PolarSSL v1.3.2
ssl_cli.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 client-side functions
3  *
4  * Copyright (C) 2006-2013, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 #include "polarssl/config.h"
27 
28 #if defined(POLARSSL_SSL_CLI_C)
29 
30 #include "polarssl/debug.h"
31 #include "polarssl/ssl.h"
32 
33 #if defined(POLARSSL_MEMORY_C)
34 #include "polarssl/memory.h"
35 #else
36 #define polarssl_malloc malloc
37 #define polarssl_free free
38 #endif
39 
40 #include <stdlib.h>
41 #include <stdio.h>
42 
43 #if defined(_MSC_VER) && !defined(EFIX64) && !defined(EFI32)
44 #include <basetsd.h>
45 typedef UINT32 uint32_t;
46 #else
47 #include <inttypes.h>
48 #endif
49 
50 #if defined(POLARSSL_HAVE_TIME)
51 #include <time.h>
52 #endif
53 
54 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
55 static void ssl_write_hostname_ext( ssl_context *ssl,
56  unsigned char *buf,
57  size_t *olen )
58 {
59  unsigned char *p = buf;
60 
61  *olen = 0;
62 
63  if ( ssl->hostname == NULL )
64  return;
65 
66  SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
67  ssl->hostname ) );
68 
69  /*
70  * struct {
71  * NameType name_type;
72  * select (name_type) {
73  * case host_name: HostName;
74  * } name;
75  * } ServerName;
76  *
77  * enum {
78  * host_name(0), (255)
79  * } NameType;
80  *
81  * opaque HostName<1..2^16-1>;
82  *
83  * struct {
84  * ServerName server_name_list<1..2^16-1>
85  * } ServerNameList;
86  */
87  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
88  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME ) & 0xFF );
89 
90  *p++ = (unsigned char)( ( (ssl->hostname_len + 5) >> 8 ) & 0xFF );
91  *p++ = (unsigned char)( ( (ssl->hostname_len + 5) ) & 0xFF );
92 
93  *p++ = (unsigned char)( ( (ssl->hostname_len + 3) >> 8 ) & 0xFF );
94  *p++ = (unsigned char)( ( (ssl->hostname_len + 3) ) & 0xFF );
95 
96  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
97  *p++ = (unsigned char)( ( ssl->hostname_len >> 8 ) & 0xFF );
98  *p++ = (unsigned char)( ( ssl->hostname_len ) & 0xFF );
99 
100  memcpy( p, ssl->hostname, ssl->hostname_len );
101 
102  *olen = ssl->hostname_len + 9;
103 }
104 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
105 
106 static void ssl_write_renegotiation_ext( ssl_context *ssl,
107  unsigned char *buf,
108  size_t *olen )
109 {
110  unsigned char *p = buf;
111 
112  *olen = 0;
113 
114  if( ssl->renegotiation != SSL_RENEGOTIATION )
115  return;
116 
117  SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
118 
119  /*
120  * Secure renegotiation
121  */
122  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
123  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
124 
125  *p++ = 0x00;
126  *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
127  *p++ = ssl->verify_data_len & 0xFF;
128 
129  memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
130 
131  *olen = 5 + ssl->verify_data_len;
132 }
133 
134 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
135 static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
136  unsigned char *buf,
137  size_t *olen )
138 {
139  unsigned char *p = buf;
140  unsigned char *sig_alg_list = buf + 6;
141  size_t sig_alg_len = 0;
142 
143  *olen = 0;
144 
145  if( ssl->max_minor_ver != SSL_MINOR_VERSION_3 )
146  return;
147 
148  SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
149 
150  /*
151  * Prepare signature_algorithms extension (TLS 1.2)
152  */
153 #if defined(POLARSSL_RSA_C)
154 #if defined(POLARSSL_SHA512_C)
155  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
156  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
157  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
158  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
159 #endif
160 #if defined(POLARSSL_SHA256_C)
161  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
162  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
163  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
164  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
165 #endif
166 #if defined(POLARSSL_SHA1_C)
167  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
168  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
169 #endif
170 #if defined(POLARSSL_MD5_C)
171  sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
172  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
173 #endif
174 #endif /* POLARSSL_RSA_C */
175 #if defined(POLARSSL_ECDSA_C)
176 #if defined(POLARSSL_SHA512_C)
177  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
178  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
179  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
180  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
181 #endif
182 #if defined(POLARSSL_SHA256_C)
183  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
184  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
185  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
186  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
187 #endif
188 #if defined(POLARSSL_SHA1_C)
189  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
190  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
191 #endif
192 #if defined(POLARSSL_MD5_C)
193  sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
194  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
195 #endif
196 #endif /* POLARSSL_ECDSA_C */
197 
198  /*
199  * enum {
200  * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
201  * sha512(6), (255)
202  * } HashAlgorithm;
203  *
204  * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
205  * SignatureAlgorithm;
206  *
207  * struct {
208  * HashAlgorithm hash;
209  * SignatureAlgorithm signature;
210  * } SignatureAndHashAlgorithm;
211  *
212  * SignatureAndHashAlgorithm
213  * supported_signature_algorithms<2..2^16-2>;
214  */
215  *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
216  *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG ) & 0xFF );
217 
218  *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
219  *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
220 
221  *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
222  *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
223 
224  *olen = 6 + sig_alg_len;
225 }
226 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
227 
228 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
229 static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
230  unsigned char *buf,
231  size_t *olen )
232 {
233  unsigned char *p = buf;
234  unsigned char elliptic_curve_list[20];
235  size_t elliptic_curve_len = 0;
236  const ecp_curve_info *curve;
237  ((void) ssl);
238 
239  *olen = 0;
240 
241  SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
242 
243  for( curve = ecp_curve_list();
244  curve->grp_id != POLARSSL_ECP_DP_NONE;
245  curve++ )
246  {
247  elliptic_curve_list[elliptic_curve_len++] = curve->tls_id >> 8;
248  elliptic_curve_list[elliptic_curve_len++] = curve->tls_id & 0xFF;
249  }
250 
251  if( elliptic_curve_len == 0 )
252  return;
253 
254  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
255  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
256 
257  *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
258  *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
259 
260  *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
261  *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
262 
263  memcpy( p, elliptic_curve_list, elliptic_curve_len );
264 
265  *olen = 6 + elliptic_curve_len;
266 }
267 
268 static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
269  unsigned char *buf,
270  size_t *olen )
271 {
272  unsigned char *p = buf;
273  ((void) ssl);
274 
275  *olen = 0;
276 
277  SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
278 
279  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
280  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
281 
282  *p++ = 0x00;
283  *p++ = 2;
284 
285  *p++ = 1;
287 
288  *olen = 6;
289 }
290 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
291 
292 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
293 static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
294  unsigned char *buf,
295  size_t *olen )
296 {
297  unsigned char *p = buf;
298 
299  if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ) {
300  *olen = 0;
301  return;
302  }
303 
304  SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
305 
306  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
307  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
308 
309  *p++ = 0x00;
310  *p++ = 1;
311 
312  *p++ = ssl->mfl_code;
313 
314  *olen = 5;
315 }
316 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
317 
318 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
319 static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
320  unsigned char *buf, size_t *olen )
321 {
322  unsigned char *p = buf;
323 
324  if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
325  {
326  *olen = 0;
327  return;
328  }
329 
330  SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
331 
332  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
333  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
334 
335  *p++ = 0x00;
336  *p++ = 0x00;
337 
338  *olen = 4;
339 }
340 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
341 
342 #if defined(POLARSSL_SSL_SESSION_TICKETS)
343 static void ssl_write_session_ticket_ext( ssl_context *ssl,
344  unsigned char *buf, size_t *olen )
345 {
346  unsigned char *p = buf;
347  size_t tlen = ssl->session_negotiate->ticket_len;
348 
350  {
351  *olen = 0;
352  return;
353  }
354 
355  SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
356 
357  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
358  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
359 
360  *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
361  *p++ = (unsigned char)( ( tlen ) & 0xFF );
362 
363  *olen = 4;
364 
365  if( ssl->session_negotiate->ticket == NULL ||
366  ssl->session_negotiate->ticket_len == 0 )
367  {
368  return;
369  }
370 
371  SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
372 
373  memcpy( p, ssl->session_negotiate->ticket, tlen );
374 
375  *olen += tlen;
376 }
377 #endif /* POLARSSL_SSL_SESSION_TICKETS */
378 
379 static int ssl_write_client_hello( ssl_context *ssl )
380 {
381  int ret;
382  size_t i, n, olen, ext_len = 0;
383  unsigned char *buf;
384  unsigned char *p, *q;
385 #if defined(POLARSSL_HAVE_TIME)
386  time_t t;
387 #endif
388  const int *ciphersuites;
389  const ssl_ciphersuite_t *ciphersuite_info;
390 
391  SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
392 
394  {
395  ssl->major_ver = ssl->min_major_ver;
396  ssl->minor_ver = ssl->min_minor_ver;
397  }
398 
399  if( ssl->max_major_ver == 0 && ssl->max_minor_ver == 0 )
400  {
403  }
404 
405  /*
406  * 0 . 0 handshake type
407  * 1 . 3 handshake length
408  * 4 . 5 highest version supported
409  * 6 . 9 current UNIX time
410  * 10 . 37 random bytes
411  */
412  buf = ssl->out_msg;
413  p = buf + 4;
414 
415  *p++ = (unsigned char) ssl->max_major_ver;
416  *p++ = (unsigned char) ssl->max_minor_ver;
417 
418  SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
419  buf[4], buf[5] ) );
420 
421 #if defined(POLARSSL_HAVE_TIME)
422  t = time( NULL );
423  *p++ = (unsigned char)( t >> 24 );
424  *p++ = (unsigned char)( t >> 16 );
425  *p++ = (unsigned char)( t >> 8 );
426  *p++ = (unsigned char)( t );
427 
428  SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
429 #else
430  if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
431  return( ret );
432 
433  p += 4;
434 #endif
435 
436  if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
437  return( ret );
438 
439  p += 28;
440 
441  memcpy( ssl->handshake->randbytes, buf + 6, 32 );
442 
443  SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 6, 32 );
444 
445  /*
446  * 38 . 38 session id length
447  * 39 . 39+n session id
448  * 40+n . 41+n ciphersuitelist length
449  * 42+n . .. ciphersuitelist
450  * .. . .. compression methods length
451  * .. . .. compression methods
452  * .. . .. extensions length
453  * .. . .. extensions
454  */
455  n = ssl->session_negotiate->length;
456 
457  if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE || n < 16 || n > 32 ||
458  ssl->handshake->resume == 0 )
459  {
460  n = 0;
461  }
462 
463 #if defined(POLARSSL_SSL_SESSION_TICKETS)
464  /*
465  * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
466  * generate and include a Session ID in the TLS ClientHello."
467  */
468  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
469  ssl->session_negotiate->ticket != NULL &&
470  ssl->session_negotiate->ticket_len != 0 )
471  {
472  ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );
473 
474  if( ret != 0 )
475  return( ret );
476 
477  ssl->session_negotiate->length = n = 32;
478  }
479 #endif /* POLARSSL_SSL_SESSION_TICKETS */
480 
481  *p++ = (unsigned char) n;
482 
483  for( i = 0; i < n; i++ )
484  *p++ = ssl->session_negotiate->id[i];
485 
486  SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
487  SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
488 
489  ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
490  n = 0;
491  q = p;
492 
493  // Skip writing ciphersuite length for now
494  p += 2;
495 
496  /*
497  * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
498  */
500  {
501  *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
502  *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO );
503  n++;
504  }
505 
506  for( i = 0; ciphersuites[i] != 0; i++ )
507  {
508  ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
509 
510  if( ciphersuite_info == NULL )
511  continue;
512 
513  if( ciphersuite_info->min_minor_ver > ssl->max_minor_ver ||
514  ciphersuite_info->max_minor_ver < ssl->min_minor_ver )
515  continue;
516 
517  SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
518  ciphersuites[i] ) );
519 
520  n++;
521  *p++ = (unsigned char)( ciphersuites[i] >> 8 );
522  *p++ = (unsigned char)( ciphersuites[i] );
523  }
524 
525  *q++ = (unsigned char)( n >> 7 );
526  *q++ = (unsigned char)( n << 1 );
527 
528  SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
529 
530 
531 #if defined(POLARSSL_ZLIB_SUPPORT)
532  SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
533  SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
535 
536  *p++ = 2;
537  *p++ = SSL_COMPRESS_DEFLATE;
538  *p++ = SSL_COMPRESS_NULL;
539 #else
540  SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
541  SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", SSL_COMPRESS_NULL ) );
542 
543  *p++ = 1;
544  *p++ = SSL_COMPRESS_NULL;
545 #endif
546 
547  // First write extensions, then the total length
548  //
549 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
550  ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
551  ext_len += olen;
552 #endif
553 
554  ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
555  ext_len += olen;
556 
557 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
558  ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
559  ext_len += olen;
560 #endif
561 
562 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
563  ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
564  ext_len += olen;
565 
566  ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
567  ext_len += olen;
568 #endif
569 
570 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
571  ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
572  ext_len += olen;
573 #endif
574 
575 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
576  ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
577  ext_len += olen;
578 #endif
579 
580 #if defined(POLARSSL_SSL_SESSION_TICKETS)
581  ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
582  ext_len += olen;
583 #endif
584 
585  SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
586  ext_len ) );
587 
588  *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
589  *p++ = (unsigned char)( ( ext_len ) & 0xFF );
590  p += ext_len;
591 
592  ssl->out_msglen = p - buf;
594  ssl->out_msg[0] = SSL_HS_CLIENT_HELLO;
595 
596  ssl->state++;
597 
598  if( ( ret = ssl_write_record( ssl ) ) != 0 )
599  {
600  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
601  return( ret );
602  }
603 
604  SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
605 
606  return( 0 );
607 }
608 
609 static int ssl_parse_renegotiation_info( ssl_context *ssl,
610  const unsigned char *buf,
611  size_t len )
612 {
613  int ret;
614 
616  {
617  if( len != 1 || buf[0] != 0x0 )
618  {
619  SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
620 
621  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
622  return( ret );
623 
625  }
626 
628  }
629  else
630  {
631  /* Check verify-data in constant-time. The length OTOH is no secret */
632  if( len != 1 + ssl->verify_data_len * 2 ||
633  buf[0] != ssl->verify_data_len * 2 ||
634  safer_memcmp( buf + 1,
635  ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
636  safer_memcmp( buf + 1 + ssl->verify_data_len,
637  ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
638  {
639  SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
640 
641  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
642  return( ret );
643 
645  }
646  }
647 
648  return( 0 );
649 }
650 
651 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
652 static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
653  const unsigned char *buf,
654  size_t len )
655 {
656  /*
657  * server should use the extension only if we did,
658  * and if so the server's value should match ours (and len is always 1)
659  */
660  if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ||
661  len != 1 ||
662  buf[0] != ssl->mfl_code )
663  {
665  }
666 
667  return( 0 );
668 }
669 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
670 
671 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
672 static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
673  const unsigned char *buf,
674  size_t len )
675 {
676  if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED ||
677  len != 0 )
678  {
680  }
681 
682  ((void) buf);
683 
685 
686  return( 0 );
687 }
688 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
689 
690 #if defined(POLARSSL_SSL_SESSION_TICKETS)
691 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
692  const unsigned char *buf,
693  size_t len )
694 {
696  len != 0 )
697  {
699  }
700 
701  ((void) buf);
702 
703  ssl->handshake->new_session_ticket = 1;
704 
705  return( 0 );
706 }
707 #endif /* POLARSSL_SSL_SESSION_TICKETS */
708 
709 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
710 static int ssl_parse_supported_point_formats_ext( ssl_context *ssl,
711  const unsigned char *buf,
712  size_t len )
713 {
714  size_t list_size;
715  const unsigned char *p;
716 
717  list_size = buf[0];
718  if( list_size + 1 != len )
719  {
720  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
722  }
723 
724  p = buf + 2;
725  while( list_size > 0 )
726  {
727  if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
729  {
730  ssl->handshake->ecdh_ctx.point_format = p[0];
731  SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
732  return( 0 );
733  }
734 
735  list_size--;
736  p++;
737  }
738 
739  return( 0 );
740 }
741 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
742 
743 static int ssl_parse_server_hello( ssl_context *ssl )
744 {
745  int ret, i, comp;
746  size_t n;
747  size_t ext_len = 0;
748  unsigned char *buf, *ext;
749  int renegotiation_info_seen = 0;
750  int handshake_failure = 0;
751 #if defined(POLARSSL_DEBUG_C)
752  uint32_t t;
753 #endif
754 
755  SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
756 
757  /*
758  * 0 . 0 handshake type
759  * 1 . 3 handshake length
760  * 4 . 5 protocol version
761  * 6 . 9 UNIX time()
762  * 10 . 37 random bytes
763  */
764  buf = ssl->in_msg;
765 
766  if( ( ret = ssl_read_record( ssl ) ) != 0 )
767  {
768  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
769  return( ret );
770  }
771 
772  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
773  {
774  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
776  }
777 
778  SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
779  buf[4], buf[5] ) );
780 
781  if( ssl->in_hslen < 42 ||
782  buf[0] != SSL_HS_SERVER_HELLO ||
783  buf[4] != SSL_MAJOR_VERSION_3 )
784  {
785  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
787  }
788 
789  if( buf[5] > ssl->max_minor_ver )
790  {
791  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
793  }
794 
795  ssl->minor_ver = buf[5];
796 
797  if( ssl->minor_ver < ssl->min_minor_ver )
798  {
799  SSL_DEBUG_MSG( 1, ( "server only supports ssl smaller than minimum"
800  " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
801  buf[4], buf[5] ) );
802 
805 
807  }
808 
809 #if defined(POLARSSL_DEBUG_C)
810  t = ( (uint32_t) buf[6] << 24 )
811  | ( (uint32_t) buf[7] << 16 )
812  | ( (uint32_t) buf[8] << 8 )
813  | ( (uint32_t) buf[9] );
814  SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
815 #endif
816 
817  memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
818 
819  n = buf[38];
820 
821  SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
822 
823  if( n > 32 )
824  {
825  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
827  }
828 
829  /*
830  * 38 . 38 session id length
831  * 39 . 38+n session id
832  * 39+n . 40+n chosen ciphersuite
833  * 41+n . 41+n chosen compression alg.
834  * 42+n . 43+n extensions length
835  * 44+n . 44+n+m extensions
836  */
837  if( ssl->in_hslen > 42 + n )
838  {
839  ext_len = ( ( buf[42 + n] << 8 )
840  | ( buf[43 + n] ) );
841 
842  if( ( ext_len > 0 && ext_len < 4 ) ||
843  ssl->in_hslen != 44 + n + ext_len )
844  {
845  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
847  }
848  }
849 
850  i = ( buf[39 + n] << 8 ) | buf[40 + n];
851  comp = buf[41 + n];
852 
853  /*
854  * Initialize update checksum functions
855  */
858 
859  if( ssl->transform_negotiate->ciphersuite_info == NULL )
860  {
861  SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
862  ssl->ciphersuite_list[ssl->minor_ver][i] ) );
864  }
865 
866  SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
867  SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
868 
869  /*
870  * Check if the session can be resumed
871  */
872  if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
873  ssl->handshake->resume == 0 || n == 0 ||
874  ssl->session_negotiate->ciphersuite != i ||
875  ssl->session_negotiate->compression != comp ||
876  ssl->session_negotiate->length != n ||
877  memcmp( ssl->session_negotiate->id, buf + 39, n ) != 0 )
878  {
879  ssl->state++;
880  ssl->handshake->resume = 0;
881 #if defined(POLARSSL_HAVE_TIME)
882  ssl->session_negotiate->start = time( NULL );
883 #endif
884  ssl->session_negotiate->ciphersuite = i;
885  ssl->session_negotiate->compression = comp;
886  ssl->session_negotiate->length = n;
887  memcpy( ssl->session_negotiate->id, buf + 39, n );
888  }
889  else
890  {
892 
893  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
894  {
895  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
896  return( ret );
897  }
898  }
899 
900  SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
901  ssl->handshake->resume ? "a" : "no" ) );
902 
903  SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) );
904  SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) );
905 
906  i = 0;
907  while( 1 )
908  {
909  if( ssl->ciphersuite_list[ssl->minor_ver][i] == 0 )
910  {
911  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
913  }
914 
915  if( ssl->ciphersuite_list[ssl->minor_ver][i++] ==
917  {
918  break;
919  }
920  }
921 
922  if( comp != SSL_COMPRESS_NULL
923 #if defined(POLARSSL_ZLIB_SUPPORT)
924  && comp != SSL_COMPRESS_DEFLATE
925 #endif
926  )
927  {
928  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
930  }
931  ssl->session_negotiate->compression = comp;
932 
933  ext = buf + 44 + n;
934 
935  SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
936 
937  while( ext_len )
938  {
939  unsigned int ext_id = ( ( ext[0] << 8 )
940  | ( ext[1] ) );
941  unsigned int ext_size = ( ( ext[2] << 8 )
942  | ( ext[3] ) );
943 
944  if( ext_size + 4 > ext_len )
945  {
946  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
948  }
949 
950  switch( ext_id )
951  {
953  SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
954  renegotiation_info_seen = 1;
955 
956  if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ) ) != 0 )
957  return( ret );
958 
959  break;
960 
961 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
963  SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
964 
965  if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
966  ext + 4, ext_size ) ) != 0 )
967  {
968  return( ret );
969  }
970 
971  break;
972 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
973 
974 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
976  SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
977 
978  if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
979  ext + 4, ext_size ) ) != 0 )
980  {
981  return( ret );
982  }
983 
984  break;
985 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
986 
987 #if defined(POLARSSL_SSL_SESSION_TICKETS)
989  SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
990 
991  if( ( ret = ssl_parse_session_ticket_ext( ssl,
992  ext + 4, ext_size ) ) != 0 )
993  {
994  return( ret );
995  }
996 
997  break;
998 #endif /* POLARSSL_SSL_SESSION_TICKETS */
999 
1000 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1002  SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
1003 
1004  if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
1005  ext + 4, ext_size ) ) != 0 )
1006  {
1007  return( ret );
1008  }
1009 
1010  break;
1011 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1012 
1013  default:
1014  SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1015  ext_id ) );
1016  }
1017 
1018  ext_len -= 4 + ext_size;
1019  ext += 4 + ext_size;
1020 
1021  if( ext_len > 0 && ext_len < 4 )
1022  {
1023  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1025  }
1026  }
1027 
1028  /*
1029  * Renegotiation security checks
1030  */
1033  {
1034  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1035  handshake_failure = 1;
1036  }
1037  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1039  renegotiation_info_seen == 0 )
1040  {
1041  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1042  handshake_failure = 1;
1043  }
1044  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1047  {
1048  SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1049  handshake_failure = 1;
1050  }
1051  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1053  renegotiation_info_seen == 1 )
1054  {
1055  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1056  handshake_failure = 1;
1057  }
1058 
1059  if( handshake_failure == 1 )
1060  {
1061  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1062  return( ret );
1063 
1065  }
1066 
1067  SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
1068 
1069  return( 0 );
1070 }
1071 
1072 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1073  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1074 static int ssl_parse_server_dh_params( ssl_context *ssl, unsigned char **p,
1075  unsigned char *end )
1076 {
1078 
1079  /*
1080  * Ephemeral DH parameters:
1081  *
1082  * struct {
1083  * opaque dh_p<1..2^16-1>;
1084  * opaque dh_g<1..2^16-1>;
1085  * opaque dh_Ys<1..2^16-1>;
1086  * } ServerDHParams;
1087  */
1088  if( ( ret = dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
1089  {
1090  SSL_DEBUG_RET( 2, ( "dhm_read_params" ), ret );
1091  return( ret );
1092  }
1093 
1094  if( ssl->handshake->dhm_ctx.len < 64 ||
1095  ssl->handshake->dhm_ctx.len > 512 )
1096  {
1097  SSL_DEBUG_MSG( 1, ( "bad server key exchange message (DHM length)" ) );
1099  }
1100 
1101  SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1102  SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1103  SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
1104 
1105  return( ret );
1106 }
1107 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1108  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1109 
1110 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1111  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1112  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1113 static int ssl_parse_server_ecdh_params( ssl_context *ssl,
1114  unsigned char **p,
1115  unsigned char *end )
1116 {
1118 
1119  /*
1120  * Ephemeral ECDH parameters:
1121  *
1122  * struct {
1123  * ECParameters curve_params;
1124  * ECPoint public;
1125  * } ServerECDHParams;
1126  */
1127  if( ( ret = ecdh_read_params( &ssl->handshake->ecdh_ctx,
1128  (const unsigned char **) p, end ) ) != 0 )
1129  {
1130  SSL_DEBUG_RET( 1, ( "ecdh_read_params" ), ret );
1131  return( ret );
1132  }
1133 
1134  SSL_DEBUG_MSG( 2, ( "ECDH curve size: %d",
1135  (int) ssl->handshake->ecdh_ctx.grp.nbits ) );
1136 
1137  if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
1138  ssl->handshake->ecdh_ctx.grp.nbits > 521 )
1139  {
1140  SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDH length)" ) );
1142  }
1143 
1144  SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp );
1145 
1146  return( ret );
1147 }
1148 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1149  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1150  POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
1151 
1152 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
1153 static int ssl_parse_server_psk_hint( ssl_context *ssl,
1154  unsigned char **p,
1155  unsigned char *end )
1156 {
1158  size_t len;
1159  ((void) ssl);
1160 
1161  /*
1162  * PSK parameters:
1163  *
1164  * opaque psk_identity_hint<0..2^16-1>;
1165  */
1166  len = (*p)[0] << 8 | (*p)[1];
1167  *p += 2;
1168 
1169  if( (*p) + len > end )
1170  {
1171  SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) );
1173  }
1174 
1175  // TODO: Retrieve PSK identity hint and callback to app
1176  //
1177  *p += len;
1178  ret = 0;
1179 
1180  return( ret );
1181 }
1182 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
1183 
1184 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
1185  defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
1186 /*
1187  * Generate a pre-master secret and encrypt it with the server's RSA key
1188  */
1189 static int ssl_write_encrypted_pms( ssl_context *ssl,
1190  size_t offset, size_t *olen,
1191  size_t pms_offset )
1192 {
1193  int ret;
1194  size_t len_bytes = ssl->minor_ver == SSL_MINOR_VERSION_0 ? 0 : 2;
1195  unsigned char *p = ssl->handshake->premaster + pms_offset;
1196 
1197  /*
1198  * Generate (part of) the pre-master as
1199  * struct {
1200  * ProtocolVersion client_version;
1201  * opaque random[46];
1202  * } PreMasterSecret;
1203  */
1204  p[0] = (unsigned char) ssl->max_major_ver;
1205  p[1] = (unsigned char) ssl->max_minor_ver;
1206 
1207  if( ( ret = ssl->f_rng( ssl->p_rng, p + 2, 46 ) ) != 0 )
1208  {
1209  SSL_DEBUG_RET( 1, "f_rng", ret );
1210  return( ret );
1211  }
1212 
1213  ssl->handshake->pmslen = 48;
1214 
1215  /*
1216  * Now write it out, encrypted
1217  */
1218  if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
1219  POLARSSL_PK_RSA ) )
1220  {
1221  SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
1223  }
1224 
1225  if( ( ret = pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
1226  p, ssl->handshake->pmslen,
1227  ssl->out_msg + offset + len_bytes, olen,
1228  SSL_MAX_CONTENT_LEN - offset - len_bytes,
1229  ssl->f_rng, ssl->p_rng ) ) != 0 )
1230  {
1231  SSL_DEBUG_RET( 1, "rsa_pkcs1_encrypt", ret );
1232  return( ret );
1233  }
1234 
1235 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1236  defined(POLARSSL_SSL_PROTO_TLS1_2)
1237  if( len_bytes == 2 )
1238  {
1239  ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
1240  ssl->out_msg[offset+1] = (unsigned char)( *olen );
1241  *olen += 2;
1242  }
1243 #endif
1244 
1245  return( 0 );
1246 }
1247 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED ||
1248  POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
1249 
1250 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1251 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1252  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1253  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1254 static int ssl_parse_signature_algorithm( ssl_context *ssl,
1255  unsigned char **p,
1256  unsigned char *end,
1257  md_type_t *md_alg,
1258  pk_type_t *pk_alg )
1259 {
1260  ((void) ssl);
1261  *md_alg = POLARSSL_MD_NONE;
1262  *pk_alg = POLARSSL_PK_NONE;
1263 
1264  /* Only in TLS 1.2 */
1265  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
1266  {
1267  return( 0 );
1268  }
1269 
1270  if( (*p) + 2 > end )
1272 
1273  /*
1274  * Get hash algorithm
1275  */
1276  if( ( *md_alg = ssl_md_alg_from_hash( (*p)[0] ) ) == POLARSSL_MD_NONE )
1277  {
1278  SSL_DEBUG_MSG( 2, ( "Server used unsupported "
1279  "HashAlgorithm %d", *(p)[0] ) );
1281  }
1282 
1283  /*
1284  * Get signature algorithm
1285  */
1286  if( ( *pk_alg = ssl_pk_alg_from_sig( (*p)[1] ) ) == POLARSSL_PK_NONE )
1287  {
1288  SSL_DEBUG_MSG( 2, ( "server used unsupported "
1289  "SignatureAlgorithm %d", (*p)[1] ) );
1291  }
1292 
1293  SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
1294  SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
1295  *p += 2;
1296 
1297  return( 0 );
1298 }
1299 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1300  POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1301  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1302 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1303 
1304 static int ssl_parse_server_key_exchange( ssl_context *ssl )
1305 {
1306  int ret;
1307  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1308  unsigned char *p, *end;
1309 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1310  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1311  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1312  size_t sig_len, params_len;
1313  unsigned char hash[64];
1314  md_type_t md_alg = POLARSSL_MD_NONE;
1315  size_t hashlen;
1316  pk_type_t pk_alg = POLARSSL_PK_NONE;
1317 #endif
1318 
1319  SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
1320 
1321 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
1322  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
1323  {
1324  SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
1325  ssl->state++;
1326  return( 0 );
1327  }
1328  ((void) p);
1329  ((void) end);
1330 #endif
1331 
1332  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1333  {
1334  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1335  return( ret );
1336  }
1337 
1338  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1339  {
1340  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1342  }
1343 
1344  /*
1345  * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
1346  * doesn't use a psk_identity_hint
1347  */
1348  if( ssl->in_msg[0] != SSL_HS_SERVER_KEY_EXCHANGE )
1349  {
1350  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1351  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
1352  {
1353  ssl->record_read = 1;
1354  goto exit;
1355  }
1356 
1357  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1359  }
1360 
1361  p = ssl->in_msg + 4;
1362  end = ssl->in_msg + ssl->in_hslen;
1363  SSL_DEBUG_BUF( 3, "server key exchange", p, ssl->in_hslen - 4 );
1364 
1365 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
1366  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1367  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1368  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1369  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1370  {
1371  if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
1372  {
1373  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1375  }
1376  } /* FALLTROUGH */
1377 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
1378 
1379 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
1380  defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
1381  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1382  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
1383  ; /* nothing more to do */
1384  else
1385 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED ||
1386  POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
1387 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1388  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1389  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1390  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1391  {
1392  if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
1393  {
1394  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1396  }
1397  }
1398  else
1399 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1400  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1401 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1402  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1403  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1404  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
1405  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
1406  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
1407  {
1408  if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
1409  {
1410  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1412  }
1413  }
1414  else
1415 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1416  POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1417  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1418  {
1419  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1421  }
1422 
1423 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1424  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1425  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1426  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1427  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
1428  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
1429  {
1430  params_len = p - ( ssl->in_msg + 4 );
1431 
1432  /*
1433  * Handle the digitally-signed structure
1434  */
1435 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1436  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1437  {
1438  if( ssl_parse_signature_algorithm( ssl, &p, end,
1439  &md_alg, &pk_alg ) != 0 )
1440  {
1441  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1443  }
1444 
1445  if( pk_alg != ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
1446  {
1447  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1449  }
1450  }
1451  else
1452 #endif
1453 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
1454  defined(POLARSSL_SSL_PROTO_TLS1_1)
1455  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
1456  {
1457  pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
1458 
1459  /* Default hash for ECDSA is SHA-1 */
1460  if( pk_alg == POLARSSL_PK_ECDSA && md_alg == POLARSSL_MD_NONE )
1461  md_alg = POLARSSL_MD_SHA1;
1462  }
1463  else
1464 #endif
1465  {
1466  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1468  }
1469 
1470  /*
1471  * Read signature
1472  */
1473  sig_len = ( p[0] << 8 ) | p[1];
1474  p += 2;
1475 
1476  if( end != p + sig_len )
1477  {
1478  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1480  }
1481 
1482  SSL_DEBUG_BUF( 3, "signature", p, sig_len );
1483 
1484  /*
1485  * Compute the hash that has been signed
1486  */
1487 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
1488  defined(POLARSSL_SSL_PROTO_TLS1_1)
1489  if( md_alg == POLARSSL_MD_NONE )
1490  {
1491  md5_context md5;
1493 
1494  hashlen = 36;
1495 
1496  /*
1497  * digitally-signed struct {
1498  * opaque md5_hash[16];
1499  * opaque sha_hash[20];
1500  * };
1501  *
1502  * md5_hash
1503  * MD5(ClientHello.random + ServerHello.random
1504  * + ServerParams);
1505  * sha_hash
1506  * SHA(ClientHello.random + ServerHello.random
1507  * + ServerParams);
1508  */
1509  md5_starts( &md5 );
1510  md5_update( &md5, ssl->handshake->randbytes, 64 );
1511  md5_update( &md5, ssl->in_msg + 4, params_len );
1512  md5_finish( &md5, hash );
1513 
1514  sha1_starts( &sha1 );
1515  sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1516  sha1_update( &sha1, ssl->in_msg + 4, params_len );
1517  sha1_finish( &sha1, hash + 16 );
1518  }
1519  else
1520 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
1521  POLARSSL_SSL_PROTO_TLS1_1 */
1522 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1523  defined(POLARSSL_SSL_PROTO_TLS1_2)
1524  if( md_alg != POLARSSL_MD_NONE )
1525  {
1526  md_context_t ctx;
1527 
1528  /* Info from md_alg will be used instead */
1529  hashlen = 0;
1530 
1531  /*
1532  * digitally-signed struct {
1533  * opaque client_random[32];
1534  * opaque server_random[32];
1535  * ServerDHParams params;
1536  * };
1537  */
1538  if( ( ret = md_init_ctx( &ctx, md_info_from_type( md_alg ) ) ) != 0 )
1539  {
1540  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
1541  return( ret );
1542  }
1543 
1544  md_starts( &ctx );
1545  md_update( &ctx, ssl->handshake->randbytes, 64 );
1546  md_update( &ctx, ssl->in_msg + 4, params_len );
1547  md_finish( &ctx, hash );
1548  md_free_ctx( &ctx );
1549  }
1550  else
1551 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1552  POLARSSL_SSL_PROTO_TLS1_2 */
1553  {
1554  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1556  }
1557 
1558  SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
1559  (unsigned int) ( md_info_from_type( md_alg ) )->size );
1560 
1561  /*
1562  * Verify signature
1563  */
1564  if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
1565  {
1566  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1568  }
1569 
1570  if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
1571  md_alg, hash, hashlen, p, sig_len ) ) != 0 )
1572  {
1573  SSL_DEBUG_RET( 1, "pk_verify", ret );
1574  return( ret );
1575  }
1576  }
1577 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1578  POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1579  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1580 
1581 exit:
1582  ssl->state++;
1583 
1584  SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
1585 
1586  return( 0 );
1587 }
1588 
1589 static int ssl_parse_certificate_request( ssl_context *ssl )
1590 {
1591  int ret;
1592  unsigned char *buf, *p;
1593  size_t n = 0, m = 0;
1594  size_t cert_type_len = 0, dn_len = 0;
1595 
1596  SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
1597 
1598  /*
1599  * 0 . 0 handshake type
1600  * 1 . 3 handshake length
1601  * 4 . 4 cert type count
1602  * 5 .. m-1 cert types
1603  * m .. m+1 sig alg length (TLS 1.2 only)
1604  * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
1605  * n .. n+1 length of all DNs
1606  * n+2 .. n+3 length of DN 1
1607  * n+4 .. ... Distinguished Name #1
1608  * ... .. ... length of DN 2, etc.
1609  */
1610  if( ssl->record_read == 0 )
1611  {
1612  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1613  {
1614  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1615  return( ret );
1616  }
1617 
1618  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1619  {
1620  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1622  }
1623 
1624  ssl->record_read = 1;
1625  }
1626 
1627  ssl->client_auth = 0;
1628  ssl->state++;
1629 
1630  if( ssl->in_msg[0] == SSL_HS_CERTIFICATE_REQUEST )
1631  ssl->client_auth++;
1632 
1633  SSL_DEBUG_MSG( 3, ( "got %s certificate request",
1634  ssl->client_auth ? "a" : "no" ) );
1635 
1636  if( ssl->client_auth == 0 )
1637  goto exit;
1638 
1639  ssl->record_read = 0;
1640 
1641  // TODO: handshake_failure alert for an anonymous server to request
1642  // client authentication
1643 
1644  buf = ssl->in_msg;
1645 
1646  // Retrieve cert types
1647  //
1648  cert_type_len = buf[4];
1649  n = cert_type_len;
1650 
1651  if( ssl->in_hslen < 6 + n )
1652  {
1653  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1655  }
1656 
1657  p = buf + 5;
1658  while( cert_type_len > 0 )
1659  {
1660 #if defined(POLARSSL_RSA_C)
1661  if( *p == SSL_CERT_TYPE_RSA_SIGN &&
1663  {
1665  break;
1666  }
1667  else
1668 #endif
1669 #if defined(POLARSSL_ECDSA_C)
1670  if( *p == SSL_CERT_TYPE_ECDSA_SIGN &&
1672  {
1674  break;
1675  }
1676  else
1677 #endif
1678  {
1679  ; /* Unsupported cert type, ignore */
1680  }
1681 
1682  cert_type_len--;
1683  p++;
1684  }
1685 
1686 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1687  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1688  {
1689  /* Ignored, see comments about hash in write_certificate_verify */
1690  // TODO: should check the signature part against our pk_key though
1691  size_t sig_alg_len = ( ( buf[5 + n] << 8 )
1692  | ( buf[6 + n] ) );
1693 
1694  p = buf + 7 + n;
1695  m += 2;
1696  n += sig_alg_len;
1697 
1698  if( ssl->in_hslen < 6 + n )
1699  {
1700  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1702  }
1703  }
1704 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1705 
1706  /* Ignore certificate_authorities, we only have one cert anyway */
1707  // TODO: should not send cert if no CA matches
1708  dn_len = ( ( buf[5 + m + n] << 8 )
1709  | ( buf[6 + m + n] ) );
1710 
1711  n += dn_len;
1712  if( ssl->in_hslen != 7 + m + n )
1713  {
1714  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1716  }
1717 
1718 exit:
1719  SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
1720 
1721  return( 0 );
1722 }
1723 
1724 static int ssl_parse_server_hello_done( ssl_context *ssl )
1725 {
1726  int ret;
1727 
1728  SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
1729 
1730  if( ssl->record_read == 0 )
1731  {
1732  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1733  {
1734  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1735  return( ret );
1736  }
1737 
1738  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1739  {
1740  SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
1742  }
1743  }
1744  ssl->record_read = 0;
1745 
1746  if( ssl->in_hslen != 4 ||
1747  ssl->in_msg[0] != SSL_HS_SERVER_HELLO_DONE )
1748  {
1749  SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
1751  }
1752 
1753  ssl->state++;
1754 
1755  SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
1756 
1757  return( 0 );
1758 }
1759 
1760 static int ssl_write_client_key_exchange( ssl_context *ssl )
1761 {
1762  int ret;
1763  size_t i, n;
1764  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1765 
1766  SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
1767 
1768 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
1769  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
1770  {
1771  /*
1772  * DHM key exchange -- send G^X mod P
1773  */
1774  n = ssl->handshake->dhm_ctx.len;
1775 
1776  ssl->out_msg[4] = (unsigned char)( n >> 8 );
1777  ssl->out_msg[5] = (unsigned char)( n );
1778  i = 6;
1779 
1780  ret = dhm_make_public( &ssl->handshake->dhm_ctx,
1781  (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
1782  &ssl->out_msg[i], n,
1783  ssl->f_rng, ssl->p_rng );
1784  if( ret != 0 )
1785  {
1786  SSL_DEBUG_RET( 1, "dhm_make_public", ret );
1787  return( ret );
1788  }
1789 
1790  SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
1791  SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
1792 
1793  ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
1794 
1795  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
1796  ssl->handshake->premaster,
1797  &ssl->handshake->pmslen,
1798  ssl->f_rng, ssl->p_rng ) ) != 0 )
1799  {
1800  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
1801  return( ret );
1802  }
1803 
1804  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
1805  }
1806  else
1807 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
1808 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1809  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1810  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
1811  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
1812  {
1813  /*
1814  * ECDH key exchange -- send client public value
1815  */
1816  i = 4;
1817 
1818  ret = ecdh_make_public( &ssl->handshake->ecdh_ctx,
1819  &n,
1820  &ssl->out_msg[i], 1000,
1821  ssl->f_rng, ssl->p_rng );
1822  if( ret != 0 )
1823  {
1824  SSL_DEBUG_RET( 1, "ecdh_make_public", ret );
1825  return( ret );
1826  }
1827 
1828  SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
1829 
1830  if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
1831  &ssl->handshake->pmslen,
1832  ssl->handshake->premaster,
1834  ssl->f_rng, ssl->p_rng ) ) != 0 )
1835  {
1836  SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
1837  return( ret );
1838  }
1839 
1840  SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
1841  }
1842  else
1843 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1844  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1845 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
1846  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1847  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1848  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1849  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1850  {
1851  /*
1852  * opaque psk_identity<0..2^16-1>;
1853  */
1854  if( ssl->psk == NULL || ssl->psk_identity == NULL )
1856 
1857  i = 4;
1858  n = ssl->psk_identity_len;
1859  ssl->out_msg[i++] = (unsigned char)( n >> 8 );
1860  ssl->out_msg[i++] = (unsigned char)( n );
1861 
1862  memcpy( ssl->out_msg + i, ssl->psk_identity, ssl->psk_identity_len );
1863  i += ssl->psk_identity_len;
1864 
1865 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
1866  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
1867  {
1868  n = 0;
1869  }
1870  else
1871 #endif
1872 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
1873  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
1874  {
1875  if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
1876  return( ret );
1877  }
1878  else
1879 #endif
1880 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1881  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1882  {
1883  /*
1884  * ClientDiffieHellmanPublic public (DHM send G^X mod P)
1885  */
1886  n = ssl->handshake->dhm_ctx.len;
1887  ssl->out_msg[i++] = (unsigned char)( n >> 8 );
1888  ssl->out_msg[i++] = (unsigned char)( n );
1889 
1890  ret = dhm_make_public( &ssl->handshake->dhm_ctx,
1891  (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
1892  &ssl->out_msg[i], n,
1893  ssl->f_rng, ssl->p_rng );
1894  if( ret != 0 )
1895  {
1896  SSL_DEBUG_RET( 1, "dhm_make_public", ret );
1897  return( ret );
1898  }
1899  }
1900  else
1901 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1902 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1903  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1904  {
1905  /*
1906  * ClientECDiffieHellmanPublic public;
1907  */
1908  ret = ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
1909  &ssl->out_msg[i], SSL_MAX_CONTENT_LEN - i,
1910  ssl->f_rng, ssl->p_rng );
1911  if( ret != 0 )
1912  {
1913  SSL_DEBUG_RET( 1, "ecdh_make_public", ret );
1914  return( ret );
1915  }
1916 
1917  SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
1918  }
1919  else
1920 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
1921  {
1922  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1924  }
1925 
1926  if( ( ret = ssl_psk_derive_premaster( ssl,
1927  ciphersuite_info->key_exchange ) ) != 0 )
1928  {
1929  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
1930  return( ret );
1931  }
1932  }
1933  else
1934 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
1935 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
1936  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
1937  {
1938  i = 4;
1939  if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
1940  return( ret );
1941  }
1942  else
1943 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
1944  {
1945  ((void) ciphersuite_info);
1946  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1948  }
1949 
1950  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1951  {
1952  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1953  return( ret );
1954  }
1955 
1956  ssl->out_msglen = i + n;
1959 
1960  ssl->state++;
1961 
1962  if( ( ret = ssl_write_record( ssl ) ) != 0 )
1963  {
1964  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1965  return( ret );
1966  }
1967 
1968  SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
1969 
1970  return( 0 );
1971 }
1972 
1973 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1974  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1975  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
1976  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1977 static int ssl_write_certificate_verify( ssl_context *ssl )
1978 {
1980  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1981 
1982  SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
1983 
1984  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1985  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
1986  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1987  {
1988  SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
1989  ssl->state++;
1990  return( 0 );
1991  }
1992 
1993  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
1994  return( ret );
1995 }
1996 #else
1997 static int ssl_write_certificate_verify( ssl_context *ssl )
1998 {
2000  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2001  size_t n = 0, offset = 0;
2002  unsigned char hash[48];
2003  unsigned char *hash_start = hash;
2004  md_type_t md_alg = POLARSSL_MD_NONE;
2005  unsigned int hashlen;
2006 
2007  SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
2008 
2009  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2010  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2011  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2012  {
2013  SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2014  ssl->state++;
2015  return( 0 );
2016  }
2017 
2018  if( ssl->client_auth == 0 || ssl_own_cert( ssl ) == NULL )
2019  {
2020  SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2021  ssl->state++;
2022  return( 0 );
2023  }
2024 
2025  if( ssl_own_key( ssl ) == NULL )
2026  {
2027  SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2029  }
2030 
2031  /*
2032  * Make an RSA signature of the handshake digests
2033  */
2034  ssl->handshake->calc_verify( ssl, hash );
2035 
2036 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2037  defined(POLARSSL_SSL_PROTO_TLS1_1)
2038  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
2039  {
2040  /*
2041  * digitally-signed struct {
2042  * opaque md5_hash[16];
2043  * opaque sha_hash[20];
2044  * };
2045  *
2046  * md5_hash
2047  * MD5(handshake_messages);
2048  *
2049  * sha_hash
2050  * SHA(handshake_messages);
2051  */
2052  hashlen = 36;
2053  md_alg = POLARSSL_MD_NONE;
2054 
2055  /*
2056  * For ECDSA, default hash is SHA-1 only
2057  */
2058  if( pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECDSA ) )
2059  {
2060  hash_start += 16;
2061  hashlen -= 16;
2062  md_alg = POLARSSL_MD_SHA1;
2063  }
2064  }
2065  else
2066 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
2067  POLARSSL_SSL_PROTO_TLS1_1 */
2068 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2069  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2070  {
2071  /*
2072  * digitally-signed struct {
2073  * opaque handshake_messages[handshake_messages_length];
2074  * };
2075  *
2076  * Taking shortcut here. We assume that the server always allows the
2077  * PRF Hash function and has sent it in the allowed signature
2078  * algorithms list received in the Certificate Request message.
2079  *
2080  * Until we encounter a server that does not, we will take this
2081  * shortcut.
2082  *
2083  * Reason: Otherwise we should have running hashes for SHA512 and SHA224
2084  * in order to satisfy 'weird' needs from the server side.
2085  */
2088  {
2089  md_alg = POLARSSL_MD_SHA384;
2090  ssl->out_msg[4] = SSL_HASH_SHA384;
2091  }
2092  else
2093  {
2094  md_alg = POLARSSL_MD_SHA256;
2095  ssl->out_msg[4] = SSL_HASH_SHA256;
2096  }
2097  ssl->out_msg[5] = ssl_sig_from_pk( ssl_own_key( ssl ) );
2098 
2099  /* Info from md_alg will be used instead */
2100  hashlen = 0;
2101  offset = 2;
2102  }
2103  else
2104 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2105  {
2106  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2108  }
2109 
2110  if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash_start, hashlen,
2111  ssl->out_msg + 6 + offset, &n,
2112  ssl->f_rng, ssl->p_rng ) ) != 0 )
2113  {
2114  SSL_DEBUG_RET( 1, "pk_sign", ret );
2115  return( ret );
2116  }
2117 
2118  ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
2119  ssl->out_msg[5 + offset] = (unsigned char)( n );
2120 
2121  ssl->out_msglen = 6 + n + offset;
2124 
2125  ssl->state++;
2126 
2127  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2128  {
2129  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2130  return( ret );
2131  }
2132 
2133  SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
2134 
2135  return( ret );
2136 }
2137 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2138  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2139  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2140 
2141 #if defined(POLARSSL_SSL_SESSION_TICKETS)
2142 static int ssl_parse_new_session_ticket( ssl_context *ssl )
2143 {
2144  int ret;
2145  uint32_t lifetime;
2146  size_t ticket_len;
2147  unsigned char *ticket;
2148 
2149  SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
2150 
2151  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2152  {
2153  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2154  return( ret );
2155  }
2156 
2157  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2158  {
2159  SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2161  }
2162 
2163  /*
2164  * struct {
2165  * uint32 ticket_lifetime_hint;
2166  * opaque ticket<0..2^16-1>;
2167  * } NewSessionTicket;
2168  *
2169  * 0 . 0 handshake message type
2170  * 1 . 3 handshake message length
2171  * 4 . 7 ticket_lifetime_hint
2172  * 8 . 9 ticket_len (n)
2173  * 10 . 9+n ticket content
2174  */
2175  if( ssl->in_msg[0] != SSL_HS_NEW_SESSION_TICKET ||
2176  ssl->in_hslen < 10 )
2177  {
2178  SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2180  }
2181 
2182  lifetime = ( ssl->in_msg[4] << 24 ) | ( ssl->in_msg[5] << 16 ) |
2183  ( ssl->in_msg[6] << 8 ) | ( ssl->in_msg[7] );
2184 
2185  ticket_len = ( ssl->in_msg[8] << 8 ) | ( ssl->in_msg[9] );
2186 
2187  if( ticket_len + 10 != ssl->in_hslen )
2188  {
2189  SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2191  }
2192 
2193  SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
2194 
2195  /* We're not waiting for a NewSessionTicket message any more */
2196  ssl->handshake->new_session_ticket = 0;
2197 
2198  /*
2199  * Zero-length ticket means the server changed his mind and doesn't want
2200  * to send a ticket after all, so just forget it
2201  */
2202  if( ticket_len == 0)
2203  return( 0 );
2204 
2206  ssl->session_negotiate->ticket = NULL;
2207  ssl->session_negotiate->ticket_len = 0;
2208 
2209  if( ( ticket = polarssl_malloc( ticket_len ) ) == NULL )
2210  {
2211  SSL_DEBUG_MSG( 1, ( "ticket malloc failed" ) );
2213  }
2214 
2215  memcpy( ticket, ssl->in_msg + 10, ticket_len );
2216 
2217  ssl->session_negotiate->ticket = ticket;
2218  ssl->session_negotiate->ticket_len = ticket_len;
2219  ssl->session_negotiate->ticket_lifetime = lifetime;
2220 
2221  /*
2222  * RFC 5077 section 3.4:
2223  * "If the client receives a session ticket from the server, then it
2224  * discards any Session ID that was sent in the ServerHello."
2225  */
2226  SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
2227  ssl->session_negotiate->length = 0;
2228 
2229  SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
2230 
2231  return( 0 );
2232 }
2233 #endif /* POLARSSL_SSL_SESSION_TICKETS */
2234 
2235 /*
2236  * SSL handshake -- client side -- single step
2237  */
2239 {
2240  int ret = 0;
2241 
2242  if( ssl->state == SSL_HANDSHAKE_OVER )
2244 
2245  SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
2246 
2247  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2248  return( ret );
2249 
2250  switch( ssl->state )
2251  {
2252  case SSL_HELLO_REQUEST:
2253  ssl->state = SSL_CLIENT_HELLO;
2254  break;
2255 
2256  /*
2257  * ==> ClientHello
2258  */
2259  case SSL_CLIENT_HELLO:
2260  ret = ssl_write_client_hello( ssl );
2261  break;
2262 
2263  /*
2264  * <== ServerHello
2265  * Certificate
2266  * ( ServerKeyExchange )
2267  * ( CertificateRequest )
2268  * ServerHelloDone
2269  */
2270  case SSL_SERVER_HELLO:
2271  ret = ssl_parse_server_hello( ssl );
2272  break;
2273 
2275  ret = ssl_parse_certificate( ssl );
2276  break;
2277 
2279  ret = ssl_parse_server_key_exchange( ssl );
2280  break;
2281 
2283  ret = ssl_parse_certificate_request( ssl );
2284  break;
2285 
2286  case SSL_SERVER_HELLO_DONE:
2287  ret = ssl_parse_server_hello_done( ssl );
2288  break;
2289 
2290  /*
2291  * ==> ( Certificate/Alert )
2292  * ClientKeyExchange
2293  * ( CertificateVerify )
2294  * ChangeCipherSpec
2295  * Finished
2296  */
2298  ret = ssl_write_certificate( ssl );
2299  break;
2300 
2302  ret = ssl_write_client_key_exchange( ssl );
2303  break;
2304 
2306  ret = ssl_write_certificate_verify( ssl );
2307  break;
2308 
2310  ret = ssl_write_change_cipher_spec( ssl );
2311  break;
2312 
2313  case SSL_CLIENT_FINISHED:
2314  ret = ssl_write_finished( ssl );
2315  break;
2316 
2317  /*
2318  * <== ( NewSessionTicket )
2319  * ChangeCipherSpec
2320  * Finished
2321  */
2323 #if defined(POLARSSL_SSL_SESSION_TICKETS)
2324  if( ssl->handshake->new_session_ticket != 0 )
2325  ret = ssl_parse_new_session_ticket( ssl );
2326  else
2327 #endif
2328  ret = ssl_parse_change_cipher_spec( ssl );
2329  break;
2330 
2331  case SSL_SERVER_FINISHED:
2332  ret = ssl_parse_finished( ssl );
2333  break;
2334 
2335  case SSL_FLUSH_BUFFERS:
2336  SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2337  ssl->state = SSL_HANDSHAKE_WRAPUP;
2338  break;
2339 
2340  case SSL_HANDSHAKE_WRAPUP:
2341  ssl_handshake_wrapup( ssl );
2342  break;
2343 
2344  default:
2345  SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2347  }
2348 
2349  return( ret );
2350 }
2351 #endif
#define SSL_HS_CLIENT_KEY_EXCHANGE
Definition: ssl.h:326
#define SSL_CERT_TYPE_ECDSA_SIGN
Definition: ssl.h:276
unsigned char * hostname
Definition: ssl.h:751
#define SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:287
unsigned char mfl_code
Definition: ssl.h:693
size_t length
Definition: ssl.h:428
int ciphersuite
Definition: ssl.h:426
mpi P
Definition: dhm.h:146
int trunc_hmac
Definition: ssl.h:725
int ecdh_make_public(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Setup and export the client&#39;s public value.
size_t in_hslen
Definition: ssl.h:673
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:611
#define TLS_EXT_SERVERNAME_HOSTNAME
Definition: ssl.h:333
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE
Processing of the ServerKeyExchange handshake message failed.
Definition: ssl.h:118
int record_read
Definition: ssl.h:675
Memory allocation layer.
int major_ver
Definition: ssl.h:600
#define SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:41
ecp_group_id grp_id
Definition: ecp.h:79
SHA-1 context structure.
Definition: sha1.h:54
void *(* polarssl_malloc)(size_t len)
int compression
Definition: ssl.h:427
#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH
Public key type mismatch (eg, asked for RSA key exchange and presented EC key)
Definition: ssl.h:133
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE
Processing of the ServerHelloDone handshake message failed.
Definition: ssl.h:119
#define POLARSSL_ECP_PF_COMPRESSED
Compressed point format.
Definition: ecp.h:175
pk_type_t ssl_pk_alg_from_sig(unsigned char sig)
int state
Definition: ssl.h:597
#define POLARSSL_MPI_MAX_SIZE
Maximum number of bytes for usable MPIs.
Definition: bignum.h:87
int ecdh_calc_secret(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret.
char peer_verify_data[36]
Definition: ssl.h:762
#define SSL_HS_CLIENT_HELLO
Definition: ssl.h:318
const ecp_curve_info * ecp_curve_list(void)
Return the list of supported curves with associated info.
Debug functions.
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
void(* calc_verify)(ssl_context *, unsigned char *)
Definition: ssl.h:544
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
int md_starts(md_context_t *ctx)
Set-up the given context for a new message digest.
#define SSL_HS_SERVER_KEY_EXCHANGE
Definition: ssl.h:322
#define TLS_EXT_TRUNCATED_HMAC
Definition: ssl.h:337
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO
Processing of the ServerHello handshake message failed.
Definition: ssl.h:115
#define SSL_HS_NEW_SESSION_TICKET
Definition: ssl.h:320
size_t ticket_len
Definition: ssl.h:439
#define SSL_HASH_SHA1
Definition: ssl.h:261
ssl_session * session_negotiate
Definition: ssl.h:647
int ssl_parse_certificate(ssl_context *ssl)
size_t out_msglen
Definition: ssl.h:686
mpi GX
Definition: dhm.h:149
#define SSL_SESSION_TICKETS_DISABLED
Definition: ssl.h:221
#define SSL_SIG_RSA
Definition: ssl.h:268
const int * ciphersuite_list[4]
Definition: ssl.h:723
int ssl_parse_finished(ssl_context *ssl)
void * p_rng
Definition: ssl.h:618
int md_init_ctx(md_context_t *ctx, const md_info_t *md_info)
Initialises and fills the message digest context structure with the appropriate values.
#define SSL_RENEGOTIATION
Definition: ssl.h:203
unsigned char premaster[POLARSSL_PREMASTER_SIZE]
Definition: ssl.h:553
#define POLARSSL_ECP_PF_UNCOMPRESSED
Uncompressed point format.
Definition: ecp.h:174
#define POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET
Processing of the NewSessionTicket handshake message failed.
Definition: ssl.h:131
int ssl_write_finished(ssl_context *ssl)
Configuration options (set of defines)
#define SSL_DEBUG_MSG(level, args)
Definition: debug.h:38
size_t psk_identity_len
Definition: ssl.h:744
mpi X
Definition: dhm.h:148
#define SSL_TRUNC_HMAC_ENABLED
Definition: ssl.h:218
void ssl_handshake_wrapup(ssl_context *ssl)
char own_verify_data[36]
Definition: ssl.h:761
#define SSL_SIG_ECDSA
Definition: ssl.h:269
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
#define SSL_MAX_MAJOR_VERSION
Definition: ssl.h:166
int secure_renegotiation
Definition: ssl.h:758
time_t start
Definition: ssl.h:424
#define SSL_HASH_MD5
Definition: ssl.h:260
#define SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:213
#define SSL_MAJOR_VERSION_3
Definition: ssl.h:140
unsigned char id[32]
Definition: ssl.h:429
pk_type_t ssl_get_ciphersuite_sig_pk_alg(const ssl_ciphersuite_t *info)
const ssl_ciphersuite_t * ciphersuite_info
Definition: ssl.h:461
unsigned char * psk
Definition: ssl.h:741
size_t len
Definition: dhm.h:145
int max_major_ver
Definition: ssl.h:603
ecp_point Qp
Definition: ecdh.h:44
md_type_t
Definition: md.h:51
int max_minor_ver
Definition: ssl.h:604
int dhm_read_params(dhm_context *ctx, unsigned char **p, const unsigned char *end)
Parse the ServerKeyExchange parameters.
const md_info_t * md_info_from_type(md_type_t md_type)
Returns the message digest information associated with the given digest type.
#define TLS_EXT_SIG_ALG
Definition: ssl.h:342
#define SSL_CERT_TYPE_RSA_SIGN
Definition: ssl.h:275
#define SSL_HS_CERTIFICATE_REQUEST
Definition: ssl.h:323
ssl_handshake_params * handshake
Definition: ssl.h:649
#define SSL_MSG_HANDSHAKE
Definition: ssl.h:283
int ssl_write_certificate(ssl_context *ssl)
#define SSL_ALERT_MSG_PROTOCOL_VERSION
Definition: ssl.h:308
#define SSL_TRUNC_HMAC_DISABLED
Definition: ssl.h:217
int in_msgtype
Definition: ssl.h:669
size_t verify_data_len
Definition: ssl.h:760
mpi G
Definition: dhm.h:147
int point_format
Definition: ecdh.h:46
int min_minor_ver
Definition: ssl.h:606
unsigned char * out_msg
Definition: ssl.h:683
#define SSL_MINOR_VERSION_0
Definition: ssl.h:141
int client_auth
Definition: ssl.h:719
int pk_verify(pk_context *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len)
Verify signature.
#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION
Handshake protocol not within min/max boundaries.
Definition: ssl.h:130
ecdh_context ecdh_ctx
Definition: ssl.h:508
#define SSL_HS_SERVER_HELLO_DONE
Definition: ssl.h:324
static x509_crt * ssl_own_cert(ssl_context *ssl)
Definition: ssl.h:1566
void(* polarssl_free)(void *ptr)
int ssl_handshake_client_step(ssl_context *ssl)
#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE
An unexpected message was received from our peer.
Definition: ssl.h:110
unsigned char * ticket
Definition: ssl.h:438
key_exchange_type_t key_exchange
int new_session_ticket
Definition: ssl.h:562
mpi GY
Definition: dhm.h:150
int trunc_hmac
Definition: ssl.h:448
Curve information for use by other modules.
Definition: ecp.h:77
int pk_can_do(pk_context *ctx, pk_type_t type)
Tell if a context can do the operation given by type.
void md5_starts(md5_context *ctx)
MD5 context setup.
unsigned char ssl_sig_from_pk(pk_context *pk)
int ssl_flush_output(ssl_context *ssl)
#define TLS_EXT_SESSION_TICKET
Definition: ssl.h:344
#define SSL_HS_SERVER_HELLO
Definition: ssl.h:319
#define SSL_COMPRESS_DEFLATE
Definition: ssl.h:196
unsigned char * in_msg
Definition: ssl.h:666
mpi z
Definition: ecdh.h:45
#define SSL_MINOR_VERSION_3
Definition: ssl.h:144
mpi K
Definition: dhm.h:151
MD5 context structure.
Definition: md5.h:54
#define TLS_EXT_RENEGOTIATION_INFO
Definition: ssl.h:346
pk_type_t
Public key types.
Definition: pk.h:90
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST
Processing of the CertificateRequest handshake message failed.
Definition: ssl.h:117
int ssl_parse_change_cipher_spec(ssl_context *ssl)
size_t hostname_len
Definition: ssl.h:752
int ecdh_read_params(ecdh_context *ctx, const unsigned char **buf, const unsigned char *end)
Parse the ServerKeyExhange parameters.
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
int minor_ver
Definition: ssl.h:601
#define SSL_EMPTY_RENEGOTIATION_INFO
renegotiation info ext
Definition: ssl.h:253
This structure is used for storing ciphersuite information.
#define SSL_HASH_SHA256
Definition: ssl.h:263
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:44
#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED
The own private key or pre-shared key is not set, but needed.
Definition: ssl.h:108
#define SSL_INITIAL_HANDSHAKE
Definition: ssl.h:202
#define SSL_MAX_MINOR_VERSION
Definition: ssl.h:169
int session_tickets
Definition: ssl.h:728
int allow_legacy_renegotiation
Definition: ssl.h:722
#define SSL_COMPRESS_NULL
Definition: ssl.h:195
const ssl_ciphersuite_t * ssl_ciphersuite_from_id(int ciphersuite_id)
int ssl_read_record(ssl_context *ssl)
int out_msgtype
Definition: ssl.h:685
#define TLS_EXT_MAX_FRAGMENT_LENGTH
Definition: ssl.h:335
size_t nbits
Definition: ecp.h:126
#define SSL_MAX_FRAG_LEN_NONE
Definition: ssl.h:186
#define SSL_HS_CERTIFICATE_VERIFY
Definition: ssl.h:325
#define TLS_EXT_SERVERNAME
Definition: ssl.h:332
int pk_sign(pk_context *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, unsigned char *sig, size_t *sig_len, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Make signature.
int dhm_make_public(dhm_context *ctx, int x_size, unsigned char *output, size_t olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Create own private value X and export G^X.
#define SSL_DEBUG_MPI(level, text, X)
Definition: debug.h:48
size_t mpi_size(const mpi *X)
Return the total size in bytes.
#define SSL_LEGACY_BREAK_HANDSHAKE
Definition: ssl.h:215
int pk_encrypt(pk_context *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, size_t osize, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Encrypt message.
int min_major_ver
Definition: ssl.h:605
pk_context pk
Container for the public key context.
Definition: x509_crt.h:71
ssl_transform * transform_negotiate
Definition: ssl.h:658
#define SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:207
#define SSL_HASH_SHA224
Definition: ssl.h:262
uint32_t ticket_lifetime
Definition: ssl.h:440
#define SSL_SECURE_RENEGOTIATION
Definition: ssl.h:208
SSL/TLS functions.
#define POLARSSL_ERR_SSL_MALLOC_FAILED
Memory allocation failed.
Definition: ssl.h:126
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
#define TLS_EXT_SUPPORTED_POINT_FORMATS
Definition: ssl.h:340
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
int ssl_write_change_cipher_spec(ssl_context *ssl)
#define SSL_DEBUG_ECP(level, text, X)
Definition: debug.h:53
uint16_t tls_id
Definition: ecp.h:80
int ssl_derive_keys(ssl_context *ssl)
static pk_context * ssl_own_key(ssl_context *ssl)
Definition: ssl.h:1560
int md_finish(md_context_t *ctx, unsigned char *output)
Generic message digest final digest.
int ssl_psk_derive_premaster(ssl_context *ssl, key_exchange_type_t key_ex)
int renegotiation
Definition: ssl.h:598
dhm_context dhm_ctx
Definition: ssl.h:505
static int safer_memcmp(const void *a, const void *b, size_t n)
Definition: ssl.h:1574
int md_free_ctx(md_context_t *ctx)
Free the message-specific context of ctx.
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
#define SSL_MAX_CONTENT_LEN
Size of the input / output buffer.
Definition: ssl.h:236
unsigned char * psk_identity
Definition: ssl.h:743
#define TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
Definition: ssl.h:339
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition: ssl.h:97
int md_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic message digest process buffer.
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition: ssl.h:98
#define SSL_HASH_SHA512
Definition: ssl.h:265
#define SSL_HASH_SHA384
Definition: ssl.h:264
int ssl_write_record(ssl_context *ssl)
unsigned char randbytes[64]
Definition: ssl.h:552
ecp_group grp
Definition: ecdh.h:41
Generic message digest context.
Definition: md.h:129
void ssl_optimize_checksum(ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info)
ecp_point Q
Definition: ecdh.h:43
x509_crt * peer_cert
Definition: ssl.h:433
md_type_t ssl_md_alg_from_hash(unsigned char hash)
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret (G^Y)^X mod P.