PolarSSL v1.3.2
ssl_srv.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 server-side functions
3  *
4  * Copyright (C) 2006-2013, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 #include "polarssl/config.h"
27 
28 #if defined(POLARSSL_SSL_SRV_C)
29 
30 #include "polarssl/debug.h"
31 #include "polarssl/ssl.h"
32 #if defined(POLARSSL_ECP_C)
33 #include "polarssl/ecp.h"
34 #endif
35 
36 #if defined(POLARSSL_MEMORY_C)
37 #include "polarssl/memory.h"
38 #else
39 #define polarssl_malloc malloc
40 #define polarssl_free free
41 #endif
42 
43 #include <stdlib.h>
44 #include <stdio.h>
45 
46 #if defined(POLARSSL_HAVE_TIME)
47 #include <time.h>
48 #endif
49 
50 #if defined(POLARSSL_SSL_SESSION_TICKETS)
51 /*
52  * Serialize a session in the following format:
53  * 0 . n-1 session structure, n = sizeof(ssl_session)
54  * n . n+2 peer_cert length = m (0 if no certificate)
55  * n+3 . n+2+m peer cert ASN.1
56  *
57  * Assumes ticket is NULL (always true on server side).
58  */
59 static int ssl_save_session( const ssl_session *session,
60  unsigned char *buf, size_t buf_len,
61  size_t *olen )
62 {
63  unsigned char *p = buf;
64  size_t left = buf_len;
65 #if defined(POLARSSL_X509_CRT_PARSE_C)
66  size_t cert_len;
67 #endif /* POLARSSL_X509_CRT_PARSE_C */
68 
69  if( left < sizeof( ssl_session ) )
70  return( -1 );
71 
72  memcpy( p, session, sizeof( ssl_session ) );
73  p += sizeof( ssl_session );
74  left -= sizeof( ssl_session );
75 
76 #if defined(POLARSSL_X509_CRT_PARSE_C)
77  if( session->peer_cert == NULL )
78  cert_len = 0;
79  else
80  cert_len = session->peer_cert->raw.len;
81 
82  if( left < 3 + cert_len )
83  return( -1 );
84 
85  *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
86  *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
87  *p++ = (unsigned char)( cert_len & 0xFF );
88 
89  if( session->peer_cert != NULL )
90  memcpy( p, session->peer_cert->raw.p, cert_len );
91 
92  p += cert_len;
93 #endif /* POLARSSL_X509_CRT_PARSE_C */
94 
95  *olen = p - buf;
96 
97  return( 0 );
98 }
99 
100 /*
101  * Unserialise session, see ssl_save_session()
102  */
103 static int ssl_load_session( ssl_session *session,
104  const unsigned char *buf, size_t len )
105 {
106  const unsigned char *p = buf;
107  const unsigned char * const end = buf + len;
108 #if defined(POLARSSL_X509_CRT_PARSE_C)
109  size_t cert_len;
110 #endif /* POLARSSL_X509_CRT_PARSE_C */
111 
112  if( p + sizeof( ssl_session ) > end )
114 
115  memcpy( session, p, sizeof( ssl_session ) );
116  p += sizeof( ssl_session );
117 
118 #if defined(POLARSSL_X509_CRT_PARSE_C)
119  if( p + 3 > end )
121 
122  cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
123  p += 3;
124 
125  if( cert_len == 0 )
126  {
127  session->peer_cert = NULL;
128  }
129  else
130  {
131  int ret;
132 
133  if( p + cert_len > end )
135 
136  session->peer_cert = polarssl_malloc( sizeof( x509_crt ) );
137 
138  if( session->peer_cert == NULL )
140 
141  x509_crt_init( session->peer_cert );
142 
143  if( ( ret = x509_crt_parse( session->peer_cert, p, cert_len ) ) != 0 )
144  {
145  x509_crt_free( session->peer_cert );
146  polarssl_free( session->peer_cert );
147  session->peer_cert = NULL;
148  return( ret );
149  }
150 
151  p += cert_len;
152  }
153 #endif /* POLARSSL_X509_CRT_PARSE_C */
154 
155  if( p != end )
157 
158  return( 0 );
159 }
160 
161 /*
162  * Create session ticket, secured as recommended in RFC 5077 section 4:
163  *
164  * struct {
165  * opaque key_name[16];
166  * opaque iv[16];
167  * opaque encrypted_state<0..2^16-1>;
168  * opaque mac[32];
169  * } ticket;
170  *
171  * (the internal state structure differs, however).
172  */
173 static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
174 {
175  int ret;
176  unsigned char * const start = ssl->out_msg + 10;
177  unsigned char *p = start;
178  unsigned char *state;
179  unsigned char iv[16];
180  size_t clear_len, enc_len, pad_len, i;
181 
182  *tlen = 0;
183 
184  if( ssl->ticket_keys == NULL )
186 
187  /* Write key name */
188  memcpy( p, ssl->ticket_keys->key_name, 16 );
189  p += 16;
190 
191  /* Generate and write IV (with a copy for aes_crypt) */
192  if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
193  return( ret );
194  memcpy( iv, p, 16 );
195  p += 16;
196 
197  /*
198  * Dump session state
199  *
200  * After the session state itself, we still need room for 16 bytes of
201  * padding and 32 bytes of MAC, so there's only so much room left
202  */
203  state = p + 2;
204  if( ssl_save_session( ssl->session_negotiate, state,
205  SSL_MAX_CONTENT_LEN - (state - ssl->out_ctr) - 48,
206  &clear_len ) != 0 )
207  {
209  }
210  SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
211 
212  /* Apply PKCS padding */
213  pad_len = 16 - clear_len % 16;
214  enc_len = clear_len + pad_len;
215  for( i = clear_len; i < enc_len; i++ )
216  state[i] = (unsigned char) pad_len;
217 
218  /* Encrypt */
219  if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
220  enc_len, iv, state, state ) ) != 0 )
221  {
222  return( ret );
223  }
224 
225  /* Write length */
226  *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
227  *p++ = (unsigned char)( ( enc_len ) & 0xFF );
228  p = state + enc_len;
229 
230  /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
231  sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
232  p += 32;
233 
234  *tlen = p - start;
235 
236  SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
237 
238  return( 0 );
239 }
240 
241 /*
242  * Load session ticket (see ssl_write_ticket for structure)
243  */
244 static int ssl_parse_ticket( ssl_context *ssl,
245  unsigned char *buf,
246  size_t len )
247 {
248  int ret;
249  ssl_session session;
250  unsigned char *key_name = buf;
251  unsigned char *iv = buf + 16;
252  unsigned char *enc_len_p = iv + 16;
253  unsigned char *ticket = enc_len_p + 2;
254  unsigned char *mac;
255  unsigned char computed_mac[32];
256  size_t enc_len, clear_len, i;
257  unsigned char pad_len, diff;
258 
259  SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
260 
261  if( len < 34 || ssl->ticket_keys == NULL )
263 
264  enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
265  mac = ticket + enc_len;
266 
267  if( len != enc_len + 66 )
269 
270  /* Check name, in constant time though it's not a big secret */
271  diff = 0;
272  for( i = 0; i < 16; i++ )
273  diff |= key_name[i] ^ ssl->ticket_keys->key_name[i];
274  /* don't return yet, check the MAC anyway */
275 
276  /* Check mac, with constant-time buffer comparison */
277  sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
278  computed_mac, 0 );
279 
280  for( i = 0; i < 32; i++ )
281  diff |= mac[i] ^ computed_mac[i];
282 
283  /* Now return if ticket is not authentic, since we want to avoid
284  * decrypting arbitrary attacker-chosen data */
285  if( diff != 0 )
287 
288  /* Decrypt */
289  if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
290  enc_len, iv, ticket, ticket ) ) != 0 )
291  {
292  return( ret );
293  }
294 
295  /* Check PKCS padding */
296  pad_len = ticket[enc_len - 1];
297 
298  ret = 0;
299  for( i = 2; i < pad_len; i++ )
300  if( ticket[enc_len - i] != pad_len )
302  if( ret != 0 )
303  return( ret );
304 
305  clear_len = enc_len - pad_len;
306 
307  SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
308 
309  /* Actually load session */
310  if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
311  {
312  SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
313  memset( &session, 0, sizeof( ssl_session ) );
314  return( ret );
315  }
316 
317 #if defined(POLARSSL_HAVE_TIME)
318  /* Check if still valid */
319  if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
320  {
321  SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
322  memset( &session, 0, sizeof( ssl_session ) );
324  }
325 #endif
326 
327  /*
328  * Keep the session ID sent by the client, since we MUST send it back to
329  * inform him we're accepting the ticket (RFC 5077 section 3.4)
330  */
331  session.length = ssl->session_negotiate->length;
332  memcpy( &session.id, ssl->session_negotiate->id, session.length );
333 
335  memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
336  memset( &session, 0, sizeof( ssl_session ) );
337 
338  return( 0 );
339 }
340 #endif /* POLARSSL_SSL_SESSION_TICKETS */
341 
342 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
343 /*
344  * Wrapper around f_sni, allowing use of ssl_set_own_cert() but
345  * making it act on ssl->hanshake->sni_key_cert instead.
346  */
347 static int ssl_sni_wrapper( ssl_context *ssl,
348  const unsigned char* name, size_t len )
349 {
350  int ret;
351  ssl_key_cert *key_cert_ori = ssl->key_cert;
352 
353  ssl->key_cert = NULL;
354  ret = ssl->f_sni( ssl->p_sni, ssl, name, len );
355  ssl->handshake->sni_key_cert = ssl->key_cert;
356 
357  ssl->key_cert = key_cert_ori;
358 
359  return( ret );
360 }
361 
362 static int ssl_parse_servername_ext( ssl_context *ssl,
363  const unsigned char *buf,
364  size_t len )
365 {
366  int ret;
367  size_t servername_list_size, hostname_len;
368  const unsigned char *p;
369 
370  servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
371  if( servername_list_size + 2 != len )
372  {
373  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
375  }
376 
377  p = buf + 2;
378  while( servername_list_size > 0 )
379  {
380  hostname_len = ( ( p[1] << 8 ) | p[2] );
381  if( hostname_len + 3 > servername_list_size )
382  {
383  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
385  }
386 
387  if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
388  {
389  ret = ssl_sni_wrapper( ssl, p + 3, hostname_len );
390  if( ret != 0 )
391  {
395  }
396  return( 0 );
397  }
398 
399  servername_list_size -= hostname_len + 3;
400  p += hostname_len + 3;
401  }
402 
403  if( servername_list_size != 0 )
404  {
405  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
407  }
408 
409  return( 0 );
410 }
411 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
412 
413 static int ssl_parse_renegotiation_info( ssl_context *ssl,
414  const unsigned char *buf,
415  size_t len )
416 {
417  int ret;
418 
420  {
421  if( len != 1 || buf[0] != 0x0 )
422  {
423  SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
424 
425  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
426  return( ret );
427 
429  }
430 
432  }
433  else
434  {
435  /* Check verify-data in constant-time. The length OTOH is no secret */
436  if( len != 1 + ssl->verify_data_len ||
437  buf[0] != ssl->verify_data_len ||
438  safer_memcmp( buf + 1, ssl->peer_verify_data,
439  ssl->verify_data_len ) != 0 )
440  {
441  SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
442 
443  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
444  return( ret );
445 
447  }
448  }
449 
450  return( 0 );
451 }
452 
453 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
454 static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
455  const unsigned char *buf,
456  size_t len )
457 {
458  size_t sig_alg_list_size;
459  const unsigned char *p;
460 
461  sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
462  if( sig_alg_list_size + 2 != len ||
463  sig_alg_list_size %2 != 0 )
464  {
465  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
467  }
468 
469  p = buf + 2;
470  while( sig_alg_list_size > 0 )
471  {
472  /*
473  * For now, just ignore signature algorithm and rely on offered
474  * ciphersuites only. To be fixed later.
475  */
476 #if defined(POLARSSL_SHA512_C)
477  if( p[0] == SSL_HASH_SHA512 )
478  {
480  break;
481  }
482  if( p[0] == SSL_HASH_SHA384 )
483  {
485  break;
486  }
487 #endif
488 #if defined(POLARSSL_SHA256_C)
489  if( p[0] == SSL_HASH_SHA256 )
490  {
492  break;
493  }
494  if( p[0] == SSL_HASH_SHA224 )
495  {
497  break;
498  }
499 #endif
500  if( p[0] == SSL_HASH_SHA1 )
501  {
503  break;
504  }
505  if( p[0] == SSL_HASH_MD5 )
506  {
508  break;
509  }
510 
511  sig_alg_list_size -= 2;
512  p += 2;
513  }
514 
515  SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
516  ssl->handshake->sig_alg ) );
517 
518  return( 0 );
519 }
520 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
521 
522 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
523 static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
524  const unsigned char *buf,
525  size_t len )
526 {
527  size_t list_size, our_size;
528  const unsigned char *p;
529  const ecp_curve_info *curve_info, **curves;
530 
531  list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
532  if( list_size + 2 != len ||
533  list_size % 2 != 0 )
534  {
535  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
537  }
538 
539  /* Don't allow our peer to make use allocated too much memory,
540  * and leave room for a final 0 */
541  our_size = list_size / 2 + 1;
542  if( our_size > POLARSSL_ECP_DP_MAX )
543  our_size = POLARSSL_ECP_DP_MAX;
544 
545  if( ( curves = polarssl_malloc( our_size * sizeof( *curves ) ) ) == NULL )
547 
548  /* explicit void pointer cast for buggy MS compiler */
549  memset( (void *) curves, 0, our_size * sizeof( *curves ) );
550  ssl->handshake->curves = curves;
551 
552  p = buf + 2;
553  while( list_size > 0 && our_size > 1 )
554  {
555  curve_info = ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
556 
557  if( curve_info != NULL )
558  {
559  *curves++ = curve_info;
560  our_size--;
561  }
562 
563  list_size -= 2;
564  p += 2;
565  }
566 
567  return( 0 );
568 }
569 
570 static int ssl_parse_supported_point_formats( ssl_context *ssl,
571  const unsigned char *buf,
572  size_t len )
573 {
574  size_t list_size;
575  const unsigned char *p;
576 
577  list_size = buf[0];
578  if( list_size + 1 != len )
579  {
580  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
582  }
583 
584  p = buf + 2;
585  while( list_size > 0 )
586  {
587  if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
589  {
590  ssl->handshake->ecdh_ctx.point_format = p[0];
591  SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
592  return( 0 );
593  }
594 
595  list_size--;
596  p++;
597  }
598 
599  return( 0 );
600 }
601 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
602 
603 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
604 static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
605  const unsigned char *buf,
606  size_t len )
607 {
608  if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
609  {
610  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
612  }
613 
614  ssl->session_negotiate->mfl_code = buf[0];
615 
616  return( 0 );
617 }
618 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
619 
620 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
621 static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
622  const unsigned char *buf,
623  size_t len )
624 {
625  if( len != 0 )
626  {
627  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
629  }
630 
631  ((void) buf);
632 
634 
635  return( 0 );
636 }
637 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
638 
639 #if defined(POLARSSL_SSL_SESSION_TICKETS)
640 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
641  unsigned char *buf,
642  size_t len )
643 {
644  int ret;
645 
647  return( 0 );
648 
649  /* Remember the client asked us to send a new ticket */
650  ssl->handshake->new_session_ticket = 1;
651 
652  SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
653 
654  if( len == 0 )
655  return( 0 );
656 
658  {
659  SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
660  return( 0 );
661  }
662 
663  /*
664  * Failures are ok: just ignore the ticket and proceed.
665  */
666  if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
667  {
668  SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
669  return( 0 );
670  }
671 
672  SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
673 
674  ssl->handshake->resume = 1;
675 
676  /* Don't send a new ticket after all, this one is OK */
677  ssl->handshake->new_session_ticket = 0;
678 
679  return( 0 );
680 }
681 #endif /* POLARSSL_SSL_SESSION_TICKETS */
682 
683 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
684 static int ssl_parse_client_hello_v2( ssl_context *ssl )
685 {
686  int ret;
687  unsigned int i, j;
688  size_t n;
689  unsigned int ciph_len, sess_len, chal_len;
690  unsigned char *buf, *p;
691  const int *ciphersuites;
692  const ssl_ciphersuite_t *ciphersuite_info;
693 
694  SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
695 
697  {
698  SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
699 
700  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
701  return( ret );
702 
704  }
705 
706  buf = ssl->in_hdr;
707 
708  SSL_DEBUG_BUF( 4, "record header", buf, 5 );
709 
710  SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
711  buf[2] ) );
712  SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
713  ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
714  SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
715  buf[3], buf[4] ) );
716 
717  /*
718  * SSLv2 Client Hello
719  *
720  * Record layer:
721  * 0 . 1 message length
722  *
723  * SSL layer:
724  * 2 . 2 message type
725  * 3 . 4 protocol version
726  */
727  if( buf[2] != SSL_HS_CLIENT_HELLO ||
728  buf[3] != SSL_MAJOR_VERSION_3 )
729  {
730  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
732  }
733 
734  n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
735 
736  if( n < 17 || n > 512 )
737  {
738  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
740  }
741 
743  ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
744  ? buf[4] : ssl->max_minor_ver;
745 
746  if( ssl->minor_ver < ssl->min_minor_ver )
747  {
748  SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
749  " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
750  ssl->min_major_ver, ssl->min_minor_ver ) );
751 
755  }
756 
757  ssl->handshake->max_major_ver = buf[3];
758  ssl->handshake->max_minor_ver = buf[4];
759 
760  if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
761  {
762  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
763  return( ret );
764  }
765 
766  ssl->handshake->update_checksum( ssl, buf + 2, n );
767 
768  buf = ssl->in_msg;
769  n = ssl->in_left - 5;
770 
771  /*
772  * 0 . 1 ciphersuitelist length
773  * 2 . 3 session id length
774  * 4 . 5 challenge length
775  * 6 . .. ciphersuitelist
776  * .. . .. session id
777  * .. . .. challenge
778  */
779  SSL_DEBUG_BUF( 4, "record contents", buf, n );
780 
781  ciph_len = ( buf[0] << 8 ) | buf[1];
782  sess_len = ( buf[2] << 8 ) | buf[3];
783  chal_len = ( buf[4] << 8 ) | buf[5];
784 
785  SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
786  ciph_len, sess_len, chal_len ) );
787 
788  /*
789  * Make sure each parameter length is valid
790  */
791  if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
792  {
793  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
795  }
796 
797  if( sess_len > 32 )
798  {
799  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
801  }
802 
803  if( chal_len < 8 || chal_len > 32 )
804  {
805  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
807  }
808 
809  if( n != 6 + ciph_len + sess_len + chal_len )
810  {
811  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
813  }
814 
815  SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
816  buf + 6, ciph_len );
817  SSL_DEBUG_BUF( 3, "client hello, session id",
818  buf + 6 + ciph_len, sess_len );
819  SSL_DEBUG_BUF( 3, "client hello, challenge",
820  buf + 6 + ciph_len + sess_len, chal_len );
821 
822  p = buf + 6 + ciph_len;
823  ssl->session_negotiate->length = sess_len;
824  memset( ssl->session_negotiate->id, 0, sizeof( ssl->session_negotiate->id ) );
825  memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
826 
827  p += sess_len;
828  memset( ssl->handshake->randbytes, 0, 64 );
829  memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
830 
831  /*
832  * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
833  */
834  for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
835  {
836  if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
837  {
838  SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
839  if( ssl->renegotiation == SSL_RENEGOTIATION )
840  {
841  SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
842 
843  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
844  return( ret );
845 
847  }
849  break;
850  }
851  }
852 
853  ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
854  for( i = 0; ciphersuites[i] != 0; i++ )
855  {
856  for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
857  {
858  // Only allow non-ECC ciphersuites as we do not have extensions
859  //
860  if( p[0] == 0 && p[1] == 0 &&
861  ( ( ciphersuites[i] >> 8 ) & 0xFF ) == 0 &&
862  p[2] == ( ciphersuites[i] & 0xFF ) )
863  {
864  ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
865 
866  if( ciphersuite_info == NULL )
867  {
868  SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
869  ciphersuites[i] ) );
871  }
872 
873  if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
874  ciphersuite_info->max_minor_ver < ssl->minor_ver )
875  continue;
876 
877  goto have_ciphersuite_v2;
878  }
879  }
880  }
881 
882  SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
883 
885 
886 have_ciphersuite_v2:
887  ssl->session_negotiate->ciphersuite = ciphersuites[i];
888  ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
890 
891  /*
892  * SSLv2 Client Hello relevant renegotiation security checks
893  */
896  {
897  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
898 
899  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
900  return( ret );
901 
903  }
904 
905  ssl->in_left = 0;
906  ssl->state++;
907 
908  SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
909 
910  return( 0 );
911 }
912 #endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
913 
914 #if defined(POLARSSL_X509_CRT_PARSE_C)
915 #if defined(POLARSSL_ECDSA_C)
916 static int ssl_key_matches_curves( pk_context *pk,
917  const ecp_curve_info **curves )
918 {
919  const ecp_curve_info **crv = curves;
920  ecp_group_id grp_id = pk_ec( *pk )->grp.id;
921 
922  while( *crv != NULL )
923  {
924  if( (*crv)->grp_id == grp_id )
925  return( 1 );
926  crv++;
927  }
928 
929  return( 0 );
930 }
931 #endif /* POLARSSL_ECDSA_C */
932 
933 /*
934  * Try picking a certificate for this ciphersuite,
935  * return 0 on success and -1 on failure.
936  */
937 static int ssl_pick_cert( ssl_context *ssl,
938  const ssl_ciphersuite_t * ciphersuite_info )
939 {
940  ssl_key_cert *cur, *list;
941  pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
942 
943 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
944  if( ssl->handshake->sni_key_cert != NULL )
945  list = ssl->handshake->sni_key_cert;
946  else
947 #endif
948  list = ssl->handshake->key_cert;
949 
950  if( pk_alg == POLARSSL_PK_NONE )
951  return( 0 );
952 
953  for( cur = list; cur != NULL; cur = cur->next )
954  {
955  if( ! pk_can_do( cur->key, pk_alg ) )
956  continue;
957 
958 #if defined(POLARSSL_ECDSA_C)
959  if( pk_alg == POLARSSL_PK_ECDSA )
960  {
961  if( ssl_key_matches_curves( cur->key, ssl->handshake->curves ) )
962  break;
963  }
964  else
965 #endif
966  break;
967  }
968 
969  if( cur == NULL )
970  return( -1 );
971 
972  ssl->handshake->key_cert = cur;
973  return( 0 );
974 }
975 #endif /* POLARSSL_X509_CRT_PARSE_C */
976 
977 static int ssl_parse_client_hello( ssl_context *ssl )
978 {
979  int ret;
980  unsigned int i, j;
981  size_t n;
982  unsigned int ciph_len, sess_len;
983  unsigned int comp_len;
984  unsigned int ext_len = 0;
985  unsigned char *buf, *p, *ext;
986  int renegotiation_info_seen = 0;
987  int handshake_failure = 0;
988  const int *ciphersuites;
989  const ssl_ciphersuite_t *ciphersuite_info;
990 
991  SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
992 
993  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
994  ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
995  {
996  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
997  return( ret );
998  }
999 
1000  buf = ssl->in_hdr;
1001 
1002 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1003  if( ( buf[0] & 0x80 ) != 0 )
1004  return ssl_parse_client_hello_v2( ssl );
1005 #endif
1006 
1007  SSL_DEBUG_BUF( 4, "record header", buf, 5 );
1008 
1009  SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
1010  buf[0] ) );
1011  SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
1012  ( buf[3] << 8 ) | buf[4] ) );
1013  SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
1014  buf[1], buf[2] ) );
1015 
1016  /*
1017  * SSLv3 Client Hello
1018  *
1019  * Record layer:
1020  * 0 . 0 message type
1021  * 1 . 2 protocol version
1022  * 3 . 4 message length
1023  */
1024  if( buf[0] != SSL_MSG_HANDSHAKE ||
1025  buf[1] != SSL_MAJOR_VERSION_3 )
1026  {
1027  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1029  }
1030 
1031  n = ( buf[3] << 8 ) | buf[4];
1032 
1033  if( n < 45 || n > 2048 )
1034  {
1035  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1037  }
1038 
1039  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
1040  ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
1041  {
1042  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1043  return( ret );
1044  }
1045 
1046  buf = ssl->in_msg;
1047  if( !ssl->renegotiation )
1048  n = ssl->in_left - 5;
1049  else
1050  n = ssl->in_msglen;
1051 
1052  ssl->handshake->update_checksum( ssl, buf, n );
1053 
1054  /*
1055  * SSL layer:
1056  * 0 . 0 handshake type
1057  * 1 . 3 handshake length
1058  * 4 . 5 protocol version
1059  * 6 . 9 UNIX time()
1060  * 10 . 37 random bytes
1061  * 38 . 38 session id length
1062  * 39 . 38+x session id
1063  * 39+x . 40+x ciphersuitelist length
1064  * 41+x . .. ciphersuitelist
1065  * .. . .. compression alg.
1066  * .. . .. extensions
1067  */
1068  SSL_DEBUG_BUF( 4, "record contents", buf, n );
1069 
1070  SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
1071  buf[0] ) );
1072  SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
1073  ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
1074  SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
1075  buf[4], buf[5] ) );
1076 
1077  /*
1078  * Check the handshake type and protocol version
1079  */
1080  if( buf[0] != SSL_HS_CLIENT_HELLO ||
1081  buf[4] != SSL_MAJOR_VERSION_3 )
1082  {
1083  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1085  }
1086 
1088  ssl->minor_ver = ( buf[5] <= ssl->max_minor_ver )
1089  ? buf[5] : ssl->max_minor_ver;
1090 
1091  if( ssl->minor_ver < ssl->min_minor_ver )
1092  {
1093  SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1094  " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
1095  ssl->min_major_ver, ssl->min_minor_ver ) );
1096 
1099 
1101  }
1102 
1103  ssl->handshake->max_major_ver = buf[4];
1104  ssl->handshake->max_minor_ver = buf[5];
1105 
1106  memcpy( ssl->handshake->randbytes, buf + 6, 32 );
1107 
1108  /*
1109  * Check the handshake message length
1110  */
1111  if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
1112  {
1113  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1115  }
1116 
1117  /*
1118  * Check the session length
1119  */
1120  sess_len = buf[38];
1121 
1122  if( sess_len > 32 )
1123  {
1124  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1126  }
1127 
1128  ssl->session_negotiate->length = sess_len;
1129  memset( ssl->session_negotiate->id, 0,
1130  sizeof( ssl->session_negotiate->id ) );
1131  memcpy( ssl->session_negotiate->id, buf + 39,
1132  ssl->session_negotiate->length );
1133 
1134  /*
1135  * Check the ciphersuitelist length
1136  */
1137  ciph_len = ( buf[39 + sess_len] << 8 )
1138  | ( buf[40 + sess_len] );
1139 
1140  if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
1141  {
1142  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1144  }
1145 
1146  /*
1147  * Check the compression algorithms length
1148  */
1149  comp_len = buf[41 + sess_len + ciph_len];
1150 
1151  if( comp_len < 1 || comp_len > 16 )
1152  {
1153  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1155  }
1156 
1157  /*
1158  * Check the extension length
1159  */
1160  if( n > 42 + sess_len + ciph_len + comp_len )
1161  {
1162  ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
1163  | ( buf[43 + sess_len + ciph_len + comp_len] );
1164 
1165  if( ( ext_len > 0 && ext_len < 4 ) ||
1166  n != 44 + sess_len + ciph_len + comp_len + ext_len )
1167  {
1168  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1169  SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
1171  }
1172  }
1173 
1175 #if defined(POLARSSL_ZLIB_SUPPORT)
1176  for( i = 0; i < comp_len; ++i )
1177  {
1178  if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
1179  {
1181  break;
1182  }
1183  }
1184 #endif
1185 
1186  SSL_DEBUG_BUF( 3, "client hello, random bytes",
1187  buf + 6, 32 );
1188  SSL_DEBUG_BUF( 3, "client hello, session id",
1189  buf + 38, sess_len );
1190  SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1191  buf + 41 + sess_len, ciph_len );
1192  SSL_DEBUG_BUF( 3, "client hello, compression",
1193  buf + 42 + sess_len + ciph_len, comp_len );
1194 
1195  /*
1196  * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1197  */
1198  for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1199  {
1200  if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
1201  {
1202  SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1203  if( ssl->renegotiation == SSL_RENEGOTIATION )
1204  {
1205  SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
1206 
1207  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1208  return( ret );
1209 
1211  }
1213  break;
1214  }
1215  }
1216 
1217  ext = buf + 44 + sess_len + ciph_len + comp_len;
1218 
1219  while( ext_len )
1220  {
1221  unsigned int ext_id = ( ( ext[0] << 8 )
1222  | ( ext[1] ) );
1223  unsigned int ext_size = ( ( ext[2] << 8 )
1224  | ( ext[3] ) );
1225 
1226  if( ext_size + 4 > ext_len )
1227  {
1228  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1230  }
1231  switch( ext_id )
1232  {
1233 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
1234  case TLS_EXT_SERVERNAME:
1235  SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1236  if( ssl->f_sni == NULL )
1237  break;
1238 
1239  ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1240  if( ret != 0 )
1241  return( ret );
1242  break;
1243 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
1244 
1246  SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1247  renegotiation_info_seen = 1;
1248 
1249  ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1250  if( ret != 0 )
1251  return( ret );
1252  break;
1253 
1254 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1255  case TLS_EXT_SIG_ALG:
1256  SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1257  if( ssl->renegotiation == SSL_RENEGOTIATION )
1258  break;
1259 
1260  ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1261  if( ret != 0 )
1262  return( ret );
1263  break;
1264 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1265 
1266 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1268  SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1269 
1270  ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1271  if( ret != 0 )
1272  return( ret );
1273  break;
1274 
1276  SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1278 
1279  ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1280  if( ret != 0 )
1281  return( ret );
1282  break;
1283 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1284 
1285 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1287  SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1288 
1289  ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1290  if( ret != 0 )
1291  return( ret );
1292  break;
1293 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
1294 
1295 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1297  SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1298 
1299  ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1300  if( ret != 0 )
1301  return( ret );
1302  break;
1303 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
1304 
1305 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1307  SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1308 
1309  ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1310  if( ret != 0 )
1311  return( ret );
1312  break;
1313 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1314 
1315  default:
1316  SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1317  ext_id ) );
1318  }
1319 
1320  ext_len -= 4 + ext_size;
1321  ext += 4 + ext_size;
1322 
1323  if( ext_len > 0 && ext_len < 4 )
1324  {
1325  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1327  }
1328  }
1329 
1330  /*
1331  * Renegotiation security checks
1332  */
1335  {
1336  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1337  handshake_failure = 1;
1338  }
1339  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1341  renegotiation_info_seen == 0 )
1342  {
1343  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1344  handshake_failure = 1;
1345  }
1346  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1349  {
1350  SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1351  handshake_failure = 1;
1352  }
1353  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1355  renegotiation_info_seen == 1 )
1356  {
1357  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1358  handshake_failure = 1;
1359  }
1360 
1361  if( handshake_failure == 1 )
1362  {
1363  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1364  return( ret );
1365 
1367  }
1368 
1369  /*
1370  * Search for a matching ciphersuite
1371  * (At the end because we need information from the EC-based extensions
1372  * and certificate from the SNI callback triggered by the SNI extension.)
1373  */
1374  ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1375  for( i = 0; ciphersuites[i] != 0; i++ )
1376  {
1377  for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
1378  j += 2, p += 2 )
1379  {
1380  if( p[0] == ( ( ciphersuites[i] >> 8 ) & 0xFF ) &&
1381  p[1] == ( ( ciphersuites[i] ) & 0xFF ) )
1382  {
1383  ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
1384 
1385  if( ciphersuite_info == NULL )
1386  {
1387  SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found",
1388  ciphersuites[i] ) );
1390  }
1391 
1392  if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
1393  ciphersuite_info->max_minor_ver < ssl->minor_ver )
1394  continue;
1395 
1396 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1397  if( ssl_ciphersuite_uses_ec( ciphersuite_info ) &&
1398  ( ssl->handshake->curves == NULL ||
1399  ssl->handshake->curves[0] == NULL ) )
1400  continue;
1401 #endif
1402 
1403 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
1404  /* If the ciphersuite requires a pre-shared key and we don't
1405  * have one, skip it now rather than failing later */
1406  if( ssl_ciphersuite_uses_psk( ciphersuite_info ) &&
1407  ssl->f_psk == NULL &&
1408  ( ssl->psk == NULL || ssl->psk_identity == NULL ||
1409  ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
1410  continue;
1411 #endif
1412 
1413 #if defined(POLARSSL_X509_CRT_PARSE_C)
1414  /*
1415  * Final check: if ciphersuite requires us to have a
1416  * certificate/key of a particular type:
1417  * - select the appropriate certificate if we have one, or
1418  * - try the next ciphersuite if we don't
1419  * This must be done last since we modify the key_cert list.
1420  */
1421  if( ssl_pick_cert( ssl, ciphersuite_info ) != 0 )
1422  continue;
1423 #endif
1424 
1425  goto have_ciphersuite;
1426  }
1427  }
1428  }
1429 
1430  SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1431 
1432  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1433  return( ret );
1434 
1436 
1437 have_ciphersuite:
1438  ssl->session_negotiate->ciphersuite = ciphersuites[i];
1439  ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1441 
1442  ssl->in_left = 0;
1443  ssl->state++;
1444 
1445  SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1446 
1447  return( 0 );
1448 }
1449 
1450 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1451 static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
1452  unsigned char *buf,
1453  size_t *olen )
1454 {
1455  unsigned char *p = buf;
1456 
1458  {
1459  *olen = 0;
1460  return;
1461  }
1462 
1463  SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1464 
1465  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
1466  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
1467 
1468  *p++ = 0x00;
1469  *p++ = 0x00;
1470 
1471  *olen = 4;
1472 }
1473 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
1474 
1475 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1476 static void ssl_write_session_ticket_ext( ssl_context *ssl,
1477  unsigned char *buf,
1478  size_t *olen )
1479 {
1480  unsigned char *p = buf;
1481 
1482  if( ssl->handshake->new_session_ticket == 0 )
1483  {
1484  *olen = 0;
1485  return;
1486  }
1487 
1488  SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1489 
1490  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
1491  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
1492 
1493  *p++ = 0x00;
1494  *p++ = 0x00;
1495 
1496  *olen = 4;
1497 }
1498 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1499 
1500 static void ssl_write_renegotiation_ext( ssl_context *ssl,
1501  unsigned char *buf,
1502  size_t *olen )
1503 {
1504  unsigned char *p = buf;
1505 
1507  {
1508  *olen = 0;
1509  return;
1510  }
1511 
1512  SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1513 
1514  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
1515  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
1516 
1517  *p++ = 0x00;
1518  *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
1519  *p++ = ssl->verify_data_len * 2 & 0xFF;
1520 
1521  memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
1522  p += ssl->verify_data_len;
1523  memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
1524  p += ssl->verify_data_len;
1525 
1526  *olen = 5 + ssl->verify_data_len * 2;
1527 }
1528 
1529 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1530 static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
1531  unsigned char *buf,
1532  size_t *olen )
1533 {
1534  unsigned char *p = buf;
1535 
1537  {
1538  *olen = 0;
1539  return;
1540  }
1541 
1542  SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
1543 
1544  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
1545  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
1546 
1547  *p++ = 0x00;
1548  *p++ = 1;
1549 
1550  *p++ = ssl->session_negotiate->mfl_code;
1551 
1552  *olen = 5;
1553 }
1554 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
1555 
1556 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1557 static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
1558  unsigned char *buf,
1559  size_t *olen )
1560 {
1561  unsigned char *p = buf;
1562  ((void) ssl);
1563 
1564  if( ( ssl->handshake->cli_exts &
1566  {
1567  *olen = 0;
1568  return;
1569  }
1570 
1571  SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
1572 
1573  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
1574  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
1575 
1576  *p++ = 0x00;
1577  *p++ = 2;
1578 
1579  *p++ = 1;
1581 
1582  *olen = 6;
1583 }
1584 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1585 
1586 static int ssl_write_server_hello( ssl_context *ssl )
1587 {
1588 #if defined(POLARSSL_HAVE_TIME)
1589  time_t t;
1590 #endif
1591  int ret;
1592  size_t olen, ext_len = 0, n;
1593  unsigned char *buf, *p;
1594 
1595  SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
1596 
1597  /*
1598  * 0 . 0 handshake type
1599  * 1 . 3 handshake length
1600  * 4 . 5 protocol version
1601  * 6 . 9 UNIX time()
1602  * 10 . 37 random bytes
1603  */
1604  buf = ssl->out_msg;
1605  p = buf + 4;
1606 
1607  *p++ = (unsigned char) ssl->major_ver;
1608  *p++ = (unsigned char) ssl->minor_ver;
1609 
1610  SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
1611  buf[4], buf[5] ) );
1612 
1613 #if defined(POLARSSL_HAVE_TIME)
1614  t = time( NULL );
1615  *p++ = (unsigned char)( t >> 24 );
1616  *p++ = (unsigned char)( t >> 16 );
1617  *p++ = (unsigned char)( t >> 8 );
1618  *p++ = (unsigned char)( t );
1619 
1620  SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
1621 #else
1622  if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
1623  return( ret );
1624 
1625  p += 4;
1626 #endif
1627 
1628  if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
1629  return( ret );
1630 
1631  p += 28;
1632 
1633  memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
1634 
1635  SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
1636 
1637  /*
1638  * Resume is 0 by default, see ssl_handshake_init().
1639  * It may be already set to 1 by ssl_parse_session_ticket_ext().
1640  * If not, try looking up session ID in our cache.
1641  */
1642  if( ssl->handshake->resume == 0 &&
1644  ssl->session_negotiate->length != 0 &&
1645  ssl->f_get_cache != NULL &&
1646  ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
1647  {
1648  ssl->handshake->resume = 1;
1649  }
1650 
1651  if( ssl->handshake->resume == 0 )
1652  {
1653  /*
1654  * New session, create a new session id,
1655  * unless we're about to issue a session ticket
1656  */
1657  ssl->state++;
1658 
1659 #if defined(POLARSSL_HAVE_TIME)
1660  ssl->session_negotiate->start = time( NULL );
1661 #endif
1662 
1663 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1664  if( ssl->handshake->new_session_ticket != 0 )
1665  {
1666  ssl->session_negotiate->length = n = 0;
1667  memset( ssl->session_negotiate->id, 0, 32 );
1668  }
1669  else
1670 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1671  {
1672  ssl->session_negotiate->length = n = 32;
1673  if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
1674  n ) ) != 0 )
1675  return( ret );
1676  }
1677  }
1678  else
1679  {
1680  /*
1681  * Resuming a session
1682  */
1683  n = ssl->session_negotiate->length;
1685 
1686  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1687  {
1688  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1689  return( ret );
1690  }
1691  }
1692 
1693  /*
1694  * 38 . 38 session id length
1695  * 39 . 38+n session id
1696  * 39+n . 40+n chosen ciphersuite
1697  * 41+n . 41+n chosen compression alg.
1698  * 42+n . 43+n extensions length
1699  * 44+n . 43+n+m extensions
1700  */
1701  *p++ = (unsigned char) ssl->session_negotiate->length;
1702  memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
1703  p += ssl->session_negotiate->length;
1704 
1705  SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1706  SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
1707  SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
1708  ssl->handshake->resume ? "a" : "no" ) );
1709 
1710  *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
1711  *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
1712  *p++ = (unsigned char)( ssl->session_negotiate->compression );
1713 
1714  SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
1716  SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
1717  ssl->session_negotiate->compression ) );
1718 
1719  /*
1720  * First write extensions, then the total length
1721  */
1722  ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1723  ext_len += olen;
1724 
1725 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1726  ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1727  ext_len += olen;
1728 #endif
1729 
1730 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1731  ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1732  ext_len += olen;
1733 #endif
1734 
1735 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1736  ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1737  ext_len += olen;
1738 #endif
1739 
1740 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1741  ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1742  ext_len += olen;
1743 #endif
1744 
1745  SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
1746 
1747  *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1748  *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1749  p += ext_len;
1750 
1751  ssl->out_msglen = p - buf;
1753  ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
1754 
1755  ret = ssl_write_record( ssl );
1756 
1757  SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
1758 
1759  return( ret );
1760 }
1761 
1762 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1763  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1764  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
1765  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1766 static int ssl_write_certificate_request( ssl_context *ssl )
1767 {
1769  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1770 
1771  SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1772 
1773  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1774  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1775  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1776  {
1777  SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1778  ssl->state++;
1779  return( 0 );
1780  }
1781 
1782  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
1783  return( ret );
1784 }
1785 #else
1786 static int ssl_write_certificate_request( ssl_context *ssl )
1787 {
1789  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1790  size_t dn_size, total_dn_size; /* excluding length bytes */
1791  size_t ct_len, sa_len; /* including length bytes */
1792  unsigned char *buf, *p;
1793  const x509_crt *crt;
1794 
1795  SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1796 
1797  ssl->state++;
1798 
1799  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1800  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1801  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
1802  ssl->authmode == SSL_VERIFY_NONE )
1803  {
1804  SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1805  return( 0 );
1806  }
1807 
1808  /*
1809  * 0 . 0 handshake type
1810  * 1 . 3 handshake length
1811  * 4 . 4 cert type count
1812  * 5 .. m-1 cert types
1813  * m .. m+1 sig alg length (TLS 1.2 only)
1814  * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
1815  * n .. n+1 length of all DNs
1816  * n+2 .. n+3 length of DN 1
1817  * n+4 .. ... Distinguished Name #1
1818  * ... .. ... length of DN 2, etc.
1819  */
1820  buf = ssl->out_msg;
1821  p = buf + 4;
1822 
1823  /*
1824  * Supported certificate types
1825  *
1826  * ClientCertificateType certificate_types<1..2^8-1>;
1827  * enum { (255) } ClientCertificateType;
1828  */
1829  ct_len = 0;
1830 
1831 #if defined(POLARSSL_RSA_C)
1832  p[1 + ct_len++] = SSL_CERT_TYPE_RSA_SIGN;
1833 #endif
1834 #if defined(POLARSSL_ECDSA_C)
1835  p[1 + ct_len++] = SSL_CERT_TYPE_ECDSA_SIGN;
1836 #endif
1837 
1838  p[0] = (unsigned char) ct_len++;
1839  p += ct_len;
1840 
1841  sa_len = 0;
1842 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1843  /*
1844  * Add signature_algorithms for verify (TLS 1.2)
1845  *
1846  * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
1847  *
1848  * struct {
1849  * HashAlgorithm hash;
1850  * SignatureAlgorithm signature;
1851  * } SignatureAndHashAlgorithm;
1852  *
1853  * enum { (255) } HashAlgorithm;
1854  * enum { (255) } SignatureAlgorithm;
1855  */
1856  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1857  {
1858  /*
1859  * Only use current running hash algorithm that is already required
1860  * for requested ciphersuite.
1861  */
1863 
1866  {
1868  }
1869 
1870  /*
1871  * Supported signature algorithms
1872  */
1873 #if defined(POLARSSL_RSA_C)
1874  p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
1875  p[2 + sa_len++] = SSL_SIG_RSA;
1876 #endif
1877 #if defined(POLARSSL_ECDSA_C)
1878  p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
1879  p[2 + sa_len++] = SSL_SIG_ECDSA;
1880 #endif
1881 
1882  p[0] = (unsigned char)( sa_len >> 8 );
1883  p[1] = (unsigned char)( sa_len );
1884  sa_len += 2;
1885  p += sa_len;
1886  }
1887 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1888 
1889  /*
1890  * DistinguishedName certificate_authorities<0..2^16-1>;
1891  * opaque DistinguishedName<1..2^16-1>;
1892  */
1893  p += 2;
1894  crt = ssl->ca_chain;
1895 
1896  total_dn_size = 0;
1897  while( crt != NULL )
1898  {
1899  if( p - buf > 4096 )
1900  break;
1901 
1902  dn_size = crt->subject_raw.len;
1903  *p++ = (unsigned char)( dn_size >> 8 );
1904  *p++ = (unsigned char)( dn_size );
1905  memcpy( p, crt->subject_raw.p, dn_size );
1906  p += dn_size;
1907 
1908  SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
1909 
1910  total_dn_size += 2 + dn_size;
1911  crt = crt->next;
1912  }
1913 
1914  ssl->out_msglen = p - buf;
1917  ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
1918  ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
1919 
1920  ret = ssl_write_record( ssl );
1921 
1922  SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
1923 
1924  return( ret );
1925 }
1926 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
1927  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
1928  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
1929 
1930 static int ssl_write_server_key_exchange( ssl_context *ssl )
1931 {
1932  int ret;
1933  size_t n = 0;
1934  const ssl_ciphersuite_t *ciphersuite_info =
1936 
1937 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1938  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
1939  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1940  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1941  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1942  unsigned char *p = ssl->out_msg + 4;
1943  unsigned char *dig_signed = p;
1944  size_t dig_signed_len = 0, len;
1945  ((void) dig_signed);
1946  ((void) dig_signed_len);
1947 #endif
1948 
1949  SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
1950 
1951  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ||
1952  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1953  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
1954  {
1955  SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
1956  ssl->state++;
1957  return( 0 );
1958  }
1959 
1960 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
1961  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1962  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1963  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1964  {
1965  /* TODO: Support identity hints */
1966  *(p++) = 0x00;
1967  *(p++) = 0x00;
1968 
1969  n += 2;
1970  }
1971 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED ||
1972  POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
1973 
1974 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1975  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1976  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1977  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1978  {
1979  /*
1980  * Ephemeral DH parameters:
1981  *
1982  * struct {
1983  * opaque dh_p<1..2^16-1>;
1984  * opaque dh_g<1..2^16-1>;
1985  * opaque dh_Ys<1..2^16-1>;
1986  * } ServerDHParams;
1987  */
1988  if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
1989  ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
1990  {
1991  SSL_DEBUG_RET( 1, "mpi_copy", ret );
1992  return( ret );
1993  }
1994 
1995  if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
1996  (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
1997  p,
1998  &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
1999  {
2000  SSL_DEBUG_RET( 1, "dhm_make_params", ret );
2001  return( ret );
2002  }
2003 
2004  dig_signed = p;
2005  dig_signed_len = len;
2006 
2007  p += len;
2008  n += len;
2009 
2010  SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
2011  SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2012  SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2013  SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
2014  }
2015 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2016  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2017 
2018 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2019  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2020  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2021 
2022  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2023  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
2024  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2025  {
2026  /*
2027  * Ephemeral ECDH parameters:
2028  *
2029  * struct {
2030  * ECParameters curve_params;
2031  * ECPoint public;
2032  * } ServerECDHParams;
2033  */
2034  if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
2035  ssl->handshake->curves[0]->grp_id ) ) != 0 )
2036  {
2037  SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
2038  return( ret );
2039  }
2040 
2041  SSL_DEBUG_MSG( 2, ( "ECDH curve size: %d",
2042  (int) ssl->handshake->ecdh_ctx.grp.nbits ) );
2043 
2044  if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
2045  p, SSL_MAX_CONTENT_LEN - n,
2046  ssl->f_rng, ssl->p_rng ) ) != 0 )
2047  {
2048  SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
2049  return( ret );
2050  }
2051 
2052  dig_signed = p;
2053  dig_signed_len = len;
2054 
2055  p += len;
2056  n += len;
2057 
2058  SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
2059  }
2060 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2061  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2062  POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2063 
2064 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2065  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2066  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2067  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
2068  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2069  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
2070  {
2071  size_t signature_len = 0;
2072  unsigned int hashlen = 0;
2073  unsigned char hash[64];
2074  md_type_t md_alg = POLARSSL_MD_NONE;
2075 
2076  /*
2077  * Choose hash algorithm. NONE means MD5 + SHA1 here.
2078  */
2079 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2080  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2081  {
2082  md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg );
2083 
2084  if( md_alg == POLARSSL_MD_NONE )
2085  {
2086  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2088  }
2089  }
2090  else
2091 #endif
2092 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2093  defined(POLARSSL_SSL_PROTO_TLS1_1)
2094  if ( ciphersuite_info->key_exchange ==
2096  {
2097  md_alg = POLARSSL_MD_SHA1;
2098  }
2099  else
2100 #endif
2101  {
2102  md_alg = POLARSSL_MD_NONE;
2103  }
2104 
2105  /*
2106  * Compute the hash to be signed
2107  */
2108 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2109  defined(POLARSSL_SSL_PROTO_TLS1_1)
2110  if( md_alg == POLARSSL_MD_NONE )
2111  {
2112  md5_context md5;
2114 
2115  /*
2116  * digitally-signed struct {
2117  * opaque md5_hash[16];
2118  * opaque sha_hash[20];
2119  * };
2120  *
2121  * md5_hash
2122  * MD5(ClientHello.random + ServerHello.random
2123  * + ServerParams);
2124  * sha_hash
2125  * SHA(ClientHello.random + ServerHello.random
2126  * + ServerParams);
2127  */
2128  md5_starts( &md5 );
2129  md5_update( &md5, ssl->handshake->randbytes, 64 );
2130  md5_update( &md5, dig_signed, dig_signed_len );
2131  md5_finish( &md5, hash );
2132 
2133  sha1_starts( &sha1 );
2134  sha1_update( &sha1, ssl->handshake->randbytes, 64 );
2135  sha1_update( &sha1, dig_signed, dig_signed_len );
2136  sha1_finish( &sha1, hash + 16 );
2137 
2138  hashlen = 36;
2139  }
2140  else
2141 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
2142  POLARSSL_SSL_PROTO_TLS1_1 */
2143 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2144  defined(POLARSSL_SSL_PROTO_TLS1_2)
2145  if( md_alg != POLARSSL_MD_NONE )
2146  {
2147  md_context_t ctx;
2148 
2149  /* Info from md_alg will be used instead */
2150  hashlen = 0;
2151 
2152  /*
2153  * digitally-signed struct {
2154  * opaque client_random[32];
2155  * opaque server_random[32];
2156  * ServerDHParams params;
2157  * };
2158  */
2159  if( ( ret = md_init_ctx( &ctx, md_info_from_type(md_alg) ) ) != 0 )
2160  {
2161  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
2162  return( ret );
2163  }
2164 
2165  md_starts( &ctx );
2166  md_update( &ctx, ssl->handshake->randbytes, 64 );
2167  md_update( &ctx, dig_signed, dig_signed_len );
2168  md_finish( &ctx, hash );
2169 
2170  if( ( ret = md_free_ctx( &ctx ) ) != 0 )
2171  {
2172  SSL_DEBUG_RET( 1, "md_free_ctx", ret );
2173  return( ret );
2174  }
2175 
2176  }
2177  else
2178 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2179  POLARSSL_SSL_PROTO_TLS1_2 */
2180  {
2181  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2183  }
2184 
2185  SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
2186  (unsigned int) ( md_info_from_type( md_alg ) )->size );
2187 
2188  /*
2189  * Make the signature
2190  */
2191  if( ssl_own_key( ssl ) == NULL )
2192  {
2193  SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2195  }
2196 
2197 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2198  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2199  {
2200  *(p++) = ssl->handshake->sig_alg;
2201  *(p++) = ssl_sig_from_pk( ssl_own_key( ssl ) );
2202 
2203  n += 2;
2204  }
2205 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2206 
2207  if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash, hashlen,
2208  p + 2 , &signature_len,
2209  ssl->f_rng, ssl->p_rng ) ) != 0 )
2210  {
2211  SSL_DEBUG_RET( 1, "pk_sign", ret );
2212  return( ret );
2213  }
2214 
2215  *(p++) = (unsigned char)( signature_len >> 8 );
2216  *(p++) = (unsigned char)( signature_len );
2217  n += 2;
2218 
2219  SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
2220 
2221  p += signature_len;
2222  n += signature_len;
2223  }
2224 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
2225  POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2226  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2227 
2228  ssl->out_msglen = 4 + n;
2231 
2232  ssl->state++;
2233 
2234  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2235  {
2236  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2237  return( ret );
2238  }
2239 
2240  SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
2241 
2242  return( 0 );
2243 }
2244 
2245 static int ssl_write_server_hello_done( ssl_context *ssl )
2246 {
2247  int ret;
2248 
2249  SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
2250 
2251  ssl->out_msglen = 4;
2254 
2255  ssl->state++;
2256 
2257  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2258  {
2259  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2260  return( ret );
2261  }
2262 
2263  SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
2264 
2265  return( 0 );
2266 }
2267 
2268 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2269  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2270 static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
2271  const unsigned char *end )
2272 {
2274  size_t n;
2275 
2276  /*
2277  * Receive G^Y mod P, premaster = (G^Y)^X mod P
2278  */
2279  if( *p + 2 > end )
2280  {
2281  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2283  }
2284 
2285  n = ( (*p)[0] << 8 ) | (*p)[1];
2286  *p += 2;
2287 
2288  if( n < 1 || n > ssl->handshake->dhm_ctx.len || *p + n > end )
2289  {
2290  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2292  }
2293 
2294  if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx,
2295  *p, n ) ) != 0 )
2296  {
2297  SSL_DEBUG_RET( 1, "dhm_read_public", ret );
2299  }
2300 
2301  SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2302 
2303  return( ret );
2304 }
2305 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2306  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2307 
2308 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
2309  defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2310 static int ssl_parse_encrypted_pms( ssl_context *ssl,
2311  const unsigned char *p,
2312  const unsigned char *end,
2313  size_t pms_offset )
2314 {
2315  int ret;
2316  size_t len = pk_get_len( ssl_own_key( ssl ) );
2317  unsigned char *pms = ssl->handshake->premaster + pms_offset;
2318 
2319  if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) )
2320  {
2321  SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
2323  }
2324 
2325  /*
2326  * Decrypt the premaster using own private RSA key
2327  */
2328 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2329  defined(POLARSSL_SSL_PROTO_TLS1_2)
2330  if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
2331  {
2332  if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
2333  *p++ != ( ( len ) & 0xFF ) )
2334  {
2335  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2337  }
2338  }
2339 #endif
2340 
2341  if( p + len != end )
2342  {
2343  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2345  }
2346 
2347  ret = pk_decrypt( ssl_own_key( ssl ), p, len,
2348  pms, &ssl->handshake->pmslen,
2349  sizeof(ssl->handshake->premaster),
2350  ssl->f_rng, ssl->p_rng );
2351 
2352  if( ret != 0 || ssl->handshake->pmslen != 48 ||
2353  pms[0] != ssl->handshake->max_major_ver ||
2354  pms[1] != ssl->handshake->max_minor_ver )
2355  {
2356  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2357 
2358  /*
2359  * Protection against Bleichenbacher's attack:
2360  * invalid PKCS#1 v1.5 padding must not cause
2361  * the connection to end immediately; instead,
2362  * send a bad_record_mac later in the handshake.
2363  */
2364  ssl->handshake->pmslen = 48;
2365 
2366  ret = ssl->f_rng( ssl->p_rng, pms, ssl->handshake->pmslen );
2367  if( ret != 0 )
2368  return( ret );
2369  }
2370 
2371  return( ret );
2372 }
2373 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED ||
2374  POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
2375 
2376 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
2377 static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
2378  const unsigned char *end )
2379 {
2380  int ret = 0;
2381  size_t n;
2382 
2383  if( ssl->f_psk == NULL &&
2384  ( ssl->psk == NULL || ssl->psk_identity == NULL ||
2385  ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
2386  {
2387  SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
2389  }
2390 
2391  /*
2392  * Receive client pre-shared key identity name
2393  */
2394  if( *p + 2 > end )
2395  {
2396  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2398  }
2399 
2400  n = ( (*p)[0] << 8 ) | (*p)[1];
2401  *p += 2;
2402 
2403  if( n < 1 || n > 65535 || *p + n > end )
2404  {
2405  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2407  }
2408 
2409  if( ssl->f_psk != NULL )
2410  {
2411  if( ( ret != ssl->f_psk( ssl->p_psk, ssl, *p, n ) ) != 0 )
2413  }
2414 
2415  if( ret == 0 )
2416  {
2417  /* Identity is not a big secret since clients send it in the clear,
2418  * but treat it carefully anyway, just in case */
2419  if( n != ssl->psk_identity_len ||
2420  safer_memcmp( ssl->psk_identity, *p, n ) != 0 )
2421  {
2423  }
2424  }
2425 
2427  {
2428  SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
2429  if( ( ret = ssl_send_alert_message( ssl,
2432  {
2433  return( ret );
2434  }
2435 
2437  }
2438 
2439  *p += n;
2440  ret = 0;
2441 
2442  return( ret );
2443 }
2444 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
2445 
2446 static int ssl_parse_client_key_exchange( ssl_context *ssl )
2447 {
2448  int ret;
2449  const ssl_ciphersuite_t *ciphersuite_info;
2450 
2451  ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2452 
2453  SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
2454 
2455  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2456  {
2457  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2458  return( ret );
2459  }
2460 
2461  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2462  {
2463  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2465  }
2466 
2467  if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
2468  {
2469  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2471  }
2472 
2473 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
2474  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
2475  {
2476  unsigned char *p = ssl->in_msg + 4;
2477  unsigned char *end = ssl->in_msg + ssl->in_msglen;
2478 
2479  if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2480  {
2481  SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2482  return( ret );
2483  }
2484 
2485  ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
2486 
2487  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2488  ssl->handshake->premaster,
2489  &ssl->handshake->pmslen,
2490  ssl->f_rng, ssl->p_rng ) ) != 0 )
2491  {
2492  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2494  }
2495 
2496  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2497  }
2498  else
2499 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
2500 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2501  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2502  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2503  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
2504  {
2505  size_t n = ssl->in_msg[3];
2506 
2507  if( n < 1 || n > mpi_size( &ssl->handshake->ecdh_ctx.grp.P ) * 2 + 2 ||
2508  n + 4 != ssl->in_hslen )
2509  {
2510  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2512  }
2513 
2514  if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2515  ssl->in_msg + 4, n ) ) != 0 )
2516  {
2517  SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2519  }
2520 
2521  SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2522 
2523  if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2524  &ssl->handshake->pmslen,
2525  ssl->handshake->premaster,
2527  ssl->f_rng, ssl->p_rng ) ) != 0 )
2528  {
2529  SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
2531  }
2532 
2533  SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
2534  }
2535  else
2536 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2537  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2538 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2539  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
2540  {
2541  unsigned char *p = ssl->in_msg + 4;
2542  unsigned char *end = ssl->in_msg + ssl->in_msglen;
2543 
2544  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2545  {
2546  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2547  return( ret );
2548  }
2549 
2550  if( ( ret = ssl_psk_derive_premaster( ssl,
2551  ciphersuite_info->key_exchange ) ) != 0 )
2552  {
2553  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2554  return( ret );
2555  }
2556  }
2557  else
2558 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
2559 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2560  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
2561  {
2562  unsigned char *p = ssl->in_msg + 4;
2563  unsigned char *end = ssl->in_msg + ssl->in_msglen;
2564 
2565  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2566  {
2567  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2568  return( ret );
2569  }
2570 
2571  if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
2572  {
2573  SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
2574  return( ret );
2575  }
2576 
2577  if( ( ret = ssl_psk_derive_premaster( ssl,
2578  ciphersuite_info->key_exchange ) ) != 0 )
2579  {
2580  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2581  return( ret );
2582  }
2583  }
2584  else
2585 #endif /* POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
2586 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2587  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2588  {
2589  unsigned char *p = ssl->in_msg + 4;
2590  unsigned char *end = ssl->in_msg + ssl->in_msglen;
2591 
2592  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2593  {
2594  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2595  return( ret );
2596  }
2597  if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2598  {
2599  SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2600  return( ret );
2601  }
2602 
2603  if( ( ret = ssl_psk_derive_premaster( ssl,
2604  ciphersuite_info->key_exchange ) ) != 0 )
2605  {
2606  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2607  return( ret );
2608  }
2609  }
2610  else
2611 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2612 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2613  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2614  {
2615  unsigned char *p = ssl->in_msg + 4;
2616  unsigned char *end = ssl->in_msg + ssl->in_msglen;
2617 
2618  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2619  {
2620  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2621  return( ret );
2622  }
2623 
2624  if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2625  p, end - p ) ) != 0 )
2626  {
2627  SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2629  }
2630 
2631  SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2632 
2633  if( ( ret = ssl_psk_derive_premaster( ssl,
2634  ciphersuite_info->key_exchange ) ) != 0 )
2635  {
2636  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2637  return( ret );
2638  }
2639  }
2640  else
2641 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2642 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2643  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
2644  {
2645  if( ( ret = ssl_parse_encrypted_pms( ssl,
2646  ssl->in_msg + 4,
2647  ssl->in_msg + ssl->in_msglen,
2648  0 ) ) != 0 )
2649  {
2650  SSL_DEBUG_RET( 1, ( "ssl_parse_parse_ecrypted_pms_secret" ), ret );
2651  return( ret );
2652  }
2653  }
2654  else
2655 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2656  {
2657  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2659  }
2660 
2661  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2662  {
2663  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2664  return( ret );
2665  }
2666 
2667  ssl->state++;
2668 
2669  SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
2670 
2671  return( 0 );
2672 }
2673 
2674 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2675  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2676  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2677  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2678 static int ssl_parse_certificate_verify( ssl_context *ssl )
2679 {
2681  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2682 
2683  SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2684 
2685  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2686  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2687  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2688  {
2689  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2690  ssl->state++;
2691  return( 0 );
2692  }
2693 
2694  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
2695  return( ret );
2696 }
2697 #else
2698 static int ssl_parse_certificate_verify( ssl_context *ssl )
2699 {
2701  size_t sa_len, sig_len;
2702  unsigned char hash[48];
2703  unsigned char *hash_start = hash;
2704  size_t hashlen;
2705 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2706  pk_type_t pk_alg;
2707 #endif
2708  md_type_t md_alg;
2709  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2710 
2711  SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2712 
2713  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2714  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2715  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2716  {
2717  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2718  ssl->state++;
2719  return( 0 );
2720  }
2721 
2722  if( ssl->session_negotiate->peer_cert == NULL )
2723  {
2724  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2725  ssl->state++;
2726  return( 0 );
2727  }
2728 
2729  ssl->handshake->calc_verify( ssl, hash );
2730 
2731  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2732  {
2733  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2734  return( ret );
2735  }
2736 
2737  ssl->state++;
2738 
2739  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2740  {
2741  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
2743  }
2744 
2745  if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
2746  {
2747  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
2749  }
2750 
2751  /*
2752  * 0 . 0 handshake type
2753  * 1 . 3 handshake length
2754  * 4 . 5 sig alg (TLS 1.2 only)
2755  * 4+n . 5+n signature length (n = sa_len)
2756  * 6+n . 6+n+m signature (m = sig_len)
2757  */
2758 
2759 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2760  defined(POLARSSL_SSL_PROTO_TLS1_1)
2761  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
2762  {
2763  sa_len = 0;
2764 
2765  md_alg = POLARSSL_MD_NONE;
2766  hashlen = 36;
2767 
2768  /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
2769  if( pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2770  POLARSSL_PK_ECDSA ) )
2771  {
2772  hash_start += 16;
2773  hashlen -= 16;
2774  md_alg = POLARSSL_MD_SHA1;
2775  }
2776  }
2777  else
2778 #endif
2779 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2780  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2781  {
2782  sa_len = 2;
2783 
2784  /*
2785  * Hash
2786  */
2787  if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg )
2788  {
2789  SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
2790  " for verify message" ) );
2792  }
2793 
2794  md_alg = ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg );
2795 
2796  /* Info from md_alg will be used instead */
2797  hashlen = 0;
2798 
2799  /*
2800  * Signature
2801  */
2802  if( ( pk_alg = ssl_pk_alg_from_sig( ssl->in_msg[5] ) )
2803  == POLARSSL_PK_NONE )
2804  {
2805  SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
2806  " for verify message" ) );
2808  }
2809 
2810  /*
2811  * Check the certificate's key type matches the signature alg
2812  */
2813  if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
2814  {
2815  SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
2817  }
2818  }
2819  else
2820 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2821  {
2822  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2824  }
2825 
2826  sig_len = ( ssl->in_msg[4 + sa_len] << 8 ) | ssl->in_msg[5 + sa_len];
2827 
2828  if( sa_len + sig_len + 6 != ssl->in_hslen )
2829  {
2830  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
2832  }
2833 
2834  if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
2835  md_alg, hash_start, hashlen,
2836  ssl->in_msg + 6 + sa_len, sig_len ) ) != 0 )
2837  {
2838  SSL_DEBUG_RET( 1, "pk_verify", ret );
2839  return( ret );
2840  }
2841 
2842  SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
2843 
2844  return( ret );
2845 }
2846 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2847  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2848  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2849 
2850 #if defined(POLARSSL_SSL_SESSION_TICKETS)
2851 static int ssl_write_new_session_ticket( ssl_context *ssl )
2852 {
2853  int ret;
2854  size_t tlen;
2855  uint32_t lifetime = (uint32_t) ssl->ticket_lifetime;
2856 
2857  SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
2858 
2861 
2862  /*
2863  * struct {
2864  * uint32 ticket_lifetime_hint;
2865  * opaque ticket<0..2^16-1>;
2866  * } NewSessionTicket;
2867  *
2868  * 4 . 7 ticket_lifetime_hint (0 = unspecified)
2869  * 8 . 9 ticket_len (n)
2870  * 10 . 9+n ticket content
2871  */
2872 
2873  ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
2874  ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
2875  ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
2876  ssl->out_msg[7] = ( lifetime ) & 0xFF;
2877 
2878  if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
2879  {
2880  SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
2881  tlen = 0;
2882  }
2883 
2884  ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
2885  ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
2886 
2887  ssl->out_msglen = 10 + tlen;
2888 
2889  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2890  {
2891  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2892  return( ret );
2893  }
2894 
2895  /* No need to remember writing a NewSessionTicket any more */
2896  ssl->handshake->new_session_ticket = 0;
2897 
2898  SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
2899 
2900  return( 0 );
2901 }
2902 #endif /* POLARSSL_SSL_SESSION_TICKETS */
2903 
2904 /*
2905  * SSL handshake -- server side -- single step
2906  */
2908 {
2909  int ret = 0;
2910 
2911  if( ssl->state == SSL_HANDSHAKE_OVER )
2913 
2914  SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
2915 
2916  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2917  return( ret );
2918 
2919  switch( ssl->state )
2920  {
2921  case SSL_HELLO_REQUEST:
2922  ssl->state = SSL_CLIENT_HELLO;
2923  break;
2924 
2925  /*
2926  * <== ClientHello
2927  */
2928  case SSL_CLIENT_HELLO:
2929  ret = ssl_parse_client_hello( ssl );
2930  break;
2931 
2932  /*
2933  * ==> ServerHello
2934  * Certificate
2935  * ( ServerKeyExchange )
2936  * ( CertificateRequest )
2937  * ServerHelloDone
2938  */
2939  case SSL_SERVER_HELLO:
2940  ret = ssl_write_server_hello( ssl );
2941  break;
2942 
2944  ret = ssl_write_certificate( ssl );
2945  break;
2946 
2948  ret = ssl_write_server_key_exchange( ssl );
2949  break;
2950 
2952  ret = ssl_write_certificate_request( ssl );
2953  break;
2954 
2955  case SSL_SERVER_HELLO_DONE:
2956  ret = ssl_write_server_hello_done( ssl );
2957  break;
2958 
2959  /*
2960  * <== ( Certificate/Alert )
2961  * ClientKeyExchange
2962  * ( CertificateVerify )
2963  * ChangeCipherSpec
2964  * Finished
2965  */
2967  ret = ssl_parse_certificate( ssl );
2968  break;
2969 
2971  ret = ssl_parse_client_key_exchange( ssl );
2972  break;
2973 
2975  ret = ssl_parse_certificate_verify( ssl );
2976  break;
2977 
2979  ret = ssl_parse_change_cipher_spec( ssl );
2980  break;
2981 
2982  case SSL_CLIENT_FINISHED:
2983  ret = ssl_parse_finished( ssl );
2984  break;
2985 
2986  /*
2987  * ==> ( NewSessionTicket )
2988  * ChangeCipherSpec
2989  * Finished
2990  */
2992 #if defined(POLARSSL_SSL_SESSION_TICKETS)
2993  if( ssl->handshake->new_session_ticket != 0 )
2994  ret = ssl_write_new_session_ticket( ssl );
2995  else
2996 #endif
2997  ret = ssl_write_change_cipher_spec( ssl );
2998  break;
2999 
3000  case SSL_SERVER_FINISHED:
3001  ret = ssl_write_finished( ssl );
3002  break;
3003 
3004  case SSL_FLUSH_BUFFERS:
3005  SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3006  ssl->state = SSL_HANDSHAKE_WRAPUP;
3007  break;
3008 
3009  case SSL_HANDSHAKE_WRAPUP:
3010  ssl_handshake_wrapup( ssl );
3011  break;
3012 
3013  default:
3014  SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3016  }
3017 
3018  return( ret );
3019 }
3020 #endif
const ecp_curve_info ** curves
Definition: ssl.h:511
#define SSL_HS_CLIENT_KEY_EXCHANGE
Definition: ssl.h:326
#define SSL_CERT_TYPE_ECDSA_SIGN
Definition: ssl.h:276
int ssl_ciphersuite_uses_ec(const ssl_ciphersuite_t *info)
int ecdh_make_params(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Setup and write the ServerKeyExhange parameters.
#define SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:287
size_t length
Definition: ssl.h:428
int ciphersuite
Definition: ssl.h:426
mpi P
Definition: dhm.h:146
static size_t pk_get_len(const pk_context *ctx)
Get the length in bytes of the underlying key.
Definition: pk.h:264
size_t in_hslen
Definition: ssl.h:673
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:611
#define TLS_EXT_SERVERNAME_HOSTNAME
Definition: ssl.h:333
Memory allocation layer.
int major_ver
Definition: ssl.h:600
#define SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:41
ecp_group_id grp_id
Definition: ecp.h:79
SHA-1 context structure.
Definition: sha1.h:54
void *(* polarssl_malloc)(size_t len)
int compression
Definition: ssl.h:427
#define POLARSSL_ECP_PF_COMPRESSED
Compressed point format.
Definition: ecp.h:175
pk_type_t ssl_pk_alg_from_sig(unsigned char sig)
int state
Definition: ssl.h:597
#define POLARSSL_MPI_MAX_SIZE
Maximum number of bytes for usable MPIs.
Definition: bignum.h:87
int ecdh_calc_secret(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret.
char peer_verify_data[36]
Definition: ssl.h:762
#define SSL_HS_CLIENT_HELLO
Definition: ssl.h:318
x509_buf raw
The raw certificate data (DER).
Definition: x509_crt.h:55
Debug functions.
int(* f_sni)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:627
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
void(* calc_verify)(ssl_context *, unsigned char *)
Definition: ssl.h:544
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
int md_starts(md_context_t *ctx)
Set-up the given context for a new message digest.
#define SSL_HS_SERVER_KEY_EXCHANGE
Definition: ssl.h:322
void * p_psk
Definition: ssl.h:638
#define TLS_EXT_TRUNCATED_HMAC
Definition: ssl.h:337
Elliptic curves over GF(p)
int ecdh_read_public(ecdh_context *ctx, const unsigned char *buf, size_t blen)
Parse and import the client&#39;s public value.
#define SSL_HS_NEW_SESSION_TICKET
Definition: ssl.h:320
#define SSL_HASH_SHA1
Definition: ssl.h:261
ssl_session * session_negotiate
Definition: ssl.h:647
int ssl_parse_certificate(ssl_context *ssl)
mpi P
Definition: ecp.h:120
ssl_key_cert * key_cert
Definition: ssl.h:700
ssl_key_cert * sni_key_cert
Definition: ssl.h:522
size_t out_msglen
Definition: ssl.h:686
mpi GX
Definition: dhm.h:149
#define SSL_SESSION_TICKETS_DISABLED
Definition: ssl.h:221
#define SSL_SIG_RSA
Definition: ssl.h:268
int ticket_lifetime
Definition: ssl.h:729
const int * ciphersuite_list[4]
Definition: ssl.h:723
int ssl_parse_finished(ssl_context *ssl)
void * p_rng
Definition: ssl.h:618
void sha256_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = HMAC-SHA-256( hmac key, input buffer )
int md_init_ctx(md_context_t *ctx, const md_info_t *md_info)
Initialises and fills the message digest context structure with the appropriate values.
int pk_decrypt(pk_context *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, size_t osize, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Decrypt message.
mpi dhm_P
Definition: ssl.h:733
#define AES_DECRYPT
Definition: aes.h:42
#define SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY
Definition: ssl.h:315
#define SSL_RENEGOTIATION
Definition: ssl.h:203
unsigned char premaster[POLARSSL_PREMASTER_SIZE]
Definition: ssl.h:553
void ssl_session_free(ssl_session *session)
Free referenced items in an SSL session including the peer certificate and clear memory.
int x509_crt_parse(x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one or more certificates and add them to the chained list.
#define POLARSSL_ECP_PF_UNCOMPRESSED
Uncompressed point format.
Definition: ecp.h:174
int ssl_write_finished(ssl_context *ssl)
void x509_crt_free(x509_crt *crt)
Unallocate all certificate data.
Configuration options (set of defines)
#define SSL_DEBUG_MSG(level, args)
Definition: debug.h:38
size_t psk_identity_len
Definition: ssl.h:744
unsigned char * out_ctr
Definition: ssl.h:680
mpi X
Definition: dhm.h:148
#define SSL_TRUNC_HMAC_ENABLED
Definition: ssl.h:218
void ssl_handshake_wrapup(ssl_context *ssl)
char own_verify_data[36]
Definition: ssl.h:761
#define SSL_SIG_ECDSA
Definition: ssl.h:269
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
size_t in_msglen
Definition: ssl.h:670
unsigned char * in_hdr
Definition: ssl.h:664
int secure_renegotiation
Definition: ssl.h:758
time_t start
Definition: ssl.h:424
#define pk_ec(pk)
Quick access to an EC context inside a PK context.
Definition: pk.h:79
#define SSL_HASH_MD5
Definition: ssl.h:260
int ssl_handshake_server_step(ssl_context *ssl)
#define SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:213
unsigned char mac_key[16]
Definition: ssl.h:575
#define SSL_MAJOR_VERSION_3
Definition: ssl.h:140
size_t psk_len
Definition: ssl.h:742
unsigned char id[32]
Definition: ssl.h:429
#define POLARSSL_ERR_SSL_INVALID_MAC
Verification of the message MAC failed.
Definition: ssl.h:99
pk_type_t ssl_get_ciphersuite_sig_pk_alg(const ssl_ciphersuite_t *info)
const ssl_ciphersuite_t * ciphersuite_info
Definition: ssl.h:461
unsigned char * psk
Definition: ssl.h:741
size_t len
Definition: dhm.h:145
struct _x509_crt * next
Next certificate in the CA-chain.
Definition: x509_crt.h:93
#define POLARSSL_ECP_DP_MAX
Number of supported curves (plus one for NONE)
Definition: ecp.h:72
ecp_point Qp
Definition: ecdh.h:44
md_type_t
Definition: md.h:51
#define TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT
Definition: ssl.h:353
int max_minor_ver
Definition: ssl.h:604
const md_info_t * md_info_from_type(md_type_t md_type)
Returns the message digest information associated with the given digest type.
#define TLS_EXT_SIG_ALG
Definition: ssl.h:342
#define SSL_HS_CERTIFICATE_REQUEST
Definition: ssl.h:323
#define SSL_CERT_TYPE_RSA_SIGN
Definition: ssl.h:275
ssl_handshake_params * handshake
Definition: ssl.h:649
#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE
Our own certificate(s) is/are too large to send in an SSL message.
Definition: ssl.h:106
#define SSL_MSG_HANDSHAKE
Definition: ssl.h:283
void(* update_checksum)(ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:543
int ssl_write_certificate(ssl_context *ssl)
#define SSL_ALERT_MSG_PROTOCOL_VERSION
Definition: ssl.h:308
#define SSL_TRUNC_HMAC_DISABLED
Definition: ssl.h:217
int in_msgtype
Definition: ssl.h:669
Container for an X.509 certificate.
Definition: x509_crt.h:53
size_t verify_data_len
Definition: ssl.h:760
mpi dhm_G
Definition: ssl.h:734
#define SSL_ALERT_MSG_UNRECOGNIZED_NAME
Definition: ssl.h:314
mpi G
Definition: dhm.h:147
int point_format
Definition: ecdh.h:46
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS
Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret...
Definition: ssl.h:122
int min_minor_ver
Definition: ssl.h:606
int aes_crypt_cbc(aes_context *ctx, int mode, size_t length, unsigned char iv[16], const unsigned char *input, unsigned char *output)
AES-CBC buffer encryption/decryption Length should be a multiple of the block size (16 bytes) ...
unsigned char * out_msg
Definition: ssl.h:683
struct _ssl_session ssl_session
Definition: ssl.h:407
#define SSL_MINOR_VERSION_0
Definition: ssl.h:141
int pk_verify(pk_context *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len)
Verify signature.
#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION
Handshake protocol not within min/max boundaries.
Definition: ssl.h:130
ssl_key_cert * key_cert
Current key/cert or key/cert list.
Definition: ssl.h:520
ecdh_context ecdh_ctx
Definition: ssl.h:508
#define SSL_HS_SERVER_HELLO_DONE
Definition: ssl.h:324
void x509_crt_init(x509_crt *crt)
Initialize a certificate (chain)
void(* polarssl_free)(void *ptr)
unsigned char * p
ASN1 data, e.g.
Definition: asn1.h:120
key_exchange_type_t key_exchange
int new_session_ticket
Definition: ssl.h:562
mpi GY
Definition: dhm.h:150
int trunc_hmac
Definition: ssl.h:448
Curve information for use by other modules.
Definition: ecp.h:77
int pk_can_do(pk_context *ctx, pk_type_t type)
Tell if a context can do the operation given by type.
void * p_get_cache
Definition: ssl.h:622
void md5_starts(md5_context *ctx)
MD5 context setup.
unsigned char ssl_sig_from_pk(pk_context *pk)
int authmode
Definition: ssl.h:718
int ssl_flush_output(ssl_context *ssl)
int ssl_ciphersuite_uses_psk(const ssl_ciphersuite_t *info)
#define POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED
Session ticket has expired.
Definition: ssl.h:132
#define TLS_EXT_SESSION_TICKET
Definition: ssl.h:344
#define SSL_HS_SERVER_HELLO
Definition: ssl.h:319
#define SSL_COMPRESS_DEFLATE
Definition: ssl.h:196
unsigned char * in_msg
Definition: ssl.h:666
aes_context dec
Definition: ssl.h:574
mpi z
Definition: ecdh.h:45
#define SSL_MINOR_VERSION_3
Definition: ssl.h:144
mpi K
Definition: dhm.h:151
MD5 context structure.
Definition: md5.h:54
#define TLS_EXT_RENEGOTIATION_INFO
Definition: ssl.h:346
pk_type_t
Public key types.
Definition: pk.h:90
aes_context enc
Definition: ssl.h:573
int ssl_parse_change_cipher_spec(ssl_context *ssl)
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
int minor_ver
Definition: ssl.h:601
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO
Processing of the ClientHello handshake message failed.
Definition: ssl.h:114
#define SSL_EMPTY_RENEGOTIATION_INFO
renegotiation info ext
Definition: ssl.h:253
This structure is used for storing ciphersuite information.
#define SSL_HASH_SHA256
Definition: ssl.h:263
int ecp_use_known_dp(ecp_group *grp, ecp_group_id index)
Set a group using well-known domain parameters.
#define SSL_VERIFY_NONE
Definition: ssl.h:198
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:44
#define AES_ENCRYPT
Definition: aes.h:41
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
Processing of the ClientKeyExchange handshake message failed.
Definition: ssl.h:120
#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED
The own private key or pre-shared key is not set, but needed.
Definition: ssl.h:108
#define SSL_INITIAL_HANDSHAKE
Definition: ssl.h:202
size_t in_left
Definition: ssl.h:671
pk_context * key
Definition: ssl.h:586
int session_tickets
Definition: ssl.h:728
int allow_legacy_renegotiation
Definition: ssl.h:722
#define SSL_COMPRESS_NULL
Definition: ssl.h:195
const ssl_ciphersuite_t * ssl_ciphersuite_from_id(int ciphersuite_id)
int ssl_read_record(ssl_context *ssl)
size_t len
ASN1 length, e.g.
Definition: asn1.h:119
ecp_group_id
Domain parameters (curve, subgroup and generator) identifiers.
Definition: ecp.h:56
int out_msgtype
Definition: ssl.h:685
#define SSL_MAX_FRAG_LEN_INVALID
Definition: ssl.h:191
#define TLS_EXT_MAX_FRAGMENT_LENGTH
Definition: ssl.h:335
size_t nbits
Definition: ecp.h:126
#define SSL_MAX_FRAG_LEN_NONE
Definition: ssl.h:186
#define SSL_HS_CERTIFICATE_VERIFY
Definition: ssl.h:325
#define TLS_EXT_SERVERNAME
Definition: ssl.h:332
int pk_sign(pk_context *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, unsigned char *sig, size_t *sig_len, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Make signature.
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP
Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public.
Definition: ssl.h:121
#define SSL_DEBUG_MPI(level, text, X)
Definition: debug.h:48
size_t mpi_size(const mpi *X)
Return the total size in bytes.
int mpi_copy(mpi *X, const mpi *Y)
Copy the contents of Y into X.
#define SSL_LEGACY_BREAK_HANDSHAKE
Definition: ssl.h:215
int min_major_ver
Definition: ssl.h:605
pk_context pk
Container for the public key context.
Definition: x509_crt.h:71
ssl_transform * transform_negotiate
Definition: ssl.h:658
#define SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:207
#define SSL_HASH_SHA224
Definition: ssl.h:262
#define SSL_SECURE_RENEGOTIATION
Definition: ssl.h:208
SSL/TLS functions.
#define POLARSSL_ERR_SSL_UNKNOWN_IDENTITY
Unkown identity received (eg, PSK identity)
Definition: ssl.h:134
#define POLARSSL_ERR_SSL_MALLOC_FAILED
Memory allocation failed.
Definition: ssl.h:126
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
#define TLS_EXT_SUPPORTED_POINT_FORMATS
Definition: ssl.h:340
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
int ssl_write_change_cipher_spec(ssl_context *ssl)
int(* f_get_cache)(void *, ssl_session *)
Definition: ssl.h:615
#define SSL_DEBUG_ECP(level, text, X)
Definition: debug.h:53
int ssl_derive_keys(ssl_context *ssl)
static pk_context * ssl_own_key(ssl_context *ssl)
Definition: ssl.h:1560
int md_finish(md_context_t *ctx, unsigned char *output)
Generic message digest final digest.
unsigned char mfl_code
Definition: ssl.h:444
const ecp_curve_info * ecp_curve_info_from_tls_id(uint16_t tls_id)
Get curve information from a TLS NamedCurve value.
int ssl_psk_derive_premaster(ssl_context *ssl, key_exchange_type_t key_ex)
int renegotiation
Definition: ssl.h:598
dhm_context dhm_ctx
Definition: ssl.h:505
static int safer_memcmp(const void *a, const void *b, size_t n)
Definition: ssl.h:1574
int md_free_ctx(md_context_t *ctx)
Free the message-specific context of ctx.
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
ssl_ticket_keys * ticket_keys
Definition: ssl.h:711
#define SSL_MAX_CONTENT_LEN
Size of the input / output buffer.
Definition: ssl.h:236
unsigned char * psk_identity
Definition: ssl.h:743
const char * ssl_get_ciphersuite_name(const int ciphersuite_id)
Return the name of the ciphersuite associated with the given ID.
unsigned char key_name[16]
Definition: ssl.h:572
#define TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
Definition: ssl.h:339
ssl_key_cert * next
Definition: ssl.h:588
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition: ssl.h:97
x509_buf subject_raw
The raw subject data (DER).
Definition: x509_crt.h:63
x509_crt * ca_chain
Definition: ssl.h:702
int md_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic message digest process buffer.
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition: ssl.h:98
#define SSL_HASH_SHA512
Definition: ssl.h:265
#define SSL_HASH_SHA384
Definition: ssl.h:264
int ssl_fetch_input(ssl_context *ssl, size_t nb_want)
int dhm_make_params(dhm_context *ctx, int x_size, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Setup and write the ServerKeyExchange parameters.
int(* f_psk)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:637
int ssl_write_record(ssl_context *ssl)
Public key container.
Definition: pk.h:177
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
Processing of the CertificateVerify handshake message failed.
Definition: ssl.h:123
int dhm_read_public(dhm_context *ctx, const unsigned char *input, size_t ilen)
Import the peer&#39;s public value G^Y.
unsigned char randbytes[64]
Definition: ssl.h:552
ecp_group grp
Definition: ecdh.h:41
Generic message digest context.
Definition: md.h:129
#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN
The server has no ciphersuites in common with the client.
Definition: ssl.h:103
void ssl_optimize_checksum(ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info)
ecp_point Q
Definition: ecdh.h:43
x509_crt * peer_cert
Definition: ssl.h:433
md_type_t ssl_md_alg_from_hash(unsigned char hash)
void * p_sni
Definition: ssl.h:628
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret (G^Y)^X mod P.