PolarSSL v1.3.9
ssl_srv.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 server-side functions
3  *
4  * Copyright (C) 2006-2014, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 #if !defined(POLARSSL_CONFIG_FILE)
27 #include "polarssl/config.h"
28 #else
29 #include POLARSSL_CONFIG_FILE
30 #endif
31 
32 #if defined(POLARSSL_SSL_SRV_C)
33 
34 #include "polarssl/debug.h"
35 #include "polarssl/ssl.h"
36 #if defined(POLARSSL_ECP_C)
37 #include "polarssl/ecp.h"
38 #endif
39 
40 #if defined(POLARSSL_PLATFORM_C)
41 #include "polarssl/platform.h"
42 #else
43 #define polarssl_malloc malloc
44 #define polarssl_free free
45 #endif
46 
47 #include <stdlib.h>
48 #include <stdio.h>
49 
50 #if defined(POLARSSL_HAVE_TIME)
51 #include <time.h>
52 #endif
53 
54 #if defined(POLARSSL_SSL_SESSION_TICKETS)
55 /* Implementation that should never be optimized out by the compiler */
56 static void polarssl_zeroize( void *v, size_t n ) {
57  volatile unsigned char *p = v; while( n-- ) *p++ = 0;
58 }
59 
60 /*
61  * Serialize a session in the following format:
62  * 0 . n-1 session structure, n = sizeof(ssl_session)
63  * n . n+2 peer_cert length = m (0 if no certificate)
64  * n+3 . n+2+m peer cert ASN.1
65  *
66  * Assumes ticket is NULL (always true on server side).
67  */
68 static int ssl_save_session( const ssl_session *session,
69  unsigned char *buf, size_t buf_len,
70  size_t *olen )
71 {
72  unsigned char *p = buf;
73  size_t left = buf_len;
74 #if defined(POLARSSL_X509_CRT_PARSE_C)
75  size_t cert_len;
76 #endif /* POLARSSL_X509_CRT_PARSE_C */
77 
78  if( left < sizeof( ssl_session ) )
79  return( -1 );
80 
81  memcpy( p, session, sizeof( ssl_session ) );
82  p += sizeof( ssl_session );
83  left -= sizeof( ssl_session );
84 
85 #if defined(POLARSSL_X509_CRT_PARSE_C)
86  if( session->peer_cert == NULL )
87  cert_len = 0;
88  else
89  cert_len = session->peer_cert->raw.len;
90 
91  if( left < 3 + cert_len )
92  return( -1 );
93 
94  *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
95  *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
96  *p++ = (unsigned char)( cert_len & 0xFF );
97 
98  if( session->peer_cert != NULL )
99  memcpy( p, session->peer_cert->raw.p, cert_len );
100 
101  p += cert_len;
102 #endif /* POLARSSL_X509_CRT_PARSE_C */
103 
104  *olen = p - buf;
105 
106  return( 0 );
107 }
108 
109 /*
110  * Unserialise session, see ssl_save_session()
111  */
112 static int ssl_load_session( ssl_session *session,
113  const unsigned char *buf, size_t len )
114 {
115  const unsigned char *p = buf;
116  const unsigned char * const end = buf + len;
117 #if defined(POLARSSL_X509_CRT_PARSE_C)
118  size_t cert_len;
119 #endif /* POLARSSL_X509_CRT_PARSE_C */
120 
121  if( p + sizeof( ssl_session ) > end )
123 
124  memcpy( session, p, sizeof( ssl_session ) );
125  p += sizeof( ssl_session );
126 
127 #if defined(POLARSSL_X509_CRT_PARSE_C)
128  if( p + 3 > end )
130 
131  cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
132  p += 3;
133 
134  if( cert_len == 0 )
135  {
136  session->peer_cert = NULL;
137  }
138  else
139  {
140  int ret;
141 
142  if( p + cert_len > end )
144 
145  session->peer_cert = polarssl_malloc( sizeof( x509_crt ) );
146 
147  if( session->peer_cert == NULL )
149 
150  x509_crt_init( session->peer_cert );
151 
152  if( ( ret = x509_crt_parse_der( session->peer_cert,
153  p, cert_len ) ) != 0 )
154  {
155  x509_crt_free( session->peer_cert );
156  polarssl_free( session->peer_cert );
157  session->peer_cert = NULL;
158  return( ret );
159  }
160 
161  p += cert_len;
162  }
163 #endif /* POLARSSL_X509_CRT_PARSE_C */
164 
165  if( p != end )
167 
168  return( 0 );
169 }
170 
171 /*
172  * Create session ticket, secured as recommended in RFC 5077 section 4:
173  *
174  * struct {
175  * opaque key_name[16];
176  * opaque iv[16];
177  * opaque encrypted_state<0..2^16-1>;
178  * opaque mac[32];
179  * } ticket;
180  *
181  * (the internal state structure differs, however).
182  */
183 static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
184 {
185  int ret;
186  unsigned char * const start = ssl->out_msg + 10;
187  unsigned char *p = start;
188  unsigned char *state;
189  unsigned char iv[16];
190  size_t clear_len, enc_len, pad_len, i;
191 
192  *tlen = 0;
193 
194  if( ssl->ticket_keys == NULL )
196 
197  /* Write key name */
198  memcpy( p, ssl->ticket_keys->key_name, 16 );
199  p += 16;
200 
201  /* Generate and write IV (with a copy for aes_crypt) */
202  if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
203  return( ret );
204  memcpy( iv, p, 16 );
205  p += 16;
206 
207  /*
208  * Dump session state
209  *
210  * After the session state itself, we still need room for 16 bytes of
211  * padding and 32 bytes of MAC, so there's only so much room left
212  */
213  state = p + 2;
214  if( ssl_save_session( ssl->session_negotiate, state,
215  SSL_MAX_CONTENT_LEN - ( state - ssl->out_ctr ) - 48,
216  &clear_len ) != 0 )
217  {
219  }
220  SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
221 
222  /* Apply PKCS padding */
223  pad_len = 16 - clear_len % 16;
224  enc_len = clear_len + pad_len;
225  for( i = clear_len; i < enc_len; i++ )
226  state[i] = (unsigned char) pad_len;
227 
228  /* Encrypt */
229  if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
230  enc_len, iv, state, state ) ) != 0 )
231  {
232  return( ret );
233  }
234 
235  /* Write length */
236  *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
237  *p++ = (unsigned char)( ( enc_len ) & 0xFF );
238  p = state + enc_len;
239 
240  /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
241  sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
242  p += 32;
243 
244  *tlen = p - start;
245 
246  SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
247 
248  return( 0 );
249 }
250 
251 /*
252  * Load session ticket (see ssl_write_ticket for structure)
253  */
254 static int ssl_parse_ticket( ssl_context *ssl,
255  unsigned char *buf,
256  size_t len )
257 {
258  int ret;
259  ssl_session session;
260  unsigned char *key_name = buf;
261  unsigned char *iv = buf + 16;
262  unsigned char *enc_len_p = iv + 16;
263  unsigned char *ticket = enc_len_p + 2;
264  unsigned char *mac;
265  unsigned char computed_mac[32];
266  size_t enc_len, clear_len, i;
267  unsigned char pad_len, diff;
268 
269  SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
270 
271  if( len < 34 || ssl->ticket_keys == NULL )
273 
274  enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
275  mac = ticket + enc_len;
276 
277  if( len != enc_len + 66 )
279 
280  /* Check name, in constant time though it's not a big secret */
281  diff = 0;
282  for( i = 0; i < 16; i++ )
283  diff |= key_name[i] ^ ssl->ticket_keys->key_name[i];
284  /* don't return yet, check the MAC anyway */
285 
286  /* Check mac, with constant-time buffer comparison */
287  sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
288  computed_mac, 0 );
289 
290  for( i = 0; i < 32; i++ )
291  diff |= mac[i] ^ computed_mac[i];
292 
293  /* Now return if ticket is not authentic, since we want to avoid
294  * decrypting arbitrary attacker-chosen data */
295  if( diff != 0 )
297 
298  /* Decrypt */
299  if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
300  enc_len, iv, ticket, ticket ) ) != 0 )
301  {
302  return( ret );
303  }
304 
305  /* Check PKCS padding */
306  pad_len = ticket[enc_len - 1];
307 
308  ret = 0;
309  for( i = 2; i < pad_len; i++ )
310  if( ticket[enc_len - i] != pad_len )
312  if( ret != 0 )
313  return( ret );
314 
315  clear_len = enc_len - pad_len;
316 
317  SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
318 
319  /* Actually load session */
320  if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
321  {
322  SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
323  ssl_session_free( &session );
324  return( ret );
325  }
326 
327 #if defined(POLARSSL_HAVE_TIME)
328  /* Check if still valid */
329  if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
330  {
331  SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
332  ssl_session_free( &session );
334  }
335 #endif
336 
337  /*
338  * Keep the session ID sent by the client, since we MUST send it back to
339  * inform him we're accepting the ticket (RFC 5077 section 3.4)
340  */
341  session.length = ssl->session_negotiate->length;
342  memcpy( &session.id, ssl->session_negotiate->id, session.length );
343 
345  memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
346 
347  /* Zeroize instead of free as we copied the content */
348  polarssl_zeroize( &session, sizeof( ssl_session ) );
349 
350  return( 0 );
351 }
352 #endif /* POLARSSL_SSL_SESSION_TICKETS */
353 
354 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
355 /*
356  * Wrapper around f_sni, allowing use of ssl_set_own_cert() but
357  * making it act on ssl->hanshake->sni_key_cert instead.
358  */
359 static int ssl_sni_wrapper( ssl_context *ssl,
360  const unsigned char* name, size_t len )
361 {
362  int ret;
363  ssl_key_cert *key_cert_ori = ssl->key_cert;
364 
365  ssl->key_cert = NULL;
366  ret = ssl->f_sni( ssl->p_sni, ssl, name, len );
367  ssl->handshake->sni_key_cert = ssl->key_cert;
368 
369  ssl->key_cert = key_cert_ori;
370 
371  return( ret );
372 }
373 
374 static int ssl_parse_servername_ext( ssl_context *ssl,
375  const unsigned char *buf,
376  size_t len )
377 {
378  int ret;
379  size_t servername_list_size, hostname_len;
380  const unsigned char *p;
381 
382  SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
383 
384  servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
385  if( servername_list_size + 2 != len )
386  {
387  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
389  }
390 
391  p = buf + 2;
392  while( servername_list_size > 0 )
393  {
394  hostname_len = ( ( p[1] << 8 ) | p[2] );
395  if( hostname_len + 3 > servername_list_size )
396  {
397  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
399  }
400 
401  if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
402  {
403  ret = ssl_sni_wrapper( ssl, p + 3, hostname_len );
404  if( ret != 0 )
405  {
406  SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
410  }
411  return( 0 );
412  }
413 
414  servername_list_size -= hostname_len + 3;
415  p += hostname_len + 3;
416  }
417 
418  if( servername_list_size != 0 )
419  {
420  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
422  }
423 
424  return( 0 );
425 }
426 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
427 
428 static int ssl_parse_renegotiation_info( ssl_context *ssl,
429  const unsigned char *buf,
430  size_t len )
431 {
432  int ret;
433 
435  {
436  if( len != 1 || buf[0] != 0x0 )
437  {
438  SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
439 
440  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
441  return( ret );
442 
444  }
445 
447  }
448  else
449  {
450  /* Check verify-data in constant-time. The length OTOH is no secret */
451  if( len != 1 + ssl->verify_data_len ||
452  buf[0] != ssl->verify_data_len ||
453  safer_memcmp( buf + 1, ssl->peer_verify_data,
454  ssl->verify_data_len ) != 0 )
455  {
456  SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
457 
458  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
459  return( ret );
460 
462  }
463  }
464 
465  return( 0 );
466 }
467 
468 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
469 static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
470  const unsigned char *buf,
471  size_t len )
472 {
473  size_t sig_alg_list_size;
474  const unsigned char *p;
475  const unsigned char *end = buf + len;
476  const int *md_cur;
477 
478 
479  sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
480  if( sig_alg_list_size + 2 != len ||
481  sig_alg_list_size % 2 != 0 )
482  {
483  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
485  }
486 
487  /*
488  * For now, ignore the SignatureAlgorithm part and rely on offered
489  * ciphersuites only for that part. To be fixed later.
490  *
491  * So, just look at the HashAlgorithm part.
492  */
493  for( md_cur = md_list(); *md_cur != POLARSSL_MD_NONE; md_cur++ ) {
494  for( p = buf + 2; p < end; p += 2 ) {
495  if( *md_cur == (int) ssl_md_alg_from_hash( p[0] ) ) {
496  ssl->handshake->sig_alg = p[0];
497  goto have_sig_alg;
498  }
499  }
500  }
501 
502  /* Some key echanges do not need signatures at all */
503  SSL_DEBUG_MSG( 3, ( "no signature_algorithm in common" ) );
504  return( 0 );
505 
506 have_sig_alg:
507  SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
508  ssl->handshake->sig_alg ) );
509 
510  return( 0 );
511 }
512 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
513 
514 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
515 static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
516  const unsigned char *buf,
517  size_t len )
518 {
519  size_t list_size, our_size;
520  const unsigned char *p;
521  const ecp_curve_info *curve_info, **curves;
522 
523  list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
524  if( list_size + 2 != len ||
525  list_size % 2 != 0 )
526  {
527  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
529  }
530 
531  /* Should never happen unless client duplicates the extension */
532  if( ssl->handshake->curves != NULL )
533  {
534  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
536  }
537 
538  /* Don't allow our peer to make us allocate too much memory,
539  * and leave room for a final 0 */
540  our_size = list_size / 2 + 1;
541  if( our_size > POLARSSL_ECP_DP_MAX )
542  our_size = POLARSSL_ECP_DP_MAX;
543 
544  if( ( curves = polarssl_malloc( our_size * sizeof( *curves ) ) ) == NULL )
546 
547  /* explicit void pointer cast for buggy MS compiler */
548  memset( (void *) curves, 0, our_size * sizeof( *curves ) );
549  ssl->handshake->curves = curves;
550 
551  p = buf + 2;
552  while( list_size > 0 && our_size > 1 )
553  {
554  curve_info = ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
555 
556  if( curve_info != NULL )
557  {
558  *curves++ = curve_info;
559  our_size--;
560  }
561 
562  list_size -= 2;
563  p += 2;
564  }
565 
566  return( 0 );
567 }
568 
569 static int ssl_parse_supported_point_formats( ssl_context *ssl,
570  const unsigned char *buf,
571  size_t len )
572 {
573  size_t list_size;
574  const unsigned char *p;
575 
576  list_size = buf[0];
577  if( list_size + 1 != len )
578  {
579  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
581  }
582 
583  p = buf + 2;
584  while( list_size > 0 )
585  {
586  if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
588  {
589  ssl->handshake->ecdh_ctx.point_format = p[0];
590  SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
591  return( 0 );
592  }
593 
594  list_size--;
595  p++;
596  }
597 
598  return( 0 );
599 }
600 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
601 
602 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
603 static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
604  const unsigned char *buf,
605  size_t len )
606 {
607  if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
608  {
609  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
611  }
612 
613  ssl->session_negotiate->mfl_code = buf[0];
614 
615  return( 0 );
616 }
617 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
618 
619 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
620 static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
621  const unsigned char *buf,
622  size_t len )
623 {
624  if( len != 0 )
625  {
626  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
628  }
629 
630  ((void) buf);
631 
633 
634  return( 0 );
635 }
636 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
637 
638 #if defined(POLARSSL_SSL_SESSION_TICKETS)
639 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
640  unsigned char *buf,
641  size_t len )
642 {
643  int ret;
644 
646  return( 0 );
647 
648  /* Remember the client asked us to send a new ticket */
649  ssl->handshake->new_session_ticket = 1;
650 
651  SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
652 
653  if( len == 0 )
654  return( 0 );
655 
657  {
658  SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
659  return( 0 );
660  }
661 
662  /*
663  * Failures are ok: just ignore the ticket and proceed.
664  */
665  if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
666  {
667  SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
668  return( 0 );
669  }
670 
671  SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
672 
673  ssl->handshake->resume = 1;
674 
675  /* Don't send a new ticket after all, this one is OK */
676  ssl->handshake->new_session_ticket = 0;
677 
678  return( 0 );
679 }
680 #endif /* POLARSSL_SSL_SESSION_TICKETS */
681 
682 #if defined(POLARSSL_SSL_ALPN)
683 static int ssl_parse_alpn_ext( ssl_context *ssl,
684  const unsigned char *buf, size_t len )
685 {
686  size_t list_len, cur_len, ours_len;
687  const unsigned char *theirs, *start, *end;
688  const char **ours;
689 
690  /* If ALPN not configured, just ignore the extension */
691  if( ssl->alpn_list == NULL )
692  return( 0 );
693 
694  /*
695  * opaque ProtocolName<1..2^8-1>;
696  *
697  * struct {
698  * ProtocolName protocol_name_list<2..2^16-1>
699  * } ProtocolNameList;
700  */
701 
702  /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
703  if( len < 4 )
705 
706  list_len = ( buf[0] << 8 ) | buf[1];
707  if( list_len != len - 2 )
709 
710  /*
711  * Use our order of preference
712  */
713  start = buf + 2;
714  end = buf + len;
715  for( ours = ssl->alpn_list; *ours != NULL; ours++ )
716  {
717  ours_len = strlen( *ours );
718  for( theirs = start; theirs != end; theirs += cur_len )
719  {
720  /* If the list is well formed, we should get equality first */
721  if( theirs > end )
723 
724  cur_len = *theirs++;
725 
726  /* Empty strings MUST NOT be included */
727  if( cur_len == 0 )
729 
730  if( cur_len == ours_len &&
731  memcmp( theirs, *ours, cur_len ) == 0 )
732  {
733  ssl->alpn_chosen = *ours;
734  return( 0 );
735  }
736  }
737  }
738 
739  /* If we get there, no match was found */
743 }
744 #endif /* POLARSSL_SSL_ALPN */
745 
746 /*
747  * Auxiliary functions for ServerHello parsing and related actions
748  */
749 
750 #if defined(POLARSSL_X509_CRT_PARSE_C)
751 /*
752  * Return 1 if the given EC key uses the given curve, 0 otherwise
753  */
754 #if defined(POLARSSL_ECDSA_C)
755 static int ssl_key_matches_curves( pk_context *pk,
756  const ecp_curve_info **curves )
757 {
758  const ecp_curve_info **crv = curves;
759  ecp_group_id grp_id = pk_ec( *pk )->grp.id;
760 
761  while( *crv != NULL )
762  {
763  if( (*crv)->grp_id == grp_id )
764  return( 1 );
765  crv++;
766  }
767 
768  return( 0 );
769 }
770 #endif /* POLARSSL_ECDSA_C */
771 
772 /*
773  * Try picking a certificate for this ciphersuite,
774  * return 0 on success and -1 on failure.
775  */
776 static int ssl_pick_cert( ssl_context *ssl,
777  const ssl_ciphersuite_t * ciphersuite_info )
778 {
779  ssl_key_cert *cur, *list;
780  pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
781 
782 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
783  if( ssl->handshake->sni_key_cert != NULL )
784  list = ssl->handshake->sni_key_cert;
785  else
786 #endif
787  list = ssl->handshake->key_cert;
788 
789  if( pk_alg == POLARSSL_PK_NONE )
790  return( 0 );
791 
792  for( cur = list; cur != NULL; cur = cur->next )
793  {
794  if( ! pk_can_do( cur->key, pk_alg ) )
795  continue;
796 
797  /*
798  * This avoids sending the client a cert it'll reject based on
799  * keyUsage or other extensions.
800  *
801  * It also allows the user to provision different certificates for
802  * different uses based on keyUsage, eg if they want to avoid signing
803  * and decrypting with the same RSA key.
804  */
805  if( ssl_check_cert_usage( cur->cert, ciphersuite_info,
806  SSL_IS_SERVER ) != 0 )
807  {
808  continue;
809  }
810 
811 #if defined(POLARSSL_ECDSA_C)
812  if( pk_alg == POLARSSL_PK_ECDSA )
813  {
814  if( ssl_key_matches_curves( cur->key, ssl->handshake->curves ) )
815  break;
816  }
817  else
818 #endif
819  break;
820  }
821 
822  if( cur == NULL )
823  return( -1 );
824 
825  ssl->handshake->key_cert = cur;
826  return( 0 );
827 }
828 #endif /* POLARSSL_X509_CRT_PARSE_C */
829 
830 /*
831  * Check if a given ciphersuite is suitable for use with our config/keys/etc
832  * Sets ciphersuite_info only if the suite matches.
833  */
834 static int ssl_ciphersuite_match( ssl_context *ssl, int suite_id,
835  const ssl_ciphersuite_t **ciphersuite_info )
836 {
837  const ssl_ciphersuite_t *suite_info;
838 
839  suite_info = ssl_ciphersuite_from_id( suite_id );
840  if( suite_info == NULL )
841  {
842  SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", suite_id ) );
844  }
845 
846  if( suite_info->min_minor_ver > ssl->minor_ver ||
847  suite_info->max_minor_ver < ssl->minor_ver )
848  return( 0 );
849 
850 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
851  if( ssl_ciphersuite_uses_ec( suite_info ) &&
852  ( ssl->handshake->curves == NULL ||
853  ssl->handshake->curves[0] == NULL ) )
854  return( 0 );
855 #endif
856 
857 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
858  /* If the ciphersuite requires a pre-shared key and we don't
859  * have one, skip it now rather than failing later */
860  if( ssl_ciphersuite_uses_psk( suite_info ) &&
861  ssl->f_psk == NULL &&
862  ( ssl->psk == NULL || ssl->psk_identity == NULL ||
863  ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
864  return( 0 );
865 #endif
866 
867 #if defined(POLARSSL_X509_CRT_PARSE_C)
868  /*
869  * Final check: if ciphersuite requires us to have a
870  * certificate/key of a particular type:
871  * - select the appropriate certificate if we have one, or
872  * - try the next ciphersuite if we don't
873  * This must be done last since we modify the key_cert list.
874  */
875  if( ssl_pick_cert( ssl, suite_info ) != 0 )
876  return( 0 );
877 #endif
878 
879  *ciphersuite_info = suite_info;
880  return( 0 );
881 }
882 
883 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
884 static int ssl_parse_client_hello_v2( ssl_context *ssl )
885 {
886  int ret;
887  unsigned int i, j;
888  size_t n;
889  unsigned int ciph_len, sess_len, chal_len;
890  unsigned char *buf, *p;
891  const int *ciphersuites;
892  const ssl_ciphersuite_t *ciphersuite_info;
893 
894  SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
895 
897  {
898  SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
899 
900  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
901  return( ret );
902 
904  }
905 
906  buf = ssl->in_hdr;
907 
908  SSL_DEBUG_BUF( 4, "record header", buf, 5 );
909 
910  SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
911  buf[2] ) );
912  SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
913  ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
914  SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
915  buf[3], buf[4] ) );
916 
917  /*
918  * SSLv2 Client Hello
919  *
920  * Record layer:
921  * 0 . 1 message length
922  *
923  * SSL layer:
924  * 2 . 2 message type
925  * 3 . 4 protocol version
926  */
927  if( buf[2] != SSL_HS_CLIENT_HELLO ||
928  buf[3] != SSL_MAJOR_VERSION_3 )
929  {
930  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
932  }
933 
934  n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
935 
936  if( n < 17 || n > 512 )
937  {
938  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
940  }
941 
943  ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
944  ? buf[4] : ssl->max_minor_ver;
945 
946  if( ssl->minor_ver < ssl->min_minor_ver )
947  {
948  SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
949  " [%d:%d] < [%d:%d]",
950  ssl->major_ver, ssl->minor_ver,
951  ssl->min_major_ver, ssl->min_minor_ver ) );
952 
956  }
957 
958  ssl->handshake->max_major_ver = buf[3];
959  ssl->handshake->max_minor_ver = buf[4];
960 
961  if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
962  {
963  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
964  return( ret );
965  }
966 
967  ssl->handshake->update_checksum( ssl, buf + 2, n );
968 
969  buf = ssl->in_msg;
970  n = ssl->in_left - 5;
971 
972  /*
973  * 0 . 1 ciphersuitelist length
974  * 2 . 3 session id length
975  * 4 . 5 challenge length
976  * 6 . .. ciphersuitelist
977  * .. . .. session id
978  * .. . .. challenge
979  */
980  SSL_DEBUG_BUF( 4, "record contents", buf, n );
981 
982  ciph_len = ( buf[0] << 8 ) | buf[1];
983  sess_len = ( buf[2] << 8 ) | buf[3];
984  chal_len = ( buf[4] << 8 ) | buf[5];
985 
986  SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
987  ciph_len, sess_len, chal_len ) );
988 
989  /*
990  * Make sure each parameter length is valid
991  */
992  if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
993  {
994  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
996  }
997 
998  if( sess_len > 32 )
999  {
1000  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1002  }
1003 
1004  if( chal_len < 8 || chal_len > 32 )
1005  {
1006  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1008  }
1009 
1010  if( n != 6 + ciph_len + sess_len + chal_len )
1011  {
1012  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1014  }
1015 
1016  SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1017  buf + 6, ciph_len );
1018  SSL_DEBUG_BUF( 3, "client hello, session id",
1019  buf + 6 + ciph_len, sess_len );
1020  SSL_DEBUG_BUF( 3, "client hello, challenge",
1021  buf + 6 + ciph_len + sess_len, chal_len );
1022 
1023  p = buf + 6 + ciph_len;
1024  ssl->session_negotiate->length = sess_len;
1025  memset( ssl->session_negotiate->id, 0,
1026  sizeof( ssl->session_negotiate->id ) );
1027  memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
1028 
1029  p += sess_len;
1030  memset( ssl->handshake->randbytes, 0, 64 );
1031  memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
1032 
1033  /*
1034  * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1035  */
1036  for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
1037  {
1038  if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
1039  {
1040  SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1041  if( ssl->renegotiation == SSL_RENEGOTIATION )
1042  {
1043  SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
1044 
1045  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1046  return( ret );
1047 
1049  }
1051  break;
1052  }
1053  }
1054 
1055  ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1056  ciphersuite_info = NULL;
1057 #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1058  for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
1059  {
1060  for( i = 0; ciphersuites[i] != 0; i++ )
1061 #else
1062  for( i = 0; ciphersuites[i] != 0; i++ )
1063  {
1064  for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
1065 #endif
1066  {
1067  if( p[0] != 0 ||
1068  p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
1069  p[2] != ( ( ciphersuites[i] ) & 0xFF ) )
1070  continue;
1071 
1072  if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1073  &ciphersuite_info ) ) != 0 )
1074  return( ret );
1075 
1076  if( ciphersuite_info != NULL )
1077  goto have_ciphersuite_v2;
1078  }
1079  }
1080 
1081  SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1082 
1084 
1085 have_ciphersuite_v2:
1086  ssl->session_negotiate->ciphersuite = ciphersuites[i];
1087  ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1089 
1090  /*
1091  * SSLv2 Client Hello relevant renegotiation security checks
1092  */
1095  {
1096  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1097 
1098  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1099  return( ret );
1100 
1102  }
1103 
1104  ssl->in_left = 0;
1105  ssl->state++;
1106 
1107  SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
1108 
1109  return( 0 );
1110 }
1111 #endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
1112 
1113 static int ssl_parse_client_hello( ssl_context *ssl )
1114 {
1115  int ret;
1116  unsigned int i, j;
1117  size_t n;
1118  unsigned int ciph_len, sess_len;
1119  unsigned int comp_len;
1120  unsigned int ext_len = 0;
1121  unsigned char *buf, *p, *ext;
1122  int renegotiation_info_seen = 0;
1123  int handshake_failure = 0;
1124  const int *ciphersuites;
1125  const ssl_ciphersuite_t *ciphersuite_info;
1126 
1127  SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
1128 
1129  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
1130  ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1131  {
1132  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1133  return( ret );
1134  }
1135 
1136  buf = ssl->in_hdr;
1137 
1138 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1139  if( ( buf[0] & 0x80 ) != 0 )
1140  return ssl_parse_client_hello_v2( ssl );
1141 #endif
1142 
1143  SSL_DEBUG_BUF( 4, "record header", buf, 5 );
1144 
1145  SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
1146  buf[0] ) );
1147  SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
1148  ( buf[3] << 8 ) | buf[4] ) );
1149  SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
1150  buf[1], buf[2] ) );
1151 
1152  /*
1153  * SSLv3/TLS Client Hello
1154  *
1155  * Record layer:
1156  * 0 . 0 message type
1157  * 1 . 2 protocol version
1158  * 3 . 4 message length
1159  */
1160 
1161  /* According to RFC 5246 Appendix E.1, the version here is typically
1162  * "{03,00}, the lowest version number supported by the client, [or] the
1163  * value of ClientHello.client_version", so the only meaningful check here
1164  * is the major version shouldn't be less than 3 */
1165  if( buf[0] != SSL_MSG_HANDSHAKE ||
1166  buf[1] < SSL_MAJOR_VERSION_3 )
1167  {
1168  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1170  }
1171 
1172  n = ( buf[3] << 8 ) | buf[4];
1173 
1174  if( n < 45 || n > SSL_MAX_CONTENT_LEN )
1175  {
1176  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1178  }
1179 
1180  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
1181  ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
1182  {
1183  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1184  return( ret );
1185  }
1186 
1187  buf = ssl->in_msg;
1188  if( !ssl->renegotiation )
1189  n = ssl->in_left - 5;
1190  else
1191  n = ssl->in_msglen;
1192 
1193  ssl->handshake->update_checksum( ssl, buf, n );
1194 
1195  /*
1196  * SSL layer:
1197  * 0 . 0 handshake type
1198  * 1 . 3 handshake length
1199  * 4 . 5 protocol version
1200  * 6 . 9 UNIX time()
1201  * 10 . 37 random bytes
1202  * 38 . 38 session id length
1203  * 39 . 38+x session id
1204  * 39+x . 40+x ciphersuitelist length
1205  * 41+x . 40+y ciphersuitelist
1206  * 41+y . 41+y compression alg length
1207  * 42+y . 41+z compression algs
1208  * .. . .. extensions
1209  */
1210  SSL_DEBUG_BUF( 4, "record contents", buf, n );
1211 
1212  SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
1213  buf[0] ) );
1214  SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
1215  ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
1216  SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
1217  buf[4], buf[5] ) );
1218 
1219  /*
1220  * Check the handshake type and protocol version
1221  */
1222  if( buf[0] != SSL_HS_CLIENT_HELLO )
1223  {
1224  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1226  }
1227 
1228  ssl->major_ver = buf[4];
1229  ssl->minor_ver = buf[5];
1230 
1231  ssl->handshake->max_major_ver = ssl->major_ver;
1232  ssl->handshake->max_minor_ver = ssl->minor_ver;
1233 
1234  if( ssl->major_ver < ssl->min_major_ver ||
1235  ssl->minor_ver < ssl->min_minor_ver )
1236  {
1237  SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1238  " [%d:%d] < [%d:%d]",
1239  ssl->major_ver, ssl->minor_ver,
1240  ssl->min_major_ver, ssl->min_minor_ver ) );
1241 
1244 
1246  }
1247 
1248  if( ssl->major_ver > ssl->max_major_ver )
1249  {
1250  ssl->major_ver = ssl->max_major_ver;
1251  ssl->minor_ver = ssl->max_minor_ver;
1252  }
1253  else if( ssl->minor_ver > ssl->max_minor_ver )
1254  ssl->minor_ver = ssl->max_minor_ver;
1255 
1256  memcpy( ssl->handshake->randbytes, buf + 6, 32 );
1257 
1258  /*
1259  * Check the handshake message length
1260  */
1261  if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
1262  {
1263  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1265  }
1266 
1267  /*
1268  * Check the session length
1269  */
1270  sess_len = buf[38];
1271 
1272  if( sess_len > 32 || sess_len > n - 42 )
1273  {
1274  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1276  }
1277 
1278  ssl->session_negotiate->length = sess_len;
1279  memset( ssl->session_negotiate->id, 0,
1280  sizeof( ssl->session_negotiate->id ) );
1281  memcpy( ssl->session_negotiate->id, buf + 39,
1282  ssl->session_negotiate->length );
1283 
1284  /*
1285  * Check the ciphersuitelist length
1286  */
1287  ciph_len = ( buf[39 + sess_len] << 8 )
1288  | ( buf[40 + sess_len] );
1289 
1290  if( ciph_len < 2 || ( ciph_len % 2 ) != 0 || ciph_len > n - 42 - sess_len )
1291  {
1292  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1294  }
1295 
1296  /*
1297  * Check the compression algorithms length
1298  */
1299  comp_len = buf[41 + sess_len + ciph_len];
1300 
1301  if( comp_len < 1 || comp_len > 16 ||
1302  comp_len > n - 42 - sess_len - ciph_len )
1303  {
1304  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1306  }
1307 
1308  /*
1309  * Check the extension length
1310  */
1311  if( n > 42 + sess_len + ciph_len + comp_len )
1312  {
1313  ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
1314  | ( buf[43 + sess_len + ciph_len + comp_len] );
1315 
1316  if( ( ext_len > 0 && ext_len < 4 ) ||
1317  n != 44 + sess_len + ciph_len + comp_len + ext_len )
1318  {
1319  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1320  SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
1322  }
1323  }
1324 
1326 #if defined(POLARSSL_ZLIB_SUPPORT)
1327  for( i = 0; i < comp_len; ++i )
1328  {
1329  if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
1330  {
1332  break;
1333  }
1334  }
1335 #endif
1336 
1337  SSL_DEBUG_BUF( 3, "client hello, random bytes",
1338  buf + 6, 32 );
1339  SSL_DEBUG_BUF( 3, "client hello, session id",
1340  buf + 38, sess_len );
1341  SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1342  buf + 41 + sess_len, ciph_len );
1343  SSL_DEBUG_BUF( 3, "client hello, compression",
1344  buf + 42 + sess_len + ciph_len, comp_len );
1345 
1346  /*
1347  * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1348  */
1349  for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1350  {
1351  if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
1352  {
1353  SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1354  if( ssl->renegotiation == SSL_RENEGOTIATION )
1355  {
1356  SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
1357 
1358  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1359  return( ret );
1360 
1362  }
1364  break;
1365  }
1366  }
1367 
1368  ext = buf + 44 + sess_len + ciph_len + comp_len;
1369 
1370  while( ext_len )
1371  {
1372  unsigned int ext_id = ( ( ext[0] << 8 )
1373  | ( ext[1] ) );
1374  unsigned int ext_size = ( ( ext[2] << 8 )
1375  | ( ext[3] ) );
1376 
1377  if( ext_size + 4 > ext_len )
1378  {
1379  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1381  }
1382  switch( ext_id )
1383  {
1384 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
1385  case TLS_EXT_SERVERNAME:
1386  SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1387  if( ssl->f_sni == NULL )
1388  break;
1389 
1390  ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1391  if( ret != 0 )
1392  return( ret );
1393  break;
1394 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
1395 
1397  SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1398  renegotiation_info_seen = 1;
1399 
1400  ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1401  if( ret != 0 )
1402  return( ret );
1403  break;
1404 
1405 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1406  case TLS_EXT_SIG_ALG:
1407  SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1408  if( ssl->renegotiation == SSL_RENEGOTIATION )
1409  break;
1410 
1411  ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1412  if( ret != 0 )
1413  return( ret );
1414  break;
1415 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1416 
1417 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1419  SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1420 
1421  ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1422  if( ret != 0 )
1423  return( ret );
1424  break;
1425 
1427  SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1429 
1430  ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1431  if( ret != 0 )
1432  return( ret );
1433  break;
1434 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1435 
1436 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1438  SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1439 
1440  ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1441  if( ret != 0 )
1442  return( ret );
1443  break;
1444 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
1445 
1446 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1448  SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1449 
1450  ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1451  if( ret != 0 )
1452  return( ret );
1453  break;
1454 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
1455 
1456 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1458  SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1459 
1460  ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1461  if( ret != 0 )
1462  return( ret );
1463  break;
1464 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1465 
1466 #if defined(POLARSSL_SSL_ALPN)
1467  case TLS_EXT_ALPN:
1468  SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1469 
1470  ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
1471  if( ret != 0 )
1472  return( ret );
1473  break;
1474 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1475 
1476  default:
1477  SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1478  ext_id ) );
1479  }
1480 
1481  ext_len -= 4 + ext_size;
1482  ext += 4 + ext_size;
1483 
1484  if( ext_len > 0 && ext_len < 4 )
1485  {
1486  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1488  }
1489  }
1490 
1491  /*
1492  * Renegotiation security checks
1493  */
1496  {
1497  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1498  handshake_failure = 1;
1499  }
1500  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1502  renegotiation_info_seen == 0 )
1503  {
1504  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1505  handshake_failure = 1;
1506  }
1507  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1510  {
1511  SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1512  handshake_failure = 1;
1513  }
1514  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1516  renegotiation_info_seen == 1 )
1517  {
1518  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1519  handshake_failure = 1;
1520  }
1521 
1522  if( handshake_failure == 1 )
1523  {
1524  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1525  return( ret );
1526 
1528  }
1529 
1530  /*
1531  * Search for a matching ciphersuite
1532  * (At the end because we need information from the EC-based extensions
1533  * and certificate from the SNI callback triggered by the SNI extension.)
1534  */
1535  ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1536  ciphersuite_info = NULL;
1537 #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1538  for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 )
1539  {
1540  for( i = 0; ciphersuites[i] != 0; i++ )
1541 #else
1542  for( i = 0; ciphersuites[i] != 0; i++ )
1543  {
1544  for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 )
1545 #endif
1546  {
1547  if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
1548  p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
1549  continue;
1550 
1551  if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1552  &ciphersuite_info ) ) != 0 )
1553  return( ret );
1554 
1555  if( ciphersuite_info != NULL )
1556  goto have_ciphersuite;
1557  }
1558  }
1559 
1560  SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1561 
1562  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1563  return( ret );
1564 
1566 
1567 have_ciphersuite:
1568  ssl->session_negotiate->ciphersuite = ciphersuites[i];
1569  ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1571 
1572  ssl->in_left = 0;
1573  ssl->state++;
1574 
1575  SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1576 
1577  return( 0 );
1578 }
1579 
1580 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1581 static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
1582  unsigned char *buf,
1583  size_t *olen )
1584 {
1585  unsigned char *p = buf;
1586 
1588  {
1589  *olen = 0;
1590  return;
1591  }
1592 
1593  SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1594 
1595  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
1596  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
1597 
1598  *p++ = 0x00;
1599  *p++ = 0x00;
1600 
1601  *olen = 4;
1602 }
1603 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
1604 
1605 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1606 static void ssl_write_session_ticket_ext( ssl_context *ssl,
1607  unsigned char *buf,
1608  size_t *olen )
1609 {
1610  unsigned char *p = buf;
1611 
1612  if( ssl->handshake->new_session_ticket == 0 )
1613  {
1614  *olen = 0;
1615  return;
1616  }
1617 
1618  SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1619 
1620  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
1621  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
1622 
1623  *p++ = 0x00;
1624  *p++ = 0x00;
1625 
1626  *olen = 4;
1627 }
1628 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1629 
1630 static void ssl_write_renegotiation_ext( ssl_context *ssl,
1631  unsigned char *buf,
1632  size_t *olen )
1633 {
1634  unsigned char *p = buf;
1635 
1637  {
1638  *olen = 0;
1639  return;
1640  }
1641 
1642  SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1643 
1644  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
1645  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
1646 
1647  *p++ = 0x00;
1648  *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
1649  *p++ = ssl->verify_data_len * 2 & 0xFF;
1650 
1651  memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
1652  p += ssl->verify_data_len;
1653  memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
1654  p += ssl->verify_data_len;
1655 
1656  *olen = 5 + ssl->verify_data_len * 2;
1657 }
1658 
1659 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1660 static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
1661  unsigned char *buf,
1662  size_t *olen )
1663 {
1664  unsigned char *p = buf;
1665 
1667  {
1668  *olen = 0;
1669  return;
1670  }
1671 
1672  SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
1673 
1674  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
1675  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
1676 
1677  *p++ = 0x00;
1678  *p++ = 1;
1679 
1680  *p++ = ssl->session_negotiate->mfl_code;
1681 
1682  *olen = 5;
1683 }
1684 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
1685 
1686 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1687 static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
1688  unsigned char *buf,
1689  size_t *olen )
1690 {
1691  unsigned char *p = buf;
1692  ((void) ssl);
1693 
1694  if( ( ssl->handshake->cli_exts &
1696  {
1697  *olen = 0;
1698  return;
1699  }
1700 
1701  SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
1702 
1703  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
1704  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
1705 
1706  *p++ = 0x00;
1707  *p++ = 2;
1708 
1709  *p++ = 1;
1711 
1712  *olen = 6;
1713 }
1714 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1715 
1716 #if defined(POLARSSL_SSL_ALPN )
1717 static void ssl_write_alpn_ext( ssl_context *ssl,
1718  unsigned char *buf, size_t *olen )
1719 {
1720  if( ssl->alpn_chosen == NULL )
1721  {
1722  *olen = 0;
1723  return;
1724  }
1725 
1726  SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
1727 
1728  /*
1729  * 0 . 1 ext identifier
1730  * 2 . 3 ext length
1731  * 4 . 5 protocol list length
1732  * 6 . 6 protocol name length
1733  * 7 . 7+n protocol name
1734  */
1735  buf[0] = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF );
1736  buf[1] = (unsigned char)( ( TLS_EXT_ALPN ) & 0xFF );
1737 
1738  *olen = 7 + strlen( ssl->alpn_chosen );
1739 
1740  buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
1741  buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
1742 
1743  buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
1744  buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
1745 
1746  buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF );
1747 
1748  memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
1749 }
1750 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1751 
1752 static int ssl_write_server_hello( ssl_context *ssl )
1753 {
1754 #if defined(POLARSSL_HAVE_TIME)
1755  time_t t;
1756 #endif
1757  int ret;
1758  size_t olen, ext_len = 0, n;
1759  unsigned char *buf, *p;
1760 
1761  SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
1762 
1763  if( ssl->f_rng == NULL )
1764  {
1765  SSL_DEBUG_MSG( 1, ( "no RNG provided") );
1766  return( POLARSSL_ERR_SSL_NO_RNG );
1767  }
1768 
1769  /*
1770  * 0 . 0 handshake type
1771  * 1 . 3 handshake length
1772  * 4 . 5 protocol version
1773  * 6 . 9 UNIX time()
1774  * 10 . 37 random bytes
1775  */
1776  buf = ssl->out_msg;
1777  p = buf + 4;
1778 
1779  *p++ = (unsigned char) ssl->major_ver;
1780  *p++ = (unsigned char) ssl->minor_ver;
1781 
1782  SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
1783  buf[4], buf[5] ) );
1784 
1785 #if defined(POLARSSL_HAVE_TIME)
1786  t = time( NULL );
1787  *p++ = (unsigned char)( t >> 24 );
1788  *p++ = (unsigned char)( t >> 16 );
1789  *p++ = (unsigned char)( t >> 8 );
1790  *p++ = (unsigned char)( t );
1791 
1792  SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
1793 #else
1794  if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
1795  return( ret );
1796 
1797  p += 4;
1798 #endif /* POLARSSL_HAVE_TIME */
1799 
1800  if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
1801  return( ret );
1802 
1803  p += 28;
1804 
1805  memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
1806 
1807  SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
1808 
1809  /*
1810  * Resume is 0 by default, see ssl_handshake_init().
1811  * It may be already set to 1 by ssl_parse_session_ticket_ext().
1812  * If not, try looking up session ID in our cache.
1813  */
1814  if( ssl->handshake->resume == 0 &&
1816  ssl->session_negotiate->length != 0 &&
1817  ssl->f_get_cache != NULL &&
1818  ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
1819  {
1820  SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
1821  ssl->handshake->resume = 1;
1822  }
1823 
1824  if( ssl->handshake->resume == 0 )
1825  {
1826  /*
1827  * New session, create a new session id,
1828  * unless we're about to issue a session ticket
1829  */
1830  ssl->state++;
1831 
1832 #if defined(POLARSSL_HAVE_TIME)
1833  ssl->session_negotiate->start = time( NULL );
1834 #endif
1835 
1836 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1837  if( ssl->handshake->new_session_ticket != 0 )
1838  {
1839  ssl->session_negotiate->length = n = 0;
1840  memset( ssl->session_negotiate->id, 0, 32 );
1841  }
1842  else
1843 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1844  {
1845  ssl->session_negotiate->length = n = 32;
1846  if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
1847  n ) ) != 0 )
1848  return( ret );
1849  }
1850  }
1851  else
1852  {
1853  /*
1854  * Resuming a session
1855  */
1856  n = ssl->session_negotiate->length;
1858 
1859  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1860  {
1861  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1862  return( ret );
1863  }
1864  }
1865 
1866  /*
1867  * 38 . 38 session id length
1868  * 39 . 38+n session id
1869  * 39+n . 40+n chosen ciphersuite
1870  * 41+n . 41+n chosen compression alg.
1871  * 42+n . 43+n extensions length
1872  * 44+n . 43+n+m extensions
1873  */
1874  *p++ = (unsigned char) ssl->session_negotiate->length;
1875  memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
1876  p += ssl->session_negotiate->length;
1877 
1878  SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1879  SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
1880  SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
1881  ssl->handshake->resume ? "a" : "no" ) );
1882 
1883  *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
1884  *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
1885  *p++ = (unsigned char)( ssl->session_negotiate->compression );
1886 
1887  SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
1889  SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
1890  ssl->session_negotiate->compression ) );
1891 
1892  /*
1893  * First write extensions, then the total length
1894  */
1895  ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1896  ext_len += olen;
1897 
1898 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1899  ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1900  ext_len += olen;
1901 #endif
1902 
1903 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1904  ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1905  ext_len += olen;
1906 #endif
1907 
1908 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1909  ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1910  ext_len += olen;
1911 #endif
1912 
1913 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1914  ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1915  ext_len += olen;
1916 #endif
1917 
1918 #if defined(POLARSSL_SSL_ALPN)
1919  ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
1920  ext_len += olen;
1921 #endif
1922 
1923  SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
1924 
1925  if( ext_len > 0 )
1926  {
1927  *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1928  *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1929  p += ext_len;
1930  }
1931 
1932  ssl->out_msglen = p - buf;
1934  ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
1935 
1936  ret = ssl_write_record( ssl );
1937 
1938  SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
1939 
1940  return( ret );
1941 }
1942 
1943 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1944  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1945  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
1946  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1947 static int ssl_write_certificate_request( ssl_context *ssl )
1948 {
1949  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1950 
1951  SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1952 
1953  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1954  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1955  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1956  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1957  {
1958  SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1959  ssl->state++;
1960  return( 0 );
1961  }
1962 
1963  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1965 }
1966 #else
1967 static int ssl_write_certificate_request( ssl_context *ssl )
1968 {
1970  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1971  size_t dn_size, total_dn_size; /* excluding length bytes */
1972  size_t ct_len, sa_len; /* including length bytes */
1973  unsigned char *buf, *p;
1974  const x509_crt *crt;
1975 
1976  SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1977 
1978  ssl->state++;
1979 
1980  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1981  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1982  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1983  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
1984  ssl->authmode == SSL_VERIFY_NONE )
1985  {
1986  SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1987  return( 0 );
1988  }
1989 
1990  /*
1991  * 0 . 0 handshake type
1992  * 1 . 3 handshake length
1993  * 4 . 4 cert type count
1994  * 5 .. m-1 cert types
1995  * m .. m+1 sig alg length (TLS 1.2 only)
1996  * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
1997  * n .. n+1 length of all DNs
1998  * n+2 .. n+3 length of DN 1
1999  * n+4 .. ... Distinguished Name #1
2000  * ... .. ... length of DN 2, etc.
2001  */
2002  buf = ssl->out_msg;
2003  p = buf + 4;
2004 
2005  /*
2006  * Supported certificate types
2007  *
2008  * ClientCertificateType certificate_types<1..2^8-1>;
2009  * enum { (255) } ClientCertificateType;
2010  */
2011  ct_len = 0;
2012 
2013 #if defined(POLARSSL_RSA_C)
2014  p[1 + ct_len++] = SSL_CERT_TYPE_RSA_SIGN;
2015 #endif
2016 #if defined(POLARSSL_ECDSA_C)
2017  p[1 + ct_len++] = SSL_CERT_TYPE_ECDSA_SIGN;
2018 #endif
2019 
2020  p[0] = (unsigned char) ct_len++;
2021  p += ct_len;
2022 
2023  sa_len = 0;
2024 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2025  /*
2026  * Add signature_algorithms for verify (TLS 1.2)
2027  *
2028  * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2029  *
2030  * struct {
2031  * HashAlgorithm hash;
2032  * SignatureAlgorithm signature;
2033  * } SignatureAndHashAlgorithm;
2034  *
2035  * enum { (255) } HashAlgorithm;
2036  * enum { (255) } SignatureAlgorithm;
2037  */
2038  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2039  {
2040  /*
2041  * Only use current running hash algorithm that is already required
2042  * for requested ciphersuite.
2043  */
2045 
2048  {
2050  }
2051 
2052  /*
2053  * Supported signature algorithms
2054  */
2055 #if defined(POLARSSL_RSA_C)
2056  p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
2057  p[2 + sa_len++] = SSL_SIG_RSA;
2058 #endif
2059 #if defined(POLARSSL_ECDSA_C)
2060  p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
2061  p[2 + sa_len++] = SSL_SIG_ECDSA;
2062 #endif
2063 
2064  p[0] = (unsigned char)( sa_len >> 8 );
2065  p[1] = (unsigned char)( sa_len );
2066  sa_len += 2;
2067  p += sa_len;
2068  }
2069 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2070 
2071  /*
2072  * DistinguishedName certificate_authorities<0..2^16-1>;
2073  * opaque DistinguishedName<1..2^16-1>;
2074  */
2075  p += 2;
2076  crt = ssl->ca_chain;
2077 
2078  total_dn_size = 0;
2079  while( crt != NULL && crt->version != 0 )
2080  {
2081  if( p - buf > 4096 )
2082  break;
2083 
2084  dn_size = crt->subject_raw.len;
2085  *p++ = (unsigned char)( dn_size >> 8 );
2086  *p++ = (unsigned char)( dn_size );
2087  memcpy( p, crt->subject_raw.p, dn_size );
2088  p += dn_size;
2089 
2090  SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
2091 
2092  total_dn_size += 2 + dn_size;
2093  crt = crt->next;
2094  }
2095 
2096  ssl->out_msglen = p - buf;
2099  ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
2100  ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
2101 
2102  ret = ssl_write_record( ssl );
2103 
2104  SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
2105 
2106  return( ret );
2107 }
2108 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2109  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2110  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
2111  !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2112 
2113 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2114  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2115 static int ssl_get_ecdh_params_from_cert( ssl_context *ssl )
2116 {
2117  int ret;
2118 
2119  if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECKEY ) )
2120  {
2121  SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2123  }
2124 
2125  if( ( ret = ecdh_get_params( &ssl->handshake->ecdh_ctx,
2126  pk_ec( *ssl_own_key( ssl ) ),
2127  POLARSSL_ECDH_OURS ) ) != 0 )
2128  {
2129  SSL_DEBUG_RET( 1, ( "ecdh_get_params" ), ret );
2130  return( ret );
2131  }
2132 
2133  return( 0 );
2134 }
2135 #endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2136  POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2137 
2138 static int ssl_write_server_key_exchange( ssl_context *ssl )
2139 {
2140  int ret;
2141  size_t n = 0;
2142  const ssl_ciphersuite_t *ciphersuite_info =
2144 
2145 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2146  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2147  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2148  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2149  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2150  unsigned char *p = ssl->out_msg + 4;
2151  unsigned char *dig_signed = p;
2152  size_t dig_signed_len = 0, len;
2153  ((void) dig_signed);
2154  ((void) dig_signed_len);
2155 #endif
2156 
2157  SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
2158 
2159 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
2160  defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
2161  defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2162  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ||
2163  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2164  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
2165  {
2166  SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
2167  ssl->state++;
2168  return( 0 );
2169  }
2170 #endif
2171 
2172 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2173  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2174  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
2175  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
2176  {
2177  ssl_get_ecdh_params_from_cert( ssl );
2178 
2179  SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
2180  ssl->state++;
2181  return( 0 );
2182  }
2183 #endif
2184 
2185 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2186  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2187  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2188  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2189  {
2190  /* TODO: Support identity hints */
2191  *(p++) = 0x00;
2192  *(p++) = 0x00;
2193 
2194  n += 2;
2195  }
2196 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED ||
2197  POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2198 
2199 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2200  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2201  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
2202  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2203  {
2204  /*
2205  * Ephemeral DH parameters:
2206  *
2207  * struct {
2208  * opaque dh_p<1..2^16-1>;
2209  * opaque dh_g<1..2^16-1>;
2210  * opaque dh_Ys<1..2^16-1>;
2211  * } ServerDHParams;
2212  */
2213  if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
2214  ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
2215  {
2216  SSL_DEBUG_RET( 1, "mpi_copy", ret );
2217  return( ret );
2218  }
2219 
2220  if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
2221  (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
2222  p, &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
2223  {
2224  SSL_DEBUG_RET( 1, "dhm_make_params", ret );
2225  return( ret );
2226  }
2227 
2228  dig_signed = p;
2229  dig_signed_len = len;
2230 
2231  p += len;
2232  n += len;
2233 
2234  SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
2235  SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2236  SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2237  SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
2238  }
2239 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2240  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2241 
2242 #if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
2243  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2244  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
2245  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2246  {
2247  /*
2248  * Ephemeral ECDH parameters:
2249  *
2250  * struct {
2251  * ECParameters curve_params;
2252  * ECPoint public;
2253  * } ServerECDHParams;
2254  */
2255  const ecp_curve_info **curve = NULL;
2256 #if defined(POLARSSL_SSL_SET_CURVES)
2257  const ecp_group_id *gid;
2258 
2259  /* Match our preference list against the offered curves */
2260  for( gid = ssl->curve_list; *gid != POLARSSL_ECP_DP_NONE; gid++ )
2261  for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
2262  if( (*curve)->grp_id == *gid )
2263  goto curve_matching_done;
2264 
2265 curve_matching_done:
2266 #else
2267  curve = ssl->handshake->curves;
2268 #endif
2269 
2270  if( *curve == NULL )
2271  {
2272  SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
2274  }
2275 
2276  SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
2277 
2278  if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
2279  (*curve)->grp_id ) ) != 0 )
2280  {
2281  SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
2282  return( ret );
2283  }
2284 
2285  if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
2286  p, SSL_MAX_CONTENT_LEN - n,
2287  ssl->f_rng, ssl->p_rng ) ) != 0 )
2288  {
2289  SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
2290  return( ret );
2291  }
2292 
2293  dig_signed = p;
2294  dig_signed_len = len;
2295 
2296  p += len;
2297  n += len;
2298 
2299  SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
2300  }
2301 #endif /* POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
2302 
2303 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2304  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2305  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2306  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
2307  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2308  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
2309  {
2310  size_t signature_len = 0;
2311  unsigned int hashlen = 0;
2312  unsigned char hash[64];
2313  md_type_t md_alg = POLARSSL_MD_NONE;
2314 
2315  /*
2316  * Choose hash algorithm. NONE means MD5 + SHA1 here.
2317  */
2318 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2319  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2320  {
2321  md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg );
2322 
2323  if( md_alg == POLARSSL_MD_NONE )
2324  {
2325  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2327  }
2328  }
2329  else
2330 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2331 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2332  defined(POLARSSL_SSL_PROTO_TLS1_1)
2333  if( ciphersuite_info->key_exchange ==
2335  {
2336  md_alg = POLARSSL_MD_SHA1;
2337  }
2338  else
2339 #endif
2340  {
2341  md_alg = POLARSSL_MD_NONE;
2342  }
2343 
2344  /*
2345  * Compute the hash to be signed
2346  */
2347 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2348  defined(POLARSSL_SSL_PROTO_TLS1_1)
2349  if( md_alg == POLARSSL_MD_NONE )
2350  {
2351  md5_context md5;
2353 
2354  md5_init( &md5 );
2355  sha1_init( &sha1 );
2356 
2357  /*
2358  * digitally-signed struct {
2359  * opaque md5_hash[16];
2360  * opaque sha_hash[20];
2361  * };
2362  *
2363  * md5_hash
2364  * MD5(ClientHello.random + ServerHello.random
2365  * + ServerParams);
2366  * sha_hash
2367  * SHA(ClientHello.random + ServerHello.random
2368  * + ServerParams);
2369  */
2370  md5_starts( &md5 );
2371  md5_update( &md5, ssl->handshake->randbytes, 64 );
2372  md5_update( &md5, dig_signed, dig_signed_len );
2373  md5_finish( &md5, hash );
2374 
2375  sha1_starts( &sha1 );
2376  sha1_update( &sha1, ssl->handshake->randbytes, 64 );
2377  sha1_update( &sha1, dig_signed, dig_signed_len );
2378  sha1_finish( &sha1, hash + 16 );
2379 
2380  hashlen = 36;
2381 
2382  md5_free( &md5 );
2383  sha1_free( &sha1 );
2384  }
2385  else
2386 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
2387  POLARSSL_SSL_PROTO_TLS1_1 */
2388 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2389  defined(POLARSSL_SSL_PROTO_TLS1_2)
2390  if( md_alg != POLARSSL_MD_NONE )
2391  {
2392  md_context_t ctx;
2393  const md_info_t *md_info = md_info_from_type( md_alg );
2394 
2395  md_init( &ctx );
2396 
2397  /* Info from md_alg will be used instead */
2398  hashlen = 0;
2399 
2400  /*
2401  * digitally-signed struct {
2402  * opaque client_random[32];
2403  * opaque server_random[32];
2404  * ServerDHParams params;
2405  * };
2406  */
2407  if( ( ret = md_init_ctx( &ctx, md_info ) ) != 0 )
2408  {
2409  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
2410  return( ret );
2411  }
2412 
2413  md_starts( &ctx );
2414  md_update( &ctx, ssl->handshake->randbytes, 64 );
2415  md_update( &ctx, dig_signed, dig_signed_len );
2416  md_finish( &ctx, hash );
2417  md_free( &ctx );
2418  }
2419  else
2420 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2421  POLARSSL_SSL_PROTO_TLS1_2 */
2422  {
2423  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2425  }
2426 
2427  SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
2428  (unsigned int) ( md_info_from_type( md_alg ) )->size );
2429 
2430  /*
2431  * Make the signature
2432  */
2433  if( ssl_own_key( ssl ) == NULL )
2434  {
2435  SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2437  }
2438 
2439 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2440  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2441  {
2442  *(p++) = ssl->handshake->sig_alg;
2443  *(p++) = ssl_sig_from_pk( ssl_own_key( ssl ) );
2444 
2445  n += 2;
2446  }
2447 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2448 
2449  if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash, hashlen,
2450  p + 2 , &signature_len,
2451  ssl->f_rng, ssl->p_rng ) ) != 0 )
2452  {
2453  SSL_DEBUG_RET( 1, "pk_sign", ret );
2454  return( ret );
2455  }
2456 
2457  *(p++) = (unsigned char)( signature_len >> 8 );
2458  *(p++) = (unsigned char)( signature_len );
2459  n += 2;
2460 
2461  SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
2462 
2463  p += signature_len;
2464  n += signature_len;
2465  }
2466 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
2467  POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2468  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2469 
2470  ssl->out_msglen = 4 + n;
2473 
2474  ssl->state++;
2475 
2476  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2477  {
2478  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2479  return( ret );
2480  }
2481 
2482  SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
2483 
2484  return( 0 );
2485 }
2486 
2487 static int ssl_write_server_hello_done( ssl_context *ssl )
2488 {
2489  int ret;
2490 
2491  SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
2492 
2493  ssl->out_msglen = 4;
2496 
2497  ssl->state++;
2498 
2499  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2500  {
2501  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2502  return( ret );
2503  }
2504 
2505  SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
2506 
2507  return( 0 );
2508 }
2509 
2510 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2511  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2512 static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
2513  const unsigned char *end )
2514 {
2516  size_t n;
2517 
2518  /*
2519  * Receive G^Y mod P, premaster = (G^Y)^X mod P
2520  */
2521  if( *p + 2 > end )
2522  {
2523  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2525  }
2526 
2527  n = ( (*p)[0] << 8 ) | (*p)[1];
2528  *p += 2;
2529 
2530  if( *p + n > end )
2531  {
2532  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2534  }
2535 
2536  if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
2537  {
2538  SSL_DEBUG_RET( 1, "dhm_read_public", ret );
2540  }
2541 
2542  *p += n;
2543 
2544  SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2545 
2546  return( ret );
2547 }
2548 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2549  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2550 
2551 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
2552  defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2553 static int ssl_parse_encrypted_pms( ssl_context *ssl,
2554  const unsigned char *p,
2555  const unsigned char *end,
2556  size_t pms_offset )
2557 {
2558  int ret;
2559  size_t len = pk_get_len( ssl_own_key( ssl ) );
2560  unsigned char *pms = ssl->handshake->premaster + pms_offset;
2561 
2562  if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) )
2563  {
2564  SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
2566  }
2567 
2568  /*
2569  * Decrypt the premaster using own private RSA key
2570  */
2571 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2572  defined(POLARSSL_SSL_PROTO_TLS1_2)
2573  if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
2574  {
2575  if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
2576  *p++ != ( ( len ) & 0xFF ) )
2577  {
2578  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2580  }
2581  }
2582 #endif
2583 
2584  if( p + len != end )
2585  {
2586  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2588  }
2589 
2590  ret = pk_decrypt( ssl_own_key( ssl ), p, len,
2591  pms, &ssl->handshake->pmslen,
2592  sizeof( ssl->handshake->premaster ) - pms_offset,
2593  ssl->f_rng, ssl->p_rng );
2594 
2595  if( ret != 0 || ssl->handshake->pmslen != 48 ||
2596  pms[0] != ssl->handshake->max_major_ver ||
2597  pms[1] != ssl->handshake->max_minor_ver )
2598  {
2599  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2600 
2601  /*
2602  * Protection against Bleichenbacher's attack:
2603  * invalid PKCS#1 v1.5 padding must not cause
2604  * the connection to end immediately; instead,
2605  * send a bad_record_mac later in the handshake.
2606  */
2607  ssl->handshake->pmslen = 48;
2608 
2609  ret = ssl->f_rng( ssl->p_rng, pms, ssl->handshake->pmslen );
2610  if( ret != 0 )
2611  return( ret );
2612  }
2613 
2614  return( ret );
2615 }
2616 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED ||
2617  POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
2618 
2619 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
2620 static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
2621  const unsigned char *end )
2622 {
2623  int ret = 0;
2624  size_t n;
2625 
2626  if( ssl->f_psk == NULL &&
2627  ( ssl->psk == NULL || ssl->psk_identity == NULL ||
2628  ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
2629  {
2630  SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
2632  }
2633 
2634  /*
2635  * Receive client pre-shared key identity name
2636  */
2637  if( *p + 2 > end )
2638  {
2639  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2641  }
2642 
2643  n = ( (*p)[0] << 8 ) | (*p)[1];
2644  *p += 2;
2645 
2646  if( n < 1 || n > 65535 || *p + n > end )
2647  {
2648  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2650  }
2651 
2652  if( ssl->f_psk != NULL )
2653  {
2654  if( ssl->f_psk( ssl->p_psk, ssl, *p, n ) != 0 )
2656  }
2657  else
2658  {
2659  /* Identity is not a big secret since clients send it in the clear,
2660  * but treat it carefully anyway, just in case */
2661  if( n != ssl->psk_identity_len ||
2662  safer_memcmp( ssl->psk_identity, *p, n ) != 0 )
2663  {
2665  }
2666  }
2667 
2669  {
2670  SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
2671  if( ( ret = ssl_send_alert_message( ssl,
2674  {
2675  return( ret );
2676  }
2677 
2679  }
2680 
2681  *p += n;
2682 
2683  return( 0 );
2684 }
2685 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
2686 
2687 static int ssl_parse_client_key_exchange( ssl_context *ssl )
2688 {
2689  int ret;
2690  const ssl_ciphersuite_t *ciphersuite_info;
2691 
2692  ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2693 
2694  SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
2695 
2696  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2697  {
2698  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2699  return( ret );
2700  }
2701 
2702  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2703  {
2704  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2706  }
2707 
2708  if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
2709  {
2710  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2712  }
2713 
2714 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
2715  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
2716  {
2717  unsigned char *p = ssl->in_msg + 4;
2718  unsigned char *end = ssl->in_msg + ssl->in_hslen;
2719 
2720  if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2721  {
2722  SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2723  return( ret );
2724  }
2725 
2726  if( p != end )
2727  {
2728  SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
2730  }
2731 
2733 
2734  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2735  ssl->handshake->premaster,
2736  &ssl->handshake->pmslen,
2737  ssl->f_rng, ssl->p_rng ) ) != 0 )
2738  {
2739  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2741  }
2742 
2743  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2744  }
2745  else
2746 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
2747 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2748  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2749  defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2750  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2751  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2752  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
2753  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
2754  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
2755  {
2756  if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2757  ssl->in_msg + 4, ssl->in_hslen - 4 ) ) != 0 )
2758  {
2759  SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2761  }
2762 
2763  SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2764 
2765  if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2766  &ssl->handshake->pmslen,
2767  ssl->handshake->premaster,
2769  ssl->f_rng, ssl->p_rng ) ) != 0 )
2770  {
2771  SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
2773  }
2774 
2775  SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
2776  }
2777  else
2778 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2779  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2780  POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2781  POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2782 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2783  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
2784  {
2785  unsigned char *p = ssl->in_msg + 4;
2786  unsigned char *end = ssl->in_msg + ssl->in_hslen;
2787 
2788  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2789  {
2790  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2791  return( ret );
2792  }
2793 
2794  if( p != end )
2795  {
2796  SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
2798  }
2799 
2800  if( ( ret = ssl_psk_derive_premaster( ssl,
2801  ciphersuite_info->key_exchange ) ) != 0 )
2802  {
2803  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2804  return( ret );
2805  }
2806  }
2807  else
2808 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
2809 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2810  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
2811  {
2812  unsigned char *p = ssl->in_msg + 4;
2813  unsigned char *end = ssl->in_msg + ssl->in_hslen;
2814 
2815  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2816  {
2817  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2818  return( ret );
2819  }
2820 
2821  if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
2822  {
2823  SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
2824  return( ret );
2825  }
2826 
2827  if( ( ret = ssl_psk_derive_premaster( ssl,
2828  ciphersuite_info->key_exchange ) ) != 0 )
2829  {
2830  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2831  return( ret );
2832  }
2833  }
2834  else
2835 #endif /* POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
2836 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2837  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2838  {
2839  unsigned char *p = ssl->in_msg + 4;
2840  unsigned char *end = ssl->in_msg + ssl->in_hslen;
2841 
2842  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2843  {
2844  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2845  return( ret );
2846  }
2847  if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2848  {
2849  SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2850  return( ret );
2851  }
2852 
2853  if( p != end )
2854  {
2855  SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
2857  }
2858 
2859  if( ( ret = ssl_psk_derive_premaster( ssl,
2860  ciphersuite_info->key_exchange ) ) != 0 )
2861  {
2862  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2863  return( ret );
2864  }
2865  }
2866  else
2867 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2868 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2869  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2870  {
2871  unsigned char *p = ssl->in_msg + 4;
2872  unsigned char *end = ssl->in_msg + ssl->in_hslen;
2873 
2874  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2875  {
2876  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2877  return( ret );
2878  }
2879 
2880  if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2881  p, end - p ) ) != 0 )
2882  {
2883  SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2885  }
2886 
2887  SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2888 
2889  if( ( ret = ssl_psk_derive_premaster( ssl,
2890  ciphersuite_info->key_exchange ) ) != 0 )
2891  {
2892  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2893  return( ret );
2894  }
2895  }
2896  else
2897 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2898 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2899  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
2900  {
2901  if( ( ret = ssl_parse_encrypted_pms( ssl,
2902  ssl->in_msg + 4,
2903  ssl->in_msg + ssl->in_hslen,
2904  0 ) ) != 0 )
2905  {
2906  SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
2907  return( ret );
2908  }
2909  }
2910  else
2911 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2912  {
2913  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2915  }
2916 
2917  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2918  {
2919  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2920  return( ret );
2921  }
2922 
2923  ssl->state++;
2924 
2925  SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
2926 
2927  return( 0 );
2928 }
2929 
2930 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2931  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2932  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2933  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2934 static int ssl_parse_certificate_verify( ssl_context *ssl )
2935 {
2936  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2937 
2938  SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2939 
2940  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2941  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2942  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2943  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2944  {
2945  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2946  ssl->state++;
2947  return( 0 );
2948  }
2949 
2950  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2952 }
2953 #else
2954 static int ssl_parse_certificate_verify( ssl_context *ssl )
2955 {
2957  size_t sa_len, sig_len;
2958  unsigned char hash[48];
2959  unsigned char *hash_start = hash;
2960  size_t hashlen;
2961 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2962  pk_type_t pk_alg;
2963 #endif
2964  md_type_t md_alg;
2965  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2966 
2967  SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2968 
2969  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2970  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2971  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2972  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2973  {
2974  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2975  ssl->state++;
2976  return( 0 );
2977  }
2978 
2979  if( ssl->session_negotiate->peer_cert == NULL )
2980  {
2981  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2982  ssl->state++;
2983  return( 0 );
2984  }
2985 
2986  ssl->handshake->calc_verify( ssl, hash );
2987 
2988  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2989  {
2990  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2991  return( ret );
2992  }
2993 
2994  ssl->state++;
2995 
2996  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2997  {
2998  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3000  }
3001 
3002  if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
3003  {
3004  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3006  }
3007 
3008  /*
3009  * 0 . 0 handshake type
3010  * 1 . 3 handshake length
3011  * 4 . 5 sig alg (TLS 1.2 only)
3012  * 4+n . 5+n signature length (n = sa_len)
3013  * 6+n . 6+n+m signature (m = sig_len)
3014  */
3015 
3016 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
3017  defined(POLARSSL_SSL_PROTO_TLS1_1)
3018  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
3019  {
3020  sa_len = 0;
3021 
3022  md_alg = POLARSSL_MD_NONE;
3023  hashlen = 36;
3024 
3025  /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
3026  if( pk_can_do( &ssl->session_negotiate->peer_cert->pk,
3027  POLARSSL_PK_ECDSA ) )
3028  {
3029  hash_start += 16;
3030  hashlen -= 16;
3031  md_alg = POLARSSL_MD_SHA1;
3032  }
3033  }
3034  else
3035 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 ||
3036  POLARSSL_SSL_PROTO_TLS1_1 */
3037 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
3038  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
3039  {
3040  sa_len = 2;
3041 
3042  /*
3043  * Hash
3044  */
3045  if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg )
3046  {
3047  SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
3048  " for verify message" ) );
3050  }
3051 
3052  md_alg = ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg );
3053 
3054  /* Info from md_alg will be used instead */
3055  hashlen = 0;
3056 
3057  /*
3058  * Signature
3059  */
3060  if( ( pk_alg = ssl_pk_alg_from_sig( ssl->in_msg[5] ) )
3061  == POLARSSL_PK_NONE )
3062  {
3063  SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
3064  " for verify message" ) );
3066  }
3067 
3068  /*
3069  * Check the certificate's key type matches the signature alg
3070  */
3071  if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
3072  {
3073  SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
3075  }
3076  }
3077  else
3078 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3079  {
3080  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3082  }
3083 
3084  sig_len = ( ssl->in_msg[4 + sa_len] << 8 ) | ssl->in_msg[5 + sa_len];
3085 
3086  if( sa_len + sig_len + 6 != ssl->in_hslen )
3087  {
3088  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3090  }
3091 
3092  if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
3093  md_alg, hash_start, hashlen,
3094  ssl->in_msg + 6 + sa_len, sig_len ) ) != 0 )
3095  {
3096  SSL_DEBUG_RET( 1, "pk_verify", ret );
3097  return( ret );
3098  }
3099 
3100  SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
3101 
3102  return( ret );
3103 }
3104 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
3105  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
3106  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
3107 
3108 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3109 static int ssl_write_new_session_ticket( ssl_context *ssl )
3110 {
3111  int ret;
3112  size_t tlen;
3113  uint32_t lifetime = (uint32_t) ssl->ticket_lifetime;
3114 
3115  SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
3116 
3119 
3120  /*
3121  * struct {
3122  * uint32 ticket_lifetime_hint;
3123  * opaque ticket<0..2^16-1>;
3124  * } NewSessionTicket;
3125  *
3126  * 4 . 7 ticket_lifetime_hint (0 = unspecified)
3127  * 8 . 9 ticket_len (n)
3128  * 10 . 9+n ticket content
3129  */
3130 
3131  ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
3132  ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
3133  ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
3134  ssl->out_msg[7] = ( lifetime ) & 0xFF;
3135 
3136  if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
3137  {
3138  SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
3139  tlen = 0;
3140  }
3141 
3142  ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
3143  ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
3144 
3145  ssl->out_msglen = 10 + tlen;
3146 
3147  /*
3148  * Morally equivalent to updating ssl->state, but NewSessionTicket and
3149  * ChangeCipherSpec share the same state.
3150  */
3151  ssl->handshake->new_session_ticket = 0;
3152 
3153  if( ( ret = ssl_write_record( ssl ) ) != 0 )
3154  {
3155  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3156  return( ret );
3157  }
3158 
3159  SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
3160 
3161  return( 0 );
3162 }
3163 #endif /* POLARSSL_SSL_SESSION_TICKETS */
3164 
3165 /*
3166  * SSL handshake -- server side -- single step
3167  */
3169 {
3170  int ret = 0;
3171 
3172  if( ssl->state == SSL_HANDSHAKE_OVER )
3174 
3175  SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
3176 
3177  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3178  return( ret );
3179 
3180  switch( ssl->state )
3181  {
3182  case SSL_HELLO_REQUEST:
3183  ssl->state = SSL_CLIENT_HELLO;
3184  break;
3185 
3186  /*
3187  * <== ClientHello
3188  */
3189  case SSL_CLIENT_HELLO:
3190  ret = ssl_parse_client_hello( ssl );
3191  break;
3192 
3193  /*
3194  * ==> ServerHello
3195  * Certificate
3196  * ( ServerKeyExchange )
3197  * ( CertificateRequest )
3198  * ServerHelloDone
3199  */
3200  case SSL_SERVER_HELLO:
3201  ret = ssl_write_server_hello( ssl );
3202  break;
3203 
3205  ret = ssl_write_certificate( ssl );
3206  break;
3207 
3209  ret = ssl_write_server_key_exchange( ssl );
3210  break;
3211 
3213  ret = ssl_write_certificate_request( ssl );
3214  break;
3215 
3216  case SSL_SERVER_HELLO_DONE:
3217  ret = ssl_write_server_hello_done( ssl );
3218  break;
3219 
3220  /*
3221  * <== ( Certificate/Alert )
3222  * ClientKeyExchange
3223  * ( CertificateVerify )
3224  * ChangeCipherSpec
3225  * Finished
3226  */
3228  ret = ssl_parse_certificate( ssl );
3229  break;
3230 
3232  ret = ssl_parse_client_key_exchange( ssl );
3233  break;
3234 
3236  ret = ssl_parse_certificate_verify( ssl );
3237  break;
3238 
3240  ret = ssl_parse_change_cipher_spec( ssl );
3241  break;
3242 
3243  case SSL_CLIENT_FINISHED:
3244  ret = ssl_parse_finished( ssl );
3245  break;
3246 
3247  /*
3248  * ==> ( NewSessionTicket )
3249  * ChangeCipherSpec
3250  * Finished
3251  */
3253 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3254  if( ssl->handshake->new_session_ticket != 0 )
3255  ret = ssl_write_new_session_ticket( ssl );
3256  else
3257 #endif
3258  ret = ssl_write_change_cipher_spec( ssl );
3259  break;
3260 
3261  case SSL_SERVER_FINISHED:
3262  ret = ssl_write_finished( ssl );
3263  break;
3264 
3265  case SSL_FLUSH_BUFFERS:
3266  SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3267  ssl->state = SSL_HANDSHAKE_WRAPUP;
3268  break;
3269 
3270  case SSL_HANDSHAKE_WRAPUP:
3271  ssl_handshake_wrapup( ssl );
3272  break;
3273 
3274  default:
3275  SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3277  }
3278 
3279  return( ret );
3280 }
3281 #endif /* POLARSSL_SSL_SRV_C */
const ecp_curve_info ** curves
Definition: ssl.h:602
#define SSL_HS_CLIENT_KEY_EXCHANGE
Definition: ssl.h:384
#define SSL_CERT_TYPE_ECDSA_SIGN
Definition: ssl.h:333
int ssl_ciphersuite_uses_ec(const ssl_ciphersuite_t *info)
int ecdh_make_params(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Generate a public key and a TLS ServerKeyExchange payload.
#define SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:344
size_t length
Definition: ssl.h:519
int ciphersuite
Definition: ssl.h:517
mpi P
Definition: dhm.h:159
static size_t pk_get_len(const pk_context *ctx)
Get the length in bytes of the underlying key.
Definition: pk.h:281
size_t in_hslen
Definition: ssl.h:765
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
#define TLS_EXT_SERVERNAME_HOSTNAME
Definition: ssl.h:391
int major_ver
Definition: ssl.h:692
#define POLARSSL_PREMASTER_SIZE
Definition: ssl.h:453
SHA-1 context structure.
Definition: sha1.h:58
int compression
Definition: ssl.h:518
#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH
Public key type mismatch (eg, asked for RSA key exchange and presented EC key)
Definition: ssl.h:144
#define POLARSSL_ECP_PF_COMPRESSED
Compressed point format.
Definition: ecp.h:234
pk_type_t ssl_pk_alg_from_sig(unsigned char sig)
int state
Definition: ssl.h:688
int ecdh_calc_secret(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret.
char peer_verify_data[36]
Definition: ssl.h:866
#define SSL_HS_CLIENT_HELLO
Definition: ssl.h:376
#define pk_ec(pk)
Quick access to an EC context inside a PK context.
Definition: pk.h:84
x509_buf raw
The raw certificate data (DER).
Definition: x509_crt.h:59
#define TLS_EXT_ALPN
Definition: ssl.h:402
Debug functions.
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
int md_starts(md_context_t *ctx)
Set-up the given context for a new message digest.
#define SSL_HS_SERVER_KEY_EXCHANGE
Definition: ssl.h:380
void md_init(md_context_t *ctx)
Initialize a md_context (as NONE)
void * p_psk
Definition: ssl.h:730
#define TLS_EXT_TRUNCATED_HMAC
Definition: ssl.h:395
#define polarssl_malloc
Elliptic curves over GF(p)
int ecdh_read_public(ecdh_context *ctx, const unsigned char *buf, size_t blen)
Parse and process a TLS ClientKeyExchange payload.
#define SSL_HS_NEW_SESSION_TICKET
Definition: ssl.h:378
#define polarssl_free
ssl_session * session_negotiate
Definition: ssl.h:739
int ssl_parse_certificate(ssl_context *ssl)
ssl_key_cert * key_cert
Definition: ssl.h:792
ssl_key_cert * sni_key_cert
Definition: ssl.h:613
size_t out_msglen
Definition: ssl.h:778
mpi GX
Definition: dhm.h:162
#define SSL_SESSION_TICKETS_DISABLED
Definition: ssl.h:238
#define SSL_SIG_RSA
Definition: ssl.h:325
int ticket_lifetime
Definition: ssl.h:825
const int * ciphersuite_list[4]
Definition: ssl.h:816
int ssl_parse_finished(ssl_context *ssl)
void * p_rng
Definition: ssl.h:710
void sha256_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = HMAC-SHA-256( hmac key, input buffer )
int md_init_ctx(md_context_t *ctx, const md_info_t *md_info)
Initialises and fills the message digest context structure with the appropriate values.
int pk_decrypt(pk_context *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, size_t osize, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Decrypt message (including padding if relevant).
mpi dhm_P
Definition: ssl.h:829
#define AES_DECRYPT
Definition: aes.h:47
#define SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY
Definition: ssl.h:372
#define SSL_RENEGOTIATION
Definition: ssl.h:217
unsigned char premaster[POLARSSL_PREMASTER_SIZE]
Definition: ssl.h:644
void ssl_session_free(ssl_session *session)
Free referenced items in an SSL session including the peer certificate and clear memory.
#define POLARSSL_ECP_PF_UNCOMPRESSED
Uncompressed point format.
Definition: ecp.h:233
int ssl_write_finished(ssl_context *ssl)
void x509_crt_free(x509_crt *crt)
Unallocate all certificate data.
Configuration options (set of defines)
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:703
x509_crt * cert
Definition: ssl.h:676
size_t psk_identity_len
Definition: ssl.h:840
unsigned char * out_ctr
Definition: ssl.h:772
mpi X
Definition: dhm.h:161
#define SSL_TRUNC_HMAC_ENABLED
Definition: ssl.h:235
void ssl_handshake_wrapup(ssl_context *ssl)
char own_verify_data[36]
Definition: ssl.h:865
int ecdh_get_params(ecdh_context *ctx, const ecp_keypair *key, ecdh_side side)
Setup an ECDH context from an EC key.
int x509_crt_parse_der(x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the chained list.
#define SSL_SIG_ECDSA
Definition: ssl.h:326
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
int(* f_sni)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:719
size_t in_msglen
Definition: ssl.h:762
unsigned char * in_hdr
Definition: ssl.h:756
int secure_renegotiation
Definition: ssl.h:862
time_t start
Definition: ssl.h:515
PolarSSL Platform abstraction layer.
int ssl_handshake_server_step(ssl_context *ssl)
#define SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:230
unsigned char mac_key[16]
Definition: ssl.h:666
#define SSL_MAJOR_VERSION_3
Definition: ssl.h:153
size_t psk_len
Definition: ssl.h:838
unsigned char id[32]
Definition: ssl.h:520
#define POLARSSL_ERR_SSL_INVALID_MAC
Verification of the message MAC failed.
Definition: ssl.h:110
pk_type_t ssl_get_ciphersuite_sig_pk_alg(const ssl_ciphersuite_t *info)
int(* f_psk)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:729
const ssl_ciphersuite_t * ciphersuite_info
Definition: ssl.h:552
unsigned char * psk
Definition: ssl.h:837
int max_major_ver
Definition: ssl.h:695
struct _x509_crt * next
Next certificate in the CA-chain.
Definition: x509_crt.h:98
#define POLARSSL_ECP_DP_MAX
Number of supported curves (plus one for NONE).
Definition: ecp.h:82
void md5_free(md5_context *ctx)
Clear MD5 context.
ecp_point Qp
Definition: ecdh.h:53
md_type_t
Definition: md.h:51
#define TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT
Definition: ssl.h:413
#define POLARSSL_MPI_MAX_SIZE
const char ** alpn_list
Definition: ssl.h:855
int max_minor_ver
Definition: ssl.h:696
const char * alpn_chosen
Definition: ssl.h:856
#define SSL_DEBUG_MPI(level, text, X)
Definition: debug.h:70
const md_info_t * md_info_from_type(md_type_t md_type)
Returns the message digest information associated with the given digest type.
#define TLS_EXT_SIG_ALG
Definition: ssl.h:400
#define SSL_HS_CERTIFICATE_REQUEST
Definition: ssl.h:381
#define SSL_CERT_TYPE_RSA_SIGN
Definition: ssl.h:332
ssl_handshake_params * handshake
Definition: ssl.h:741
#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE
Our own certificate(s) is/are too large to send in an SSL message.
Definition: ssl.h:117
#define SSL_MSG_HANDSHAKE
Definition: ssl.h:340
int ssl_write_certificate(ssl_context *ssl)
#define SSL_ALERT_MSG_PROTOCOL_VERSION
Definition: ssl.h:365
#define POLARSSL_ERR_SSL_NO_RNG
No RNG was provided to the SSL module.
Definition: ssl.h:115
#define SSL_TRUNC_HMAC_DISABLED
Definition: ssl.h:234
int in_msgtype
Definition: ssl.h:761
Container for an X.509 certificate.
Definition: x509_crt.h:57
void md_free(md_context_t *ctx)
Free and clear the message-specific context of ctx.
size_t verify_data_len
Definition: ssl.h:864
mpi dhm_G
Definition: ssl.h:830
#define SSL_ALERT_MSG_UNRECOGNIZED_NAME
Definition: ssl.h:371
mpi G
Definition: dhm.h:160
#define SSL_IS_SERVER
Definition: ssl.h:207
int point_format
Definition: ecdh.h:55
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS
Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret...
Definition: ssl.h:133
int min_minor_ver
Definition: ssl.h:698
int aes_crypt_cbc(aes_context *ctx, int mode, size_t length, unsigned char iv[16], const unsigned char *input, unsigned char *output)
AES-CBC buffer encryption/decryption Length should be a multiple of the block size (16 bytes) ...
unsigned char * out_msg
Definition: ssl.h:775
struct _ssl_session ssl_session
Definition: ssl.h:498
#define SSL_MINOR_VERSION_0
Definition: ssl.h:154
void(* update_checksum)(ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:634
int pk_verify(pk_context *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len)
Verify signature (including padding if relevant).
#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION
Handshake protocol not within min/max boundaries.
Definition: ssl.h:141
ssl_key_cert * key_cert
Current key/cert or key/cert list.
Definition: ssl.h:611
ecdh_context ecdh_ctx
Definition: ssl.h:599
#define SSL_HS_SERVER_HELLO_DONE
Definition: ssl.h:382
void x509_crt_init(x509_crt *crt)
Initialize a certificate (chain)
#define SSL_DEBUG_ECP(level, text, X)
Definition: debug.h:75
unsigned char * p
ASN1 data, e.g.
Definition: asn1.h:128
key_exchange_type_t key_exchange
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:66
int new_session_ticket
Definition: ssl.h:653
mpi GY
Definition: dhm.h:163
int trunc_hmac
Definition: ssl.h:539
void sha1_free(sha1_context *ctx)
Clear SHA-1 context.
Curve information for use by other modules.
Definition: ecp.h:87
int pk_can_do(pk_context *ctx, pk_type_t type)
Tell if a context can do the operation given by type.
void * p_get_cache
Definition: ssl.h:714
void md5_starts(md5_context *ctx)
MD5 context setup.
unsigned char ssl_sig_from_pk(pk_context *pk)
#define SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL
Definition: ssl.h:373
int authmode
Definition: ssl.h:810
int ssl_flush_output(ssl_context *ssl)
int ssl_ciphersuite_uses_psk(const ssl_ciphersuite_t *info)
#define POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED
Session ticket has expired.
Definition: ssl.h:143
#define TLS_EXT_SESSION_TICKET
Definition: ssl.h:404
#define SSL_HS_SERVER_HELLO
Definition: ssl.h:377
#define SSL_COMPRESS_DEFLATE
Definition: ssl.h:210
unsigned char * in_msg
Definition: ssl.h:758
aes_context dec
Definition: ssl.h:665
mpi z
Definition: ecdh.h:54
#define SSL_MINOR_VERSION_3
Definition: ssl.h:157
mpi K
Definition: dhm.h:164
MD5 context structure.
Definition: md5.h:58
#define TLS_EXT_RENEGOTIATION_INFO
Definition: ssl.h:406
int ssl_check_cert_usage(const x509_crt *cert, const ssl_ciphersuite_t *ciphersuite, int cert_endpoint)
pk_type_t
Public key types.
Definition: pk.h:95
aes_context enc
Definition: ssl.h:664
#define SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:63
const int * md_list(void)
Returns the list of digests supported by the generic digest module.
int ssl_parse_change_cipher_spec(ssl_context *ssl)
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
int minor_ver
Definition: ssl.h:693
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO
Processing of the ClientHello handshake message failed.
Definition: ssl.h:125
#define SSL_EMPTY_RENEGOTIATION_INFO
renegotiation info ext
Definition: ssl.h:310
This structure is used for storing ciphersuite information.
#define SSL_HASH_SHA256
Definition: ssl.h:320
void md5_init(md5_context *ctx)
Initialize MD5 context.
int ecp_use_known_dp(ecp_group *grp, ecp_group_id index)
Set a group using well-known domain parameters.
#define SSL_VERIFY_NONE
Definition: ssl.h:212
#define AES_ENCRYPT
Definition: aes.h:46
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
Processing of the ClientKeyExchange handshake message failed.
Definition: ssl.h:131
#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED
The own private key or pre-shared key is not set, but needed.
Definition: ssl.h:119
#define SSL_INITIAL_HANDSHAKE
Definition: ssl.h:216
size_t in_left
Definition: ssl.h:763
pk_context * key
Definition: ssl.h:677
int session_tickets
Definition: ssl.h:824
int allow_legacy_renegotiation
Definition: ssl.h:814
#define SSL_COMPRESS_NULL
Definition: ssl.h:209
#define POLARSSL_ERR_SSL_INTERNAL_ERROR
Internal error (eg, unexpected failure in lower-level module)
Definition: ssl.h:146
const ssl_ciphersuite_t * ssl_ciphersuite_from_id(int ciphersuite_id)
int ssl_read_record(ssl_context *ssl)
size_t len
ASN1 length, e.g.
Definition: asn1.h:127
ecp_group_id
Domain parameters (curve, subgroup and generator) identifiers.
Definition: ecp.h:57
#define SSL_DEBUG_MSG(level, args)
Definition: debug.h:60
int out_msgtype
Definition: ssl.h:777
#define SSL_MAX_FRAG_LEN_INVALID
Definition: ssl.h:204
#define TLS_EXT_MAX_FRAGMENT_LENGTH
Definition: ssl.h:393
#define SSL_MAX_FRAG_LEN_NONE
Definition: ssl.h:199
#define SSL_HS_CERTIFICATE_VERIFY
Definition: ssl.h:383
#define TLS_EXT_SERVERNAME
Definition: ssl.h:390
int pk_sign(pk_context *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, unsigned char *sig, size_t *sig_len, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Make signature, including padding if relevant.
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP
Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public.
Definition: ssl.h:132
size_t mpi_size(const mpi *X)
Return the total size in bytes.
void(* calc_verify)(ssl_context *, unsigned char *)
Definition: ssl.h:635
int mpi_copy(mpi *X, const mpi *Y)
Copy the contents of Y into X.
#define SSL_MAX_CONTENT_LEN
#define SSL_LEGACY_BREAK_HANDSHAKE
Definition: ssl.h:232
int min_major_ver
Definition: ssl.h:697
pk_context pk
Container for the public key context.
Definition: x509_crt.h:75
ssl_transform * transform_negotiate
Definition: ssl.h:750
#define SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:221
#define SSL_SECURE_RENEGOTIATION
Definition: ssl.h:222
SSL/TLS functions.
void sha1_init(sha1_context *ctx)
Initialize SHA-1 context.
#define POLARSSL_ERR_SSL_UNKNOWN_IDENTITY
Unknown identity received (eg, PSK identity)
Definition: ssl.h:145
#define POLARSSL_ERR_SSL_MALLOC_FAILED
Memory allocation failed.
Definition: ssl.h:137
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
#define TLS_EXT_SUPPORTED_POINT_FORMATS
Definition: ssl.h:398
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
int ssl_write_change_cipher_spec(ssl_context *ssl)
int ssl_derive_keys(ssl_context *ssl)
static pk_context * ssl_own_key(ssl_context *ssl)
Definition: ssl.h:1770
int md_finish(md_context_t *ctx, unsigned char *output)
Generic message digest final digest.
unsigned char mfl_code
Definition: ssl.h:535
const ecp_curve_info * ecp_curve_info_from_tls_id(uint16_t tls_id)
Get curve information from a TLS NamedCurve value.
int ssl_psk_derive_premaster(ssl_context *ssl, key_exchange_type_t key_ex)
int version
The X.509 version.
Definition: x509_crt.h:62
int renegotiation
Definition: ssl.h:689
dhm_context dhm_ctx
Definition: ssl.h:596
static int safer_memcmp(const void *a, const void *b, size_t n)
Definition: ssl.h:1797
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
ssl_ticket_keys * ticket_keys
Definition: ssl.h:803
unsigned char * psk_identity
Definition: ssl.h:839
const char * ssl_get_ciphersuite_name(const int ciphersuite_id)
Return the name of the ciphersuite associated with the given ID.
unsigned char key_name[16]
Definition: ssl.h:663
#define TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
Definition: ssl.h:397
ssl_key_cert * next
Definition: ssl.h:679
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition: ssl.h:108
x509_buf subject_raw
The raw subject data (DER).
Definition: x509_crt.h:67
Message digest information.
Definition: md.h:74
x509_crt * ca_chain
Definition: ssl.h:794
int(* f_get_cache)(void *, ssl_session *)
Definition: ssl.h:707
int md_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic message digest process buffer.
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition: ssl.h:109
#define SSL_HASH_SHA384
Definition: ssl.h:321
int ssl_fetch_input(ssl_context *ssl, size_t nb_want)
int dhm_make_params(dhm_context *ctx, int x_size, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Setup and write the ServerKeyExchange parameters.
int ssl_write_record(ssl_context *ssl)
Public key container.
Definition: pk.h:194
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
Processing of the CertificateVerify handshake message failed.
Definition: ssl.h:134
int dhm_read_public(dhm_context *ctx, const unsigned char *input, size_t ilen)
Import the peer&#39;s public value G^Y.
unsigned char randbytes[64]
Definition: ssl.h:643
ecp_group grp
Definition: ecdh.h:50
Generic message digest context.
Definition: md.h:132
#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN
The server has no ciphersuites in common with the client.
Definition: ssl.h:114
void ssl_optimize_checksum(ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info)
ecp_point Q
Definition: ecdh.h:52
x509_crt * peer_cert
Definition: ssl.h:524
md_type_t ssl_md_alg_from_hash(unsigned char hash)
void * p_sni
Definition: ssl.h:720
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret (G^Y)^X mod P.