
2112  return( ret );
2113 }
2114 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2115  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2116  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
2117  !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2118 
2119 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2120  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2121 static int ssl_get_ecdh_params_from_cert( ssl_context *ssl )
2122 {
2123  int ret;
2124 
2125  if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECKEY ) )
2126  {
2127  SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2129  }
2130 
2131  if( ( ret = ecdh_get_params( &ssl->handshake->ecdh_ctx,
2132  pk_ec( *ssl_own_key( ssl ) ),
2133  POLARSSL_ECDH_OURS ) ) != 0 )
2134  {
2135  SSL_DEBUG_RET( 1, ( "ecdh_get_params" ), ret );
2136  return( ret );
2137  }
2138 
2139  return( 0 );
2140 }
2141 #endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2142  POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2143 
2144 static int ssl_write_server_key_exchange( ssl_context *ssl )
2145 {
2146  int ret;
2147  size_t n = 0;
2148  const ssl_ciphersuite_t *ciphersuite_info =
2150 
2151 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2152  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2153  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2154  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2155  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2156  unsigned char *p = ssl->out_msg + 4;
2157  unsigned char *dig_signed = p;
2158  size_t dig_signed_len = 0, len;
2159  ((void) dig_signed);
2160  ((void) dig_signed_len);
2161 #endif
2162 
2163  SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
2164 
2165 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
2166  defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
2167  defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2168  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ||
2169  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2170  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
2171  {
2172  SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
2173  ssl->state++;
2174  return( 0 );
2175  }
2176 #endif
2177 
2178 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2179  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2180  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
2181  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
2182  {
2183  ssl_get_ecdh_params_from_cert( ssl );
2184 
2185  SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
2186  ssl->state++;
2187  return( 0 );
2188  }
2189 #endif
2190 
2191 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2192  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2193  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2194  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2195  {
2196  /* TODO: Support identity hints */
2197  *(p++) = 0x00;
2198  *(p++) = 0x00;
2199 
2200  n += 2;
2201  }
2202 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED ||
2203  POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2204 
2205 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2206  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2207  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
2208  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2209  {
2210  /*
2211  * Ephemeral DH parameters:
2212  *
2213  * struct {
2214  * opaque dh_p<1..2^16-1>;
2215  * opaque dh_g<1..2^16-1>;
2216  * opaque dh_Ys<1..2^16-1>;
2217  * } ServerDHParams;
2218  */
2219  if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
2220  ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
2221  {
2222  SSL_DEBUG_RET( 1, "mpi_copy", ret );
2223  return( ret );
2224  }
2225 
2226  if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
2227  (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
2228  p, &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
2229  {
2230  SSL_DEBUG_RET( 1, "dhm_make_params", ret );
2231  return( ret );
2232  }
2233 
2234  dig_signed = p;
2235  dig_signed_len = len;
2236 
2237  p += len;
2238  n += len;
2239 
2240  SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
2241  SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2242  SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2243  SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
2244  }
2245 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2246  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2247 
2248 #if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
2249  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2250  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
2251  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2252  {
2253  /*
2254  * Ephemeral ECDH parameters:
2255  *
2256  * struct {
2257  * ECParameters curve_params;
2258  * ECPoint public;
2259  * } ServerECDHParams;
2260  */
2261  const ecp_curve_info **curve = NULL;
2262 #if defined(POLARSSL_SSL_SET_CURVES)
2263  const ecp_group_id *gid;
2264 
2265  /* Match our preference list against the offered curves */
2266  for( gid = ssl->curve_list; *gid != POLARSSL_ECP_DP_NONE; gid++ )
2267  for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
2268  if( (*curve)->grp_id == *gid )
2269  goto curve_matching_done;
2270 
2271 curve_matching_done:
2272 #else
2273  curve = ssl->handshake->curves;
2274 #endif
2275 
2276  if( *curve == NULL )
2277  {
2278  SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
2280  }
2281 
2282  SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
2283 
2284  if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
2285  (*curve)->grp_id ) ) != 0 )
2286  {
2287  SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
2288  return( ret );
2289  }
2290 
2291  if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
2292  p, SSL_MAX_CONTENT_LEN - n,
2293  ssl->f_rng, ssl->p_rng ) ) != 0 )
2294  {
2295  SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
2296  return( ret );
2297  }
2298 
2299  dig_signed = p;
2300  dig_signed_len = len;
2301 
2302  p += len;
2303  n += len;
2304 
2305  SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
2306  }
2307 #endif /* POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
2308 
2309 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2310  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2311  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2312  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
2313  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2314  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
2315  {
2316  size_t signature_len = 0;
2317  unsigned int hashlen = 0;
2318  unsigned char hash[64];
2319  md_type_t md_alg = POLARSSL_MD_NONE;
2320 
2321  /*
2322  * Choose hash algorithm. NONE means MD5 + SHA1 here.
2323  */
2324 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2325  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2326  {
2327  md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg );
2328 
2329  if( md_alg == POLARSSL_MD_NONE )
2330  {
2331  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2333  }
2334  }
2335  else
2336 #endif
2337 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2338  defined(POLARSSL_SSL_PROTO_TLS1_1)
2339  if ( ciphersuite_info->key_exchange ==
2341  {
2342  md_alg = POLARSSL_MD_SHA1;
2343  }
2344  else
2345 #endif
2346  {
2347  md_alg = POLARSSL_MD_NONE;
2348  }
2349 
2350  /*
2351  * Compute the hash to be signed
2352  */
2353 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2354  defined(POLARSSL_SSL_PROTO_TLS1_1)
2355  if( md_alg == POLARSSL_MD_NONE )
2356  {
2357  md5_context md5;
2359 
2360  /*
2361  * digitally-signed struct {
2362  * opaque md5_hash[16];
2363  * opaque sha_hash[20];
2364  * };
2365  *
2366  * md5_hash
2367  * MD5(ClientHello.random + ServerHello.random
2368  * + ServerParams);
2369  * sha_hash
2370  * SHA(ClientHello.random + ServerHello.random
2371  * + ServerParams);
2372  */
2373  md5_starts( &md5 );
2374  md5_update( &md5, ssl->handshake->randbytes, 64 );
2375  md5_update( &md5, dig_signed, dig_signed_len );
2376  md5_finish( &md5, hash );
2377 
2378  sha1_starts( &sha1 );
2379  sha1_update( &sha1, ssl->handshake->randbytes, 64 );
2380  sha1_update( &sha1, dig_signed, dig_signed_len );
2381  sha1_finish( &sha1, hash + 16 );
2382 
2383  hashlen = 36;
2384  }
2385  else
2386 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
2387  POLARSSL_SSL_PROTO_TLS1_1 */
2388 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2389  defined(POLARSSL_SSL_PROTO_TLS1_2)
2390  if( md_alg != POLARSSL_MD_NONE )
2391  {
2392  md_context_t ctx;
2393 
2394  /* Info from md_alg will be used instead */
2395  hashlen = 0;
2396 
2397  /*
2398  * digitally-signed struct {
2399  * opaque client_random[32];
2400  * opaque server_random[32];
2401  * ServerDHParams params;
2402  * };
2403  */
2404  if( ( ret = md_init_ctx( &ctx, md_info_from_type(md_alg) ) ) != 0 )
2405  {
2406  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
2407  return( ret );
2408  }
2409 
2410  md_starts( &ctx );
2411  md_update( &ctx, ssl->handshake->randbytes, 64 );
2412  md_update( &ctx, dig_signed, dig_signed_len );
2413  md_finish( &ctx, hash );
2414 
2415  if( ( ret = md_free_ctx( &ctx ) ) != 0 )
2416  {
2417  SSL_DEBUG_RET( 1, "md_free_ctx", ret );
2418  return( ret );
2419  }
2420 
2421  }
2422  else
2423 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2424  POLARSSL_SSL_PROTO_TLS1_2 */
2425  {
2426  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2428  }
2429 
2430  SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
2431  (unsigned int) ( md_info_from_type( md_alg ) )->size );
2432 
2433  /*
2434  * Make the signature
2435  */
2436  if( ssl_own_key( ssl ) == NULL )
2437  {
2438  SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2440  }
2441 
2442 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2443  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2444  {
2445  *(p++) = ssl->handshake->sig_alg;
2446  *(p++) = ssl_sig_from_pk( ssl_own_key( ssl ) );
2447 
2448  n += 2;
2449  }
2450 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2451 
2452  if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash, hashlen,
2453  p + 2 , &signature_len,
2454  ssl->f_rng, ssl->p_rng ) ) != 0 )
2455  {
2456  SSL_DEBUG_RET( 1, "pk_sign", ret );
2457  return( ret );
2458  }
2459 
2460  *(p++) = (unsigned char)( signature_len >> 8 );
2461  *(p++) = (unsigned char)( signature_len );
2462  n += 2;
2463 
2464  SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
2465 
2466  p += signature_len;
2467  n += signature_len;
2468  }
2469 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
2470  POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2471  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2472 
2473  ssl->out_msglen = 4 + n;
2476 
2477  ssl->state++;
2478 
2479  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2480  {
2481  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2482  return( ret );
2483  }
2484 
2485  SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
2486 
2487  return( 0 );
2488 }
2489 
2490 static int ssl_write_server_hello_done( ssl_context *ssl )
2491 {
2492  int ret;
2493 
2494  SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
2495 
2496  ssl->out_msglen = 4;
2499 
2500  ssl->state++;
2501 
2502  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2503  {
2504  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2505  return( ret );
2506  }
2507 
2508  SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
2509 
2510  return( 0 );
2511 }
2512 
2513 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2514  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2515 static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
2516  const unsigned char *end )
2517 {
2519  size_t n;
2520 
2521  /*
2522  * Receive G^Y mod P, premaster = (G^Y)^X mod P
2523  */
2524  if( *p + 2 > end )
2525  {
2526  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2528  }
2529 
2530  n = ( (*p)[0] << 8 ) | (*p)[1];
2531  *p += 2;
2532 
2533  if( *p + n > end )
2534  {
2535  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2537  }
2538 
2539  if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
2540  {
2541  SSL_DEBUG_RET( 1, "dhm_read_public", ret );
2543  }
2544 
2545  *p += n;
2546 
2547  SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2548 
2549  return( ret );
2550 }
2551 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2552  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2553 
2554 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
2555  defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2556 static int ssl_parse_encrypted_pms( ssl_context *ssl,
2557  const unsigned char *p,
2558  const unsigned char *end,
2559  size_t pms_offset )
2560 {
2561  int ret;
2562  size_t len = pk_get_len( ssl_own_key( ssl ) );
2563  unsigned char *pms = ssl->handshake->premaster + pms_offset;
2564 
2565  if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) )
2566  {
2567  SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
2569  }
2570 
2571  /*
2572  * Decrypt the premaster using own private RSA key
2573  */
2574 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2575  defined(POLARSSL_SSL_PROTO_TLS1_2)
2576  if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
2577  {
2578  if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
2579  *p++ != ( ( len ) & 0xFF ) )
2580  {
2581  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2583  }
2584  }
2585 #endif
2586 
2587  if( p + len != end )
2588  {
2589  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2591  }
2592 
2593  ret = pk_decrypt( ssl_own_key( ssl ), p, len,
2594  pms, &ssl->handshake->pmslen,
2595  sizeof( ssl->handshake->premaster ) - pms_offset,
2596  ssl->f_rng, ssl->p_rng );
2597 
2598  if( ret != 0 || ssl->handshake->pmslen != 48 ||
2599  pms[0] != ssl->handshake->max_major_ver ||
2600  pms[1] != ssl->handshake->max_minor_ver )
2601  {
2602  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2603 
2604  /*
2605  * Protection against Bleichenbacher's attack:
2606  * invalid PKCS#1 v1.5 padding must not cause
2607  * the connection to end immediately; instead,
2608  * send a bad_record_mac later in the handshake.
2609  */
2610  ssl->handshake->pmslen = 48;
2611 
2612  ret = ssl->f_rng( ssl->p_rng, pms, ssl->handshake->pmslen );
2613  if( ret != 0 )
2614  return( ret );
2615  }
2616 
2617  return( ret );
2618 }
2619 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED ||
2620  POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
2621 
2622 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
2623 static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
2624  const unsigned char *end )
2625 {
2626  int ret = 0;
2627  size_t n;
2628 
2629  if( ssl->f_psk == NULL &&
2630  ( ssl->psk == NULL || ssl->psk_identity == NULL ||
2631  ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
2632  {
2633  SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
2635  }
2636 
2637  /*
2638  * Receive client pre-shared key identity name
2639  */
2640  if( *p + 2 > end )
2641  {
2642  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2644  }
2645 
2646  n = ( (*p)[0] << 8 ) | (*p)[1];
2647  *p += 2;
2648 
2649  if( n < 1 || n > 65535 || *p + n > end )
2650  {
2651  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2653  }
2654 
2655  if( ssl->f_psk != NULL )
2656  {
2657  if( ( ret != ssl->f_psk( ssl->p_psk, ssl, *p, n ) ) != 0 )
2659  }
2660 
2661  if( ret == 0 )
2662  {
2663  /* Identity is not a big secret since clients send it in the clear,
2664  * but treat it carefully anyway, just in case */
2665  if( n != ssl->psk_identity_len ||
2666  safer_memcmp( ssl->psk_identity, *p, n ) != 0 )
2667  {
2669  }
2670  }
2671 
2673  {
2674  SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
2675  if( ( ret = ssl_send_alert_message( ssl,
2678  {
2679  return( ret );
2680  }
2681 
2683  }
2684 
2685  *p += n;
2686  ret = 0;
2687 
2688  return( ret );
2689 }
2690 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
2691 
2692 static int ssl_parse_client_key_exchange( ssl_context *ssl )
2693 {
2694  int ret;
2695  const ssl_ciphersuite_t *ciphersuite_info;
2696 
2697  ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2698 
2699  SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
2700 
2701  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2702  {
2703  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2704  return( ret );
2705  }
2706 
2707  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2708  {
2709  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2711  }
2712 
2713  if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
2714  {
2715  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2717  }
2718 
2719 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
2720  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
2721  {
2722  unsigned char *p = ssl->in_msg + 4;
2723  unsigned char *end = ssl->in_msg + ssl->in_hslen;
2724 
2725  if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2726  {
2727  SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2728  return( ret );
2729  }
2730 
2731  if( p != end )
2732  {
2733  SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
2735  }
2736 
2737  ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
2738 
2739  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2740  ssl->handshake->premaster,
2741  &ssl->handshake->pmslen,
2742  ssl->f_rng, ssl->p_rng ) ) != 0 )
2743  {
2744  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2746  }
2747 
2748  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2749  }
2750  else
2751 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
2752 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2753  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2754  defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2755  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2756  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2757  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
2758  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
2759  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
2760  {
2761  if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2762  ssl->in_msg + 4, ssl->in_hslen - 4 ) ) != 0 )
2763  {
2764  SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2766  }
2767 
2768  SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2769 
2770  if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2771  &ssl->handshake->pmslen,
2772  ssl->handshake->premaster,
2774  ssl->f_rng, ssl->p_rng ) ) != 0 )
2775  {
2776  SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
2778  }
2779 
2780  SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
2781  }
2782  else
2783 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2784  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2785  POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2786  POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2787 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2788  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
2789  {
2790  unsigned char *p = ssl->in_msg + 4;
2791  unsigned char *end = ssl->in_msg + ssl->in_hslen;
2792 
2793  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2794  {
2795  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2796  return( ret );
2797  }
2798 
2799  if( p != end )
2800  {
2801  SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
2803  }
2804 
2805  if( ( ret = ssl_psk_derive_premaster( ssl,
2806  ciphersuite_info->key_exchange ) ) != 0 )
2807  {
2808  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2809  return( ret );
2810  }
2811  }
2812  else
2813 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
2814 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2815  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
2816  {
2817  unsigned char *p = ssl->in_msg + 4;
2818  unsigned char *end = ssl->in_msg + ssl->in_hslen;
2819 
2820  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2821  {
2822  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2823  return( ret );
2824  }
2825 
2826  if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
2827  {
2828  SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
2829  return( ret );
2830  }
2831 
2832  if( ( ret = ssl_psk_derive_premaster( ssl,
2833  ciphersuite_info->key_exchange ) ) != 0 )
2834  {
2835  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2836  return( ret );
2837  }
2838  }
2839  else
2840 #endif /* POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
2841 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2842  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2843  {
2844  unsigned char *p = ssl->in_msg + 4;
2845  unsigned char *end = ssl->in_msg + ssl->in_hslen;
2846 
2847  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2848  {
2849  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2850  return( ret );
2851  }
2852  if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2853  {
2854  SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2855  return( ret );
2856  }
2857 
2858  if( p != end )
2859  {
2860  SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
2862  }
2863 
2864  if( ( ret = ssl_psk_derive_premaster( ssl,
2865  ciphersuite_info->key_exchange ) ) != 0 )
2866  {
2867  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2868  return( ret );
2869  }
2870  }
2871  else
2872 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2873 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2874  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2875  {
2876  unsigned char *p = ssl->in_msg + 4;
2877  unsigned char *end = ssl->in_msg + ssl->in_hslen;
2878 
2879  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2880  {
2881  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2882  return( ret );
2883  }
2884 
2885  if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2886  p, end - p ) ) != 0 )
2887  {
2888  SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2890  }
2891 
2892  SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2893 
2894  if( ( ret = ssl_psk_derive_premaster( ssl,
2895  ciphersuite_info->key_exchange ) ) != 0 )
2896  {
2897  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2898  return( ret );
2899  }
2900  }
2901  else
2902 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2903 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2904  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
2905  {
2906  if( ( ret = ssl_parse_encrypted_pms( ssl,
2907  ssl->in_msg + 4,
2908  ssl->in_msg + ssl->in_hslen,
2909  0 ) ) != 0 )
2910  {
2911  SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
2912  return( ret );
2913  }
2914  }
2915  else
2916 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2917  {
2918  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2920  }
2921 
2922  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2923  {
2924  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2925  return( ret );
2926  }
2927 
2928  ssl->state++;
2929 
2930  SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
2931 
2932  return( 0 );
2933 }
2934 
2935 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2936  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2937  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2938  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2939 static int ssl_parse_certificate_verify( ssl_context *ssl )
2940 {
2942  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2943 
2944  SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2945 
2946  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2947  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2948  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2949  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2950  {
2951  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2952  ssl->state++;
2953  return( 0 );
2954  }
2955 
2956  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
2957  return( ret );
2958 }
2959 #else
2960 static int ssl_parse_certificate_verify( ssl_context *ssl )
2961 {
2963  size_t sa_len, sig_len;
2964  unsigned char hash[48];
2965  unsigned char *hash_start = hash;
2966  size_t hashlen;
2967 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2968  pk_type_t pk_alg;
2969 #endif
2970  md_type_t md_alg;
2971  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2972 
2973  SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2974 
2975  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2976  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2977  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2978  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2979  {
2980  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2981  ssl->state++;
2982  return( 0 );
2983  }
2984 
2985  if( ssl->session_negotiate->peer_cert == NULL )
2986  {
2987  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2988  ssl->state++;
2989  return( 0 );
2990  }
2991 
2992  ssl->handshake->calc_verify( ssl, hash );
2993 
2994  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2995  {
2996  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2997  return( ret );
2998  }
2999 
3000  ssl->state++;
3001 
3002  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
3003  {
3004  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3006  }
3007 
3008  if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
3009  {
3010  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3012  }
3013 
3014  /*
3015  * 0 . 0 handshake type
3016  * 1 . 3 handshake length
3017  * 4 . 5 sig alg (TLS 1.2 only)
3018  * 4+n . 5+n signature length (n = sa_len)
3019  * 6+n . 6+n+m signature (m = sig_len)
3020  */
3021 
3022 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
3023  defined(POLARSSL_SSL_PROTO_TLS1_1)
3024  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
3025  {
3026  sa_len = 0;
3027 
3028  md_alg = POLARSSL_MD_NONE;
3029  hashlen = 36;
3030 
3031  /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
3032  if( pk_can_do( &ssl->session_negotiate->peer_cert->pk,
3033  POLARSSL_PK_ECDSA ) )
3034  {
3035  hash_start += 16;
3036  hashlen -= 16;
3037  md_alg = POLARSSL_MD_SHA1;
3038  }
3039  }
3040  else
3041 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 ||
3042  POLARSSL_SSL_PROTO_TLS1_1 */
3043 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
3044  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
3045  {
3046  sa_len = 2;
3047 
3048  /*
3049  * Hash
3050  */
3051  if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg )
3052  {
3053  SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
3054  " for verify message" ) );
3056  }
3057 
3058  md_alg = ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg );
3059 
3060  /* Info from md_alg will be used instead */
3061  hashlen = 0;
3062 
3063  /*
3064  * Signature
3065  */
3066  if( ( pk_alg = ssl_pk_alg_from_sig( ssl->in_msg[5] ) )
3067  == POLARSSL_PK_NONE )
3068  {
3069  SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
3070  " for verify message" ) );
3072  }
3073 
3074  /*
3075  * Check the certificate's key type matches the signature alg
3076  */
3077  if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
3078  {
3079  SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
3081  }
3082  }
3083  else
3084 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3085  {
3086  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3088  }
3089 
3090  sig_len = ( ssl->in_msg[4 + sa_len] << 8 ) | ssl->in_msg[5 + sa_len];
3091 
3092  if( sa_len + sig_len + 6 != ssl->in_hslen )
3093  {
3094  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3096  }
3097 
3098  if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
3099  md_alg, hash_start, hashlen,
3100  ssl->in_msg + 6 + sa_len, sig_len ) ) != 0 )
3101  {
3102  SSL_DEBUG_RET( 1, "pk_verify", ret );
3103  return( ret );
3104  }
3105 
3106  SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
3107 
3108  return( ret );
3109 }
3110 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
3111  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
3112  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
3113 
3114 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3115 static int ssl_write_new_session_ticket( ssl_context *ssl )
3116 {
3117  int ret;
3118  size_t tlen;
3119  uint32_t lifetime = (uint32_t) ssl->ticket_lifetime;
3120 
3121  SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
3122 
3125 
3126  /*
3127  * struct {
3128  * uint32 ticket_lifetime_hint;
3129  * opaque ticket<0..2^16-1>;
3130  * } NewSessionTicket;
3131  *
3132  * 4 . 7 ticket_lifetime_hint (0 = unspecified)
3133  * 8 . 9 ticket_len (n)
3134  * 10 . 9+n ticket content
3135  */
3136 
3137  ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
3138  ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
3139  ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
3140  ssl->out_msg[7] = ( lifetime ) & 0xFF;
3141 
3142  if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
3143  {
3144  SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
3145  tlen = 0;
3146  }
3147 
3148  ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
3149  ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
3150 
3151  ssl->out_msglen = 10 + tlen;
3152 
3153  /*
3154  * Morally equivalent to updating ssl->state, but NewSessionTicket and
3155  * ChangeCipherSpec share the same state.
3156  */
3157  ssl->handshake->new_session_ticket = 0;
3158 
3159  if( ( ret = ssl_write_record( ssl ) ) != 0 )
3160  {
3161  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3162  return( ret );
3163  }
3164 
3165  SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
3166 
3167  return( 0 );
3168 }
3169 #endif /* POLARSSL_SSL_SESSION_TICKETS */
3170 
3171 /*
3172  * SSL handshake -- server side -- single step
3173  */
3175 {
3176  int ret = 0;
3177 
3178  if( ssl->state == SSL_HANDSHAKE_OVER )
3180 
3181  SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
3182 
3183  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3184  return( ret );
3185 
3186  switch( ssl->state )
3187  {
3188  case SSL_HELLO_REQUEST:
3189  ssl->state = SSL_CLIENT_HELLO;
3190  break;
3191 
3192  /*
3193  * <== ClientHello
3194  */
3195  case SSL_CLIENT_HELLO:
3196  ret = ssl_parse_client_hello( ssl );
3197  break;
3198 
3199  /*
3200  * ==> ServerHello
3201  * Certificate
3202  * ( ServerKeyExchange )
3203  * ( CertificateRequest )
3204  * ServerHelloDone
3205  */
3206  case SSL_SERVER_HELLO:
3207  ret = ssl_write_server_hello( ssl );
3208  break;
3209 
3211  ret = ssl_write_certificate( ssl );
3212  break;
3213 
3215  ret = ssl_write_server_key_exchange( ssl );
3216  break;
3217 
3219  ret = ssl_write_certificate_request( ssl );
3220  break;
3221 
3222  case SSL_SERVER_HELLO_DONE:
3223  ret = ssl_write_server_hello_done( ssl );
3224  break;
3225 
3226  /*
3227  * <== ( Certificate/Alert )
3228  * ClientKeyExchange
3229  * ( CertificateVerify )
3230  * ChangeCipherSpec
3231  * Finished
3232  */
3234  ret = ssl_parse_certificate( ssl );
3235  break;
3236 
3238  ret = ssl_parse_client_key_exchange( ssl );
3239  break;
3240 
3242  ret = ssl_parse_certificate_verify( ssl );
3243  break;
3244 
3246  ret = ssl_parse_change_cipher_spec( ssl );
3247  break;
3248 
3249  case SSL_CLIENT_FINISHED:
3250  ret = ssl_parse_finished( ssl );
3251  break;
3252 
3253  /*
3254  * ==> ( NewSessionTicket )
3255  * ChangeCipherSpec
3256  * Finished
3257  */
3259 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3260  if( ssl->handshake->new_session_ticket != 0 )
3261  ret = ssl_write_new_session_ticket( ssl );
3262  else
3263 #endif
3264  ret = ssl_write_change_cipher_spec( ssl );
3265  break;
3266 
3267  case SSL_SERVER_FINISHED:
3268  ret = ssl_write_finished( ssl );
3269  break;
3270 
3271  case SSL_FLUSH_BUFFERS:
3272  SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3273  ssl->state = SSL_HANDSHAKE_WRAPUP;
3274  break;
3275 
3276  case SSL_HANDSHAKE_WRAPUP:
3277  ssl_handshake_wrapup( ssl );
3278  break;
3279 
3280  default:
3281  SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3283  }
3284 
3285  return( ret );
3286 }
3287 #endif /* POLARSSL_SSL_SRV_C */
const ecp_curve_info ** curves
Definition: ssl.h:535
#define SSL_HS_CLIENT_KEY_EXCHANGE
Definition: ssl.h:348
#define SSL_CERT_TYPE_ECDSA_SIGN
Definition: ssl.h:297
int ssl_ciphersuite_uses_ec(const ssl_ciphersuite_t *info)
int ecdh_make_params(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Setup and write the ServerKeyExhange parameters.
#define SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:308
size_t length
Definition: ssl.h:452
int ciphersuite
Definition: ssl.h:450
mpi P
Definition: dhm.h:146
static size_t pk_get_len(const pk_context *ctx)
Get the length in bytes of the underlying key.
Definition: pk.h:269
size_t in_hslen
Definition: ssl.h:697
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:635
#define TLS_EXT_SERVERNAME_HOSTNAME
Definition: ssl.h:355
int major_ver
Definition: ssl.h:624
#define SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:63
SHA-1 context structure.
Definition: sha1.h:58
int compression
Definition: ssl.h:451
#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH
Public key type mismatch (eg, asked for RSA key exchange and presented EC key)
Definition: ssl.h:143
#define POLARSSL_ECP_PF_COMPRESSED
Compressed point format.
Definition: ecp.h:234
pk_type_t ssl_pk_alg_from_sig(unsigned char sig)
int state
Definition: ssl.h:621
#define POLARSSL_MPI_MAX_SIZE
Maximum number of bytes for usable MPIs.
Definition: bignum.h:91
int ecdh_calc_secret(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret.
char peer_verify_data[36]
Definition: ssl.h:797
#define SSL_HS_CLIENT_HELLO
Definition: ssl.h:340
x509_buf raw
The raw certificate data (DER).
Definition: x509_crt.h:59
#define TLS_EXT_ALPN
Definition: ssl.h:366
Debug functions.
int(* f_sni)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:651
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
void(* calc_verify)(ssl_context *, unsigned char *)
Definition: ssl.h:568
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
int md_starts(md_context_t *ctx)
Set-up the given context for a new message digest.
#define SSL_HS_SERVER_KEY_EXCHANGE
Definition: ssl.h:344
void * p_psk
Definition: ssl.h:662
#define TLS_EXT_TRUNCATED_HMAC
Definition: ssl.h:359
Elliptic curves over GF(p)
int ecdh_read_public(ecdh_context *ctx, const unsigned char *buf, size_t blen)
Parse and import the client&#39;s public value.
#define SSL_HS_NEW_SESSION_TICKET
Definition: ssl.h:342
#define SSL_HASH_SHA1
Definition: ssl.h:282
ssl_session * session_negotiate
Definition: ssl.h:671
int ssl_parse_certificate(ssl_context *ssl)
ssl_key_cert * key_cert
Definition: ssl.h:724
ssl_key_cert * sni_key_cert
Definition: ssl.h:546
size_t out_msglen
Definition: ssl.h:710
mpi GX
Definition: dhm.h:149
#define SSL_SESSION_TICKETS_DISABLED
Definition: ssl.h:232
#define SSL_SIG_RSA
Definition: ssl.h:289
int ticket_lifetime
Definition: ssl.h:756
const int * ciphersuite_list[4]
Definition: ssl.h:747
int ssl_parse_finished(ssl_context *ssl)
void * p_rng
Definition: ssl.h:642
void sha256_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = HMAC-SHA-256( hmac key, input buffer )
int md_init_ctx(md_context_t *ctx, const md_info_t *md_info)
Initialises and fills the message digest context structure with the appropriate values.
int pk_decrypt(pk_context *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, size_t osize, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Decrypt message.
mpi dhm_P
Definition: ssl.h:760
#define AES_DECRYPT
Definition: aes.h:47
#define polarssl_free
Definition: platform.h:91
#define SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY
Definition: ssl.h:336
#define SSL_RENEGOTIATION
Definition: ssl.h:214
unsigned char premaster[POLARSSL_PREMASTER_SIZE]
Definition: ssl.h:577
void ssl_session_free(ssl_session *session)
Free referenced items in an SSL session including the peer certificate and clear memory.
int x509_crt_parse(x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one or more certificates and add them to the chained list.
#define POLARSSL_ECP_PF_UNCOMPRESSED
Uncompressed point format.
Definition: ecp.h:233
int ssl_write_finished(ssl_context *ssl)
void x509_crt_free(x509_crt *crt)
Unallocate all certificate data.
Configuration options (set of defines)
x509_crt * cert
Definition: ssl.h:609
#define SSL_DEBUG_MSG(level, args)
Definition: debug.h:60
size_t psk_identity_len
Definition: ssl.h:771
unsigned char * out_ctr
Definition: ssl.h:704
mpi X
Definition: dhm.h:148
#define SSL_TRUNC_HMAC_ENABLED
Definition: ssl.h:229
void ssl_handshake_wrapup(ssl_context *ssl)
char own_verify_data[36]
Definition: ssl.h:796
int ecdh_get_params(ecdh_context *ctx, const ecp_keypair *key, ecdh_side side)
Setup an ECDH context from an EC key.
#define SSL_SIG_ECDSA
Definition: ssl.h:290
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
size_t in_msglen
Definition: ssl.h:694
unsigned char * in_hdr
Definition: ssl.h:688
int secure_renegotiation
Definition: ssl.h:793
time_t start
Definition: ssl.h:448
PolarSSL Platform abstraction layer.
#define pk_ec(pk)
Quick access to an EC context inside a PK context.
Definition: pk.h:84
#define SSL_HASH_MD5
Definition: ssl.h:281
int ssl_handshake_server_step(ssl_context *ssl)
#define SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:224
unsigned char mac_key[16]
Definition: ssl.h:599
#define SSL_MAJOR_VERSION_3
Definition: ssl.h:151
size_t psk_len
Definition: ssl.h:769
unsigned char id[32]
Definition: ssl.h:453
#define POLARSSL_ERR_SSL_INVALID_MAC
Verification of the message MAC failed.
Definition: ssl.h:109
pk_type_t ssl_get_ciphersuite_sig_pk_alg(const ssl_ciphersuite_t *info)
const ssl_ciphersuite_t * ciphersuite_info
Definition: ssl.h:485
unsigned char * psk
Definition: ssl.h:768
size_t len
Definition: dhm.h:145
int max_major_ver
Definition: ssl.h:627
struct _x509_crt * next
Next certificate in the CA-chain.
Definition: x509_crt.h:97
#define POLARSSL_ECP_DP_MAX
Number of supported curves (plus one for NONE).
Definition: ecp.h:82
ecp_point Qp
Definition: ecdh.h:53
md_type_t
Definition: md.h:51
#define TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT
Definition: ssl.h:377
const char ** alpn_list
Definition: ssl.h:786
int max_minor_ver
Definition: ssl.h:628
const char * alpn_chosen
Definition: ssl.h:787
const md_info_t * md_info_from_type(md_type_t md_type)
Returns the message digest information associated with the given digest type.
#define TLS_EXT_SIG_ALG
Definition: ssl.h:364
#define SSL_HS_CERTIFICATE_REQUEST
Definition: ssl.h:345
#define SSL_CERT_TYPE_RSA_SIGN
Definition: ssl.h:296
ssl_handshake_params * handshake
Definition: ssl.h:673
#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE
Our own certificate(s) is/are too large to send in an SSL message.
Definition: ssl.h:116
#define SSL_MSG_HANDSHAKE
Definition: ssl.h:304
void(* update_checksum)(ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:567
int ssl_write_certificate(ssl_context *ssl)
#define SSL_ALERT_MSG_PROTOCOL_VERSION
Definition: ssl.h:329
#define POLARSSL_ERR_SSL_NO_RNG
No RNG was provided to the SSL module.
Definition: ssl.h:114
#define SSL_TRUNC_HMAC_DISABLED
Definition: ssl.h:228
int in_msgtype
Definition: ssl.h:693
Container for an X.509 certificate.
Definition: x509_crt.h:57
size_t verify_data_len
Definition: ssl.h:795
mpi dhm_G
Definition: ssl.h:761
#define SSL_ALERT_MSG_UNRECOGNIZED_NAME
Definition: ssl.h:335
mpi G
Definition: dhm.h:147
#define SSL_IS_SERVER
Definition: ssl.h:205
int point_format
Definition: ecdh.h:55
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS
Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret...
Definition: ssl.h:132
int min_minor_ver
Definition: ssl.h:630
int aes_crypt_cbc(aes_context *ctx, int mode, size_t length, unsigned char iv[16], const unsigned char *input, unsigned char *output)
AES-CBC buffer encryption/decryption Length should be a multiple of the block size (16 bytes) ...
unsigned char * out_msg
Definition: ssl.h:707
struct _ssl_session ssl_session
Definition: ssl.h:431
#define SSL_MINOR_VERSION_0
Definition: ssl.h:152
int pk_verify(pk_context *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len)
Verify signature.
#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION
Handshake protocol not within min/max boundaries.
Definition: ssl.h:140
ssl_key_cert * key_cert
Current key/cert or key/cert list.
Definition: ssl.h:544
ecdh_context ecdh_ctx
Definition: ssl.h:532
#define SSL_HS_SERVER_HELLO_DONE
Definition: ssl.h:346
void x509_crt_init(x509_crt *crt)
Initialize a certificate (chain)
unsigned char * p
ASN1 data, e.g.
Definition: asn1.h:124
key_exchange_type_t key_exchange
int new_session_ticket
Definition: ssl.h:586
mpi GY
Definition: dhm.h:150
int trunc_hmac
Definition: ssl.h:472
Curve information for use by other modules.
Definition: ecp.h:87
int pk_can_do(pk_context *ctx, pk_type_t type)
Tell if a context can do the operation given by type.
void * p_get_cache
Definition: ssl.h:646
void md5_starts(md5_context *ctx)
MD5 context setup.
unsigned char ssl_sig_from_pk(pk_context *pk)
#define SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL
Definition: ssl.h:337
int authmode
Definition: ssl.h:742
int ssl_flush_output(ssl_context *ssl)
int ssl_ciphersuite_uses_psk(const ssl_ciphersuite_t *info)
#define POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED
Session ticket has expired.
Definition: ssl.h:142
#define TLS_EXT_SESSION_TICKET
Definition: ssl.h:368
#define SSL_HS_SERVER_HELLO
Definition: ssl.h:341
#define SSL_COMPRESS_DEFLATE
Definition: ssl.h:207
unsigned char * in_msg
Definition: ssl.h:690
aes_context dec
Definition: ssl.h:598
mpi z
Definition: ecdh.h:54
#define SSL_MINOR_VERSION_3
Definition: ssl.h:155
mpi K
Definition: dhm.h:151
MD5 context structure.
Definition: md5.h:58
#define TLS_EXT_RENEGOTIATION_INFO
Definition: ssl.h:370
int ssl_check_cert_usage(const x509_crt *cert, const ssl_ciphersuite_t *ciphersuite, int cert_endpoint)
pk_type_t
Public key types.
Definition: pk.h:95
aes_context enc
Definition: ssl.h:597
int ssl_parse_change_cipher_spec(ssl_context *ssl)
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
int minor_ver
Definition: ssl.h:625
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO
Processing of the ClientHello handshake message failed.
Definition: ssl.h:124
#define SSL_EMPTY_RENEGOTIATION_INFO
renegotiation info ext
Definition: ssl.h:274
This structure is used for storing ciphersuite information.
#define SSL_HASH_SHA256
Definition: ssl.h:284
int ecp_use_known_dp(ecp_group *grp, ecp_group_id index)
Set a group using well-known domain parameters.
#define SSL_VERIFY_NONE
Definition: ssl.h:209
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:66
#define AES_ENCRYPT
Definition: aes.h:46
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
Processing of the ClientKeyExchange handshake message failed.
Definition: ssl.h:130
#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED
The own private key or pre-shared key is not set, but needed.
Definition: ssl.h:118
#define SSL_INITIAL_HANDSHAKE
Definition: ssl.h:213
size_t in_left
Definition: ssl.h:695
pk_context * key
Definition: ssl.h:610
int session_tickets
Definition: ssl.h:755
int allow_legacy_renegotiation
Definition: ssl.h:746
#define SSL_COMPRESS_NULL
Definition: ssl.h:206
const ssl_ciphersuite_t * ssl_ciphersuite_from_id(int ciphersuite_id)
int ssl_read_record(ssl_context *ssl)
size_t len
ASN1 length, e.g.
Definition: asn1.h:123
ecp_group_id
Domain parameters (curve, subgroup and generator) identifiers.
Definition: ecp.h:57
int out_msgtype
Definition: ssl.h:709
#define SSL_MAX_FRAG_LEN_INVALID
Definition: ssl.h:202
#define TLS_EXT_MAX_FRAGMENT_LENGTH
Definition: ssl.h:357
#define SSL_MAX_FRAG_LEN_NONE
Definition: ssl.h:197
#define SSL_HS_CERTIFICATE_VERIFY
Definition: ssl.h:347
#define TLS_EXT_SERVERNAME
Definition: ssl.h:354
int pk_sign(pk_context *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, unsigned char *sig, size_t *sig_len, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Make signature.
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP
Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public.
Definition: ssl.h:131
#define SSL_DEBUG_MPI(level, text, X)
Definition: debug.h:70
size_t mpi_size(const mpi *X)
Return the total size in bytes.
int mpi_copy(mpi *X, const mpi *Y)
Copy the contents of Y into X.
#define SSL_LEGACY_BREAK_HANDSHAKE
Definition: ssl.h:226
int min_major_ver
Definition: ssl.h:629
pk_context pk
Container for the public key context.
Definition: x509_crt.h:75
ssl_transform * transform_negotiate
Definition: ssl.h:682
#define SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:218
#define SSL_HASH_SHA224
Definition: ssl.h:283
#define SSL_SECURE_RENEGOTIATION
Definition: ssl.h:219
SSL/TLS functions.
#define POLARSSL_ERR_SSL_UNKNOWN_IDENTITY
Unknown identity received (eg, PSK identity)
Definition: ssl.h:144
#define POLARSSL_ERR_SSL_MALLOC_FAILED
Memory allocation failed.
Definition: ssl.h:136
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
#define TLS_EXT_SUPPORTED_POINT_FORMATS
Definition: ssl.h:362
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
int ssl_write_change_cipher_spec(ssl_context *ssl)
int(* f_get_cache)(void *, ssl_session *)
Definition: ssl.h:639
#define SSL_DEBUG_ECP(level, text, X)
Definition: debug.h:75
int ssl_derive_keys(ssl_context *ssl)
static pk_context * ssl_own_key(ssl_context *ssl)
Definition: ssl.h:1664
int md_finish(md_context_t *ctx, unsigned char *output)
Generic message digest final digest.
unsigned char mfl_code
Definition: ssl.h:468
const ecp_curve_info * ecp_curve_info_from_tls_id(uint16_t tls_id)
Get curve information from a TLS NamedCurve value.
int ssl_psk_derive_premaster(ssl_context *ssl, key_exchange_type_t key_ex)
int version
The X.509 version.
Definition: x509_crt.h:62
int renegotiation
Definition: ssl.h:622
dhm_context dhm_ctx
Definition: ssl.h:529
static int safer_memcmp(const void *a, const void *b, size_t n)
Definition: ssl.h:1691
#define polarssl_malloc
Definition: platform.h:90
int md_free_ctx(md_context_t *ctx)
Free the message-specific context of ctx.
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
ssl_ticket_keys * ticket_keys
Definition: ssl.h:735
#define SSL_MAX_CONTENT_LEN
Size of the input / output buffer.
Definition: ssl.h:255
unsigned char * psk_identity
Definition: ssl.h:770
const char * ssl_get_ciphersuite_name(const int ciphersuite_id)
Return the name of the ciphersuite associated with the given ID.
unsigned char key_name[16]
Definition: ssl.h:596
#define TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
Definition: ssl.h:361
ssl_key_cert * next
Definition: ssl.h:612
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition: ssl.h:107
x509_buf subject_raw
The raw subject data (DER).
Definition: x509_crt.h:67
x509_crt * ca_chain
Definition: ssl.h:726
int md_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic message digest process buffer.
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition: ssl.h:108
#define SSL_HASH_SHA512
Definition: ssl.h:286
#define SSL_HASH_SHA384
Definition: ssl.h:285
int ssl_fetch_input(ssl_context *ssl, size_t nb_want)
int dhm_make_params(dhm_context *ctx, int x_size, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Setup and write the ServerKeyExchange parameters.
int(* f_psk)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:661
int ssl_write_record(ssl_context *ssl)
Public key container.
Definition: pk.h:182
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
Processing of the CertificateVerify handshake message failed.
Definition: ssl.h:133
int dhm_read_public(dhm_context *ctx, const unsigned char *input, size_t ilen)
Import the peer&#39;s public value G^Y.
unsigned char randbytes[64]
Definition: ssl.h:576
ecp_group grp
Definition: ecdh.h:50
Generic message digest context.
Definition: md.h:132
#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN
The server has no ciphersuites in common with the client.
Definition: ssl.h:113
void ssl_optimize_checksum(ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info)
ecp_point Q
Definition: ecdh.h:52
x509_crt * peer_cert
Definition: ssl.h:457
md_type_t ssl_md_alg_from_hash(unsigned char hash)
void * p_sni
Definition: ssl.h:652
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret (G^Y)^X mod P.