PolarSSL v1.3.9
ssl_srv.c
Go to the documentation of this file.
1/*
2 * SSLv3/TLSv1 server-side functions
3 *
4 * Copyright (C) 2006-2014, Brainspark B.V.
5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
26#if !defined(POLARSSL_CONFIG_FILE)
27#include "polarssl/config.h"
28#else
29#include POLARSSL_CONFIG_FILE
30#endif
31
32#if defined(POLARSSL_SSL_SRV_C)
33
34#include "polarssl/debug.h"
35#include "polarssl/ssl.h"
36#if defined(POLARSSL_ECP_C)
37#include "polarssl/ecp.h"
38#endif
39
40#if defined(POLARSSL_PLATFORM_C)
41#include "polarssl/platform.h"
42#else
43#define polarssl_malloc malloc
44#define polarssl_free free
45#endif
46
47#include <stdlib.h>
48#include <stdio.h>
49
50#if defined(POLARSSL_HAVE_TIME)
51#include <time.h>
52#endif
53
54#if defined(POLARSSL_SSL_SESSION_TICKETS)
55/* Implementation that should never be optimized out by the compiler */
56static void polarssl_zeroize( void *v, size_t n ) {
57 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
58}
59
60/*
61 * Serialize a session in the following format:
62 * 0 . n-1 session structure, n = sizeof(ssl_session)
63 * n . n+2 peer_cert length = m (0 if no certificate)
64 * n+3 . n+2+m peer cert ASN.1
65 *
66 * Assumes ticket is NULL (always true on server side).
67 */
68static int ssl_save_session( const ssl_session *session,
69 unsigned char *buf, size_t buf_len,
70 size_t *olen )
71{
72 unsigned char *p = buf;
73 size_t left = buf_len;
74#if defined(POLARSSL_X509_CRT_PARSE_C)
75 size_t cert_len;
76#endif /* POLARSSL_X509_CRT_PARSE_C */
77
78 if( left < sizeof( ssl_session ) )
79 return( -1 );
80
81 memcpy( p, session, sizeof( ssl_session ) );
82 p += sizeof( ssl_session );
83 left -= sizeof( ssl_session );
84
85#if defined(POLARSSL_X509_CRT_PARSE_C)
86 if( session->peer_cert == NULL )
87 cert_len = 0;
88 else
89 cert_len = session->peer_cert->raw.len;
90
91 if( left < 3 + cert_len )
92 return( -1 );
93
94 *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
95 *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
96 *p++ = (unsigned char)( cert_len & 0xFF );
97
98 if( session->peer_cert != NULL )
99 memcpy( p, session->peer_cert->raw.p, cert_len );
100
101 p += cert_len;
102#endif /* POLARSSL_X509_CRT_PARSE_C */
103
104 *olen = p - buf;
105
106 return( 0 );
107}
108
109/*
110 * Unserialise session, see ssl_save_session()
111 */
112static int ssl_load_session( ssl_session *session,
113 const unsigned char *buf, size_t len )
114{
115 const unsigned char *p = buf;
116 const unsigned char * const end = buf + len;
117#if defined(POLARSSL_X509_CRT_PARSE_C)
118 size_t cert_len;
119#endif /* POLARSSL_X509_CRT_PARSE_C */
120
121 if( p + sizeof( ssl_session ) > end )
122 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
123
124 memcpy( session, p, sizeof( ssl_session ) );
125 p += sizeof( ssl_session );
126
127#if defined(POLARSSL_X509_CRT_PARSE_C)
128 if( p + 3 > end )
129 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
130
131 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
132 p += 3;
133
134 if( cert_len == 0 )
135 {
136 session->peer_cert = NULL;
137 }
138 else
139 {
140 int ret;
141
142 if( p + cert_len > end )
143 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
144
145 session->peer_cert = polarssl_malloc( sizeof( x509_crt ) );
146
147 if( session->peer_cert == NULL )
148 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
149
150 x509_crt_init( session->peer_cert );
151
152 if( ( ret = x509_crt_parse_der( session->peer_cert,
153 p, cert_len ) ) != 0 )
154 {
155 x509_crt_free( session->peer_cert );
156 polarssl_free( session->peer_cert );
157 session->peer_cert = NULL;
158 return( ret );
159 }
160
161 p += cert_len;
162 }
163#endif /* POLARSSL_X509_CRT_PARSE_C */
164
165 if( p != end )
166 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
167
168 return( 0 );
169}
170
171/*
172 * Create session ticket, secured as recommended in RFC 5077 section 4:
173 *
174 * struct {
175 * opaque key_name[16];
176 * opaque iv[16];
177 * opaque encrypted_state<0..2^16-1>;
178 * opaque mac[32];
179 * } ticket;
180 *
181 * (the internal state structure differs, however).
182 */
183static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
184{
185 int ret;
186 unsigned char * const start = ssl->out_msg + 10;
187 unsigned char *p = start;
188 unsigned char *state;
189 unsigned char iv[16];
190 size_t clear_len, enc_len, pad_len, i;
191
192 *tlen = 0;
193
194 if( ssl->ticket_keys == NULL )
195 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
196
197 /* Write key name */
198 memcpy( p, ssl->ticket_keys->key_name, 16 );
199 p += 16;
200
201 /* Generate and write IV (with a copy for aes_crypt) */
202 if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
203 return( ret );
204 memcpy( iv, p, 16 );
205 p += 16;
206
207 /*
208 * Dump session state
209 *
210 * After the session state itself, we still need room for 16 bytes of
211 * padding and 32 bytes of MAC, so there's only so much room left
212 */
213 state = p + 2;
214 if( ssl_save_session( ssl->session_negotiate, state,
215 SSL_MAX_CONTENT_LEN - ( state - ssl->out_ctr ) - 48,
216 &clear_len ) != 0 )
217 {
218 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
219 }
220 SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
221
222 /* Apply PKCS padding */
223 pad_len = 16 - clear_len % 16;
224 enc_len = clear_len + pad_len;
225 for( i = clear_len; i < enc_len; i++ )
226 state[i] = (unsigned char) pad_len;
227
228 /* Encrypt */
229 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
230 enc_len, iv, state, state ) ) != 0 )
231 {
232 return( ret );
233 }
234
235 /* Write length */
236 *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
237 *p++ = (unsigned char)( ( enc_len ) & 0xFF );
238 p = state + enc_len;
239
240 /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
241 sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
242 p += 32;
243
244 *tlen = p - start;
245
246 SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
247
248 return( 0 );
249}
250
251/*
252 * Load session ticket (see ssl_write_ticket for structure)
253 */
254static int ssl_parse_ticket( ssl_context *ssl,
255 unsigned char *buf,
256 size_t len )
257{
258 int ret;
259 ssl_session session;
260 unsigned char *key_name = buf;
261 unsigned char *iv = buf + 16;
262 unsigned char *enc_len_p = iv + 16;
263 unsigned char *ticket = enc_len_p + 2;
264 unsigned char *mac;
265 unsigned char computed_mac[32];
266 size_t enc_len, clear_len, i;
267 unsigned char pad_len, diff;
268
269 SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
270
271 if( len < 34 || ssl->ticket_keys == NULL )
272 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
273
274 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
275 mac = ticket + enc_len;
276
277 if( len != enc_len + 66 )
278 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
279
280 /* Check name, in constant time though it's not a big secret */
281 diff = 0;
282 for( i = 0; i < 16; i++ )
283 diff |= key_name[i] ^ ssl->ticket_keys->key_name[i];
284 /* don't return yet, check the MAC anyway */
285
286 /* Check mac, with constant-time buffer comparison */
287 sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
288 computed_mac, 0 );
289
290 for( i = 0; i < 32; i++ )
291 diff |= mac[i] ^ computed_mac[i];
292
293 /* Now return if ticket is not authentic, since we want to avoid
294 * decrypting arbitrary attacker-chosen data */
295 if( diff != 0 )
296 return( POLARSSL_ERR_SSL_INVALID_MAC );
297
298 /* Decrypt */
299 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
300 enc_len, iv, ticket, ticket ) ) != 0 )
301 {
302 return( ret );
303 }
304
305 /* Check PKCS padding */
306 pad_len = ticket[enc_len - 1];
307
308 ret = 0;
309 for( i = 2; i < pad_len; i++ )
310 if( ticket[enc_len - i] != pad_len )
311 ret = POLARSSL_ERR_SSL_BAD_INPUT_DATA;
312 if( ret != 0 )
313 return( ret );
314
315 clear_len = enc_len - pad_len;
316
317 SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
318
319 /* Actually load session */
320 if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
321 {
322 SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
323 ssl_session_free( &session );
324 return( ret );
325 }
326
327#if defined(POLARSSL_HAVE_TIME)
328 /* Check if still valid */
329 if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
330 {
331 SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
332 ssl_session_free( &session );
333 return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED );
334 }
335#endif
336
337 /*
338 * Keep the session ID sent by the client, since we MUST send it back to
339 * inform him we're accepting the ticket (RFC 5077 section 3.4)
340 */
341 session.length = ssl->session_negotiate->length;
342 memcpy( &session.id, ssl->session_negotiate->id, session.length );
343
344 ssl_session_free( ssl->session_negotiate );
345 memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
346
347 /* Zeroize instead of free as we copied the content */
348 polarssl_zeroize( &session, sizeof( ssl_session ) );
349
350 return( 0 );
351}
352#endif /* POLARSSL_SSL_SESSION_TICKETS */
353
354#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
355/*
356 * Wrapper around f_sni, allowing use of ssl_set_own_cert() but
357 * making it act on ssl->hanshake->sni_key_cert instead.
358 */
359static int ssl_sni_wrapper( ssl_context *ssl,
360 const unsigned char* name, size_t len )
361{
362 int ret;
363 ssl_key_cert *key_cert_ori = ssl->key_cert;
364
365 ssl->key_cert = NULL;
366 ret = ssl->f_sni( ssl->p_sni, ssl, name, len );
367 ssl->handshake->sni_key_cert = ssl->key_cert;
368
369 ssl->key_cert = key_cert_ori;
370
371 return( ret );
372}
373
374static int ssl_parse_servername_ext( ssl_context *ssl,
375 const unsigned char *buf,
376 size_t len )
377{
378 int ret;
379 size_t servername_list_size, hostname_len;
380 const unsigned char *p;
381
382 SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
383
384 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
385 if( servername_list_size + 2 != len )
386 {
387 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
388 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
389 }
390
391 p = buf + 2;
392 while( servername_list_size > 0 )
393 {
394 hostname_len = ( ( p[1] << 8 ) | p[2] );
395 if( hostname_len + 3 > servername_list_size )
396 {
397 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
398 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
399 }
400
401 if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
402 {
403 ret = ssl_sni_wrapper( ssl, p + 3, hostname_len );
404 if( ret != 0 )
405 {
406 SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
407 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
408 SSL_ALERT_MSG_UNRECOGNIZED_NAME );
409 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
410 }
411 return( 0 );
412 }
413
414 servername_list_size -= hostname_len + 3;
415 p += hostname_len + 3;
416 }
417
418 if( servername_list_size != 0 )
419 {
420 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
421 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
422 }
423
424 return( 0 );
425}
426#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
427
428static int ssl_parse_renegotiation_info( ssl_context *ssl,
429 const unsigned char *buf,
430 size_t len )
431{
432 int ret;
433
434 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
435 {
436 if( len != 1 || buf[0] != 0x0 )
437 {
438 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
439
440 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
441 return( ret );
442
443 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
444 }
445
446 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
447 }
448 else
449 {
450 /* Check verify-data in constant-time. The length OTOH is no secret */
451 if( len != 1 + ssl->verify_data_len ||
452 buf[0] != ssl->verify_data_len ||
453 safer_memcmp( buf + 1, ssl->peer_verify_data,
454 ssl->verify_data_len ) != 0 )
455 {
456 SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
457
458 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
459 return( ret );
460
461 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
462 }
463 }
464
465 return( 0 );
466}
467
468#if defined(POLARSSL_SSL_PROTO_TLS1_2)
469static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
470 const unsigned char *buf,
471 size_t len )
472{
473 size_t sig_alg_list_size;
474 const unsigned char *p;
475 const unsigned char *end = buf + len;
476 const int *md_cur;
477
478
479 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
480 if( sig_alg_list_size + 2 != len ||
481 sig_alg_list_size % 2 != 0 )
482 {
483 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
484 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
485 }
486
487 /*
488 * For now, ignore the SignatureAlgorithm part and rely on offered
489 * ciphersuites only for that part. To be fixed later.
490 *
491 * So, just look at the HashAlgorithm part.
492 */
493 for( md_cur = md_list(); *md_cur != POLARSSL_MD_NONE; md_cur++ ) {
494 for( p = buf + 2; p < end; p += 2 ) {
495 if( *md_cur == (int) ssl_md_alg_from_hash( p[0] ) ) {
496 ssl->handshake->sig_alg = p[0];
497 goto have_sig_alg;
498 }
499 }
500 }
501
502 /* Some key echanges do not need signatures at all */
503 SSL_DEBUG_MSG( 3, ( "no signature_algorithm in common" ) );
504 return( 0 );
505
506have_sig_alg:
507 SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
508 ssl->handshake->sig_alg ) );
509
510 return( 0 );
511}
512#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
513
514#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
515static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
516 const unsigned char *buf,
517 size_t len )
518{
519 size_t list_size, our_size;
520 const unsigned char *p;
521 const ecp_curve_info *curve_info, **curves;
522
523 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
524 if( list_size + 2 != len ||
525 list_size % 2 != 0 )
526 {
527 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
528 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
529 }
530
531 /* Should never happen unless client duplicates the extension */
532 if( ssl->handshake->curves != NULL )
533 {
534 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
535 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
536 }
537
538 /* Don't allow our peer to make us allocate too much memory,
539 * and leave room for a final 0 */
540 our_size = list_size / 2 + 1;
541 if( our_size > POLARSSL_ECP_DP_MAX )
542 our_size = POLARSSL_ECP_DP_MAX;
543
544 if( ( curves = polarssl_malloc( our_size * sizeof( *curves ) ) ) == NULL )
545 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
546
547 /* explicit void pointer cast for buggy MS compiler */
548 memset( (void *) curves, 0, our_size * sizeof( *curves ) );
549 ssl->handshake->curves = curves;
550
551 p = buf + 2;
552 while( list_size > 0 && our_size > 1 )
553 {
554 curve_info = ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
555
556 if( curve_info != NULL )
557 {
558 *curves++ = curve_info;
559 our_size--;
560 }
561
562 list_size -= 2;
563 p += 2;
564 }
565
566 return( 0 );
567}
568
569static int ssl_parse_supported_point_formats( ssl_context *ssl,
570 const unsigned char *buf,
571 size_t len )
572{
573 size_t list_size;
574 const unsigned char *p;
575
576 list_size = buf[0];
577 if( list_size + 1 != len )
578 {
579 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
580 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
581 }
582
583 p = buf + 2;
584 while( list_size > 0 )
585 {
586 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
587 p[0] == POLARSSL_ECP_PF_COMPRESSED )
588 {
589 ssl->handshake->ecdh_ctx.point_format = p[0];
590 SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
591 return( 0 );
592 }
593
594 list_size--;
595 p++;
596 }
597
598 return( 0 );
599}
600#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
601
602#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
603static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
604 const unsigned char *buf,
605 size_t len )
606{
607 if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
608 {
609 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
610 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
611 }
612
613 ssl->session_negotiate->mfl_code = buf[0];
614
615 return( 0 );
616}
617#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
618
619#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
620static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
621 const unsigned char *buf,
622 size_t len )
623{
624 if( len != 0 )
625 {
626 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
627 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
628 }
629
630 ((void) buf);
631
632 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
633
634 return( 0 );
635}
636#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
637
638#if defined(POLARSSL_SSL_SESSION_TICKETS)
639static int ssl_parse_session_ticket_ext( ssl_context *ssl,
640 unsigned char *buf,
641 size_t len )
642{
643 int ret;
644
645 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
646 return( 0 );
647
648 /* Remember the client asked us to send a new ticket */
649 ssl->handshake->new_session_ticket = 1;
650
651 SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
652
653 if( len == 0 )
654 return( 0 );
655
656 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
657 {
658 SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
659 return( 0 );
660 }
661
662 /*
663 * Failures are ok: just ignore the ticket and proceed.
664 */
665 if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
666 {
667 SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
668 return( 0 );
669 }
670
671 SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
672
673 ssl->handshake->resume = 1;
674
675 /* Don't send a new ticket after all, this one is OK */
676 ssl->handshake->new_session_ticket = 0;
677
678 return( 0 );
679}
680#endif /* POLARSSL_SSL_SESSION_TICKETS */
681
682#if defined(POLARSSL_SSL_ALPN)
683static int ssl_parse_alpn_ext( ssl_context *ssl,
684 const unsigned char *buf, size_t len )
685{
686 size_t list_len, cur_len, ours_len;
687 const unsigned char *theirs, *start, *end;
688 const char **ours;
689
690 /* If ALPN not configured, just ignore the extension */
691 if( ssl->alpn_list == NULL )
692 return( 0 );
693
694 /*
695 * opaque ProtocolName<1..2^8-1>;
696 *
697 * struct {
698 * ProtocolName protocol_name_list<2..2^16-1>
699 * } ProtocolNameList;
700 */
701
702 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
703 if( len < 4 )
704 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
705
706 list_len = ( buf[0] << 8 ) | buf[1];
707 if( list_len != len - 2 )
708 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
709
710 /*
711 * Use our order of preference
712 */
713 start = buf + 2;
714 end = buf + len;
715 for( ours = ssl->alpn_list; *ours != NULL; ours++ )
716 {
717 ours_len = strlen( *ours );
718 for( theirs = start; theirs != end; theirs += cur_len )
719 {
720 /* If the list is well formed, we should get equality first */
721 if( theirs > end )
722 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
723
724 cur_len = *theirs++;
725
726 /* Empty strings MUST NOT be included */
727 if( cur_len == 0 )
728 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
729
730 if( cur_len == ours_len &&
731 memcmp( theirs, *ours, cur_len ) == 0 )
732 {
733 ssl->alpn_chosen = *ours;
734 return( 0 );
735 }
736 }
737 }
738
739 /* If we get there, no match was found */
740 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
741 SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
742 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
743}
744#endif /* POLARSSL_SSL_ALPN */
745
746/*
747 * Auxiliary functions for ServerHello parsing and related actions
748 */
749
750#if defined(POLARSSL_X509_CRT_PARSE_C)
751/*
752 * Return 1 if the given EC key uses the given curve, 0 otherwise
753 */
754#if defined(POLARSSL_ECDSA_C)
755static int ssl_key_matches_curves( pk_context *pk,
756 const ecp_curve_info **curves )
757{
758 const ecp_curve_info **crv = curves;
759 ecp_group_id grp_id = pk_ec( *pk )->grp.id;
760
761 while( *crv != NULL )
762 {
763 if( (*crv)->grp_id == grp_id )
764 return( 1 );
765 crv++;
766 }
767
768 return( 0 );
769}
770#endif /* POLARSSL_ECDSA_C */
771
772/*
773 * Try picking a certificate for this ciphersuite,
774 * return 0 on success and -1 on failure.
775 */
776static int ssl_pick_cert( ssl_context *ssl,
777 const ssl_ciphersuite_t * ciphersuite_info )
778{
779 ssl_key_cert *cur, *list;
780 pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
781
782#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
783 if( ssl->handshake->sni_key_cert != NULL )
784 list = ssl->handshake->sni_key_cert;
785 else
786#endif
787 list = ssl->handshake->key_cert;
788
789 if( pk_alg == POLARSSL_PK_NONE )
790 return( 0 );
791
792 for( cur = list; cur != NULL; cur = cur->next )
793 {
794 if( ! pk_can_do( cur->key, pk_alg ) )
795 continue;
796
797 /*
798 * This avoids sending the client a cert it'll reject based on
799 * keyUsage or other extensions.
800 *
801 * It also allows the user to provision different certificates for
802 * different uses based on keyUsage, eg if they want to avoid signing
803 * and decrypting with the same RSA key.
804 */
805 if( ssl_check_cert_usage( cur->cert, ciphersuite_info,
806 SSL_IS_SERVER ) != 0 )
807 {
808 continue;
809 }
810
811#if defined(POLARSSL_ECDSA_C)
812 if( pk_alg == POLARSSL_PK_ECDSA )
813 {
814 if( ssl_key_matches_curves( cur->key, ssl->handshake->curves ) )
815 break;
816 }
817 else
818#endif
819 break;
820 }
821
822 if( cur == NULL )
823 return( -1 );
824
825 ssl->handshake->key_cert = cur;
826 return( 0 );
827}
828#endif /* POLARSSL_X509_CRT_PARSE_C */
829
830/*
831 * Check if a given ciphersuite is suitable for use with our config/keys/etc
832 * Sets ciphersuite_info only if the suite matches.
833 */
834static int ssl_ciphersuite_match( ssl_context *ssl, int suite_id,
835 const ssl_ciphersuite_t **ciphersuite_info )
836{
837 const ssl_ciphersuite_t *suite_info;
838
839 suite_info = ssl_ciphersuite_from_id( suite_id );
840 if( suite_info == NULL )
841 {
842 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", suite_id ) );
843 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
844 }
845
846 if( suite_info->min_minor_ver > ssl->minor_ver ||
847 suite_info->max_minor_ver < ssl->minor_ver )
848 return( 0 );
849
850#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
851 if( ssl_ciphersuite_uses_ec( suite_info ) &&
852 ( ssl->handshake->curves == NULL ||
853 ssl->handshake->curves[0] == NULL ) )
854 return( 0 );
855#endif
856
857#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
858 /* If the ciphersuite requires a pre-shared key and we don't
859 * have one, skip it now rather than failing later */
860 if( ssl_ciphersuite_uses_psk( suite_info ) &&
861 ssl->f_psk == NULL &&
862 ( ssl->psk == NULL || ssl->psk_identity == NULL ||
863 ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
864 return( 0 );
865#endif
866
867#if defined(POLARSSL_X509_CRT_PARSE_C)
868 /*
869 * Final check: if ciphersuite requires us to have a
870 * certificate/key of a particular type:
871 * - select the appropriate certificate if we have one, or
872 * - try the next ciphersuite if we don't
873 * This must be done last since we modify the key_cert list.
874 */
875 if( ssl_pick_cert( ssl, suite_info ) != 0 )
876 return( 0 );
877#endif
878
879 *ciphersuite_info = suite_info;
880 return( 0 );
881}
882
883#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
884static int ssl_parse_client_hello_v2( ssl_context *ssl )
885{
886 int ret;
887 unsigned int i, j;
888 size_t n;
889 unsigned int ciph_len, sess_len, chal_len;
890 unsigned char *buf, *p;
891 const int *ciphersuites;
892 const ssl_ciphersuite_t *ciphersuite_info;
893
894 SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
895
896 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
897 {
898 SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
899
900 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
901 return( ret );
902
903 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
904 }
905
906 buf = ssl->in_hdr;
907
908 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
909
910 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
911 buf[2] ) );
912 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
913 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
914 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
915 buf[3], buf[4] ) );
916
917 /*
918 * SSLv2 Client Hello
919 *
920 * Record layer:
921 * 0 . 1 message length
922 *
923 * SSL layer:
924 * 2 . 2 message type
925 * 3 . 4 protocol version
926 */
927 if( buf[2] != SSL_HS_CLIENT_HELLO ||
928 buf[3] != SSL_MAJOR_VERSION_3 )
929 {
930 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
931 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
932 }
933
934 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
935
936 if( n < 17 || n > 512 )
937 {
938 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
939 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
940 }
941
942 ssl->major_ver = SSL_MAJOR_VERSION_3;
943 ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
944 ? buf[4] : ssl->max_minor_ver;
945
946 if( ssl->minor_ver < ssl->min_minor_ver )
947 {
948 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
949 " [%d:%d] < [%d:%d]",
950 ssl->major_ver, ssl->minor_ver,
951 ssl->min_major_ver, ssl->min_minor_ver ) );
952
953 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
954 SSL_ALERT_MSG_PROTOCOL_VERSION );
955 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
956 }
957
958 ssl->handshake->max_major_ver = buf[3];
959 ssl->handshake->max_minor_ver = buf[4];
960
961 if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
962 {
963 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
964 return( ret );
965 }
966
967 ssl->handshake->update_checksum( ssl, buf + 2, n );
968
969 buf = ssl->in_msg;
970 n = ssl->in_left - 5;
971
972 /*
973 * 0 . 1 ciphersuitelist length
974 * 2 . 3 session id length
975 * 4 . 5 challenge length
976 * 6 . .. ciphersuitelist
977 * .. . .. session id
978 * .. . .. challenge
979 */
980 SSL_DEBUG_BUF( 4, "record contents", buf, n );
981
982 ciph_len = ( buf[0] << 8 ) | buf[1];
983 sess_len = ( buf[2] << 8 ) | buf[3];
984 chal_len = ( buf[4] << 8 ) | buf[5];
985
986 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
987 ciph_len, sess_len, chal_len ) );
988
989 /*
990 * Make sure each parameter length is valid
991 */
992 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
993 {
994 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
995 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
996 }
997
998 if( sess_len > 32 )
999 {
1000 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1001 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1002 }
1003
1004 if( chal_len < 8 || chal_len > 32 )
1005 {
1006 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1007 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1008 }
1009
1010 if( n != 6 + ciph_len + sess_len + chal_len )
1011 {
1012 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1013 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1014 }
1015
1016 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1017 buf + 6, ciph_len );
1018 SSL_DEBUG_BUF( 3, "client hello, session id",
1019 buf + 6 + ciph_len, sess_len );
1020 SSL_DEBUG_BUF( 3, "client hello, challenge",
1021 buf + 6 + ciph_len + sess_len, chal_len );
1022
1023 p = buf + 6 + ciph_len;
1024 ssl->session_negotiate->length = sess_len;
1025 memset( ssl->session_negotiate->id, 0,
1026 sizeof( ssl->session_negotiate->id ) );
1027 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
1028
1029 p += sess_len;
1030 memset( ssl->handshake->randbytes, 0, 64 );
1031 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
1032
1033 /*
1034 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1035 */
1036 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
1037 {
1038 if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
1039 {
1040 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1041 if( ssl->renegotiation == SSL_RENEGOTIATION )
1042 {
1043 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
1044
1045 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1046 return( ret );
1047
1048 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1049 }
1050 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
1051 break;
1052 }
1053 }
1054
1055 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1056 ciphersuite_info = NULL;
1057#if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1058 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
1059 {
1060 for( i = 0; ciphersuites[i] != 0; i++ )
1061#else
1062 for( i = 0; ciphersuites[i] != 0; i++ )
1063 {
1064 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
1065#endif
1066 {
1067 if( p[0] != 0 ||
1068 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
1069 p[2] != ( ( ciphersuites[i] ) & 0xFF ) )
1070 continue;
1071
1072 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1073 &ciphersuite_info ) ) != 0 )
1074 return( ret );
1075
1076 if( ciphersuite_info != NULL )
1077 goto have_ciphersuite_v2;
1078 }
1079 }
1080
1081 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1082
1083 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
1084
1085have_ciphersuite_v2:
1086 ssl->session_negotiate->ciphersuite = ciphersuites[i];
1087 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1088 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
1089
1090 /*
1091 * SSLv2 Client Hello relevant renegotiation security checks
1092 */
1093 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1094 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
1095 {
1096 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1097
1098 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1099 return( ret );
1100
1101 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1102 }
1103
1104 ssl->in_left = 0;
1105 ssl->state++;
1106
1107 SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
1108
1109 return( 0 );
1110}
1111#endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
1112
1113static int ssl_parse_client_hello( ssl_context *ssl )
1114{
1115 int ret;
1116 unsigned int i, j;
1117 size_t n;
1118 unsigned int ciph_len, sess_len;
1119 unsigned int comp_len;
1120 unsigned int ext_len = 0;
1121 unsigned char *buf, *p, *ext;
1122 int renegotiation_info_seen = 0;
1123 int handshake_failure = 0;
1124 const int *ciphersuites;
1125 const ssl_ciphersuite_t *ciphersuite_info;
1126
1127 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
1128
1129 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
1130 ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1131 {
1132 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1133 return( ret );
1134 }
1135
1136 buf = ssl->in_hdr;
1137
1138#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1139 if( ( buf[0] & 0x80 ) != 0 )
1140 return ssl_parse_client_hello_v2( ssl );
1141#endif
1142
1143 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
1144
1145 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
1146 buf[0] ) );
1147 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
1148 ( buf[3] << 8 ) | buf[4] ) );
1149 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
1150 buf[1], buf[2] ) );
1151
1152 /*
1153 * SSLv3/TLS Client Hello
1154 *
1155 * Record layer:
1156 * 0 . 0 message type
1157 * 1 . 2 protocol version
1158 * 3 . 4 message length
1159 */
1160
1161 /* According to RFC 5246 Appendix E.1, the version here is typically
1162 * "{03,00}, the lowest version number supported by the client, [or] the
1163 * value of ClientHello.client_version", so the only meaningful check here
1164 * is the major version shouldn't be less than 3 */
1165 if( buf[0] != SSL_MSG_HANDSHAKE ||
1166 buf[1] < SSL_MAJOR_VERSION_3 )
1167 {
1168 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1169 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1170 }
1171
1172 n = ( buf[3] << 8 ) | buf[4];
1173
1174 if( n < 45 || n > SSL_MAX_CONTENT_LEN )
1175 {
1176 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1177 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1178 }
1179
1180 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
1181 ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
1182 {
1183 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1184 return( ret );
1185 }
1186
1187 buf = ssl->in_msg;
1188 if( !ssl->renegotiation )
1189 n = ssl->in_left - 5;
1190 else
1191 n = ssl->in_msglen;
1192
1193 ssl->handshake->update_checksum( ssl, buf, n );
1194
1195 /*
1196 * SSL layer:
1197 * 0 . 0 handshake type
1198 * 1 . 3 handshake length
1199 * 4 . 5 protocol version
1200 * 6 . 9 UNIX time()
1201 * 10 . 37 random bytes
1202 * 38 . 38 session id length
1203 * 39 . 38+x session id
1204 * 39+x . 40+x ciphersuitelist length
1205 * 41+x . 40+y ciphersuitelist
1206 * 41+y . 41+y compression alg length
1207 * 42+y . 41+z compression algs
1208 * .. . .. extensions
1209 */
1210 SSL_DEBUG_BUF( 4, "record contents", buf, n );
1211
1212 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
1213 buf[0] ) );
1214 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
1215 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
1216 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
1217 buf[4], buf[5] ) );
1218
1219 /*
1220 * Check the handshake type and protocol version
1221 */
1222 if( buf[0] != SSL_HS_CLIENT_HELLO )
1223 {
1224 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1225 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1226 }
1227
1228 ssl->major_ver = buf[4];
1229 ssl->minor_ver = buf[5];
1230
1231 ssl->handshake->max_major_ver = ssl->major_ver;
1232 ssl->handshake->max_minor_ver = ssl->minor_ver;
1233
1234 if( ssl->major_ver < ssl->min_major_ver ||
1235 ssl->minor_ver < ssl->min_minor_ver )
1236 {
1237 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1238 " [%d:%d] < [%d:%d]",
1239 ssl->major_ver, ssl->minor_ver,
1240 ssl->min_major_ver, ssl->min_minor_ver ) );
1241
1242 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1243 SSL_ALERT_MSG_PROTOCOL_VERSION );
1244
1245 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1246 }
1247
1248 if( ssl->major_ver > ssl->max_major_ver )
1249 {
1250 ssl->major_ver = ssl->max_major_ver;
1251 ssl->minor_ver = ssl->max_minor_ver;
1252 }
1253 else if( ssl->minor_ver > ssl->max_minor_ver )
1254 ssl->minor_ver = ssl->max_minor_ver;
1255
1256 memcpy( ssl->handshake->randbytes, buf + 6, 32 );
1257
1258 /*
1259 * Check the handshake message length
1260 */
1261 if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
1262 {
1263 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1264 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1265 }
1266
1267 /*
1268 * Check the session length
1269 */
1270 sess_len = buf[38];
1271
1272 if( sess_len > 32 || sess_len > n - 42 )
1273 {
1274 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1275 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1276 }
1277
1278 ssl->session_negotiate->length = sess_len;
1279 memset( ssl->session_negotiate->id, 0,
1280 sizeof( ssl->session_negotiate->id ) );
1281 memcpy( ssl->session_negotiate->id, buf + 39,
1282 ssl->session_negotiate->length );
1283
1284 /*
1285 * Check the ciphersuitelist length
1286 */
1287 ciph_len = ( buf[39 + sess_len] << 8 )
1288 | ( buf[40 + sess_len] );
1289
1290 if( ciph_len < 2 || ( ciph_len % 2 ) != 0 || ciph_len > n - 42 - sess_len )
1291 {
1292 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1293 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1294 }
1295
1296 /*
1297 * Check the compression algorithms length
1298 */
1299 comp_len = buf[41 + sess_len + ciph_len];
1300
1301 if( comp_len < 1 || comp_len > 16 ||
1302 comp_len > n - 42 - sess_len - ciph_len )
1303 {
1304 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1305 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1306 }
1307
1308 /*
1309 * Check the extension length
1310 */
1311 if( n > 42 + sess_len + ciph_len + comp_len )
1312 {
1313 ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
1314 | ( buf[43 + sess_len + ciph_len + comp_len] );
1315
1316 if( ( ext_len > 0 && ext_len < 4 ) ||
1317 n != 44 + sess_len + ciph_len + comp_len + ext_len )
1318 {
1319 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1320 SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
1321 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1322 }
1323 }
1324
1325 ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
1326#if defined(POLARSSL_ZLIB_SUPPORT)
1327 for( i = 0; i < comp_len; ++i )
1328 {
1329 if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
1330 {
1331 ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE;
1332 break;
1333 }
1334 }
1335#endif
1336
1337 SSL_DEBUG_BUF( 3, "client hello, random bytes",
1338 buf + 6, 32 );
1339 SSL_DEBUG_BUF( 3, "client hello, session id",
1340 buf + 38, sess_len );
1341 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1342 buf + 41 + sess_len, ciph_len );
1343 SSL_DEBUG_BUF( 3, "client hello, compression",
1344 buf + 42 + sess_len + ciph_len, comp_len );
1345
1346 /*
1347 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1348 */
1349 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1350 {
1351 if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
1352 {
1353 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1354 if( ssl->renegotiation == SSL_RENEGOTIATION )
1355 {
1356 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
1357
1358 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1359 return( ret );
1360
1361 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1362 }
1363 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
1364 break;
1365 }
1366 }
1367
1368 ext = buf + 44 + sess_len + ciph_len + comp_len;
1369
1370 while( ext_len )
1371 {
1372 unsigned int ext_id = ( ( ext[0] << 8 )
1373 | ( ext[1] ) );
1374 unsigned int ext_size = ( ( ext[2] << 8 )
1375 | ( ext[3] ) );
1376
1377 if( ext_size + 4 > ext_len )
1378 {
1379 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1380 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1381 }
1382 switch( ext_id )
1383 {
1384#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
1385 case TLS_EXT_SERVERNAME:
1386 SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1387 if( ssl->f_sni == NULL )
1388 break;
1389
1390 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1391 if( ret != 0 )
1392 return( ret );
1393 break;
1394#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
1395
1396 case TLS_EXT_RENEGOTIATION_INFO:
1397 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1398 renegotiation_info_seen = 1;
1399
1400 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1401 if( ret != 0 )
1402 return( ret );
1403 break;
1404
1405#if defined(POLARSSL_SSL_PROTO_TLS1_2)
1406 case TLS_EXT_SIG_ALG:
1407 SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1408 if( ssl->renegotiation == SSL_RENEGOTIATION )
1409 break;
1410
1411 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1412 if( ret != 0 )
1413 return( ret );
1414 break;
1415#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1416
1417#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1418 case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
1419 SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1420
1421 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1422 if( ret != 0 )
1423 return( ret );
1424 break;
1425
1426 case TLS_EXT_SUPPORTED_POINT_FORMATS:
1427 SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1428 ssl->handshake->cli_exts |= TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
1429
1430 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1431 if( ret != 0 )
1432 return( ret );
1433 break;
1434#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1435
1436#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1437 case TLS_EXT_MAX_FRAGMENT_LENGTH:
1438 SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1439
1440 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1441 if( ret != 0 )
1442 return( ret );
1443 break;
1444#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
1445
1446#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1447 case TLS_EXT_TRUNCATED_HMAC:
1448 SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1449
1450 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1451 if( ret != 0 )
1452 return( ret );
1453 break;
1454#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
1455
1456#if defined(POLARSSL_SSL_SESSION_TICKETS)
1457 case TLS_EXT_SESSION_TICKET:
1458 SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1459
1460 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1461 if( ret != 0 )
1462 return( ret );
1463 break;
1464#endif /* POLARSSL_SSL_SESSION_TICKETS */
1465
1466#if defined(POLARSSL_SSL_ALPN)
1467 case TLS_EXT_ALPN:
1468 SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1469
1470 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
1471 if( ret != 0 )
1472 return( ret );
1473 break;
1474#endif /* POLARSSL_SSL_SESSION_TICKETS */
1475
1476 default:
1477 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1478 ext_id ) );
1479 }
1480
1481 ext_len -= 4 + ext_size;
1482 ext += 4 + ext_size;
1483
1484 if( ext_len > 0 && ext_len < 4 )
1485 {
1486 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1487 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1488 }
1489 }
1490
1491 /*
1492 * Renegotiation security checks
1493 */
1494 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1495 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
1496 {
1497 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1498 handshake_failure = 1;
1499 }
1500 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1501 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
1502 renegotiation_info_seen == 0 )
1503 {
1504 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1505 handshake_failure = 1;
1506 }
1507 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1508 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1509 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
1510 {
1511 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1512 handshake_failure = 1;
1513 }
1514 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1515 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1516 renegotiation_info_seen == 1 )
1517 {
1518 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1519 handshake_failure = 1;
1520 }
1521
1522 if( handshake_failure == 1 )
1523 {
1524 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1525 return( ret );
1526
1527 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1528 }
1529
1530 /*
1531 * Search for a matching ciphersuite
1532 * (At the end because we need information from the EC-based extensions
1533 * and certificate from the SNI callback triggered by the SNI extension.)
1534 */
1535 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1536 ciphersuite_info = NULL;
1537#if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1538 for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 )
1539 {
1540 for( i = 0; ciphersuites[i] != 0; i++ )
1541#else
1542 for( i = 0; ciphersuites[i] != 0; i++ )
1543 {
1544 for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 )
1545#endif
1546 {
1547 if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
1548 p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
1549 continue;
1550
1551 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1552 &ciphersuite_info ) ) != 0 )
1553 return( ret );
1554
1555 if( ciphersuite_info != NULL )
1556 goto have_ciphersuite;
1557 }
1558 }
1559
1560 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1561
1562 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1563 return( ret );
1564
1565 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
1566
1567have_ciphersuite:
1568 ssl->session_negotiate->ciphersuite = ciphersuites[i];
1569 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1570 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
1571
1572 ssl->in_left = 0;
1573 ssl->state++;
1574
1575 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1576
1577 return( 0 );
1578}
1579
1580#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1581static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
1582 unsigned char *buf,
1583 size_t *olen )
1584{
1585 unsigned char *p = buf;
1586
1587 if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
1588 {
1589 *olen = 0;
1590 return;
1591 }
1592
1593 SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1594
1595 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
1596 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
1597
1598 *p++ = 0x00;
1599 *p++ = 0x00;
1600
1601 *olen = 4;
1602}
1603#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
1604
1605#if defined(POLARSSL_SSL_SESSION_TICKETS)
1606static void ssl_write_session_ticket_ext( ssl_context *ssl,
1607 unsigned char *buf,
1608 size_t *olen )
1609{
1610 unsigned char *p = buf;
1611
1612 if( ssl->handshake->new_session_ticket == 0 )
1613 {
1614 *olen = 0;
1615 return;
1616 }
1617
1618 SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1619
1620 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
1621 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
1622
1623 *p++ = 0x00;
1624 *p++ = 0x00;
1625
1626 *olen = 4;
1627}
1628#endif /* POLARSSL_SSL_SESSION_TICKETS */
1629
1630static void ssl_write_renegotiation_ext( ssl_context *ssl,
1631 unsigned char *buf,
1632 size_t *olen )
1633{
1634 unsigned char *p = buf;
1635
1636 if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION )
1637 {
1638 *olen = 0;
1639 return;
1640 }
1641
1642 SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1643
1644 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
1645 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
1646
1647 *p++ = 0x00;
1648 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
1649 *p++ = ssl->verify_data_len * 2 & 0xFF;
1650
1651 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
1652 p += ssl->verify_data_len;
1653 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
1654 p += ssl->verify_data_len;
1655
1656 *olen = 5 + ssl->verify_data_len * 2;
1657}
1658
1659#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1660static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
1661 unsigned char *buf,
1662 size_t *olen )
1663{
1664 unsigned char *p = buf;
1665
1666 if( ssl->session_negotiate->mfl_code == SSL_MAX_FRAG_LEN_NONE )
1667 {
1668 *olen = 0;
1669 return;
1670 }
1671
1672 SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
1673
1674 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
1675 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
1676
1677 *p++ = 0x00;
1678 *p++ = 1;
1679
1680 *p++ = ssl->session_negotiate->mfl_code;
1681
1682 *olen = 5;
1683}
1684#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
1685
1686#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1687static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
1688 unsigned char *buf,
1689 size_t *olen )
1690{
1691 unsigned char *p = buf;
1692 ((void) ssl);
1693
1694 if( ( ssl->handshake->cli_exts &
1695 TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
1696 {
1697 *olen = 0;
1698 return;
1699 }
1700
1701 SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
1702
1703 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
1704 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
1705
1706 *p++ = 0x00;
1707 *p++ = 2;
1708
1709 *p++ = 1;
1710 *p++ = POLARSSL_ECP_PF_UNCOMPRESSED;
1711
1712 *olen = 6;
1713}
1714#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1715
1716#if defined(POLARSSL_SSL_ALPN )
1717static void ssl_write_alpn_ext( ssl_context *ssl,
1718 unsigned char *buf, size_t *olen )
1719{
1720 if( ssl->alpn_chosen == NULL )
1721 {
1722 *olen = 0;
1723 return;
1724 }
1725
1726 SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
1727
1728 /*
1729 * 0 . 1 ext identifier
1730 * 2 . 3 ext length
1731 * 4 . 5 protocol list length
1732 * 6 . 6 protocol name length
1733 * 7 . 7+n protocol name
1734 */
1735 buf[0] = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF );
1736 buf[1] = (unsigned char)( ( TLS_EXT_ALPN ) & 0xFF );
1737
1738 *olen = 7 + strlen( ssl->alpn_chosen );
1739
1740 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
1741 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
1742
1743 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
1744 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
1745
1746 buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF );
1747
1748 memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
1749}
1750#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1751
1752static int ssl_write_server_hello( ssl_context *ssl )
1753{
1754#if defined(POLARSSL_HAVE_TIME)
1755 time_t t;
1756#endif
1757 int ret;
1758 size_t olen, ext_len = 0, n;
1759 unsigned char *buf, *p;
1760
1761 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
1762
1763 if( ssl->f_rng == NULL )
1764 {
1765 SSL_DEBUG_MSG( 1, ( "no RNG provided") );
1766 return( POLARSSL_ERR_SSL_NO_RNG );
1767 }
1768
1769 /*
1770 * 0 . 0 handshake type
1771 * 1 . 3 handshake length
1772 * 4 . 5 protocol version
1773 * 6 . 9 UNIX time()
1774 * 10 . 37 random bytes
1775 */
1776 buf = ssl->out_msg;
1777 p = buf + 4;
1778
1779 *p++ = (unsigned char) ssl->major_ver;
1780 *p++ = (unsigned char) ssl->minor_ver;
1781
1782 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
1783 buf[4], buf[5] ) );
1784
1785#if defined(POLARSSL_HAVE_TIME)
1786 t = time( NULL );
1787 *p++ = (unsigned char)( t >> 24 );
1788 *p++ = (unsigned char)( t >> 16 );
1789 *p++ = (unsigned char)( t >> 8 );
1790 *p++ = (unsigned char)( t );
1791
1792 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
1793#else
1794 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
1795 return( ret );
1796
1797 p += 4;
1798#endif /* POLARSSL_HAVE_TIME */
1799
1800 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
1801 return( ret );
1802
1803 p += 28;
1804
1805 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
1806
1807 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
1808
1809 /*
1810 * Resume is 0 by default, see ssl_handshake_init().
1811 * It may be already set to 1 by ssl_parse_session_ticket_ext().
1812 * If not, try looking up session ID in our cache.
1813 */
1814 if( ssl->handshake->resume == 0 &&
1815 ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
1816 ssl->session_negotiate->length != 0 &&
1817 ssl->f_get_cache != NULL &&
1818 ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
1819 {
1820 SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
1821 ssl->handshake->resume = 1;
1822 }
1823
1824 if( ssl->handshake->resume == 0 )
1825 {
1826 /*
1827 * New session, create a new session id,
1828 * unless we're about to issue a session ticket
1829 */
1830 ssl->state++;
1831
1832#if defined(POLARSSL_HAVE_TIME)
1833 ssl->session_negotiate->start = time( NULL );
1834#endif
1835
1836#if defined(POLARSSL_SSL_SESSION_TICKETS)
1837 if( ssl->handshake->new_session_ticket != 0 )
1838 {
1839 ssl->session_negotiate->length = n = 0;
1840 memset( ssl->session_negotiate->id, 0, 32 );
1841 }
1842 else
1843#endif /* POLARSSL_SSL_SESSION_TICKETS */
1844 {
1845 ssl->session_negotiate->length = n = 32;
1846 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
1847 n ) ) != 0 )
1848 return( ret );
1849 }
1850 }
1851 else
1852 {
1853 /*
1854 * Resuming a session
1855 */
1856 n = ssl->session_negotiate->length;
1857 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
1858
1859 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1860 {
1861 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1862 return( ret );
1863 }
1864 }
1865
1866 /*
1867 * 38 . 38 session id length
1868 * 39 . 38+n session id
1869 * 39+n . 40+n chosen ciphersuite
1870 * 41+n . 41+n chosen compression alg.
1871 * 42+n . 43+n extensions length
1872 * 44+n . 43+n+m extensions
1873 */
1874 *p++ = (unsigned char) ssl->session_negotiate->length;
1875 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
1876 p += ssl->session_negotiate->length;
1877
1878 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1879 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
1880 SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
1881 ssl->handshake->resume ? "a" : "no" ) );
1882
1883 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
1884 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
1885 *p++ = (unsigned char)( ssl->session_negotiate->compression );
1886
1887 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
1888 ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
1889 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
1890 ssl->session_negotiate->compression ) );
1891
1892 /*
1893 * First write extensions, then the total length
1894 */
1895 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1896 ext_len += olen;
1897
1898#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1899 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1900 ext_len += olen;
1901#endif
1902
1903#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1904 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1905 ext_len += olen;
1906#endif
1907
1908#if defined(POLARSSL_SSL_SESSION_TICKETS)
1909 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1910 ext_len += olen;
1911#endif
1912
1913#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1914 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1915 ext_len += olen;
1916#endif
1917
1918#if defined(POLARSSL_SSL_ALPN)
1919 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
1920 ext_len += olen;
1921#endif
1922
1923 SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
1924
1925 if( ext_len > 0 )
1926 {
1927 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1928 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1929 p += ext_len;
1930 }
1931
1932 ssl->out_msglen = p - buf;
1933 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1934 ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
1935
1936 ret = ssl_write_record( ssl );
1937
1938 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
1939
1940 return( ret );
1941}
1942
1943#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1944 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1945 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
1946 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1947static int ssl_write_certificate_request( ssl_context *ssl )
1948{
1949 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1950
1951 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1952
1953 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1954 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1955 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1956 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1957 {
1958 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1959 ssl->state++;
1960 return( 0 );
1961 }
1962
1963 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1964 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1965}
1966#else
1967static int ssl_write_certificate_request( ssl_context *ssl )
1968{
1969 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1970 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1971 size_t dn_size, total_dn_size; /* excluding length bytes */
1972 size_t ct_len, sa_len; /* including length bytes */
1973 unsigned char *buf, *p;
1974 const x509_crt *crt;
1975
1976 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1977
1978 ssl->state++;
1979
1980 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1981 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1982 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1983 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
1984 ssl->authmode == SSL_VERIFY_NONE )
1985 {
1986 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1987 return( 0 );
1988 }
1989
1990 /*
1991 * 0 . 0 handshake type
1992 * 1 . 3 handshake length
1993 * 4 . 4 cert type count
1994 * 5 .. m-1 cert types
1995 * m .. m+1 sig alg length (TLS 1.2 only)
1996 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
1997 * n .. n+1 length of all DNs
1998 * n+2 .. n+3 length of DN 1
1999 * n+4 .. ... Distinguished Name #1
2000 * ... .. ... length of DN 2, etc.
2001 */
2002 buf = ssl->out_msg;
2003 p = buf + 4;
2004
2005 /*
2006 * Supported certificate types
2007 *
2008 * ClientCertificateType certificate_types<1..2^8-1>;
2009 * enum { (255) } ClientCertificateType;
2010 */
2011 ct_len = 0;
2012
2013#if defined(POLARSSL_RSA_C)
2014 p[1 + ct_len++] = SSL_CERT_TYPE_RSA_SIGN;
2015#endif
2016#if defined(POLARSSL_ECDSA_C)
2017 p[1 + ct_len++] = SSL_CERT_TYPE_ECDSA_SIGN;
2018#endif
2019
2020 p[0] = (unsigned char) ct_len++;
2021 p += ct_len;
2022
2023 sa_len = 0;
2024#if defined(POLARSSL_SSL_PROTO_TLS1_2)
2025 /*
2026 * Add signature_algorithms for verify (TLS 1.2)
2027 *
2028 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2029 *
2030 * struct {
2031 * HashAlgorithm hash;
2032 * SignatureAlgorithm signature;
2033 * } SignatureAndHashAlgorithm;
2034 *
2035 * enum { (255) } HashAlgorithm;
2036 * enum { (255) } SignatureAlgorithm;
2037 */
2038 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2039 {
2040 /*
2041 * Only use current running hash algorithm that is already required
2042 * for requested ciphersuite.
2043 */
2044 ssl->handshake->verify_sig_alg = SSL_HASH_SHA256;
2045
2046 if( ssl->transform_negotiate->ciphersuite_info->mac ==
2047 POLARSSL_MD_SHA384 )
2048 {
2049 ssl->handshake->verify_sig_alg = SSL_HASH_SHA384;
2050 }
2051
2052 /*
2053 * Supported signature algorithms
2054 */
2055#if defined(POLARSSL_RSA_C)
2056 p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
2057 p[2 + sa_len++] = SSL_SIG_RSA;
2058#endif
2059#if defined(POLARSSL_ECDSA_C)
2060 p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
2061 p[2 + sa_len++] = SSL_SIG_ECDSA;
2062#endif
2063
2064 p[0] = (unsigned char)( sa_len >> 8 );
2065 p[1] = (unsigned char)( sa_len );
2066 sa_len += 2;
2067 p += sa_len;
2068 }
2069#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2070
2071 /*
2072 * DistinguishedName certificate_authorities<0..2^16-1>;
2073 * opaque DistinguishedName<1..2^16-1>;
2074 */
2075 p += 2;
2076 crt = ssl->ca_chain;
2077
2078 total_dn_size = 0;
2079 while( crt != NULL && crt->version != 0 )
2080 {
2081 if( p - buf > 4096 )
2082 break;
2083
2084 dn_size = crt->subject_raw.len;
2085 *p++ = (unsigned char)( dn_size >> 8 );
2086 *p++ = (unsigned char)( dn_size );
2087 memcpy( p, crt->subject_raw.p, dn_size );
2088 p += dn_size;
2089
2090 SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
2091
2092 total_dn_size += 2 + dn_size;
2093 crt = crt->next;
2094 }
2095
2096 ssl->out_msglen = p - buf;
2097 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2098 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST;
2099 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
2100 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
2101
2102 ret = ssl_write_record( ssl );
2103
2104 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
2105
2106 return( ret );
2107}
2108#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2109 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2110 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
2111 !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2112
2113#if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2114 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2115static int ssl_get_ecdh_params_from_cert( ssl_context *ssl )
2116{
2117 int ret;
2118
2119 if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECKEY ) )
2120 {
2121 SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2122 return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH );
2123 }
2124
2125 if( ( ret = ecdh_get_params( &ssl->handshake->ecdh_ctx,
2126 pk_ec( *ssl_own_key( ssl ) ),
2127 POLARSSL_ECDH_OURS ) ) != 0 )
2128 {
2129 SSL_DEBUG_RET( 1, ( "ecdh_get_params" ), ret );
2130 return( ret );
2131 }
2132
2133 return( 0 );
2134}
2135#endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2136 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2137
2138static int ssl_write_server_key_exchange( ssl_context *ssl )
2139{
2140 int ret;
2141 size_t n = 0;
2142 const ssl_ciphersuite_t *ciphersuite_info =
2143 ssl->transform_negotiate->ciphersuite_info;
2144
2145#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2146 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2147 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2148 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2149 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2150 unsigned char *p = ssl->out_msg + 4;
2151 unsigned char *dig_signed = p;
2152 size_t dig_signed_len = 0, len;
2153 ((void) dig_signed);
2154 ((void) dig_signed_len);
2155#endif
2156
2157 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
2158
2159#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
2160 defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
2161 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2162 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ||
2163 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2164 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
2165 {
2166 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
2167 ssl->state++;
2168 return( 0 );
2169 }
2170#endif
2171
2172#if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2173 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2174 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
2175 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
2176 {
2177 ssl_get_ecdh_params_from_cert( ssl );
2178
2179 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
2180 ssl->state++;
2181 return( 0 );
2182 }
2183#endif
2184
2185#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2186 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2187 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2188 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2189 {
2190 /* TODO: Support identity hints */
2191 *(p++) = 0x00;
2192 *(p++) = 0x00;
2193
2194 n += 2;
2195 }
2196#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED ||
2197 POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2198
2199#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2200 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2201 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
2202 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2203 {
2204 /*
2205 * Ephemeral DH parameters:
2206 *
2207 * struct {
2208 * opaque dh_p<1..2^16-1>;
2209 * opaque dh_g<1..2^16-1>;
2210 * opaque dh_Ys<1..2^16-1>;
2211 * } ServerDHParams;
2212 */
2213 if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
2214 ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
2215 {
2216 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2217 return( ret );
2218 }
2219
2220 if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
2221 (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
2222 p, &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
2223 {
2224 SSL_DEBUG_RET( 1, "dhm_make_params", ret );
2225 return( ret );
2226 }
2227
2228 dig_signed = p;
2229 dig_signed_len = len;
2230
2231 p += len;
2232 n += len;
2233
2234 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
2235 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2236 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2237 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
2238 }
2239#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2240 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2241
2242#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
2243 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2244 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
2245 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2246 {
2247 /*
2248 * Ephemeral ECDH parameters:
2249 *
2250 * struct {
2251 * ECParameters curve_params;
2252 * ECPoint public;
2253 * } ServerECDHParams;
2254 */
2255 const ecp_curve_info **curve = NULL;
2256#if defined(POLARSSL_SSL_SET_CURVES)
2257 const ecp_group_id *gid;
2258
2259 /* Match our preference list against the offered curves */
2260 for( gid = ssl->curve_list; *gid != POLARSSL_ECP_DP_NONE; gid++ )
2261 for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
2262 if( (*curve)->grp_id == *gid )
2263 goto curve_matching_done;
2264
2265curve_matching_done:
2266#else
2267 curve = ssl->handshake->curves;
2268#endif
2269
2270 if( *curve == NULL )
2271 {
2272 SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
2273 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
2274 }
2275
2276 SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
2277
2278 if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
2279 (*curve)->grp_id ) ) != 0 )
2280 {
2281 SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
2282 return( ret );
2283 }
2284
2285 if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
2286 p, SSL_MAX_CONTENT_LEN - n,
2287 ssl->f_rng, ssl->p_rng ) ) != 0 )
2288 {
2289 SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
2290 return( ret );
2291 }
2292
2293 dig_signed = p;
2294 dig_signed_len = len;
2295
2296 p += len;
2297 n += len;
2298
2299 SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
2300 }
2301#endif /* POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
2302
2303#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2304 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2305 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2306 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
2307 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2308 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
2309 {
2310 size_t signature_len = 0;
2311 unsigned int hashlen = 0;
2312 unsigned char hash[64];
2313 md_type_t md_alg = POLARSSL_MD_NONE;
2314
2315 /*
2316 * Choose hash algorithm. NONE means MD5 + SHA1 here.
2317 */
2318#if defined(POLARSSL_SSL_PROTO_TLS1_2)
2319 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2320 {
2321 md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg );
2322
2323 if( md_alg == POLARSSL_MD_NONE )
2324 {
2325 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2326 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
2327 }
2328 }
2329 else
2330#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2331#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2332 defined(POLARSSL_SSL_PROTO_TLS1_1)
2333 if( ciphersuite_info->key_exchange ==
2334 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
2335 {
2336 md_alg = POLARSSL_MD_SHA1;
2337 }
2338 else
2339#endif
2340 {
2341 md_alg = POLARSSL_MD_NONE;
2342 }
2343
2344 /*
2345 * Compute the hash to be signed
2346 */
2347#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2348 defined(POLARSSL_SSL_PROTO_TLS1_1)
2349 if( md_alg == POLARSSL_MD_NONE )
2350 {
2351 md5_context md5;
2352 sha1_context sha1;
2353
2354 md5_init( &md5 );
2355 sha1_init( &sha1 );
2356
2357 /*
2358 * digitally-signed struct {
2359 * opaque md5_hash[16];
2360 * opaque sha_hash[20];
2361 * };
2362 *
2363 * md5_hash
2364 * MD5(ClientHello.random + ServerHello.random
2365 * + ServerParams);
2366 * sha_hash
2367 * SHA(ClientHello.random + ServerHello.random
2368 * + ServerParams);
2369 */
2370 md5_starts( &md5 );
2371 md5_update( &md5, ssl->handshake->randbytes, 64 );
2372 md5_update( &md5, dig_signed, dig_signed_len );
2373 md5_finish( &md5, hash );
2374
2375 sha1_starts( &sha1 );
2376 sha1_update( &sha1, ssl->handshake->randbytes, 64 );
2377 sha1_update( &sha1, dig_signed, dig_signed_len );
2378 sha1_finish( &sha1, hash + 16 );
2379
2380 hashlen = 36;
2381
2382 md5_free( &md5 );
2383 sha1_free( &sha1 );
2384 }
2385 else
2386#endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
2387 POLARSSL_SSL_PROTO_TLS1_1 */
2388#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2389 defined(POLARSSL_SSL_PROTO_TLS1_2)
2390 if( md_alg != POLARSSL_MD_NONE )
2391 {
2392 md_context_t ctx;
2393 const md_info_t *md_info = md_info_from_type( md_alg );
2394
2395 md_init( &ctx );
2396
2397 /* Info from md_alg will be used instead */
2398 hashlen = 0;
2399
2400 /*
2401 * digitally-signed struct {
2402 * opaque client_random[32];
2403 * opaque server_random[32];
2404 * ServerDHParams params;
2405 * };
2406 */
2407 if( ( ret = md_init_ctx( &ctx, md_info ) ) != 0 )
2408 {
2409 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
2410 return( ret );
2411 }
2412
2413 md_starts( &ctx );
2414 md_update( &ctx, ssl->handshake->randbytes, 64 );
2415 md_update( &ctx, dig_signed, dig_signed_len );
2416 md_finish( &ctx, hash );
2417 md_free( &ctx );
2418 }
2419 else
2420#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2421 POLARSSL_SSL_PROTO_TLS1_2 */
2422 {
2423 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2424 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
2425 }
2426
2427 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
2428 (unsigned int) ( md_info_from_type( md_alg ) )->size );
2429
2430 /*
2431 * Make the signature
2432 */
2433 if( ssl_own_key( ssl ) == NULL )
2434 {
2435 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2436 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2437 }
2438
2439#if defined(POLARSSL_SSL_PROTO_TLS1_2)
2440 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2441 {
2442 *(p++) = ssl->handshake->sig_alg;
2443 *(p++) = ssl_sig_from_pk( ssl_own_key( ssl ) );
2444
2445 n += 2;
2446 }
2447#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2448
2449 if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash, hashlen,
2450 p + 2 , &signature_len,
2451 ssl->f_rng, ssl->p_rng ) ) != 0 )
2452 {
2453 SSL_DEBUG_RET( 1, "pk_sign", ret );
2454 return( ret );
2455 }
2456
2457 *(p++) = (unsigned char)( signature_len >> 8 );
2458 *(p++) = (unsigned char)( signature_len );
2459 n += 2;
2460
2461 SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
2462
2463 p += signature_len;
2464 n += signature_len;
2465 }
2466#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
2467 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2468 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2469
2470 ssl->out_msglen = 4 + n;
2471 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2472 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE;
2473
2474 ssl->state++;
2475
2476 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2477 {
2478 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2479 return( ret );
2480 }
2481
2482 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
2483
2484 return( 0 );
2485}
2486
2487static int ssl_write_server_hello_done( ssl_context *ssl )
2488{
2489 int ret;
2490
2491 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
2492
2493 ssl->out_msglen = 4;
2494 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2495 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE;
2496
2497 ssl->state++;
2498
2499 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2500 {
2501 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2502 return( ret );
2503 }
2504
2505 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
2506
2507 return( 0 );
2508}
2509
2510#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2511 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2512static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
2513 const unsigned char *end )
2514{
2515 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2516 size_t n;
2517
2518 /*
2519 * Receive G^Y mod P, premaster = (G^Y)^X mod P
2520 */
2521 if( *p + 2 > end )
2522 {
2523 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2524 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2525 }
2526
2527 n = ( (*p)[0] << 8 ) | (*p)[1];
2528 *p += 2;
2529
2530 if( *p + n > end )
2531 {
2532 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2533 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2534 }
2535
2536 if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
2537 {
2538 SSL_DEBUG_RET( 1, "dhm_read_public", ret );
2539 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2540 }
2541
2542 *p += n;
2543
2544 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2545
2546 return( ret );
2547}
2548#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2549 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2550
2551#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
2552 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2553static int ssl_parse_encrypted_pms( ssl_context *ssl,
2554 const unsigned char *p,
2555 const unsigned char *end,
2556 size_t pms_offset )
2557{
2558 int ret;
2559 size_t len = pk_get_len( ssl_own_key( ssl ) );
2560 unsigned char *pms = ssl->handshake->premaster + pms_offset;
2561
2562 if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) )
2563 {
2564 SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
2565 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2566 }
2567
2568 /*
2569 * Decrypt the premaster using own private RSA key
2570 */
2571#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2572 defined(POLARSSL_SSL_PROTO_TLS1_2)
2573 if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
2574 {
2575 if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
2576 *p++ != ( ( len ) & 0xFF ) )
2577 {
2578 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2579 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2580 }
2581 }
2582#endif
2583
2584 if( p + len != end )
2585 {
2586 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2587 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2588 }
2589
2590 ret = pk_decrypt( ssl_own_key( ssl ), p, len,
2591 pms, &ssl->handshake->pmslen,
2592 sizeof( ssl->handshake->premaster ) - pms_offset,
2593 ssl->f_rng, ssl->p_rng );
2594
2595 if( ret != 0 || ssl->handshake->pmslen != 48 ||
2596 pms[0] != ssl->handshake->max_major_ver ||
2597 pms[1] != ssl->handshake->max_minor_ver )
2598 {
2599 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2600
2601 /*
2602 * Protection against Bleichenbacher's attack:
2603 * invalid PKCS#1 v1.5 padding must not cause
2604 * the connection to end immediately; instead,
2605 * send a bad_record_mac later in the handshake.
2606 */
2607 ssl->handshake->pmslen = 48;
2608
2609 ret = ssl->f_rng( ssl->p_rng, pms, ssl->handshake->pmslen );
2610 if( ret != 0 )
2611 return( ret );
2612 }
2613
2614 return( ret );
2615}
2616#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED ||
2617 POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
2618
2619#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
2620static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
2621 const unsigned char *end )
2622{
2623 int ret = 0;
2624 size_t n;
2625
2626 if( ssl->f_psk == NULL &&
2627 ( ssl->psk == NULL || ssl->psk_identity == NULL ||
2628 ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
2629 {
2630 SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
2631 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2632 }
2633
2634 /*
2635 * Receive client pre-shared key identity name
2636 */
2637 if( *p + 2 > end )
2638 {
2639 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2640 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2641 }
2642
2643 n = ( (*p)[0] << 8 ) | (*p)[1];
2644 *p += 2;
2645
2646 if( n < 1 || n > 65535 || *p + n > end )
2647 {
2648 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2649 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2650 }
2651
2652 if( ssl->f_psk != NULL )
2653 {
2654 if( ssl->f_psk( ssl->p_psk, ssl, *p, n ) != 0 )
2655 ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
2656 }
2657 else
2658 {
2659 /* Identity is not a big secret since clients send it in the clear,
2660 * but treat it carefully anyway, just in case */
2661 if( n != ssl->psk_identity_len ||
2662 safer_memcmp( ssl->psk_identity, *p, n ) != 0 )
2663 {
2664 ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
2665 }
2666 }
2667
2668 if( ret == POLARSSL_ERR_SSL_UNKNOWN_IDENTITY )
2669 {
2670 SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
2671 if( ( ret = ssl_send_alert_message( ssl,
2672 SSL_ALERT_LEVEL_FATAL,
2673 SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 )
2674 {
2675 return( ret );
2676 }
2677
2678 return( POLARSSL_ERR_SSL_UNKNOWN_IDENTITY );
2679 }
2680
2681 *p += n;
2682
2683 return( 0 );
2684}
2685#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
2686
2687static int ssl_parse_client_key_exchange( ssl_context *ssl )
2688{
2689 int ret;
2690 const ssl_ciphersuite_t *ciphersuite_info;
2691
2692 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2693
2694 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
2695
2696 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2697 {
2698 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2699 return( ret );
2700 }
2701
2702 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2703 {
2704 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2705 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2706 }
2707
2708 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
2709 {
2710 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2711 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2712 }
2713
2714#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
2715 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
2716 {
2717 unsigned char *p = ssl->in_msg + 4;
2718 unsigned char *end = ssl->in_msg + ssl->in_hslen;
2719
2720 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2721 {
2722 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2723 return( ret );
2724 }
2725
2726 if( p != end )
2727 {
2728 SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
2729 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2730 }
2731
2732 ssl->handshake->pmslen = POLARSSL_PREMASTER_SIZE;
2733
2734 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2735 ssl->handshake->premaster,
2736 &ssl->handshake->pmslen,
2737 ssl->f_rng, ssl->p_rng ) ) != 0 )
2738 {
2739 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2740 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2741 }
2742
2743 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2744 }
2745 else
2746#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
2747#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2748 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2749 defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2750 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2751 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2752 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
2753 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
2754 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
2755 {
2756 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2757 ssl->in_msg + 4, ssl->in_hslen - 4 ) ) != 0 )
2758 {
2759 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2760 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2761 }
2762
2763 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2764
2765 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2766 &ssl->handshake->pmslen,
2767 ssl->handshake->premaster,
2768 POLARSSL_MPI_MAX_SIZE,
2769 ssl->f_rng, ssl->p_rng ) ) != 0 )
2770 {
2771 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
2772 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2773 }
2774
2775 SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
2776 }
2777 else
2778#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2779 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2780 POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2781 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2782#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2783 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
2784 {
2785 unsigned char *p = ssl->in_msg + 4;
2786 unsigned char *end = ssl->in_msg + ssl->in_hslen;
2787
2788 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2789 {
2790 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2791 return( ret );
2792 }
2793
2794 if( p != end )
2795 {
2796 SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
2797 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2798 }
2799
2800 if( ( ret = ssl_psk_derive_premaster( ssl,
2801 ciphersuite_info->key_exchange ) ) != 0 )
2802 {
2803 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2804 return( ret );
2805 }
2806 }
2807 else
2808#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
2809#if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2810 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
2811 {
2812 unsigned char *p = ssl->in_msg + 4;
2813 unsigned char *end = ssl->in_msg + ssl->in_hslen;
2814
2815 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2816 {
2817 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2818 return( ret );
2819 }
2820
2821 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
2822 {
2823 SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
2824 return( ret );
2825 }
2826
2827 if( ( ret = ssl_psk_derive_premaster( ssl,
2828 ciphersuite_info->key_exchange ) ) != 0 )
2829 {
2830 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2831 return( ret );
2832 }
2833 }
2834 else
2835#endif /* POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
2836#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2837 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2838 {
2839 unsigned char *p = ssl->in_msg + 4;
2840 unsigned char *end = ssl->in_msg + ssl->in_hslen;
2841
2842 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2843 {
2844 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2845 return( ret );
2846 }
2847 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2848 {
2849 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2850 return( ret );
2851 }
2852
2853 if( p != end )
2854 {
2855 SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
2856 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2857 }
2858
2859 if( ( ret = ssl_psk_derive_premaster( ssl,
2860 ciphersuite_info->key_exchange ) ) != 0 )
2861 {
2862 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2863 return( ret );
2864 }
2865 }
2866 else
2867#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2868#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2869 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2870 {
2871 unsigned char *p = ssl->in_msg + 4;
2872 unsigned char *end = ssl->in_msg + ssl->in_hslen;
2873
2874 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2875 {
2876 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2877 return( ret );
2878 }
2879
2880 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2881 p, end - p ) ) != 0 )
2882 {
2883 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2884 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2885 }
2886
2887 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2888
2889 if( ( ret = ssl_psk_derive_premaster( ssl,
2890 ciphersuite_info->key_exchange ) ) != 0 )
2891 {
2892 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2893 return( ret );
2894 }
2895 }
2896 else
2897#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2898#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2899 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
2900 {
2901 if( ( ret = ssl_parse_encrypted_pms( ssl,
2902 ssl->in_msg + 4,
2903 ssl->in_msg + ssl->in_hslen,
2904 0 ) ) != 0 )
2905 {
2906 SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
2907 return( ret );
2908 }
2909 }
2910 else
2911#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2912 {
2913 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2914 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
2915 }
2916
2917 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2918 {
2919 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2920 return( ret );
2921 }
2922
2923 ssl->state++;
2924
2925 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
2926
2927 return( 0 );
2928}
2929
2930#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2931 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2932 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2933 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2934static int ssl_parse_certificate_verify( ssl_context *ssl )
2935{
2936 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2937
2938 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2939
2940 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2941 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2942 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2943 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2944 {
2945 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2946 ssl->state++;
2947 return( 0 );
2948 }
2949
2950 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2951 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
2952}
2953#else
2954static int ssl_parse_certificate_verify( ssl_context *ssl )
2955{
2956 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2957 size_t sa_len, sig_len;
2958 unsigned char hash[48];
2959 unsigned char *hash_start = hash;
2960 size_t hashlen;
2961#if defined(POLARSSL_SSL_PROTO_TLS1_2)
2962 pk_type_t pk_alg;
2963#endif
2964 md_type_t md_alg;
2965 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2966
2967 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2968
2969 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2970 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2971 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2972 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2973 {
2974 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2975 ssl->state++;
2976 return( 0 );
2977 }
2978
2979 if( ssl->session_negotiate->peer_cert == NULL )
2980 {
2981 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2982 ssl->state++;
2983 return( 0 );
2984 }
2985
2986 ssl->handshake->calc_verify( ssl, hash );
2987
2988 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2989 {
2990 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2991 return( ret );
2992 }
2993
2994 ssl->state++;
2995
2996 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2997 {
2998 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
2999 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
3000 }
3001
3002 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
3003 {
3004 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3005 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
3006 }
3007
3008 /*
3009 * 0 . 0 handshake type
3010 * 1 . 3 handshake length
3011 * 4 . 5 sig alg (TLS 1.2 only)
3012 * 4+n . 5+n signature length (n = sa_len)
3013 * 6+n . 6+n+m signature (m = sig_len)
3014 */
3015
3016#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
3017 defined(POLARSSL_SSL_PROTO_TLS1_1)
3018 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
3019 {
3020 sa_len = 0;
3021
3022 md_alg = POLARSSL_MD_NONE;
3023 hashlen = 36;
3024
3025 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
3026 if( pk_can_do( &ssl->session_negotiate->peer_cert->pk,
3027 POLARSSL_PK_ECDSA ) )
3028 {
3029 hash_start += 16;
3030 hashlen -= 16;
3031 md_alg = POLARSSL_MD_SHA1;
3032 }
3033 }
3034 else
3035#endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 ||
3036 POLARSSL_SSL_PROTO_TLS1_1 */
3037#if defined(POLARSSL_SSL_PROTO_TLS1_2)
3038 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
3039 {
3040 sa_len = 2;
3041
3042 /*
3043 * Hash
3044 */
3045 if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg )
3046 {
3047 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
3048 " for verify message" ) );
3049 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
3050 }
3051
3052 md_alg = ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg );
3053
3054 /* Info from md_alg will be used instead */
3055 hashlen = 0;
3056
3057 /*
3058 * Signature
3059 */
3060 if( ( pk_alg = ssl_pk_alg_from_sig( ssl->in_msg[5] ) )
3061 == POLARSSL_PK_NONE )
3062 {
3063 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
3064 " for verify message" ) );
3065 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
3066 }
3067
3068 /*
3069 * Check the certificate's key type matches the signature alg
3070 */
3071 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
3072 {
3073 SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
3074 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
3075 }
3076 }
3077 else
3078#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3079 {
3080 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3081 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
3082 }
3083
3084 sig_len = ( ssl->in_msg[4 + sa_len] << 8 ) | ssl->in_msg[5 + sa_len];
3085
3086 if( sa_len + sig_len + 6 != ssl->in_hslen )
3087 {
3088 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3089 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
3090 }
3091
3092 if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
3093 md_alg, hash_start, hashlen,
3094 ssl->in_msg + 6 + sa_len, sig_len ) ) != 0 )
3095 {
3096 SSL_DEBUG_RET( 1, "pk_verify", ret );
3097 return( ret );
3098 }
3099
3100 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
3101
3102 return( ret );
3103}
3104#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
3105 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
3106 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
3107
3108#if defined(POLARSSL_SSL_SESSION_TICKETS)
3109static int ssl_write_new_session_ticket( ssl_context *ssl )
3110{
3111 int ret;
3112 size_t tlen;
3113 uint32_t lifetime = (uint32_t) ssl->ticket_lifetime;
3114
3115 SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
3116
3117 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
3118 ssl->out_msg[0] = SSL_HS_NEW_SESSION_TICKET;
3119
3120 /*
3121 * struct {
3122 * uint32 ticket_lifetime_hint;
3123 * opaque ticket<0..2^16-1>;
3124 * } NewSessionTicket;
3125 *
3126 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
3127 * 8 . 9 ticket_len (n)
3128 * 10 . 9+n ticket content
3129 */
3130
3131 ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
3132 ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
3133 ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
3134 ssl->out_msg[7] = ( lifetime ) & 0xFF;
3135
3136 if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
3137 {
3138 SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
3139 tlen = 0;
3140 }
3141
3142 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
3143 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
3144
3145 ssl->out_msglen = 10 + tlen;
3146
3147 /*
3148 * Morally equivalent to updating ssl->state, but NewSessionTicket and
3149 * ChangeCipherSpec share the same state.
3150 */
3151 ssl->handshake->new_session_ticket = 0;
3152
3153 if( ( ret = ssl_write_record( ssl ) ) != 0 )
3154 {
3155 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3156 return( ret );
3157 }
3158
3159 SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
3160
3161 return( 0 );
3162}
3163#endif /* POLARSSL_SSL_SESSION_TICKETS */
3164
3165/*
3166 * SSL handshake -- server side -- single step
3167 */
3168int ssl_handshake_server_step( ssl_context *ssl )
3169{
3170 int ret = 0;
3171
3172 if( ssl->state == SSL_HANDSHAKE_OVER )
3173 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
3174
3175 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
3176
3177 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3178 return( ret );
3179
3180 switch( ssl->state )
3181 {
3182 case SSL_HELLO_REQUEST:
3183 ssl->state = SSL_CLIENT_HELLO;
3184 break;
3185
3186 /*
3187 * <== ClientHello
3188 */
3189 case SSL_CLIENT_HELLO:
3190 ret = ssl_parse_client_hello( ssl );
3191 break;
3192
3193 /*
3194 * ==> ServerHello
3195 * Certificate
3196 * ( ServerKeyExchange )
3197 * ( CertificateRequest )
3198 * ServerHelloDone
3199 */
3200 case SSL_SERVER_HELLO:
3201 ret = ssl_write_server_hello( ssl );
3202 break;
3203
3204 case SSL_SERVER_CERTIFICATE:
3205 ret = ssl_write_certificate( ssl );
3206 break;
3207
3208 case SSL_SERVER_KEY_EXCHANGE:
3209 ret = ssl_write_server_key_exchange( ssl );
3210 break;
3211
3212 case SSL_CERTIFICATE_REQUEST:
3213 ret = ssl_write_certificate_request( ssl );
3214 break;
3215
3216 case SSL_SERVER_HELLO_DONE:
3217 ret = ssl_write_server_hello_done( ssl );
3218 break;
3219
3220 /*
3221 * <== ( Certificate/Alert )
3222 * ClientKeyExchange
3223 * ( CertificateVerify )
3224 * ChangeCipherSpec
3225 * Finished
3226 */
3227 case SSL_CLIENT_CERTIFICATE:
3228 ret = ssl_parse_certificate( ssl );
3229 break;
3230
3231 case SSL_CLIENT_KEY_EXCHANGE:
3232 ret = ssl_parse_client_key_exchange( ssl );
3233 break;
3234
3235 case SSL_CERTIFICATE_VERIFY:
3236 ret = ssl_parse_certificate_verify( ssl );
3237 break;
3238
3239 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
3240 ret = ssl_parse_change_cipher_spec( ssl );
3241 break;
3242
3243 case SSL_CLIENT_FINISHED:
3244 ret = ssl_parse_finished( ssl );
3245 break;
3246
3247 /*
3248 * ==> ( NewSessionTicket )
3249 * ChangeCipherSpec
3250 * Finished
3251 */
3252 case SSL_SERVER_CHANGE_CIPHER_SPEC:
3253#if defined(POLARSSL_SSL_SESSION_TICKETS)
3254 if( ssl->handshake->new_session_ticket != 0 )
3255 ret = ssl_write_new_session_ticket( ssl );
3256 else
3257#endif
3258 ret = ssl_write_change_cipher_spec( ssl );
3259 break;
3260
3261 case SSL_SERVER_FINISHED:
3262 ret = ssl_write_finished( ssl );
3263 break;
3264
3265 case SSL_FLUSH_BUFFERS:
3266 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3267 ssl->state = SSL_HANDSHAKE_WRAPUP;
3268 break;
3269
3270 case SSL_HANDSHAKE_WRAPUP:
3271 ssl_handshake_wrapup( ssl );
3272 break;
3273
3274 default:
3275 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3276 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
3277 }
3278
3279 return( ret );
3280}
3281#endif /* POLARSSL_SSL_SRV_C */
aes_crypt_cbc
int aes_crypt_cbc(aes_context *ctx, int mode, size_t length, unsigned char iv[16], const unsigned char *input, unsigned char *output)
AES-CBC buffer encryption/decryption Length should be a multiple of the block size (16 bytes)
AES_DECRYPT
#define AES_DECRYPT
Definition aes.h:47
AES_ENCRYPT
#define AES_ENCRYPT
Definition aes.h:46
mpi_copy
int mpi_copy(mpi *X, const mpi *Y)
Copy the contents of Y into X.
mpi_size
size_t mpi_size(const mpi *X)
Return the total size in bytes.
SSL_MAX_CONTENT_LEN
#define SSL_MAX_CONTENT_LEN
Definition config-ccm-psk-tls1_2.h:62
POLARSSL_MPI_MAX_SIZE
#define POLARSSL_MPI_MAX_SIZE
Definition config-suite-b.h:64
config.h
Configuration options (set of defines)
debug.h
Debug functions.
SSL_DEBUG_MPI
#define SSL_DEBUG_MPI(level, text, X)
Definition debug.h:70
SSL_DEBUG_ECP
#define SSL_DEBUG_ECP(level, text, X)
Definition debug.h:75
SSL_DEBUG_BUF
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition debug.h:66
SSL_DEBUG_RET
#define SSL_DEBUG_RET(level, text, ret)
Definition debug.h:63
SSL_DEBUG_MSG
#define SSL_DEBUG_MSG(level, args)
Definition debug.h:60
dhm_read_public
int dhm_read_public(dhm_context *ctx, const unsigned char *input, size_t ilen)
Import the peer's public value G^Y.
dhm_make_params
int dhm_make_params(dhm_context *ctx, int x_size, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Setup and write the ServerKeyExchange parameters.
dhm_calc_secret
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret (G^Y)^X mod P.
ecdh_make_params
int ecdh_make_params(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Generate a public key and a TLS ServerKeyExchange payload.
POLARSSL_ECDH_OURS
@ POLARSSL_ECDH_OURS
Definition ecdh.h:41
ecdh_calc_secret
int ecdh_calc_secret(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret.
ecdh_get_params
int ecdh_get_params(ecdh_context *ctx, const ecp_keypair *key, ecdh_side side)
Setup an ECDH context from an EC key.
ecdh_read_public
int ecdh_read_public(ecdh_context *ctx, const unsigned char *buf, size_t blen)
Parse and process a TLS ClientKeyExchange payload.
ecp.h
Elliptic curves over GF(p)
POLARSSL_ECP_DP_MAX
#define POLARSSL_ECP_DP_MAX
Number of supported curves (plus one for NONE).
Definition ecp.h:82
ecp_group_id
ecp_group_id
Domain parameters (curve, subgroup and generator) identifiers.
Definition ecp.h:58
POLARSSL_ECP_DP_NONE
@ POLARSSL_ECP_DP_NONE
Definition ecp.h:59
ecp_curve_info_from_tls_id
const ecp_curve_info * ecp_curve_info_from_tls_id(uint16_t tls_id)
Get curve information from a TLS NamedCurve value.
POLARSSL_ECP_PF_UNCOMPRESSED
#define POLARSSL_ECP_PF_UNCOMPRESSED
Uncompressed point format.
Definition ecp.h:233
POLARSSL_ECP_PF_COMPRESSED
#define POLARSSL_ECP_PF_COMPRESSED
Compressed point format.
Definition ecp.h:234
ecp_use_known_dp
int ecp_use_known_dp(ecp_group *grp, ecp_group_id index)
Set a group using well-known domain parameters.
_asn1_buf::len
size_t len
ASN1 length, e.g.
Definition asn1.h:127
_asn1_buf::p
unsigned char * p
ASN1 data, e.g.
Definition asn1.h:128
_x509_crt::pk
pk_context pk
Container for the public key context.
Definition x509_crt.h:75
x509_crt_init
void x509_crt_init(x509_crt *crt)
Initialize a certificate (chain)
x509_crt_parse_der
int x509_crt_parse_der(x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the chained list.
_x509_crt::version
int version
The X.509 version.
Definition x509_crt.h:62
x509_crt_free
void x509_crt_free(x509_crt *crt)
Unallocate all certificate data.
_x509_crt::raw
x509_buf raw
The raw certificate data (DER).
Definition x509_crt.h:59
_x509_crt::subject_raw
x509_buf subject_raw
The raw subject data (DER).
Definition x509_crt.h:67
_x509_crt::next
struct _x509_crt * next
Next certificate in the CA-chain.
Definition x509_crt.h:98
md5_free
void md5_free(md5_context *ctx)
Clear MD5 context.
md5_init
void md5_init(md5_context *ctx)
Initialize MD5 context.
md5_update
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
md5_finish
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
md5
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
md5_starts
void md5_starts(md5_context *ctx)
MD5 context setup.
md_starts
int md_starts(md_context_t *ctx)
Set-up the given context for a new message digest.
md_info_from_type
const md_info_t * md_info_from_type(md_type_t md_type)
Returns the message digest information associated with the given digest type.
md_init_ctx
int md_init_ctx(md_context_t *ctx, const md_info_t *md_info)
Initialises and fills the message digest context structure with the appropriate values.
md_list
const int * md_list(void)
Returns the list of digests supported by the generic digest module.
md_free
void md_free(md_context_t *ctx)
Free and clear the message-specific context of ctx.
md_finish
int md_finish(md_context_t *ctx, unsigned char *output)
Generic message digest final digest.
md_init
void md_init(md_context_t *ctx)
Initialize a md_context (as NONE)
md_update
int md_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic message digest process buffer.
md_type_t
md_type_t
Definition md.h:51
POLARSSL_MD_NONE
@ POLARSSL_MD_NONE
Definition md.h:52
POLARSSL_MD_SHA1
@ POLARSSL_MD_SHA1
Definition md.h:56
POLARSSL_MD_SHA384
@ POLARSSL_MD_SHA384
Definition md.h:59
pk_decrypt
int pk_decrypt(pk_context *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, size_t osize, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Decrypt message (including padding if relevant).
pk_sign
int pk_sign(pk_context *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, unsigned char *sig, size_t *sig_len, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Make signature, including padding if relevant.
pk_get_len
static size_t pk_get_len(const pk_context *ctx)
Get the length in bytes of the underlying key.
Definition pk.h:281
pk_verify
int pk_verify(pk_context *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len)
Verify signature (including padding if relevant).
pk_ec
#define pk_ec(pk)
Quick access to an EC context inside a PK context.
Definition pk.h:84
pk_type_t
pk_type_t
Public key types.
Definition pk.h:95
POLARSSL_PK_ECDSA
@ POLARSSL_PK_ECDSA
Definition pk.h:100
POLARSSL_PK_ECKEY
@ POLARSSL_PK_ECKEY
Definition pk.h:98
POLARSSL_PK_RSA
@ POLARSSL_PK_RSA
Definition pk.h:97
POLARSSL_PK_NONE
@ POLARSSL_PK_NONE
Definition pk.h:96
pk_can_do
int pk_can_do(pk_context *ctx, pk_type_t type)
Tell if a context can do the operation given by type.
platform.h
PolarSSL Platform abstraction layer.
sha1
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
sha1_starts
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
sha1_update
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
sha1_init
void sha1_init(sha1_context *ctx)
Initialize SHA-1 context.
sha1_finish
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
sha1_free
void sha1_free(sha1_context *ctx)
Clear SHA-1 context.
sha256_hmac
void sha256_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = HMAC-SHA-256( hmac key, input buffer )
ssl.h
SSL/TLS functions.
SSL_ALERT_MSG_UNRECOGNIZED_NAME
#define SSL_ALERT_MSG_UNRECOGNIZED_NAME
Definition ssl.h:371
TLS_EXT_SIG_ALG
#define TLS_EXT_SIG_ALG
Definition ssl.h:400
SSL_SIG_ECDSA
#define SSL_SIG_ECDSA
Definition ssl.h:326
ssl_read_record
int ssl_read_record(ssl_context *ssl)
SSL_VERIFY_NONE
#define SSL_VERIFY_NONE
Definition ssl.h:212
SSL_LEGACY_RENEGOTIATION
#define SSL_LEGACY_RENEGOTIATION
Definition ssl.h:221
SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY
#define SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY
Definition ssl.h:372
ssl_send_alert_message
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
TLS_EXT_TRUNCATED_HMAC
#define TLS_EXT_TRUNCATED_HMAC
Definition ssl.h:395
ssl_own_key
static pk_context * ssl_own_key(ssl_context *ssl)
Definition ssl.h:1770
POLARSSL_ERR_SSL_INTERNAL_ERROR
#define POLARSSL_ERR_SSL_INTERNAL_ERROR
Internal error (eg, unexpected failure in lower-level module)
Definition ssl.h:146
SSL_HS_CERTIFICATE_REQUEST
#define SSL_HS_CERTIFICATE_REQUEST
Definition ssl.h:381
POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION
#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION
Handshake protocol not within min/max boundaries.
Definition ssl.h:141
ssl_sig_from_pk
unsigned char ssl_sig_from_pk(pk_context *pk)
POLARSSL_ERR_SSL_NO_RNG
#define POLARSSL_ERR_SSL_NO_RNG
No RNG was provided to the SSL module.
Definition ssl.h:115
SSL_MAX_FRAG_LEN_NONE
#define SSL_MAX_FRAG_LEN_NONE
Definition ssl.h:199
TLS_EXT_SERVERNAME
#define TLS_EXT_SERVERNAME
Definition ssl.h:390
SSL_HASH_SHA384
#define SSL_HASH_SHA384
Definition ssl.h:321
POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
Processing of the CertificateVerify handshake message failed.
Definition ssl.h:134
POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP
Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public.
Definition ssl.h:132
SSL_CLIENT_FINISHED
@ SSL_CLIENT_FINISHED
Definition ssl.h:488
SSL_CERTIFICATE_VERIFY
@ SSL_CERTIFICATE_VERIFY
Definition ssl.h:486
SSL_CERTIFICATE_REQUEST
@ SSL_CERTIFICATE_REQUEST
Definition ssl.h:482
SSL_SERVER_CERTIFICATE
@ SSL_SERVER_CERTIFICATE
Definition ssl.h:480
SSL_HANDSHAKE_OVER
@ SSL_HANDSHAKE_OVER
Definition ssl.h:493
SSL_SERVER_CHANGE_CIPHER_SPEC
@ SSL_SERVER_CHANGE_CIPHER_SPEC
Definition ssl.h:489
SSL_SERVER_KEY_EXCHANGE
@ SSL_SERVER_KEY_EXCHANGE
Definition ssl.h:481
SSL_CLIENT_CERTIFICATE
@ SSL_CLIENT_CERTIFICATE
Definition ssl.h:484
SSL_HANDSHAKE_WRAPUP
@ SSL_HANDSHAKE_WRAPUP
Definition ssl.h:492
SSL_SERVER_FINISHED
@ SSL_SERVER_FINISHED
Definition ssl.h:490
SSL_HELLO_REQUEST
@ SSL_HELLO_REQUEST
Definition ssl.h:477
SSL_SERVER_HELLO_DONE
@ SSL_SERVER_HELLO_DONE
Definition ssl.h:483
SSL_CLIENT_HELLO
@ SSL_CLIENT_HELLO
Definition ssl.h:478
SSL_CLIENT_CHANGE_CIPHER_SPEC
@ SSL_CLIENT_CHANGE_CIPHER_SPEC
Definition ssl.h:487
SSL_CLIENT_KEY_EXCHANGE
@ SSL_CLIENT_KEY_EXCHANGE
Definition ssl.h:485
SSL_FLUSH_BUFFERS
@ SSL_FLUSH_BUFFERS
Definition ssl.h:491
SSL_SERVER_HELLO
@ SSL_SERVER_HELLO
Definition ssl.h:479
SSL_LEGACY_BREAK_HANDSHAKE
#define SSL_LEGACY_BREAK_HANDSHAKE
Definition ssl.h:232
ssl_write_record
int ssl_write_record(ssl_context *ssl)
SSL_ALERT_MSG_PROTOCOL_VERSION
#define SSL_ALERT_MSG_PROTOCOL_VERSION
Definition ssl.h:365
SSL_HS_CERTIFICATE_VERIFY
#define SSL_HS_CERTIFICATE_VERIFY
Definition ssl.h:383
ssl_md_alg_from_hash
md_type_t ssl_md_alg_from_hash(unsigned char hash)
POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition ssl.h:108
SSL_INITIAL_HANDSHAKE
#define SSL_INITIAL_HANDSHAKE
Definition ssl.h:216
SSL_SECURE_RENEGOTIATION
#define SSL_SECURE_RENEGOTIATION
Definition ssl.h:222
POLARSSL_ERR_SSL_PK_TYPE_MISMATCH
#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH
Public key type mismatch (eg, asked for RSA key exchange and presented EC key)
Definition ssl.h:144
POLARSSL_PREMASTER_SIZE
#define POLARSSL_PREMASTER_SIZE
Definition ssl.h:453
ssl_psk_derive_premaster
int ssl_psk_derive_premaster(ssl_context *ssl, key_exchange_type_t key_ex)
SSL_HS_CLIENT_KEY_EXCHANGE
#define SSL_HS_CLIENT_KEY_EXCHANGE
Definition ssl.h:384
SSL_TRUNC_HMAC_DISABLED
#define SSL_TRUNC_HMAC_DISABLED
Definition ssl.h:234
POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
Processing of the ClientKeyExchange handshake message failed.
Definition ssl.h:131
ssl_handshake_server_step
int ssl_handshake_server_step(ssl_context *ssl)
ssl_write_certificate
int ssl_write_certificate(ssl_context *ssl)
TLS_EXT_ALPN
#define TLS_EXT_ALPN
Definition ssl.h:402
SSL_MINOR_VERSION_0
#define SSL_MINOR_VERSION_0
Definition ssl.h:154
TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
#define TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
Definition ssl.h:397
ssl_session_free
void ssl_session_free(ssl_session *session)
Free referenced items in an SSL session including the peer certificate and clear memory.
ssl_check_cert_usage
int ssl_check_cert_usage(const x509_crt *cert, const ssl_ciphersuite_t *ciphersuite, int cert_endpoint)
SSL_HS_CLIENT_HELLO
#define SSL_HS_CLIENT_HELLO
Definition ssl.h:376
SSL_HS_SERVER_HELLO_DONE
#define SSL_HS_SERVER_HELLO_DONE
Definition ssl.h:382
POLARSSL_ERR_SSL_UNKNOWN_IDENTITY
#define POLARSSL_ERR_SSL_UNKNOWN_IDENTITY
Unknown identity received (eg, PSK identity)
Definition ssl.h:145
ssl_derive_keys
int ssl_derive_keys(ssl_context *ssl)
SSL_SESSION_TICKETS_DISABLED
#define SSL_SESSION_TICKETS_DISABLED
Definition ssl.h:238
SSL_EMPTY_RENEGOTIATION_INFO
#define SSL_EMPTY_RENEGOTIATION_INFO
renegotiation info ext
Definition ssl.h:310
SSL_CERT_TYPE_RSA_SIGN
#define SSL_CERT_TYPE_RSA_SIGN
Definition ssl.h:332
SSL_LEGACY_NO_RENEGOTIATION
#define SSL_LEGACY_NO_RENEGOTIATION
Definition ssl.h:230
SSL_HS_NEW_SESSION_TICKET
#define SSL_HS_NEW_SESSION_TICKET
Definition ssl.h:378
TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT
#define TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT
Definition ssl.h:413
ssl_write_change_cipher_spec
int ssl_write_change_cipher_spec(ssl_context *ssl)
POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED
#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED
The own private key or pre-shared key is not set, but needed.
Definition ssl.h:119
SSL_MINOR_VERSION_3
#define SSL_MINOR_VERSION_3
Definition ssl.h:157
ssl_optimize_checksum
void ssl_optimize_checksum(ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info)
ssl_write_finished
int ssl_write_finished(ssl_context *ssl)
SSL_ALERT_LEVEL_FATAL
#define SSL_ALERT_LEVEL_FATAL
Definition ssl.h:344
ssl_pk_alg_from_sig
pk_type_t ssl_pk_alg_from_sig(unsigned char sig)
SSL_MAJOR_VERSION_3
#define SSL_MAJOR_VERSION_3
Definition ssl.h:153
ssl_handshake_wrapup
void ssl_handshake_wrapup(ssl_context *ssl)
SSL_TRUNC_HMAC_ENABLED
#define SSL_TRUNC_HMAC_ENABLED
Definition ssl.h:235
SSL_IS_SERVER
#define SSL_IS_SERVER
Definition ssl.h:207
TLS_EXT_SERVERNAME_HOSTNAME
#define TLS_EXT_SERVERNAME_HOSTNAME
Definition ssl.h:391
POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN
#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN
The server has no ciphersuites in common with the client.
Definition ssl.h:114
POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO
Processing of the ClientHello handshake message failed.
Definition ssl.h:125
SSL_RENEGOTIATION
#define SSL_RENEGOTIATION
Definition ssl.h:217
SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL
#define SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL
Definition ssl.h:373
POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS
Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret.
Definition ssl.h:133
TLS_EXT_MAX_FRAGMENT_LENGTH
#define TLS_EXT_MAX_FRAGMENT_LENGTH
Definition ssl.h:393
ssl_parse_certificate
int ssl_parse_certificate(ssl_context *ssl)
SSL_HS_SERVER_HELLO
#define SSL_HS_SERVER_HELLO
Definition ssl.h:377
ssl_parse_finished
int ssl_parse_finished(ssl_context *ssl)
SSL_HASH_SHA256
#define SSL_HASH_SHA256
Definition ssl.h:320
ssl_flush_output
int ssl_flush_output(ssl_context *ssl)
SSL_CERT_TYPE_ECDSA_SIGN
#define SSL_CERT_TYPE_ECDSA_SIGN
Definition ssl.h:333
ssl_get_ciphersuite_name
const char * ssl_get_ciphersuite_name(const int ciphersuite_id)
Return the name of the ciphersuite associated with the given ID.
SSL_HS_SERVER_KEY_EXCHANGE
#define SSL_HS_SERVER_KEY_EXCHANGE
Definition ssl.h:380
ssl_session
struct _ssl_session ssl_session
Definition ssl.h:498
ssl_parse_change_cipher_spec
int ssl_parse_change_cipher_spec(ssl_context *ssl)
SSL_SIG_RSA
#define SSL_SIG_RSA
Definition ssl.h:325
POLARSSL_ERR_SSL_INVALID_MAC
#define POLARSSL_ERR_SSL_INVALID_MAC
Verification of the message MAC failed.
Definition ssl.h:110
SSL_MAX_FRAG_LEN_INVALID
#define SSL_MAX_FRAG_LEN_INVALID
Definition ssl.h:204
TLS_EXT_RENEGOTIATION_INFO
#define TLS_EXT_RENEGOTIATION_INFO
Definition ssl.h:406
SSL_COMPRESS_NULL
#define SSL_COMPRESS_NULL
Definition ssl.h:209
POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE
#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE
Our own certificate(s) is/are too large to send in an SSL message.
Definition ssl.h:117
POLARSSL_ERR_SSL_BAD_INPUT_DATA
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition ssl.h:109
SSL_MSG_HANDSHAKE
#define SSL_MSG_HANDSHAKE
Definition ssl.h:340
ssl_send_fatal_handshake_failure
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
SSL_COMPRESS_DEFLATE
#define SSL_COMPRESS_DEFLATE
Definition ssl.h:210
TLS_EXT_SESSION_TICKET
#define TLS_EXT_SESSION_TICKET
Definition ssl.h:404
POLARSSL_ERR_SSL_MALLOC_FAILED
#define POLARSSL_ERR_SSL_MALLOC_FAILED
Memory allocation failed.
Definition ssl.h:137
TLS_EXT_SUPPORTED_POINT_FORMATS
#define TLS_EXT_SUPPORTED_POINT_FORMATS
Definition ssl.h:398
ssl_fetch_input
int ssl_fetch_input(ssl_context *ssl, size_t nb_want)
safer_memcmp
static int safer_memcmp(const void *a, const void *b, size_t n)
Definition ssl.h:1797
POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED
#define POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED
Session ticket has expired.
Definition ssl.h:143
ssl_ciphersuite_uses_ec
int ssl_ciphersuite_uses_ec(const ssl_ciphersuite_t *info)
ssl_get_ciphersuite_sig_pk_alg
pk_type_t ssl_get_ciphersuite_sig_pk_alg(const ssl_ciphersuite_t *info)
ssl_ciphersuite_uses_psk
int ssl_ciphersuite_uses_psk(const ssl_ciphersuite_t *info)
ssl_ciphersuite_from_id
const ssl_ciphersuite_t * ssl_ciphersuite_from_id(int ciphersuite_id)
POLARSSL_KEY_EXCHANGE_DHE_RSA
@ POLARSSL_KEY_EXCHANGE_DHE_RSA
Definition ssl_ciphersuites.h:240
POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA
@ POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA
Definition ssl_ciphersuites.h:242
POLARSSL_KEY_EXCHANGE_PSK
@ POLARSSL_KEY_EXCHANGE_PSK
Definition ssl_ciphersuites.h:243
POLARSSL_KEY_EXCHANGE_DHE_PSK
@ POLARSSL_KEY_EXCHANGE_DHE_PSK
Definition ssl_ciphersuites.h:244
POLARSSL_KEY_EXCHANGE_ECDHE_RSA
@ POLARSSL_KEY_EXCHANGE_ECDHE_RSA
Definition ssl_ciphersuites.h:241
POLARSSL_KEY_EXCHANGE_ECDHE_PSK
@ POLARSSL_KEY_EXCHANGE_ECDHE_PSK
Definition ssl_ciphersuites.h:246
POLARSSL_KEY_EXCHANGE_RSA_PSK
@ POLARSSL_KEY_EXCHANGE_RSA_PSK
Definition ssl_ciphersuites.h:245
POLARSSL_KEY_EXCHANGE_RSA
@ POLARSSL_KEY_EXCHANGE_RSA
Definition ssl_ciphersuites.h:239
POLARSSL_KEY_EXCHANGE_ECDH_RSA
@ POLARSSL_KEY_EXCHANGE_ECDH_RSA
Definition ssl_ciphersuites.h:247
POLARSSL_KEY_EXCHANGE_ECDH_ECDSA
@ POLARSSL_KEY_EXCHANGE_ECDH_ECDSA
Definition ssl_ciphersuites.h:248
_ssl_ciphersuite_t
This structure is used for storing ciphersuite information.
Definition ssl_ciphersuites.h:261
_ssl_ciphersuite_t::max_minor_ver
int max_minor_ver
Definition ssl_ciphersuites.h:272
_ssl_ciphersuite_t::key_exchange
key_exchange_type_t key_exchange
Definition ssl_ciphersuites.h:267
_ssl_ciphersuite_t::mac
md_type_t mac
Definition ssl_ciphersuites.h:266
_ssl_ciphersuite_t::min_minor_ver
int min_minor_ver
Definition ssl_ciphersuites.h:270
_ssl_context
Definition ssl.h:684
_ssl_context::f_psk
int(* f_psk)(void *, ssl_context *, const unsigned char *, size_t)
Definition ssl.h:729
_ssl_context::in_hdr
unsigned char * in_hdr
Definition ssl.h:756
_ssl_context::handshake
ssl_handshake_params * handshake
Definition ssl.h:741
_ssl_context::alpn_list
const char ** alpn_list
Definition ssl.h:855
_ssl_context::minor_ver
int minor_ver
Definition ssl.h:693
_ssl_context::ciphersuite_list
const int * ciphersuite_list[4]
Definition ssl.h:816
_ssl_context::f_get_cache
int(* f_get_cache)(void *, ssl_session *)
Definition ssl.h:707
_ssl_context::allow_legacy_renegotiation
int allow_legacy_renegotiation
Definition ssl.h:814
_ssl_context::p_rng
void * p_rng
Definition ssl.h:710
_ssl_context::p_sni
void * p_sni
Definition ssl.h:720
_ssl_context::ticket_keys
ssl_ticket_keys * ticket_keys
Definition ssl.h:803
_ssl_context::authmode
int authmode
Definition ssl.h:810
_ssl_context::state
int state
Definition ssl.h:688
_ssl_context::out_ctr
unsigned char * out_ctr
Definition ssl.h:772
_ssl_context::out_msg
unsigned char * out_msg
Definition ssl.h:775
_ssl_context::f_rng
int(* f_rng)(void *, unsigned char *, size_t)
Definition ssl.h:703
_ssl_context::ca_chain
x509_crt * ca_chain
Definition ssl.h:794
_ssl_context::psk
unsigned char * psk
Definition ssl.h:837
_ssl_context::dhm_G
mpi dhm_G
Definition ssl.h:830
_ssl_context::p_get_cache
void * p_get_cache
Definition ssl.h:714
_ssl_context::major_ver
int major_ver
Definition ssl.h:692
_ssl_context::transform_negotiate
ssl_transform * transform_negotiate
Definition ssl.h:750
_ssl_context::session_tickets
int session_tickets
Definition ssl.h:824
_ssl_context::in_msglen
size_t in_msglen
Definition ssl.h:762
_ssl_context::psk_identity_len
size_t psk_identity_len
Definition ssl.h:840
_ssl_context::renegotiation
int renegotiation
Definition ssl.h:689
_ssl_context::psk_identity
unsigned char * psk_identity
Definition ssl.h:839
_ssl_context::min_minor_ver
int min_minor_ver
Definition ssl.h:698
_ssl_context::ticket_lifetime
int ticket_lifetime
Definition ssl.h:825
_ssl_context::verify_data_len
size_t verify_data_len
Definition ssl.h:864
_ssl_context::max_major_ver
int max_major_ver
Definition ssl.h:695
_ssl_context::alpn_chosen
const char * alpn_chosen
Definition ssl.h:856
_ssl_context::f_sni
int(* f_sni)(void *, ssl_context *, const unsigned char *, size_t)
Definition ssl.h:719
_ssl_context::in_hslen
size_t in_hslen
Definition ssl.h:765
_ssl_context::min_major_ver
int min_major_ver
Definition ssl.h:697
_ssl_context::in_left
size_t in_left
Definition ssl.h:763
_ssl_context::psk_len
size_t psk_len
Definition ssl.h:838
_ssl_context::in_msgtype
int in_msgtype
Definition ssl.h:761
_ssl_context::session_negotiate
ssl_session * session_negotiate
Definition ssl.h:739
_ssl_context::own_verify_data
char own_verify_data[36]
Definition ssl.h:865
_ssl_context::out_msgtype
int out_msgtype
Definition ssl.h:777
_ssl_context::secure_renegotiation
int secure_renegotiation
Definition ssl.h:862
_ssl_context::max_minor_ver
int max_minor_ver
Definition ssl.h:696
_ssl_context::dhm_P
mpi dhm_P
Definition ssl.h:829
_ssl_context::out_msglen
size_t out_msglen
Definition ssl.h:778
_ssl_context::peer_verify_data
char peer_verify_data[36]
Definition ssl.h:866
_ssl_context::in_msg
unsigned char * in_msg
Definition ssl.h:758
_ssl_context::p_psk
void * p_psk
Definition ssl.h:730
_ssl_context::key_cert
ssl_key_cert * key_cert
Definition ssl.h:792
_ssl_handshake_params::dhm_ctx
dhm_context dhm_ctx
Definition ssl.h:596
_ssl_handshake_params::cli_exts
int cli_exts
Definition ssl.h:650
_ssl_handshake_params::sni_key_cert
ssl_key_cert * sni_key_cert
Definition ssl.h:613
_ssl_handshake_params::curves
const ecp_curve_info ** curves
Definition ssl.h:602
_ssl_handshake_params::calc_verify
void(* calc_verify)(ssl_context *, unsigned char *)
Definition ssl.h:635
_ssl_handshake_params::pmslen
size_t pmslen
Definition ssl.h:641
_ssl_handshake_params::max_minor_ver
int max_minor_ver
Definition ssl.h:649
_ssl_handshake_params::sig_alg
int sig_alg
Definition ssl.h:592
_ssl_handshake_params::resume
int resume
Definition ssl.h:647
_ssl_handshake_params::update_checksum
void(* update_checksum)(ssl_context *, const unsigned char *, size_t)
Definition ssl.h:634
_ssl_handshake_params::ecdh_ctx
ecdh_context ecdh_ctx
Definition ssl.h:599
_ssl_handshake_params::max_major_ver
int max_major_ver
Definition ssl.h:648
_ssl_handshake_params::premaster
unsigned char premaster[POLARSSL_PREMASTER_SIZE]
Definition ssl.h:644
_ssl_handshake_params::new_session_ticket
int new_session_ticket
Definition ssl.h:653
_ssl_handshake_params::randbytes
unsigned char randbytes[64]
Definition ssl.h:643
_ssl_handshake_params::verify_sig_alg
int verify_sig_alg
Definition ssl.h:594
_ssl_handshake_params::key_cert
ssl_key_cert * key_cert
Current key/cert or key/cert list.
Definition ssl.h:611
_ssl_key_cert
Definition ssl.h:675
_ssl_key_cert::key
pk_context * key
Definition ssl.h:677
_ssl_key_cert::cert
x509_crt * cert
Definition ssl.h:676
_ssl_key_cert::next
ssl_key_cert * next
Definition ssl.h:679
_ssl_session
Definition ssl.h:513
_ssl_session::mfl_code
unsigned char mfl_code
Definition ssl.h:535
_ssl_session::id
unsigned char id[32]
Definition ssl.h:520
_ssl_session::ciphersuite
int ciphersuite
Definition ssl.h:517
_ssl_session::length
size_t length
Definition ssl.h:519
_ssl_session::compression
int compression
Definition ssl.h:518
_ssl_session::trunc_hmac
int trunc_hmac
Definition ssl.h:539
_ssl_session::peer_cert
x509_crt * peer_cert
Definition ssl.h:524
_ssl_session::start
time_t start
Definition ssl.h:515
_ssl_ticket_keys::enc
aes_context enc
Definition ssl.h:664
_ssl_ticket_keys::dec
aes_context dec
Definition ssl.h:665
_ssl_ticket_keys::key_name
unsigned char key_name[16]
Definition ssl.h:663
_ssl_ticket_keys::mac_key
unsigned char mac_key[16]
Definition ssl.h:666
_ssl_transform::ciphersuite_info
const ssl_ciphersuite_t * ciphersuite_info
Definition ssl.h:552
_x509_crt
Container for an X.509 certificate.
Definition x509_crt.h:58
dhm_context::G
mpi G
Definition dhm.h:160
dhm_context::GX
mpi GX
Definition dhm.h:162
dhm_context::GY
mpi GY
Definition dhm.h:163
dhm_context::K
mpi K
Definition dhm.h:164
dhm_context::X
mpi X
Definition dhm.h:161
dhm_context::P
mpi P
Definition dhm.h:159
ecdh_context::point_format
int point_format
Definition ecdh.h:55
ecdh_context::Q
ecp_point Q
Definition ecdh.h:52
ecdh_context::grp
ecp_group grp
Definition ecdh.h:50
ecdh_context::z
mpi z
Definition ecdh.h:54
ecdh_context::Qp
ecp_point Qp
Definition ecdh.h:53
ecp_curve_info
Curve information for use by other modules.
Definition ecp.h:88
md5_context
MD5 context structure.
Definition md5.h:59
md_context_t
Generic message digest context.
Definition md.h:132
md_info_t
Message digest information.
Definition md.h:74
pk_context
Public key container.
Definition pk.h:195
sha1_context
SHA-1 context structure.
Definition sha1.h:59
polarssl_malloc
#define polarssl_malloc
Definition test_suite_aes.cfb.c:20
polarssl_free
#define polarssl_free
Definition test_suite_aes.cfb.c:21
Generated on Tue Feb 18 2025 20:02:19 for PolarSSL v1.3.9 by doxygen 1.12.0