PolarSSL v1.3.9
ssl_cli.c
Go to the documentation of this file.
1/*
2 * SSLv3/TLSv1 client-side functions
3 *
4 * Copyright (C) 2006-2014, Brainspark B.V.
5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
26#if !defined(POLARSSL_CONFIG_FILE)
27#include "polarssl/config.h"
28#else
29#include POLARSSL_CONFIG_FILE
30#endif
31
32#if defined(POLARSSL_SSL_CLI_C)
33
34#include "polarssl/debug.h"
35#include "polarssl/ssl.h"
36
37#if defined(POLARSSL_PLATFORM_C)
38#include "polarssl/platform.h"
39#else
40#define polarssl_malloc malloc
41#define polarssl_free free
42#endif
43
44#include <stdlib.h>
45#include <stdio.h>
46
47#if defined(_MSC_VER) && !defined(EFIX64) && !defined(EFI32)
48#include <basetsd.h>
49typedef UINT32 uint32_t;
50#else
51#include <inttypes.h>
52#endif
53
54#if defined(POLARSSL_HAVE_TIME)
55#include <time.h>
56#endif
57
58#if defined(POLARSSL_SSL_SESSION_TICKETS)
59/* Implementation that should never be optimized out by the compiler */
60static void polarssl_zeroize( void *v, size_t n ) {
61 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
62}
63#endif
64
65#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
66static void ssl_write_hostname_ext( ssl_context *ssl,
67 unsigned char *buf,
68 size_t *olen )
69{
70 unsigned char *p = buf;
71
72 *olen = 0;
73
74 if( ssl->hostname == NULL )
75 return;
76
77 SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
78 ssl->hostname ) );
79
80 /*
81 * struct {
82 * NameType name_type;
83 * select (name_type) {
84 * case host_name: HostName;
85 * } name;
86 * } ServerName;
87 *
88 * enum {
89 * host_name(0), (255)
90 * } NameType;
91 *
92 * opaque HostName<1..2^16-1>;
93 *
94 * struct {
95 * ServerName server_name_list<1..2^16-1>
96 * } ServerNameList;
97 */
98 *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
99 *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME ) & 0xFF );
100
101 *p++ = (unsigned char)( ( (ssl->hostname_len + 5) >> 8 ) & 0xFF );
102 *p++ = (unsigned char)( ( (ssl->hostname_len + 5) ) & 0xFF );
103
104 *p++ = (unsigned char)( ( (ssl->hostname_len + 3) >> 8 ) & 0xFF );
105 *p++ = (unsigned char)( ( (ssl->hostname_len + 3) ) & 0xFF );
106
107 *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
108 *p++ = (unsigned char)( ( ssl->hostname_len >> 8 ) & 0xFF );
109 *p++ = (unsigned char)( ( ssl->hostname_len ) & 0xFF );
110
111 memcpy( p, ssl->hostname, ssl->hostname_len );
112
113 *olen = ssl->hostname_len + 9;
114}
115#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
116
117static void ssl_write_renegotiation_ext( ssl_context *ssl,
118 unsigned char *buf,
119 size_t *olen )
120{
121 unsigned char *p = buf;
122
123 *olen = 0;
124
125 if( ssl->renegotiation != SSL_RENEGOTIATION )
126 return;
127
128 SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
129
130 /*
131 * Secure renegotiation
132 */
133 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
134 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
135
136 *p++ = 0x00;
137 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
138 *p++ = ssl->verify_data_len & 0xFF;
139
140 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
141
142 *olen = 5 + ssl->verify_data_len;
143}
144
145#if defined(POLARSSL_SSL_PROTO_TLS1_2)
146static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
147 unsigned char *buf,
148 size_t *olen )
149{
150 unsigned char *p = buf;
151 size_t sig_alg_len = 0;
152#if defined(POLARSSL_RSA_C) || defined(POLARSSL_ECDSA_C)
153 unsigned char *sig_alg_list = buf + 6;
154#endif
155
156 *olen = 0;
157
158 if( ssl->max_minor_ver != SSL_MINOR_VERSION_3 )
159 return;
160
161 SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
162
163 /*
164 * Prepare signature_algorithms extension (TLS 1.2)
165 */
166#if defined(POLARSSL_RSA_C)
167#if defined(POLARSSL_SHA512_C)
168 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
169 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
170 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
171 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
172#endif
173#if defined(POLARSSL_SHA256_C)
174 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
175 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
176 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
177 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
178#endif
179#if defined(POLARSSL_SHA1_C)
180 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
181 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
182#endif
183#if defined(POLARSSL_MD5_C)
184 sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
185 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
186#endif
187#endif /* POLARSSL_RSA_C */
188#if defined(POLARSSL_ECDSA_C)
189#if defined(POLARSSL_SHA512_C)
190 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
191 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
192 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
193 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
194#endif
195#if defined(POLARSSL_SHA256_C)
196 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
197 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
198 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
199 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
200#endif
201#if defined(POLARSSL_SHA1_C)
202 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
203 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
204#endif
205#if defined(POLARSSL_MD5_C)
206 sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
207 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
208#endif
209#endif /* POLARSSL_ECDSA_C */
210
211 /*
212 * enum {
213 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
214 * sha512(6), (255)
215 * } HashAlgorithm;
216 *
217 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
218 * SignatureAlgorithm;
219 *
220 * struct {
221 * HashAlgorithm hash;
222 * SignatureAlgorithm signature;
223 * } SignatureAndHashAlgorithm;
224 *
225 * SignatureAndHashAlgorithm
226 * supported_signature_algorithms<2..2^16-2>;
227 */
228 *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
229 *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG ) & 0xFF );
230
231 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
232 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
233
234 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
235 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
236
237 *olen = 6 + sig_alg_len;
238}
239#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
240
241#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
242static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
243 unsigned char *buf,
244 size_t *olen )
245{
246 unsigned char *p = buf;
247 unsigned char *elliptic_curve_list = p + 6;
248 size_t elliptic_curve_len = 0;
249 const ecp_curve_info *info;
250#if defined(POLARSSL_SSL_SET_CURVES)
251 const ecp_group_id *grp_id;
252#else
253 ((void) ssl);
254#endif
255
256 *olen = 0;
257
258 SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
259
260#if defined(POLARSSL_SSL_SET_CURVES)
261 for( grp_id = ssl->curve_list; *grp_id != POLARSSL_ECP_DP_NONE; grp_id++ )
262 {
263 info = ecp_curve_info_from_grp_id( *grp_id );
264#else
265 for( info = ecp_curve_list(); info->grp_id != POLARSSL_ECP_DP_NONE; info++ )
266 {
267#endif
268
269 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
270 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
271 }
272
273 if( elliptic_curve_len == 0 )
274 return;
275
276 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
277 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
278
279 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
280 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
281
282 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
283 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
284
285 *olen = 6 + elliptic_curve_len;
286}
287
288static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
289 unsigned char *buf,
290 size_t *olen )
291{
292 unsigned char *p = buf;
293 ((void) ssl);
294
295 *olen = 0;
296
297 SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
298
299 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
300 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
301
302 *p++ = 0x00;
303 *p++ = 2;
304
305 *p++ = 1;
306 *p++ = POLARSSL_ECP_PF_UNCOMPRESSED;
307
308 *olen = 6;
309}
310#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
311
312#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
313static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
314 unsigned char *buf,
315 size_t *olen )
316{
317 unsigned char *p = buf;
318
319 if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ) {
320 *olen = 0;
321 return;
322 }
323
324 SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
325
326 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
327 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
328
329 *p++ = 0x00;
330 *p++ = 1;
331
332 *p++ = ssl->mfl_code;
333
334 *olen = 5;
335}
336#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
337
338#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
339static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
340 unsigned char *buf, size_t *olen )
341{
342 unsigned char *p = buf;
343
344 if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
345 {
346 *olen = 0;
347 return;
348 }
349
350 SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
351
352 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
353 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
354
355 *p++ = 0x00;
356 *p++ = 0x00;
357
358 *olen = 4;
359}
360#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
361
362#if defined(POLARSSL_SSL_SESSION_TICKETS)
363static void ssl_write_session_ticket_ext( ssl_context *ssl,
364 unsigned char *buf, size_t *olen )
365{
366 unsigned char *p = buf;
367 size_t tlen = ssl->session_negotiate->ticket_len;
368
369 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
370 {
371 *olen = 0;
372 return;
373 }
374
375 SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
376
377 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
378 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
379
380 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
381 *p++ = (unsigned char)( ( tlen ) & 0xFF );
382
383 *olen = 4;
384
385 if( ssl->session_negotiate->ticket == NULL ||
386 ssl->session_negotiate->ticket_len == 0 )
387 {
388 return;
389 }
390
391 SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
392
393 memcpy( p, ssl->session_negotiate->ticket, tlen );
394
395 *olen += tlen;
396}
397#endif /* POLARSSL_SSL_SESSION_TICKETS */
398
399#if defined(POLARSSL_SSL_ALPN)
400static void ssl_write_alpn_ext( ssl_context *ssl,
401 unsigned char *buf, size_t *olen )
402{
403 unsigned char *p = buf;
404 const char **cur;
405
406 if( ssl->alpn_list == NULL )
407 {
408 *olen = 0;
409 return;
410 }
411
412 SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
413
414 *p++ = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF );
415 *p++ = (unsigned char)( ( TLS_EXT_ALPN ) & 0xFF );
416
417 /*
418 * opaque ProtocolName<1..2^8-1>;
419 *
420 * struct {
421 * ProtocolName protocol_name_list<2..2^16-1>
422 * } ProtocolNameList;
423 */
424
425 /* Skip writing extension and list length for now */
426 p += 4;
427
428 for( cur = ssl->alpn_list; *cur != NULL; cur++ )
429 {
430 *p = (unsigned char)( strlen( *cur ) & 0xFF );
431 memcpy( p + 1, *cur, *p );
432 p += 1 + *p;
433 }
434
435 *olen = p - buf;
436
437 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
438 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
439 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
440
441 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
442 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
443 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
444}
445#endif /* POLARSSL_SSL_ALPN */
446
447static int ssl_write_client_hello( ssl_context *ssl )
448{
449 int ret;
450 size_t i, n, olen, ext_len = 0;
451 unsigned char *buf;
452 unsigned char *p, *q;
453#if defined(POLARSSL_HAVE_TIME)
454 time_t t;
455#endif
456 const int *ciphersuites;
457 const ssl_ciphersuite_t *ciphersuite_info;
458
459 SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
460
461 if( ssl->f_rng == NULL )
462 {
463 SSL_DEBUG_MSG( 1, ( "no RNG provided") );
464 return( POLARSSL_ERR_SSL_NO_RNG );
465 }
466
467 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
468 {
469 ssl->major_ver = ssl->min_major_ver;
470 ssl->minor_ver = ssl->min_minor_ver;
471 }
472
473 if( ssl->max_major_ver == 0 && ssl->max_minor_ver == 0 )
474 {
475 ssl->max_major_ver = SSL_MAX_MAJOR_VERSION;
476 ssl->max_minor_ver = SSL_MAX_MINOR_VERSION;
477 }
478
479 /*
480 * 0 . 0 handshake type
481 * 1 . 3 handshake length
482 * 4 . 5 highest version supported
483 * 6 . 9 current UNIX time
484 * 10 . 37 random bytes
485 */
486 buf = ssl->out_msg;
487 p = buf + 4;
488
489 *p++ = (unsigned char) ssl->max_major_ver;
490 *p++ = (unsigned char) ssl->max_minor_ver;
491
492 SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
493 buf[4], buf[5] ) );
494
495#if defined(POLARSSL_HAVE_TIME)
496 t = time( NULL );
497 *p++ = (unsigned char)( t >> 24 );
498 *p++ = (unsigned char)( t >> 16 );
499 *p++ = (unsigned char)( t >> 8 );
500 *p++ = (unsigned char)( t );
501
502 SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
503#else
504 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
505 return( ret );
506
507 p += 4;
508#endif /* POLARSSL_HAVE_TIME */
509
510 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
511 return( ret );
512
513 p += 28;
514
515 memcpy( ssl->handshake->randbytes, buf + 6, 32 );
516
517 SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 6, 32 );
518
519 /*
520 * 38 . 38 session id length
521 * 39 . 39+n session id
522 * 40+n . 41+n ciphersuitelist length
523 * 42+n . .. ciphersuitelist
524 * .. . .. compression methods length
525 * .. . .. compression methods
526 * .. . .. extensions length
527 * .. . .. extensions
528 */
529 n = ssl->session_negotiate->length;
530
531 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE || n < 16 || n > 32 ||
532 ssl->handshake->resume == 0 )
533 {
534 n = 0;
535 }
536
537#if defined(POLARSSL_SSL_SESSION_TICKETS)
538 /*
539 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
540 * generate and include a Session ID in the TLS ClientHello."
541 */
542 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
543 ssl->session_negotiate->ticket != NULL &&
544 ssl->session_negotiate->ticket_len != 0 )
545 {
546 ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );
547
548 if( ret != 0 )
549 return( ret );
550
551 ssl->session_negotiate->length = n = 32;
552 }
553#endif /* POLARSSL_SSL_SESSION_TICKETS */
554
555 *p++ = (unsigned char) n;
556
557 for( i = 0; i < n; i++ )
558 *p++ = ssl->session_negotiate->id[i];
559
560 SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
561 SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
562
563 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
564 n = 0;
565 q = p;
566
567 // Skip writing ciphersuite length for now
568 p += 2;
569
570 /*
571 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
572 */
573 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
574 {
575 *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
576 *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO );
577 n++;
578 }
579
580 for( i = 0; ciphersuites[i] != 0; i++ )
581 {
582 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
583
584 if( ciphersuite_info == NULL )
585 continue;
586
587 if( ciphersuite_info->min_minor_ver > ssl->max_minor_ver ||
588 ciphersuite_info->max_minor_ver < ssl->min_minor_ver )
589 continue;
590
591 SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
592 ciphersuites[i] ) );
593
594 n++;
595 *p++ = (unsigned char)( ciphersuites[i] >> 8 );
596 *p++ = (unsigned char)( ciphersuites[i] );
597 }
598
599 *q++ = (unsigned char)( n >> 7 );
600 *q++ = (unsigned char)( n << 1 );
601
602 SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
603
604
605#if defined(POLARSSL_ZLIB_SUPPORT)
606 SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
607 SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
608 SSL_COMPRESS_DEFLATE, SSL_COMPRESS_NULL ) );
609
610 *p++ = 2;
611 *p++ = SSL_COMPRESS_DEFLATE;
612 *p++ = SSL_COMPRESS_NULL;
613#else
614 SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
615 SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", SSL_COMPRESS_NULL ) );
616
617 *p++ = 1;
618 *p++ = SSL_COMPRESS_NULL;
619#endif /* POLARSSL_ZLIB_SUPPORT */
620
621 // First write extensions, then the total length
622 //
623#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
624 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
625 ext_len += olen;
626#endif
627
628 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
629 ext_len += olen;
630
631#if defined(POLARSSL_SSL_PROTO_TLS1_2)
632 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
633 ext_len += olen;
634#endif
635
636#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
637 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
638 ext_len += olen;
639
640 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
641 ext_len += olen;
642#endif
643
644#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
645 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
646 ext_len += olen;
647#endif
648
649#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
650 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
651 ext_len += olen;
652#endif
653
654#if defined(POLARSSL_SSL_SESSION_TICKETS)
655 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
656 ext_len += olen;
657#endif
658
659#if defined(POLARSSL_SSL_ALPN)
660 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
661 ext_len += olen;
662#endif
663
664 SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
665 ext_len ) );
666
667 if( ext_len > 0 )
668 {
669 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
670 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
671 p += ext_len;
672 }
673
674 ssl->out_msglen = p - buf;
675 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
676 ssl->out_msg[0] = SSL_HS_CLIENT_HELLO;
677
678 ssl->state++;
679
680 if( ( ret = ssl_write_record( ssl ) ) != 0 )
681 {
682 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
683 return( ret );
684 }
685
686 SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
687
688 return( 0 );
689}
690
691static int ssl_parse_renegotiation_info( ssl_context *ssl,
692 const unsigned char *buf,
693 size_t len )
694{
695 int ret;
696
697 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
698 {
699 if( len != 1 || buf[0] != 0x0 )
700 {
701 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
702
703 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
704 return( ret );
705
706 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
707 }
708
709 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
710 }
711 else
712 {
713 /* Check verify-data in constant-time. The length OTOH is no secret */
714 if( len != 1 + ssl->verify_data_len * 2 ||
715 buf[0] != ssl->verify_data_len * 2 ||
716 safer_memcmp( buf + 1,
717 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
718 safer_memcmp( buf + 1 + ssl->verify_data_len,
719 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
720 {
721 SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
722
723 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
724 return( ret );
725
726 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
727 }
728 }
729
730 return( 0 );
731}
732
733#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
734static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
735 const unsigned char *buf,
736 size_t len )
737{
738 /*
739 * server should use the extension only if we did,
740 * and if so the server's value should match ours (and len is always 1)
741 */
742 if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ||
743 len != 1 ||
744 buf[0] != ssl->mfl_code )
745 {
746 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
747 }
748
749 return( 0 );
750}
751#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
752
753#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
754static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
755 const unsigned char *buf,
756 size_t len )
757{
758 if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED ||
759 len != 0 )
760 {
761 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
762 }
763
764 ((void) buf);
765
766 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
767
768 return( 0 );
769}
770#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
771
772#if defined(POLARSSL_SSL_SESSION_TICKETS)
773static int ssl_parse_session_ticket_ext( ssl_context *ssl,
774 const unsigned char *buf,
775 size_t len )
776{
777 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED ||
778 len != 0 )
779 {
780 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
781 }
782
783 ((void) buf);
784
785 ssl->handshake->new_session_ticket = 1;
786
787 return( 0 );
788}
789#endif /* POLARSSL_SSL_SESSION_TICKETS */
790
791#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
792static int ssl_parse_supported_point_formats_ext( ssl_context *ssl,
793 const unsigned char *buf,
794 size_t len )
795{
796 size_t list_size;
797 const unsigned char *p;
798
799 list_size = buf[0];
800 if( list_size + 1 != len )
801 {
802 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
803 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
804 }
805
806 p = buf + 1;
807 while( list_size > 0 )
808 {
809 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
810 p[0] == POLARSSL_ECP_PF_COMPRESSED )
811 {
812 ssl->handshake->ecdh_ctx.point_format = p[0];
813 SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
814 return( 0 );
815 }
816
817 list_size--;
818 p++;
819 }
820
821 SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
822 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
823}
824#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
825
826#if defined(POLARSSL_SSL_ALPN)
827static int ssl_parse_alpn_ext( ssl_context *ssl,
828 const unsigned char *buf, size_t len )
829{
830 size_t list_len, name_len;
831 const char **p;
832
833 /* If we didn't send it, the server shouldn't send it */
834 if( ssl->alpn_list == NULL )
835 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
836
837 /*
838 * opaque ProtocolName<1..2^8-1>;
839 *
840 * struct {
841 * ProtocolName protocol_name_list<2..2^16-1>
842 * } ProtocolNameList;
843 *
844 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
845 */
846
847 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
848 if( len < 4 )
849 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
850
851 list_len = ( buf[0] << 8 ) | buf[1];
852 if( list_len != len - 2 )
853 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
854
855 name_len = buf[2];
856 if( name_len != list_len - 1 )
857 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
858
859 /* Check that the server chosen protocol was in our list and save it */
860 for( p = ssl->alpn_list; *p != NULL; p++ )
861 {
862 if( name_len == strlen( *p ) &&
863 memcmp( buf + 3, *p, name_len ) == 0 )
864 {
865 ssl->alpn_chosen = *p;
866 return( 0 );
867 }
868 }
869
870 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
871}
872#endif /* POLARSSL_SSL_ALPN */
873
874static int ssl_parse_server_hello( ssl_context *ssl )
875{
876 int ret, i, comp;
877 size_t n;
878 size_t ext_len;
879 unsigned char *buf, *ext;
880 int renegotiation_info_seen = 0;
881 int handshake_failure = 0;
882#if defined(POLARSSL_DEBUG_C)
883 uint32_t t;
884#endif
885
886 SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
887
888 /*
889 * 0 . 0 handshake type
890 * 1 . 3 handshake length
891 * 4 . 5 protocol version
892 * 6 . 9 UNIX time()
893 * 10 . 37 random bytes
894 */
895 buf = ssl->in_msg;
896
897 if( ( ret = ssl_read_record( ssl ) ) != 0 )
898 {
899 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
900 return( ret );
901 }
902
903 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
904 {
905 if( ssl->renegotiation == SSL_RENEGOTIATION )
906 {
907 ssl->renego_records_seen++;
908
909 if( ssl->renego_max_records >= 0 &&
910 ssl->renego_records_seen > ssl->renego_max_records )
911 {
912 SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
913 "but not honored by server" ) );
914 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
915 }
916
917 SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
918 return( POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
919 }
920
921 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
922 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
923 }
924
925 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
926 buf[4], buf[5] ) );
927
928 if( ssl->in_hslen < 42 ||
929 buf[0] != SSL_HS_SERVER_HELLO ||
930 buf[4] != SSL_MAJOR_VERSION_3 )
931 {
932 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
933 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
934 }
935
936 if( buf[5] > ssl->max_minor_ver )
937 {
938 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
939 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
940 }
941
942 ssl->minor_ver = buf[5];
943
944 if( ssl->minor_ver < ssl->min_minor_ver )
945 {
946 SSL_DEBUG_MSG( 1, ( "server only supports ssl smaller than minimum"
947 " [%d:%d] < [%d:%d]", ssl->major_ver,
948 ssl->minor_ver, buf[4], buf[5] ) );
949
950 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
951 SSL_ALERT_MSG_PROTOCOL_VERSION );
952
953 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
954 }
955
956#if defined(POLARSSL_DEBUG_C)
957 t = ( (uint32_t) buf[6] << 24 )
958 | ( (uint32_t) buf[7] << 16 )
959 | ( (uint32_t) buf[8] << 8 )
960 | ( (uint32_t) buf[9] );
961 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
962#endif
963
964 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
965
966 n = buf[38];
967
968 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
969
970 if( n > 32 )
971 {
972 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
973 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
974 }
975
976 /*
977 * 38 . 38 session id length
978 * 39 . 38+n session id
979 * 39+n . 40+n chosen ciphersuite
980 * 41+n . 41+n chosen compression alg.
981 * 42+n . 43+n extensions length
982 * 44+n . 44+n+m extensions
983 */
984 if( ssl->in_hslen > 43 + n )
985 {
986 ext_len = ( ( buf[42 + n] << 8 )
987 | ( buf[43 + n] ) );
988
989 if( ( ext_len > 0 && ext_len < 4 ) ||
990 ssl->in_hslen != 44 + n + ext_len )
991 {
992 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
993 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
994 }
995 }
996 else if( ssl->in_hslen == 42 + n )
997 {
998 ext_len = 0;
999 }
1000 else
1001 {
1002 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1003 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
1004 }
1005
1006 i = ( buf[39 + n] << 8 ) | buf[40 + n];
1007 comp = buf[41 + n];
1008
1009 /*
1010 * Initialize update checksum functions
1011 */
1012 ssl->transform_negotiate->ciphersuite_info = ssl_ciphersuite_from_id( i );
1013
1014 if( ssl->transform_negotiate->ciphersuite_info == NULL )
1015 {
1016 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
1017 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
1018 }
1019
1020 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
1021
1022 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1023 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
1024
1025 /*
1026 * Check if the session can be resumed
1027 */
1028 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
1029 ssl->handshake->resume == 0 || n == 0 ||
1030 ssl->session_negotiate->ciphersuite != i ||
1031 ssl->session_negotiate->compression != comp ||
1032 ssl->session_negotiate->length != n ||
1033 memcmp( ssl->session_negotiate->id, buf + 39, n ) != 0 )
1034 {
1035 ssl->state++;
1036 ssl->handshake->resume = 0;
1037#if defined(POLARSSL_HAVE_TIME)
1038 ssl->session_negotiate->start = time( NULL );
1039#endif
1040 ssl->session_negotiate->ciphersuite = i;
1041 ssl->session_negotiate->compression = comp;
1042 ssl->session_negotiate->length = n;
1043 memcpy( ssl->session_negotiate->id, buf + 39, n );
1044 }
1045 else
1046 {
1047 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
1048
1049 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1050 {
1051 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1052 return( ret );
1053 }
1054 }
1055
1056 SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
1057 ssl->handshake->resume ? "a" : "no" ) );
1058
1059 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) );
1060 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) );
1061
1062 i = 0;
1063 while( 1 )
1064 {
1065 if( ssl->ciphersuite_list[ssl->minor_ver][i] == 0 )
1066 {
1067 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1068 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
1069 }
1070
1071 if( ssl->ciphersuite_list[ssl->minor_ver][i++] ==
1072 ssl->session_negotiate->ciphersuite )
1073 {
1074 break;
1075 }
1076 }
1077
1078 if( comp != SSL_COMPRESS_NULL
1079#if defined(POLARSSL_ZLIB_SUPPORT)
1080 && comp != SSL_COMPRESS_DEFLATE
1081#endif
1082 )
1083 {
1084 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1085 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
1086 }
1087 ssl->session_negotiate->compression = comp;
1088
1089 ext = buf + 44 + n;
1090
1091 SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
1092
1093 while( ext_len )
1094 {
1095 unsigned int ext_id = ( ( ext[0] << 8 )
1096 | ( ext[1] ) );
1097 unsigned int ext_size = ( ( ext[2] << 8 )
1098 | ( ext[3] ) );
1099
1100 if( ext_size + 4 > ext_len )
1101 {
1102 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1103 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
1104 }
1105
1106 switch( ext_id )
1107 {
1108 case TLS_EXT_RENEGOTIATION_INFO:
1109 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1110 renegotiation_info_seen = 1;
1111
1112 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
1113 ext_size ) ) != 0 )
1114 return( ret );
1115
1116 break;
1117
1118#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1119 case TLS_EXT_MAX_FRAGMENT_LENGTH:
1120 SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
1121
1122 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
1123 ext + 4, ext_size ) ) != 0 )
1124 {
1125 return( ret );
1126 }
1127
1128 break;
1129#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
1130
1131#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1132 case TLS_EXT_TRUNCATED_HMAC:
1133 SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
1134
1135 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
1136 ext + 4, ext_size ) ) != 0 )
1137 {
1138 return( ret );
1139 }
1140
1141 break;
1142#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
1143
1144#if defined(POLARSSL_SSL_SESSION_TICKETS)
1145 case TLS_EXT_SESSION_TICKET:
1146 SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
1147
1148 if( ( ret = ssl_parse_session_ticket_ext( ssl,
1149 ext + 4, ext_size ) ) != 0 )
1150 {
1151 return( ret );
1152 }
1153
1154 break;
1155#endif /* POLARSSL_SSL_SESSION_TICKETS */
1156
1157#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1158 case TLS_EXT_SUPPORTED_POINT_FORMATS:
1159 SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
1160
1161 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
1162 ext + 4, ext_size ) ) != 0 )
1163 {
1164 return( ret );
1165 }
1166
1167 break;
1168#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1169
1170#if defined(POLARSSL_SSL_ALPN)
1171 case TLS_EXT_ALPN:
1172 SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1173
1174 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
1175 return( ret );
1176
1177 break;
1178#endif /* POLARSSL_SSL_ALPN */
1179
1180 default:
1181 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1182 ext_id ) );
1183 }
1184
1185 ext_len -= 4 + ext_size;
1186 ext += 4 + ext_size;
1187
1188 if( ext_len > 0 && ext_len < 4 )
1189 {
1190 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1191 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
1192 }
1193 }
1194
1195 /*
1196 * Renegotiation security checks
1197 */
1198 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1199 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
1200 {
1201 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1202 handshake_failure = 1;
1203 }
1204 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1205 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
1206 renegotiation_info_seen == 0 )
1207 {
1208 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1209 handshake_failure = 1;
1210 }
1211 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1212 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1213 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
1214 {
1215 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1216 handshake_failure = 1;
1217 }
1218 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1219 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1220 renegotiation_info_seen == 1 )
1221 {
1222 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1223 handshake_failure = 1;
1224 }
1225
1226 if( handshake_failure == 1 )
1227 {
1228 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1229 return( ret );
1230
1231 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
1232 }
1233
1234 SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
1235
1236 return( 0 );
1237}
1238
1239#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1240 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1241static int ssl_parse_server_dh_params( ssl_context *ssl, unsigned char **p,
1242 unsigned char *end )
1243{
1244 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1245
1246 /*
1247 * Ephemeral DH parameters:
1248 *
1249 * struct {
1250 * opaque dh_p<1..2^16-1>;
1251 * opaque dh_g<1..2^16-1>;
1252 * opaque dh_Ys<1..2^16-1>;
1253 * } ServerDHParams;
1254 */
1255 if( ( ret = dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
1256 {
1257 SSL_DEBUG_RET( 2, ( "dhm_read_params" ), ret );
1258 return( ret );
1259 }
1260
1261 if( ssl->handshake->dhm_ctx.len < 64 ||
1262 ssl->handshake->dhm_ctx.len > 512 )
1263 {
1264 SSL_DEBUG_MSG( 1, ( "bad server key exchange message (DHM length)" ) );
1265 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1266 }
1267
1268 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1269 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1270 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
1271
1272 return( ret );
1273}
1274#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1275 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1276
1277#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1278 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1279 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1280 defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1281 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1282static int ssl_check_server_ecdh_params( const ssl_context *ssl )
1283{
1284 const ecp_curve_info *curve_info;
1285
1286 curve_info = ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id );
1287 if( curve_info == NULL )
1288 {
1289 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1290 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1291 }
1292
1293 SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
1294
1295#if defined(POLARSSL_SSL_ECP_SET_CURVES)
1296 if( ! ssl_curve_is_acceptable( ssl, ssl->handshake->ecdh_ctx.grp.id ) )
1297#else
1298 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
1299 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
1300#endif
1301 return( -1 );
1302
1303 SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp );
1304
1305 return( 0 );
1306}
1307#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1308 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1309 POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1310 POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
1311 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1312
1313#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1314 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1315 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1316static int ssl_parse_server_ecdh_params( ssl_context *ssl,
1317 unsigned char **p,
1318 unsigned char *end )
1319{
1320 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1321
1322 /*
1323 * Ephemeral ECDH parameters:
1324 *
1325 * struct {
1326 * ECParameters curve_params;
1327 * ECPoint public;
1328 * } ServerECDHParams;
1329 */
1330 if( ( ret = ecdh_read_params( &ssl->handshake->ecdh_ctx,
1331 (const unsigned char **) p, end ) ) != 0 )
1332 {
1333 SSL_DEBUG_RET( 1, ( "ecdh_read_params" ), ret );
1334 return( ret );
1335 }
1336
1337 if( ssl_check_server_ecdh_params( ssl ) != 0 )
1338 {
1339 SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
1340 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1341 }
1342
1343 return( ret );
1344}
1345#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1346 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1347 POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
1348
1349#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
1350static int ssl_parse_server_psk_hint( ssl_context *ssl,
1351 unsigned char **p,
1352 unsigned char *end )
1353{
1354 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1355 size_t len;
1356 ((void) ssl);
1357
1358 /*
1359 * PSK parameters:
1360 *
1361 * opaque psk_identity_hint<0..2^16-1>;
1362 */
1363 len = (*p)[0] << 8 | (*p)[1];
1364 *p += 2;
1365
1366 if( (*p) + len > end )
1367 {
1368 SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) );
1369 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1370 }
1371
1372 // TODO: Retrieve PSK identity hint and callback to app
1373 //
1374 *p += len;
1375 ret = 0;
1376
1377 return( ret );
1378}
1379#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
1380
1381#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
1382 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
1383/*
1384 * Generate a pre-master secret and encrypt it with the server's RSA key
1385 */
1386static int ssl_write_encrypted_pms( ssl_context *ssl,
1387 size_t offset, size_t *olen,
1388 size_t pms_offset )
1389{
1390 int ret;
1391 size_t len_bytes = ssl->minor_ver == SSL_MINOR_VERSION_0 ? 0 : 2;
1392 unsigned char *p = ssl->handshake->premaster + pms_offset;
1393
1394 /*
1395 * Generate (part of) the pre-master as
1396 * struct {
1397 * ProtocolVersion client_version;
1398 * opaque random[46];
1399 * } PreMasterSecret;
1400 */
1401 p[0] = (unsigned char) ssl->max_major_ver;
1402 p[1] = (unsigned char) ssl->max_minor_ver;
1403
1404 if( ( ret = ssl->f_rng( ssl->p_rng, p + 2, 46 ) ) != 0 )
1405 {
1406 SSL_DEBUG_RET( 1, "f_rng", ret );
1407 return( ret );
1408 }
1409
1410 ssl->handshake->pmslen = 48;
1411
1412 /*
1413 * Now write it out, encrypted
1414 */
1415 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
1416 POLARSSL_PK_RSA ) )
1417 {
1418 SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
1419 return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH );
1420 }
1421
1422 if( ( ret = pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
1423 p, ssl->handshake->pmslen,
1424 ssl->out_msg + offset + len_bytes, olen,
1425 SSL_MAX_CONTENT_LEN - offset - len_bytes,
1426 ssl->f_rng, ssl->p_rng ) ) != 0 )
1427 {
1428 SSL_DEBUG_RET( 1, "rsa_pkcs1_encrypt", ret );
1429 return( ret );
1430 }
1431
1432#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1433 defined(POLARSSL_SSL_PROTO_TLS1_2)
1434 if( len_bytes == 2 )
1435 {
1436 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
1437 ssl->out_msg[offset+1] = (unsigned char)( *olen );
1438 *olen += 2;
1439 }
1440#endif
1441
1442 return( 0 );
1443}
1444#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED ||
1445 POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
1446
1447#if defined(POLARSSL_SSL_PROTO_TLS1_2)
1448#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1449 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1450 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1451static int ssl_parse_signature_algorithm( ssl_context *ssl,
1452 unsigned char **p,
1453 unsigned char *end,
1454 md_type_t *md_alg,
1455 pk_type_t *pk_alg )
1456{
1457 ((void) ssl);
1458 *md_alg = POLARSSL_MD_NONE;
1459 *pk_alg = POLARSSL_PK_NONE;
1460
1461 /* Only in TLS 1.2 */
1462 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
1463 {
1464 return( 0 );
1465 }
1466
1467 if( (*p) + 2 > end )
1468 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1469
1470 /*
1471 * Get hash algorithm
1472 */
1473 if( ( *md_alg = ssl_md_alg_from_hash( (*p)[0] ) ) == POLARSSL_MD_NONE )
1474 {
1475 SSL_DEBUG_MSG( 2, ( "Server used unsupported "
1476 "HashAlgorithm %d", *(p)[0] ) );
1477 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1478 }
1479
1480 /*
1481 * Get signature algorithm
1482 */
1483 if( ( *pk_alg = ssl_pk_alg_from_sig( (*p)[1] ) ) == POLARSSL_PK_NONE )
1484 {
1485 SSL_DEBUG_MSG( 2, ( "server used unsupported "
1486 "SignatureAlgorithm %d", (*p)[1] ) );
1487 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1488 }
1489
1490 SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
1491 SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
1492 *p += 2;
1493
1494 return( 0 );
1495}
1496#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1497 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1498 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1499#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1500
1501
1502#if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1503 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1504static int ssl_get_ecdh_params_from_cert( ssl_context *ssl )
1505{
1506 int ret;
1507 const ecp_keypair *peer_key;
1508
1509 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
1510 POLARSSL_PK_ECKEY ) )
1511 {
1512 SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
1513 return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH );
1514 }
1515
1516 peer_key = pk_ec( ssl->session_negotiate->peer_cert->pk );
1517
1518 if( ( ret = ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
1519 POLARSSL_ECDH_THEIRS ) ) != 0 )
1520 {
1521 SSL_DEBUG_RET( 1, ( "ecdh_get_params" ), ret );
1522 return( ret );
1523 }
1524
1525 if( ssl_check_server_ecdh_params( ssl ) != 0 )
1526 {
1527 SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
1528 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
1529 }
1530
1531 return( ret );
1532}
1533#endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
1534 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1535
1536static int ssl_parse_server_key_exchange( ssl_context *ssl )
1537{
1538 int ret;
1539 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1540 unsigned char *p, *end;
1541#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1542 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1543 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1544 size_t sig_len, params_len;
1545 unsigned char hash[64];
1546 md_type_t md_alg = POLARSSL_MD_NONE;
1547 size_t hashlen;
1548 pk_type_t pk_alg = POLARSSL_PK_NONE;
1549#endif
1550
1551 SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
1552
1553#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
1554 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
1555 {
1556 SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
1557 ssl->state++;
1558 return( 0 );
1559 }
1560 ((void) p);
1561 ((void) end);
1562#endif
1563
1564#if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1565 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1566 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
1567 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
1568 {
1569 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
1570 {
1571 SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
1572 return( ret );
1573 }
1574
1575 SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
1576 ssl->state++;
1577 return( 0 );
1578 }
1579 ((void) p);
1580 ((void) end);
1581#endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
1582 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1583
1584 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1585 {
1586 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1587 return( ret );
1588 }
1589
1590 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1591 {
1592 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1593 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
1594 }
1595
1596 /*
1597 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
1598 * doesn't use a psk_identity_hint
1599 */
1600 if( ssl->in_msg[0] != SSL_HS_SERVER_KEY_EXCHANGE )
1601 {
1602 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1603 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
1604 {
1605 ssl->record_read = 1;
1606 goto exit;
1607 }
1608
1609 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1610 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
1611 }
1612
1613 p = ssl->in_msg + 4;
1614 end = ssl->in_msg + ssl->in_hslen;
1615 SSL_DEBUG_BUF( 3, "server key exchange", p, ssl->in_hslen - 4 );
1616
1617#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
1618 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1619 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1620 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1621 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1622 {
1623 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
1624 {
1625 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1626 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1627 }
1628 } /* FALLTROUGH */
1629#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
1630
1631#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
1632 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
1633 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1634 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
1635 ; /* nothing more to do */
1636 else
1637#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED ||
1638 POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
1639#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1640 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1641 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1642 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1643 {
1644 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
1645 {
1646 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1647 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1648 }
1649 }
1650 else
1651#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1652 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1653#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1654 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1655 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1656 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
1657 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
1658 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
1659 {
1660 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
1661 {
1662 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1663 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1664 }
1665 }
1666 else
1667#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1668 POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1669 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1670 {
1671 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1672 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1673 }
1674
1675#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1676 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1677 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1678 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1679 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
1680 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
1681 {
1682 params_len = p - ( ssl->in_msg + 4 );
1683
1684 /*
1685 * Handle the digitally-signed structure
1686 */
1687#if defined(POLARSSL_SSL_PROTO_TLS1_2)
1688 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1689 {
1690 if( ssl_parse_signature_algorithm( ssl, &p, end,
1691 &md_alg, &pk_alg ) != 0 )
1692 {
1693 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1694 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1695 }
1696
1697 if( pk_alg != ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
1698 {
1699 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1700 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1701 }
1702 }
1703 else
1704#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1705#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
1706 defined(POLARSSL_SSL_PROTO_TLS1_1)
1707 if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
1708 {
1709 pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
1710
1711 /* Default hash for ECDSA is SHA-1 */
1712 if( pk_alg == POLARSSL_PK_ECDSA && md_alg == POLARSSL_MD_NONE )
1713 md_alg = POLARSSL_MD_SHA1;
1714 }
1715 else
1716#endif
1717 {
1718 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1719 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1720 }
1721
1722 /*
1723 * Read signature
1724 */
1725 sig_len = ( p[0] << 8 ) | p[1];
1726 p += 2;
1727
1728 if( end != p + sig_len )
1729 {
1730 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1731 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1732 }
1733
1734 SSL_DEBUG_BUF( 3, "signature", p, sig_len );
1735
1736 /*
1737 * Compute the hash that has been signed
1738 */
1739#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
1740 defined(POLARSSL_SSL_PROTO_TLS1_1)
1741 if( md_alg == POLARSSL_MD_NONE )
1742 {
1743 md5_context md5;
1744 sha1_context sha1;
1745
1746 md5_init( &md5 );
1747 sha1_init( &sha1 );
1748
1749 hashlen = 36;
1750
1751 /*
1752 * digitally-signed struct {
1753 * opaque md5_hash[16];
1754 * opaque sha_hash[20];
1755 * };
1756 *
1757 * md5_hash
1758 * MD5(ClientHello.random + ServerHello.random
1759 * + ServerParams);
1760 * sha_hash
1761 * SHA(ClientHello.random + ServerHello.random
1762 * + ServerParams);
1763 */
1764 md5_starts( &md5 );
1765 md5_update( &md5, ssl->handshake->randbytes, 64 );
1766 md5_update( &md5, ssl->in_msg + 4, params_len );
1767 md5_finish( &md5, hash );
1768
1769 sha1_starts( &sha1 );
1770 sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1771 sha1_update( &sha1, ssl->in_msg + 4, params_len );
1772 sha1_finish( &sha1, hash + 16 );
1773
1774 md5_free( &md5 );
1775 sha1_free( &sha1 );
1776 }
1777 else
1778#endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
1779 POLARSSL_SSL_PROTO_TLS1_1 */
1780#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1781 defined(POLARSSL_SSL_PROTO_TLS1_2)
1782 if( md_alg != POLARSSL_MD_NONE )
1783 {
1784 md_context_t ctx;
1785
1786 md_init( &ctx );
1787
1788 /* Info from md_alg will be used instead */
1789 hashlen = 0;
1790
1791 /*
1792 * digitally-signed struct {
1793 * opaque client_random[32];
1794 * opaque server_random[32];
1795 * ServerDHParams params;
1796 * };
1797 */
1798 if( ( ret = md_init_ctx( &ctx,
1799 md_info_from_type( md_alg ) ) ) != 0 )
1800 {
1801 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
1802 return( ret );
1803 }
1804
1805 md_starts( &ctx );
1806 md_update( &ctx, ssl->handshake->randbytes, 64 );
1807 md_update( &ctx, ssl->in_msg + 4, params_len );
1808 md_finish( &ctx, hash );
1809 md_free( &ctx );
1810 }
1811 else
1812#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1813 POLARSSL_SSL_PROTO_TLS1_2 */
1814 {
1815 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1816 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1817 }
1818
1819 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
1820 (unsigned int) ( md_info_from_type( md_alg ) )->size );
1821
1822 /*
1823 * Verify signature
1824 */
1825 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
1826 {
1827 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1828 return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH );
1829 }
1830
1831 if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
1832 md_alg, hash, hashlen, p, sig_len ) ) != 0 )
1833 {
1834 SSL_DEBUG_RET( 1, "pk_verify", ret );
1835 return( ret );
1836 }
1837 }
1838#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1839 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1840 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1841
1842exit:
1843 ssl->state++;
1844
1845 SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
1846
1847 return( 0 );
1848}
1849
1850#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1851 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1852 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
1853 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1854static int ssl_parse_certificate_request( ssl_context *ssl )
1855{
1856 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1857
1858 SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
1859
1860 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1861 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1862 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1863 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1864 {
1865 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
1866 ssl->state++;
1867 return( 0 );
1868 }
1869
1870 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1871 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1872}
1873#else
1874static int ssl_parse_certificate_request( ssl_context *ssl )
1875{
1876 int ret;
1877 unsigned char *buf, *p;
1878 size_t n = 0, m = 0;
1879 size_t cert_type_len = 0, dn_len = 0;
1880 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1881
1882 SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
1883
1884 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1885 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1886 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1887 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1888 {
1889 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
1890 ssl->state++;
1891 return( 0 );
1892 }
1893
1894 /*
1895 * 0 . 0 handshake type
1896 * 1 . 3 handshake length
1897 * 4 . 4 cert type count
1898 * 5 .. m-1 cert types
1899 * m .. m+1 sig alg length (TLS 1.2 only)
1900 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
1901 * n .. n+1 length of all DNs
1902 * n+2 .. n+3 length of DN 1
1903 * n+4 .. ... Distinguished Name #1
1904 * ... .. ... length of DN 2, etc.
1905 */
1906 if( ssl->record_read == 0 )
1907 {
1908 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1909 {
1910 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1911 return( ret );
1912 }
1913
1914 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1915 {
1916 SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1917 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
1918 }
1919
1920 ssl->record_read = 1;
1921 }
1922
1923 ssl->client_auth = 0;
1924 ssl->state++;
1925
1926 if( ssl->in_msg[0] == SSL_HS_CERTIFICATE_REQUEST )
1927 ssl->client_auth++;
1928
1929 SSL_DEBUG_MSG( 3, ( "got %s certificate request",
1930 ssl->client_auth ? "a" : "no" ) );
1931
1932 if( ssl->client_auth == 0 )
1933 goto exit;
1934
1935 ssl->record_read = 0;
1936
1937 // TODO: handshake_failure alert for an anonymous server to request
1938 // client authentication
1939
1940 buf = ssl->in_msg;
1941
1942 // Retrieve cert types
1943 //
1944 cert_type_len = buf[4];
1945 n = cert_type_len;
1946
1947 if( ssl->in_hslen < 6 + n )
1948 {
1949 SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1950 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
1951 }
1952
1953 p = buf + 5;
1954 while( cert_type_len > 0 )
1955 {
1956#if defined(POLARSSL_RSA_C)
1957 if( *p == SSL_CERT_TYPE_RSA_SIGN &&
1958 pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) )
1959 {
1960 ssl->handshake->cert_type = SSL_CERT_TYPE_RSA_SIGN;
1961 break;
1962 }
1963 else
1964#endif
1965#if defined(POLARSSL_ECDSA_C)
1966 if( *p == SSL_CERT_TYPE_ECDSA_SIGN &&
1967 pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECDSA ) )
1968 {
1969 ssl->handshake->cert_type = SSL_CERT_TYPE_ECDSA_SIGN;
1970 break;
1971 }
1972 else
1973#endif
1974 {
1975 ; /* Unsupported cert type, ignore */
1976 }
1977
1978 cert_type_len--;
1979 p++;
1980 }
1981
1982#if defined(POLARSSL_SSL_PROTO_TLS1_2)
1983 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1984 {
1985 /* Ignored, see comments about hash in write_certificate_verify */
1986 // TODO: should check the signature part against our pk_key though
1987 size_t sig_alg_len = ( ( buf[5 + n] << 8 )
1988 | ( buf[6 + n] ) );
1989
1990 p = buf + 7 + n;
1991 m += 2;
1992 n += sig_alg_len;
1993
1994 if( ssl->in_hslen < 6 + n )
1995 {
1996 SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1997 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
1998 }
1999 }
2000#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2001
2002 /* Ignore certificate_authorities, we only have one cert anyway */
2003 // TODO: should not send cert if no CA matches
2004 dn_len = ( ( buf[5 + m + n] << 8 )
2005 | ( buf[6 + m + n] ) );
2006
2007 n += dn_len;
2008 if( ssl->in_hslen != 7 + m + n )
2009 {
2010 SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2011 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2012 }
2013
2014exit:
2015 SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
2016
2017 return( 0 );
2018}
2019#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2020 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2021 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
2022 !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2023
2024static int ssl_parse_server_hello_done( ssl_context *ssl )
2025{
2026 int ret;
2027
2028 SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
2029
2030 if( ssl->record_read == 0 )
2031 {
2032 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2033 {
2034 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2035 return( ret );
2036 }
2037
2038 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2039 {
2040 SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
2041 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
2042 }
2043 }
2044 ssl->record_read = 0;
2045
2046 if( ssl->in_hslen != 4 ||
2047 ssl->in_msg[0] != SSL_HS_SERVER_HELLO_DONE )
2048 {
2049 SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
2050 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
2051 }
2052
2053 ssl->state++;
2054
2055 SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
2056
2057 return( 0 );
2058}
2059
2060static int ssl_write_client_key_exchange( ssl_context *ssl )
2061{
2062 int ret;
2063 size_t i, n;
2064 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2065
2066 SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
2067
2068#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
2069 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
2070 {
2071 /*
2072 * DHM key exchange -- send G^X mod P
2073 */
2074 n = ssl->handshake->dhm_ctx.len;
2075
2076 ssl->out_msg[4] = (unsigned char)( n >> 8 );
2077 ssl->out_msg[5] = (unsigned char)( n );
2078 i = 6;
2079
2080 ret = dhm_make_public( &ssl->handshake->dhm_ctx,
2081 (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
2082 &ssl->out_msg[i], n,
2083 ssl->f_rng, ssl->p_rng );
2084 if( ret != 0 )
2085 {
2086 SSL_DEBUG_RET( 1, "dhm_make_public", ret );
2087 return( ret );
2088 }
2089
2090 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
2091 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
2092
2093 ssl->handshake->pmslen = POLARSSL_PREMASTER_SIZE;
2094
2095 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2096 ssl->handshake->premaster,
2097 &ssl->handshake->pmslen,
2098 ssl->f_rng, ssl->p_rng ) ) != 0 )
2099 {
2100 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2101 return( ret );
2102 }
2103
2104 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2105 }
2106 else
2107#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
2108#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2109 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2110 defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2111 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2112 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2113 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
2114 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
2115 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
2116 {
2117 /*
2118 * ECDH key exchange -- send client public value
2119 */
2120 i = 4;
2121
2122 ret = ecdh_make_public( &ssl->handshake->ecdh_ctx,
2123 &n,
2124 &ssl->out_msg[i], 1000,
2125 ssl->f_rng, ssl->p_rng );
2126 if( ret != 0 )
2127 {
2128 SSL_DEBUG_RET( 1, "ecdh_make_public", ret );
2129 return( ret );
2130 }
2131
2132 SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
2133
2134 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2135 &ssl->handshake->pmslen,
2136 ssl->handshake->premaster,
2137 POLARSSL_MPI_MAX_SIZE,
2138 ssl->f_rng, ssl->p_rng ) ) != 0 )
2139 {
2140 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
2141 return( ret );
2142 }
2143
2144 SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
2145 }
2146 else
2147#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2148 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2149 POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2150 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2151#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
2152 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2153 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2154 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2155 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2156 {
2157 /*
2158 * opaque psk_identity<0..2^16-1>;
2159 */
2160 if( ssl->psk == NULL || ssl->psk_identity == NULL )
2161 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2162
2163 i = 4;
2164 n = ssl->psk_identity_len;
2165 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
2166 ssl->out_msg[i++] = (unsigned char)( n );
2167
2168 memcpy( ssl->out_msg + i, ssl->psk_identity, ssl->psk_identity_len );
2169 i += ssl->psk_identity_len;
2170
2171#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2172 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
2173 {
2174 n = 0;
2175 }
2176 else
2177#endif
2178#if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2179 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
2180 {
2181 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
2182 return( ret );
2183 }
2184 else
2185#endif
2186#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2187 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2188 {
2189 /*
2190 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
2191 */
2192 n = ssl->handshake->dhm_ctx.len;
2193 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
2194 ssl->out_msg[i++] = (unsigned char)( n );
2195
2196 ret = dhm_make_public( &ssl->handshake->dhm_ctx,
2197 (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
2198 &ssl->out_msg[i], n,
2199 ssl->f_rng, ssl->p_rng );
2200 if( ret != 0 )
2201 {
2202 SSL_DEBUG_RET( 1, "dhm_make_public", ret );
2203 return( ret );
2204 }
2205 }
2206 else
2207#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2208#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2209 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2210 {
2211 /*
2212 * ClientECDiffieHellmanPublic public;
2213 */
2214 ret = ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
2215 &ssl->out_msg[i], SSL_MAX_CONTENT_LEN - i,
2216 ssl->f_rng, ssl->p_rng );
2217 if( ret != 0 )
2218 {
2219 SSL_DEBUG_RET( 1, "ecdh_make_public", ret );
2220 return( ret );
2221 }
2222
2223 SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
2224 }
2225 else
2226#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2227 {
2228 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2229 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
2230 }
2231
2232 if( ( ret = ssl_psk_derive_premaster( ssl,
2233 ciphersuite_info->key_exchange ) ) != 0 )
2234 {
2235 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2236 return( ret );
2237 }
2238 }
2239 else
2240#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
2241#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2242 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
2243 {
2244 i = 4;
2245 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
2246 return( ret );
2247 }
2248 else
2249#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2250 {
2251 ((void) ciphersuite_info);
2252 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2253 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
2254 }
2255
2256 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2257 {
2258 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2259 return( ret );
2260 }
2261
2262 ssl->out_msglen = i + n;
2263 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2264 ssl->out_msg[0] = SSL_HS_CLIENT_KEY_EXCHANGE;
2265
2266 ssl->state++;
2267
2268 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2269 {
2270 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2271 return( ret );
2272 }
2273
2274 SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
2275
2276 return( 0 );
2277}
2278
2279#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2280 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2281 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2282 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2283static int ssl_write_certificate_verify( ssl_context *ssl )
2284{
2285 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2286
2287 SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
2288
2289 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2290 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2291 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2292 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2293 {
2294 SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2295 ssl->state++;
2296 return( 0 );
2297 }
2298
2299 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2300 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
2301}
2302#else
2303static int ssl_write_certificate_verify( ssl_context *ssl )
2304{
2305 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2306 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2307 size_t n = 0, offset = 0;
2308 unsigned char hash[48];
2309 unsigned char *hash_start = hash;
2310 md_type_t md_alg = POLARSSL_MD_NONE;
2311 unsigned int hashlen;
2312
2313 SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
2314
2315 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2316 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2317 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2318 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2319 {
2320 SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2321 ssl->state++;
2322 return( 0 );
2323 }
2324
2325 if( ssl->client_auth == 0 || ssl_own_cert( ssl ) == NULL )
2326 {
2327 SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2328 ssl->state++;
2329 return( 0 );
2330 }
2331
2332 if( ssl_own_key( ssl ) == NULL )
2333 {
2334 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2335 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2336 }
2337
2338 /*
2339 * Make an RSA signature of the handshake digests
2340 */
2341 ssl->handshake->calc_verify( ssl, hash );
2342
2343#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2344 defined(POLARSSL_SSL_PROTO_TLS1_1)
2345 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
2346 {
2347 /*
2348 * digitally-signed struct {
2349 * opaque md5_hash[16];
2350 * opaque sha_hash[20];
2351 * };
2352 *
2353 * md5_hash
2354 * MD5(handshake_messages);
2355 *
2356 * sha_hash
2357 * SHA(handshake_messages);
2358 */
2359 hashlen = 36;
2360 md_alg = POLARSSL_MD_NONE;
2361
2362 /*
2363 * For ECDSA, default hash is SHA-1 only
2364 */
2365 if( pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECDSA ) )
2366 {
2367 hash_start += 16;
2368 hashlen -= 16;
2369 md_alg = POLARSSL_MD_SHA1;
2370 }
2371 }
2372 else
2373#endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
2374 POLARSSL_SSL_PROTO_TLS1_1 */
2375#if defined(POLARSSL_SSL_PROTO_TLS1_2)
2376 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2377 {
2378 /*
2379 * digitally-signed struct {
2380 * opaque handshake_messages[handshake_messages_length];
2381 * };
2382 *
2383 * Taking shortcut here. We assume that the server always allows the
2384 * PRF Hash function and has sent it in the allowed signature
2385 * algorithms list received in the Certificate Request message.
2386 *
2387 * Until we encounter a server that does not, we will take this
2388 * shortcut.
2389 *
2390 * Reason: Otherwise we should have running hashes for SHA512 and SHA224
2391 * in order to satisfy 'weird' needs from the server side.
2392 */
2393 if( ssl->transform_negotiate->ciphersuite_info->mac ==
2394 POLARSSL_MD_SHA384 )
2395 {
2396 md_alg = POLARSSL_MD_SHA384;
2397 ssl->out_msg[4] = SSL_HASH_SHA384;
2398 }
2399 else
2400 {
2401 md_alg = POLARSSL_MD_SHA256;
2402 ssl->out_msg[4] = SSL_HASH_SHA256;
2403 }
2404 ssl->out_msg[5] = ssl_sig_from_pk( ssl_own_key( ssl ) );
2405
2406 /* Info from md_alg will be used instead */
2407 hashlen = 0;
2408 offset = 2;
2409 }
2410 else
2411#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2412 {
2413 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2414 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
2415 }
2416
2417 if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash_start, hashlen,
2418 ssl->out_msg + 6 + offset, &n,
2419 ssl->f_rng, ssl->p_rng ) ) != 0 )
2420 {
2421 SSL_DEBUG_RET( 1, "pk_sign", ret );
2422 return( ret );
2423 }
2424
2425 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
2426 ssl->out_msg[5 + offset] = (unsigned char)( n );
2427
2428 ssl->out_msglen = 6 + n + offset;
2429 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2430 ssl->out_msg[0] = SSL_HS_CERTIFICATE_VERIFY;
2431
2432 ssl->state++;
2433
2434 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2435 {
2436 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2437 return( ret );
2438 }
2439
2440 SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
2441
2442 return( ret );
2443}
2444#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2445 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2446 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2447
2448#if defined(POLARSSL_SSL_SESSION_TICKETS)
2449static int ssl_parse_new_session_ticket( ssl_context *ssl )
2450{
2451 int ret;
2452 uint32_t lifetime;
2453 size_t ticket_len;
2454 unsigned char *ticket;
2455
2456 SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
2457
2458 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2459 {
2460 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2461 return( ret );
2462 }
2463
2464 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2465 {
2466 SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2467 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
2468 }
2469
2470 /*
2471 * struct {
2472 * uint32 ticket_lifetime_hint;
2473 * opaque ticket<0..2^16-1>;
2474 * } NewSessionTicket;
2475 *
2476 * 0 . 0 handshake message type
2477 * 1 . 3 handshake message length
2478 * 4 . 7 ticket_lifetime_hint
2479 * 8 . 9 ticket_len (n)
2480 * 10 . 9+n ticket content
2481 */
2482 if( ssl->in_msg[0] != SSL_HS_NEW_SESSION_TICKET ||
2483 ssl->in_hslen < 10 )
2484 {
2485 SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2486 return( POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
2487 }
2488
2489 lifetime = ( ssl->in_msg[4] << 24 ) | ( ssl->in_msg[5] << 16 ) |
2490 ( ssl->in_msg[6] << 8 ) | ( ssl->in_msg[7] );
2491
2492 ticket_len = ( ssl->in_msg[8] << 8 ) | ( ssl->in_msg[9] );
2493
2494 if( ticket_len + 10 != ssl->in_hslen )
2495 {
2496 SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2497 return( POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
2498 }
2499
2500 SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
2501
2502 /* We're not waiting for a NewSessionTicket message any more */
2503 ssl->handshake->new_session_ticket = 0;
2504
2505 /*
2506 * Zero-length ticket means the server changed his mind and doesn't want
2507 * to send a ticket after all, so just forget it
2508 */
2509 if( ticket_len == 0 )
2510 return( 0 );
2511
2512 polarssl_zeroize( ssl->session_negotiate->ticket,
2513 ssl->session_negotiate->ticket_len );
2514 polarssl_free( ssl->session_negotiate->ticket );
2515 ssl->session_negotiate->ticket = NULL;
2516 ssl->session_negotiate->ticket_len = 0;
2517
2518 if( ( ticket = polarssl_malloc( ticket_len ) ) == NULL )
2519 {
2520 SSL_DEBUG_MSG( 1, ( "ticket malloc failed" ) );
2521 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
2522 }
2523
2524 memcpy( ticket, ssl->in_msg + 10, ticket_len );
2525
2526 ssl->session_negotiate->ticket = ticket;
2527 ssl->session_negotiate->ticket_len = ticket_len;
2528 ssl->session_negotiate->ticket_lifetime = lifetime;
2529
2530 /*
2531 * RFC 5077 section 3.4:
2532 * "If the client receives a session ticket from the server, then it
2533 * discards any Session ID that was sent in the ServerHello."
2534 */
2535 SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
2536 ssl->session_negotiate->length = 0;
2537
2538 SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
2539
2540 return( 0 );
2541}
2542#endif /* POLARSSL_SSL_SESSION_TICKETS */
2543
2544/*
2545 * SSL handshake -- client side -- single step
2546 */
2547int ssl_handshake_client_step( ssl_context *ssl )
2548{
2549 int ret = 0;
2550
2551 if( ssl->state == SSL_HANDSHAKE_OVER )
2552 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
2553
2554 SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
2555
2556 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2557 return( ret );
2558
2559 switch( ssl->state )
2560 {
2561 case SSL_HELLO_REQUEST:
2562 ssl->state = SSL_CLIENT_HELLO;
2563 break;
2564
2565 /*
2566 * ==> ClientHello
2567 */
2568 case SSL_CLIENT_HELLO:
2569 ret = ssl_write_client_hello( ssl );
2570 break;
2571
2572 /*
2573 * <== ServerHello
2574 * Certificate
2575 * ( ServerKeyExchange )
2576 * ( CertificateRequest )
2577 * ServerHelloDone
2578 */
2579 case SSL_SERVER_HELLO:
2580 ret = ssl_parse_server_hello( ssl );
2581 break;
2582
2583 case SSL_SERVER_CERTIFICATE:
2584 ret = ssl_parse_certificate( ssl );
2585 break;
2586
2587 case SSL_SERVER_KEY_EXCHANGE:
2588 ret = ssl_parse_server_key_exchange( ssl );
2589 break;
2590
2591 case SSL_CERTIFICATE_REQUEST:
2592 ret = ssl_parse_certificate_request( ssl );
2593 break;
2594
2595 case SSL_SERVER_HELLO_DONE:
2596 ret = ssl_parse_server_hello_done( ssl );
2597 break;
2598
2599 /*
2600 * ==> ( Certificate/Alert )
2601 * ClientKeyExchange
2602 * ( CertificateVerify )
2603 * ChangeCipherSpec
2604 * Finished
2605 */
2606 case SSL_CLIENT_CERTIFICATE:
2607 ret = ssl_write_certificate( ssl );
2608 break;
2609
2610 case SSL_CLIENT_KEY_EXCHANGE:
2611 ret = ssl_write_client_key_exchange( ssl );
2612 break;
2613
2614 case SSL_CERTIFICATE_VERIFY:
2615 ret = ssl_write_certificate_verify( ssl );
2616 break;
2617
2618 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
2619 ret = ssl_write_change_cipher_spec( ssl );
2620 break;
2621
2622 case SSL_CLIENT_FINISHED:
2623 ret = ssl_write_finished( ssl );
2624 break;
2625
2626 /*
2627 * <== ( NewSessionTicket )
2628 * ChangeCipherSpec
2629 * Finished
2630 */
2631 case SSL_SERVER_CHANGE_CIPHER_SPEC:
2632#if defined(POLARSSL_SSL_SESSION_TICKETS)
2633 if( ssl->handshake->new_session_ticket != 0 )
2634 ret = ssl_parse_new_session_ticket( ssl );
2635 else
2636#endif
2637 ret = ssl_parse_change_cipher_spec( ssl );
2638 break;
2639
2640 case SSL_SERVER_FINISHED:
2641 ret = ssl_parse_finished( ssl );
2642 break;
2643
2644 case SSL_FLUSH_BUFFERS:
2645 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2646 ssl->state = SSL_HANDSHAKE_WRAPUP;
2647 break;
2648
2649 case SSL_HANDSHAKE_WRAPUP:
2650 ssl_handshake_wrapup( ssl );
2651 break;
2652
2653 default:
2654 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2655 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
2656 }
2657
2658 return( ret );
2659}
2660#endif /* POLARSSL_SSL_CLI_C */
mpi_size
size_t mpi_size(const mpi *X)
Return the total size in bytes.
SSL_MAX_CONTENT_LEN
#define SSL_MAX_CONTENT_LEN
Definition: config-ccm-psk-tls1_2.h:62
POLARSSL_MPI_MAX_SIZE
#define POLARSSL_MPI_MAX_SIZE
Definition: config-suite-b.h:64
config.h
Configuration options (set of defines)
POLARSSL_ZLIB_SUPPORT
#define POLARSSL_ZLIB_SUPPORT
If set, the SSL/TLS module uses ZLIB to support compression and decompression of packet data.
Definition: config.h:1066
debug.h
Debug functions.
SSL_DEBUG_MPI
#define SSL_DEBUG_MPI(level, text, X)
Definition: debug.h:70
SSL_DEBUG_ECP
#define SSL_DEBUG_ECP(level, text, X)
Definition: debug.h:75
SSL_DEBUG_BUF
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:66
SSL_DEBUG_RET
#define SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:63
SSL_DEBUG_MSG
#define SSL_DEBUG_MSG(level, args)
Definition: debug.h:60
dhm_make_public
int dhm_make_public(dhm_context *ctx, int x_size, unsigned char *output, size_t olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Create own private value X and export G^X.
dhm_calc_secret
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret (G^Y)^X mod P.
dhm_read_params
int dhm_read_params(dhm_context *ctx, unsigned char **p, const unsigned char *end)
Parse the ServerKeyExchange parameters.
POLARSSL_ECDH_THEIRS
@ POLARSSL_ECDH_THEIRS
Definition: ecdh.h:42
ecdh_calc_secret
int ecdh_calc_secret(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret.
ecdh_read_params
int ecdh_read_params(ecdh_context *ctx, const unsigned char **buf, const unsigned char *end)
Parse and procress a TLS ServerKeyExhange payload.
ecdh_get_params
int ecdh_get_params(ecdh_context *ctx, const ecp_keypair *key, ecdh_side side)
Setup an ECDH context from an EC key.
ecdh_make_public
int ecdh_make_public(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Generate a public key and a TLS ClientKeyExchange payload.
ecp_curve_info_from_grp_id
const ecp_curve_info * ecp_curve_info_from_grp_id(ecp_group_id grp_id)
Get curve information from an internal group identifier.
ecp_group_id
ecp_group_id
Domain parameters (curve, subgroup and generator) identifiers.
Definition: ecp.h:58
POLARSSL_ECP_DP_NONE
@ POLARSSL_ECP_DP_NONE
Definition: ecp.h:59
POLARSSL_ECP_PF_UNCOMPRESSED
#define POLARSSL_ECP_PF_UNCOMPRESSED
Uncompressed point format.
Definition: ecp.h:233
POLARSSL_ECP_PF_COMPRESSED
#define POLARSSL_ECP_PF_COMPRESSED
Compressed point format.
Definition: ecp.h:234
ecp_curve_list
const ecp_curve_info * ecp_curve_list(void)
Get the list of supported curves in order of preferrence (full information)
_x509_crt::pk
pk_context pk
Container for the public key context.
Definition: x509_crt.h:75
md5_free
void md5_free(md5_context *ctx)
Clear MD5 context.
md5_init
void md5_init(md5_context *ctx)
Initialize MD5 context.
md5_update
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
md5_finish
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
md5
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
md5_starts
void md5_starts(md5_context *ctx)
MD5 context setup.
md_starts
int md_starts(md_context_t *ctx)
Set-up the given context for a new message digest.
md_info_from_type
const md_info_t * md_info_from_type(md_type_t md_type)
Returns the message digest information associated with the given digest type.
md_init_ctx
int md_init_ctx(md_context_t *ctx, const md_info_t *md_info)
Initialises and fills the message digest context structure with the appropriate values.
md_free
void md_free(md_context_t *ctx)
Free and clear the message-specific context of ctx.
md_finish
int md_finish(md_context_t *ctx, unsigned char *output)
Generic message digest final digest.
md_init
void md_init(md_context_t *ctx)
Initialize a md_context (as NONE)
md_update
int md_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic message digest process buffer.
md_type_t
md_type_t
Definition: md.h:51
POLARSSL_MD_NONE
@ POLARSSL_MD_NONE
Definition: md.h:52
POLARSSL_MD_SHA1
@ POLARSSL_MD_SHA1
Definition: md.h:56
POLARSSL_MD_SHA384
@ POLARSSL_MD_SHA384
Definition: md.h:59
POLARSSL_MD_SHA256
@ POLARSSL_MD_SHA256
Definition: md.h:58
pk_encrypt
int pk_encrypt(pk_context *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, size_t osize, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Encrypt message (including padding if relevant).
pk_sign
int pk_sign(pk_context *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, unsigned char *sig, size_t *sig_len, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Make signature, including padding if relevant.
pk_verify
int pk_verify(pk_context *ctx, md_type_t md_alg, const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len)
Verify signature (including padding if relevant).
pk_ec
#define pk_ec(pk)
Quick access to an EC context inside a PK context.
Definition: pk.h:84
pk_type_t
pk_type_t
Public key types.
Definition: pk.h:95
POLARSSL_PK_ECDSA
@ POLARSSL_PK_ECDSA
Definition: pk.h:100
POLARSSL_PK_ECKEY
@ POLARSSL_PK_ECKEY
Definition: pk.h:98
POLARSSL_PK_RSA
@ POLARSSL_PK_RSA
Definition: pk.h:97
POLARSSL_PK_NONE
@ POLARSSL_PK_NONE
Definition: pk.h:96
pk_can_do
int pk_can_do(pk_context *ctx, pk_type_t type)
Tell if a context can do the operation given by type.
platform.h
PolarSSL Platform abstraction layer.
sha1
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
sha1_starts
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
sha1_update
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
sha1_init
void sha1_init(sha1_context *ctx)
Initialize SHA-1 context.
sha1_finish
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
sha1_free
void sha1_free(sha1_context *ctx)
Clear SHA-1 context.
ssl.h
SSL/TLS functions.
TLS_EXT_SIG_ALG
#define TLS_EXT_SIG_ALG
Definition: ssl.h:400
SSL_SIG_ECDSA
#define SSL_SIG_ECDSA
Definition: ssl.h:326
ssl_read_record
int ssl_read_record(ssl_context *ssl)
SSL_LEGACY_RENEGOTIATION
#define SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:221
POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE
Processing of the ServerHelloDone handshake message failed.
Definition: ssl.h:130
ssl_send_alert_message
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
TLS_EXT_TRUNCATED_HMAC
#define TLS_EXT_TRUNCATED_HMAC
Definition: ssl.h:395
ssl_own_key
static pk_context * ssl_own_key(ssl_context *ssl)
Definition: ssl.h:1770
POLARSSL_ERR_SSL_INTERNAL_ERROR
#define POLARSSL_ERR_SSL_INTERNAL_ERROR
Internal error (eg, unexpected failure in lower-level module)
Definition: ssl.h:146
SSL_HS_CERTIFICATE_REQUEST
#define SSL_HS_CERTIFICATE_REQUEST
Definition: ssl.h:381
POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION
#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION
Handshake protocol not within min/max boundaries.
Definition: ssl.h:141
ssl_sig_from_pk
unsigned char ssl_sig_from_pk(pk_context *pk)
POLARSSL_ERR_SSL_NO_RNG
#define POLARSSL_ERR_SSL_NO_RNG
No RNG was provided to the SSL module.
Definition: ssl.h:115
SSL_MAX_FRAG_LEN_NONE
#define SSL_MAX_FRAG_LEN_NONE
Definition: ssl.h:199
TLS_EXT_SERVERNAME
#define TLS_EXT_SERVERNAME
Definition: ssl.h:390
SSL_HASH_SHA384
#define SSL_HASH_SHA384
Definition: ssl.h:321
POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST
Processing of the CertificateRequest handshake message failed.
Definition: ssl.h:128
SSL_CLIENT_FINISHED
@ SSL_CLIENT_FINISHED
Definition: ssl.h:488
SSL_CERTIFICATE_VERIFY
@ SSL_CERTIFICATE_VERIFY
Definition: ssl.h:486
SSL_CERTIFICATE_REQUEST
@ SSL_CERTIFICATE_REQUEST
Definition: ssl.h:482
SSL_SERVER_CERTIFICATE
@ SSL_SERVER_CERTIFICATE
Definition: ssl.h:480
SSL_HANDSHAKE_OVER
@ SSL_HANDSHAKE_OVER
Definition: ssl.h:493
SSL_SERVER_CHANGE_CIPHER_SPEC
@ SSL_SERVER_CHANGE_CIPHER_SPEC
Definition: ssl.h:489
SSL_SERVER_KEY_EXCHANGE
@ SSL_SERVER_KEY_EXCHANGE
Definition: ssl.h:481
SSL_CLIENT_CERTIFICATE
@ SSL_CLIENT_CERTIFICATE
Definition: ssl.h:484
SSL_HANDSHAKE_WRAPUP
@ SSL_HANDSHAKE_WRAPUP
Definition: ssl.h:492
SSL_SERVER_FINISHED
@ SSL_SERVER_FINISHED
Definition: ssl.h:490
SSL_HELLO_REQUEST
@ SSL_HELLO_REQUEST
Definition: ssl.h:477
SSL_SERVER_HELLO_DONE
@ SSL_SERVER_HELLO_DONE
Definition: ssl.h:483
SSL_CLIENT_HELLO
@ SSL_CLIENT_HELLO
Definition: ssl.h:478
SSL_CLIENT_CHANGE_CIPHER_SPEC
@ SSL_CLIENT_CHANGE_CIPHER_SPEC
Definition: ssl.h:487
SSL_CLIENT_KEY_EXCHANGE
@ SSL_CLIENT_KEY_EXCHANGE
Definition: ssl.h:485
SSL_FLUSH_BUFFERS
@ SSL_FLUSH_BUFFERS
Definition: ssl.h:491
SSL_SERVER_HELLO
@ SSL_SERVER_HELLO
Definition: ssl.h:479
ssl_handshake_client_step
int ssl_handshake_client_step(ssl_context *ssl)
SSL_LEGACY_BREAK_HANDSHAKE
#define SSL_LEGACY_BREAK_HANDSHAKE
Definition: ssl.h:232
ssl_write_record
int ssl_write_record(ssl_context *ssl)
SSL_ALERT_MSG_PROTOCOL_VERSION
#define SSL_ALERT_MSG_PROTOCOL_VERSION
Definition: ssl.h:365
SSL_HS_CERTIFICATE_VERIFY
#define SSL_HS_CERTIFICATE_VERIFY
Definition: ssl.h:383
ssl_md_alg_from_hash
md_type_t ssl_md_alg_from_hash(unsigned char hash)
POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition: ssl.h:108
SSL_INITIAL_HANDSHAKE
#define SSL_INITIAL_HANDSHAKE
Definition: ssl.h:216
SSL_SECURE_RENEGOTIATION
#define SSL_SECURE_RENEGOTIATION
Definition: ssl.h:222
POLARSSL_ERR_SSL_PK_TYPE_MISMATCH
#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH
Public key type mismatch (eg, asked for RSA key exchange and presented EC key)
Definition: ssl.h:144
POLARSSL_PREMASTER_SIZE
#define POLARSSL_PREMASTER_SIZE
Definition: ssl.h:453
ssl_psk_derive_premaster
int ssl_psk_derive_premaster(ssl_context *ssl, key_exchange_type_t key_ex)
SSL_HS_CLIENT_KEY_EXCHANGE
#define SSL_HS_CLIENT_KEY_EXCHANGE
Definition: ssl.h:384
SSL_TRUNC_HMAC_DISABLED
#define SSL_TRUNC_HMAC_DISABLED
Definition: ssl.h:234
ssl_write_certificate
int ssl_write_certificate(ssl_context *ssl)
TLS_EXT_ALPN
#define TLS_EXT_ALPN
Definition: ssl.h:402
SSL_MINOR_VERSION_0
#define SSL_MINOR_VERSION_0
Definition: ssl.h:154
TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
#define TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
Definition: ssl.h:397
POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET
#define POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET
Processing of the NewSessionTicket handshake message failed.
Definition: ssl.h:142
SSL_HS_CLIENT_HELLO
#define SSL_HS_CLIENT_HELLO
Definition: ssl.h:376
SSL_HS_SERVER_HELLO_DONE
#define SSL_HS_SERVER_HELLO_DONE
Definition: ssl.h:382
SSL_HASH_SHA512
#define SSL_HASH_SHA512
Definition: ssl.h:322
ssl_derive_keys
int ssl_derive_keys(ssl_context *ssl)
SSL_SESSION_TICKETS_DISABLED
#define SSL_SESSION_TICKETS_DISABLED
Definition: ssl.h:238
SSL_EMPTY_RENEGOTIATION_INFO
#define SSL_EMPTY_RENEGOTIATION_INFO
renegotiation info ext
Definition: ssl.h:310
SSL_CERT_TYPE_RSA_SIGN
#define SSL_CERT_TYPE_RSA_SIGN
Definition: ssl.h:332
SSL_LEGACY_NO_RENEGOTIATION
#define SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:230
SSL_HS_NEW_SESSION_TICKET
#define SSL_HS_NEW_SESSION_TICKET
Definition: ssl.h:378
ssl_write_change_cipher_spec
int ssl_write_change_cipher_spec(ssl_context *ssl)
POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED
#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED
The own private key or pre-shared key is not set, but needed.
Definition: ssl.h:119
SSL_MINOR_VERSION_3
#define SSL_MINOR_VERSION_3
Definition: ssl.h:157
ssl_optimize_checksum
void ssl_optimize_checksum(ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info)
ssl_write_finished
int ssl_write_finished(ssl_context *ssl)
SSL_MAX_MINOR_VERSION
#define SSL_MAX_MINOR_VERSION
Definition: ssl.h:182
SSL_ALERT_LEVEL_FATAL
#define SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:344
ssl_pk_alg_from_sig
pk_type_t ssl_pk_alg_from_sig(unsigned char sig)
ssl_own_cert
static x509_crt * ssl_own_cert(ssl_context *ssl)
Definition: ssl.h:1776
SSL_MAJOR_VERSION_3
#define SSL_MAJOR_VERSION_3
Definition: ssl.h:153
ssl_handshake_wrapup
void ssl_handshake_wrapup(ssl_context *ssl)
POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO
Processing of the ServerHello handshake message failed.
Definition: ssl.h:126
SSL_TRUNC_HMAC_ENABLED
#define SSL_TRUNC_HMAC_ENABLED
Definition: ssl.h:235
POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO
#define POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO
Unexpected message at ServerHello in renegotiation.
Definition: ssl.h:148
TLS_EXT_SERVERNAME_HOSTNAME
#define TLS_EXT_SERVERNAME_HOSTNAME
Definition: ssl.h:391
SSL_HASH_SHA224
#define SSL_HASH_SHA224
Definition: ssl.h:319
SSL_RENEGOTIATION
#define SSL_RENEGOTIATION
Definition: ssl.h:217
TLS_EXT_MAX_FRAGMENT_LENGTH
#define TLS_EXT_MAX_FRAGMENT_LENGTH
Definition: ssl.h:393
ssl_parse_certificate
int ssl_parse_certificate(ssl_context *ssl)
SSL_HS_SERVER_HELLO
#define SSL_HS_SERVER_HELLO
Definition: ssl.h:377
ssl_parse_finished
int ssl_parse_finished(ssl_context *ssl)
SSL_HASH_SHA256
#define SSL_HASH_SHA256
Definition: ssl.h:320
ssl_flush_output
int ssl_flush_output(ssl_context *ssl)
SSL_CERT_TYPE_ECDSA_SIGN
#define SSL_CERT_TYPE_ECDSA_SIGN
Definition: ssl.h:333
SSL_MAX_MAJOR_VERSION
#define SSL_MAX_MAJOR_VERSION
Definition: ssl.h:179
SSL_HS_SERVER_KEY_EXCHANGE
#define SSL_HS_SERVER_KEY_EXCHANGE
Definition: ssl.h:380
ssl_parse_change_cipher_spec
int ssl_parse_change_cipher_spec(ssl_context *ssl)
POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE
Processing of the Certificate handshake message failed.
Definition: ssl.h:127
POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE
Processing of the ServerKeyExchange handshake message failed.
Definition: ssl.h:129
SSL_SIG_RSA
#define SSL_SIG_RSA
Definition: ssl.h:325
TLS_EXT_RENEGOTIATION_INFO
#define TLS_EXT_RENEGOTIATION_INFO
Definition: ssl.h:406
SSL_COMPRESS_NULL
#define SSL_COMPRESS_NULL
Definition: ssl.h:209
SSL_HASH_SHA1
#define SSL_HASH_SHA1
Definition: ssl.h:318
POLARSSL_ERR_SSL_BAD_INPUT_DATA
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition: ssl.h:109
SSL_MSG_HANDSHAKE
#define SSL_MSG_HANDSHAKE
Definition: ssl.h:340
ssl_send_fatal_handshake_failure
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE
#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE
An unexpected message was received from our peer.
Definition: ssl.h:121
SSL_COMPRESS_DEFLATE
#define SSL_COMPRESS_DEFLATE
Definition: ssl.h:210
SSL_HASH_MD5
#define SSL_HASH_MD5
Definition: ssl.h:317
TLS_EXT_SESSION_TICKET
#define TLS_EXT_SESSION_TICKET
Definition: ssl.h:404
POLARSSL_ERR_SSL_MALLOC_FAILED
#define POLARSSL_ERR_SSL_MALLOC_FAILED
Memory allocation failed.
Definition: ssl.h:137
TLS_EXT_SUPPORTED_POINT_FORMATS
#define TLS_EXT_SUPPORTED_POINT_FORMATS
Definition: ssl.h:398
safer_memcmp
static int safer_memcmp(const void *a, const void *b, size_t n)
Definition: ssl.h:1797
ssl_get_ciphersuite_sig_pk_alg
pk_type_t ssl_get_ciphersuite_sig_pk_alg(const ssl_ciphersuite_t *info)
ssl_ciphersuite_from_id
const ssl_ciphersuite_t * ssl_ciphersuite_from_id(int ciphersuite_id)
POLARSSL_KEY_EXCHANGE_DHE_RSA
@ POLARSSL_KEY_EXCHANGE_DHE_RSA
Definition: ssl_ciphersuites.h:240
POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA
@ POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA
Definition: ssl_ciphersuites.h:242
POLARSSL_KEY_EXCHANGE_PSK
@ POLARSSL_KEY_EXCHANGE_PSK
Definition: ssl_ciphersuites.h:243
POLARSSL_KEY_EXCHANGE_DHE_PSK
@ POLARSSL_KEY_EXCHANGE_DHE_PSK
Definition: ssl_ciphersuites.h:244
POLARSSL_KEY_EXCHANGE_ECDHE_RSA
@ POLARSSL_KEY_EXCHANGE_ECDHE_RSA
Definition: ssl_ciphersuites.h:241
POLARSSL_KEY_EXCHANGE_ECDHE_PSK
@ POLARSSL_KEY_EXCHANGE_ECDHE_PSK
Definition: ssl_ciphersuites.h:246
POLARSSL_KEY_EXCHANGE_RSA_PSK
@ POLARSSL_KEY_EXCHANGE_RSA_PSK
Definition: ssl_ciphersuites.h:245
POLARSSL_KEY_EXCHANGE_RSA
@ POLARSSL_KEY_EXCHANGE_RSA
Definition: ssl_ciphersuites.h:239
POLARSSL_KEY_EXCHANGE_ECDH_RSA
@ POLARSSL_KEY_EXCHANGE_ECDH_RSA
Definition: ssl_ciphersuites.h:247
POLARSSL_KEY_EXCHANGE_ECDH_ECDSA
@ POLARSSL_KEY_EXCHANGE_ECDH_ECDSA
Definition: ssl_ciphersuites.h:248
_ssl_ciphersuite_t
This structure is used for storing ciphersuite information.
Definition: ssl_ciphersuites.h:261
_ssl_ciphersuite_t::max_minor_ver
int max_minor_ver
Definition: ssl_ciphersuites.h:272
_ssl_ciphersuite_t::key_exchange
key_exchange_type_t key_exchange
Definition: ssl_ciphersuites.h:267
_ssl_ciphersuite_t::mac
md_type_t mac
Definition: ssl_ciphersuites.h:266
_ssl_ciphersuite_t::min_minor_ver
int min_minor_ver
Definition: ssl_ciphersuites.h:270
_ssl_context
Definition: ssl.h:684
_ssl_context::trunc_hmac
int trunc_hmac
Definition: ssl.h:821
_ssl_context::handshake
ssl_handshake_params * handshake
Definition: ssl.h:741
_ssl_context::alpn_list
const char ** alpn_list
Definition: ssl.h:855
_ssl_context::minor_ver
int minor_ver
Definition: ssl.h:693
_ssl_context::ciphersuite_list
const int * ciphersuite_list[4]
Definition: ssl.h:816
_ssl_context::allow_legacy_renegotiation
int allow_legacy_renegotiation
Definition: ssl.h:814
_ssl_context::p_rng
void * p_rng
Definition: ssl.h:710
_ssl_context::hostname
unsigned char * hostname
Definition: ssl.h:847
_ssl_context::record_read
int record_read
Definition: ssl.h:767
_ssl_context::state
int state
Definition: ssl.h:688
_ssl_context::renego_records_seen
int renego_records_seen
Definition: ssl.h:690
_ssl_context::out_msg
unsigned char * out_msg
Definition: ssl.h:775
_ssl_context::f_rng
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:703
_ssl_context::psk
unsigned char * psk
Definition: ssl.h:837
_ssl_context::major_ver
int major_ver
Definition: ssl.h:692
_ssl_context::transform_negotiate
ssl_transform * transform_negotiate
Definition: ssl.h:750
_ssl_context::session_tickets
int session_tickets
Definition: ssl.h:824
_ssl_context::psk_identity_len
size_t psk_identity_len
Definition: ssl.h:840
_ssl_context::renegotiation
int renegotiation
Definition: ssl.h:689
_ssl_context::psk_identity
unsigned char * psk_identity
Definition: ssl.h:839
_ssl_context::hostname_len
size_t hostname_len
Definition: ssl.h:848
_ssl_context::min_minor_ver
int min_minor_ver
Definition: ssl.h:698
_ssl_context::verify_data_len
size_t verify_data_len
Definition: ssl.h:864
_ssl_context::max_major_ver
int max_major_ver
Definition: ssl.h:695
_ssl_context::alpn_chosen
const char * alpn_chosen
Definition: ssl.h:856
_ssl_context::in_hslen
size_t in_hslen
Definition: ssl.h:765
_ssl_context::min_major_ver
int min_major_ver
Definition: ssl.h:697
_ssl_context::in_msgtype
int in_msgtype
Definition: ssl.h:761
_ssl_context::session_negotiate
ssl_session * session_negotiate
Definition: ssl.h:739
_ssl_context::own_verify_data
char own_verify_data[36]
Definition: ssl.h:865
_ssl_context::out_msgtype
int out_msgtype
Definition: ssl.h:777
_ssl_context::mfl_code
unsigned char mfl_code
Definition: ssl.h:785
_ssl_context::secure_renegotiation
int secure_renegotiation
Definition: ssl.h:862
_ssl_context::max_minor_ver
int max_minor_ver
Definition: ssl.h:696
_ssl_context::client_auth
int client_auth
Definition: ssl.h:811
_ssl_context::out_msglen
size_t out_msglen
Definition: ssl.h:778
_ssl_context::peer_verify_data
char peer_verify_data[36]
Definition: ssl.h:866
_ssl_context::in_msg
unsigned char * in_msg
Definition: ssl.h:758
_ssl_context::renego_max_records
int renego_max_records
Definition: ssl.h:815
_ssl_handshake_params::dhm_ctx
dhm_context dhm_ctx
Definition: ssl.h:596
_ssl_handshake_params::cert_type
int cert_type
Definition: ssl.h:593
_ssl_handshake_params::calc_verify
void(* calc_verify)(ssl_context *, unsigned char *)
Definition: ssl.h:635
_ssl_handshake_params::pmslen
size_t pmslen
Definition: ssl.h:641
_ssl_handshake_params::resume
int resume
Definition: ssl.h:647
_ssl_handshake_params::ecdh_ctx
ecdh_context ecdh_ctx
Definition: ssl.h:599
_ssl_handshake_params::premaster
unsigned char premaster[POLARSSL_PREMASTER_SIZE]
Definition: ssl.h:644
_ssl_handshake_params::new_session_ticket
int new_session_ticket
Definition: ssl.h:653
_ssl_handshake_params::randbytes
unsigned char randbytes[64]
Definition: ssl.h:643
_ssl_session::id
unsigned char id[32]
Definition: ssl.h:520
_ssl_session::ciphersuite
int ciphersuite
Definition: ssl.h:517
_ssl_session::ticket_lifetime
uint32_t ticket_lifetime
Definition: ssl.h:531
_ssl_session::length
size_t length
Definition: ssl.h:519
_ssl_session::compression
int compression
Definition: ssl.h:518
_ssl_session::trunc_hmac
int trunc_hmac
Definition: ssl.h:539
_ssl_session::ticket_len
size_t ticket_len
Definition: ssl.h:530
_ssl_session::ticket
unsigned char * ticket
Definition: ssl.h:529
_ssl_session::peer_cert
x509_crt * peer_cert
Definition: ssl.h:524
_ssl_session::start
time_t start
Definition: ssl.h:515
_ssl_transform::ciphersuite_info
const ssl_ciphersuite_t * ciphersuite_info
Definition: ssl.h:552
dhm_context::G
mpi G
Definition: dhm.h:160
dhm_context::GX
mpi GX
Definition: dhm.h:162
dhm_context::GY
mpi GY
Definition: dhm.h:163
dhm_context::len
size_t len
Definition: dhm.h:158
dhm_context::K
mpi K
Definition: dhm.h:164
dhm_context::X
mpi X
Definition: dhm.h:161
dhm_context::P
mpi P
Definition: dhm.h:159
ecdh_context::point_format
int point_format
Definition: ecdh.h:55
ecdh_context::Q
ecp_point Q
Definition: ecdh.h:52
ecdh_context::grp
ecp_group grp
Definition: ecdh.h:50
ecdh_context::z
mpi z
Definition: ecdh.h:54
ecdh_context::Qp
ecp_point Qp
Definition: ecdh.h:53
ecp_curve_info
Curve information for use by other modules.
Definition: ecp.h:88
ecp_curve_info::name
const char * name
Definition: ecp.h:92
ecp_curve_info::tls_id
uint16_t tls_id
Definition: ecp.h:90
ecp_curve_info::grp_id
ecp_group_id grp_id
Definition: ecp.h:89
ecp_group::nbits
size_t nbits
Definition: ecp.h:145
ecp_group::id
ecp_group_id id
Definition: ecp.h:138
ecp_keypair
ECP key pair structure.
Definition: ecp.h:164
md5_context
MD5 context structure.
Definition: md5.h:59
md_context_t
Generic message digest context.
Definition: md.h:132
sha1_context
SHA-1 context structure.
Definition: sha1.h:59
polarssl_malloc
#define polarssl_malloc
Definition: test_suite_aes.cbc.c:310
polarssl_free
#define polarssl_free
Definition: test_suite_aes.cbc.c:311
Generated on Sat Jul 2 2022 03:36:42 for PolarSSL v1.3.9 by doxygen 1.9.3