PolarSSL v1.3.1
ssl_cli.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 client-side functions
3  *
4  * Copyright (C) 2006-2013, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 #include "polarssl/config.h"
27 
28 #if defined(POLARSSL_SSL_CLI_C)
29 
30 #include "polarssl/debug.h"
31 #include "polarssl/ssl.h"
32 
33 #if defined(POLARSSL_MEMORY_C)
34 #include "polarssl/memory.h"
35 #else
36 #define polarssl_malloc malloc
37 #define polarssl_free free
38 #endif
39 
40 #include <stdlib.h>
41 #include <stdio.h>
42 
43 #ifdef _MSC_VER
44 #include <basetsd.h>
45 typedef UINT32 uint32_t;
46 #else
47 #include <inttypes.h>
48 #endif
49 
50 #if defined(POLARSSL_HAVE_TIME)
51 #include <time.h>
52 #endif
53 
54 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
55 static void ssl_write_hostname_ext( ssl_context *ssl,
56  unsigned char *buf,
57  size_t *olen )
58 {
59  unsigned char *p = buf;
60 
61  *olen = 0;
62 
63  if ( ssl->hostname == NULL )
64  return;
65 
66  SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
67  ssl->hostname ) );
68 
69  /*
70  * struct {
71  * NameType name_type;
72  * select (name_type) {
73  * case host_name: HostName;
74  * } name;
75  * } ServerName;
76  *
77  * enum {
78  * host_name(0), (255)
79  * } NameType;
80  *
81  * opaque HostName<1..2^16-1>;
82  *
83  * struct {
84  * ServerName server_name_list<1..2^16-1>
85  * } ServerNameList;
86  */
87  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
88  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME ) & 0xFF );
89 
90  *p++ = (unsigned char)( ( (ssl->hostname_len + 5) >> 8 ) & 0xFF );
91  *p++ = (unsigned char)( ( (ssl->hostname_len + 5) ) & 0xFF );
92 
93  *p++ = (unsigned char)( ( (ssl->hostname_len + 3) >> 8 ) & 0xFF );
94  *p++ = (unsigned char)( ( (ssl->hostname_len + 3) ) & 0xFF );
95 
96  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
97  *p++ = (unsigned char)( ( ssl->hostname_len >> 8 ) & 0xFF );
98  *p++ = (unsigned char)( ( ssl->hostname_len ) & 0xFF );
99 
100  memcpy( p, ssl->hostname, ssl->hostname_len );
101 
102  *olen = ssl->hostname_len + 9;
103 }
104 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
105 
106 static void ssl_write_renegotiation_ext( ssl_context *ssl,
107  unsigned char *buf,
108  size_t *olen )
109 {
110  unsigned char *p = buf;
111 
112  *olen = 0;
113 
114  if( ssl->renegotiation != SSL_RENEGOTIATION )
115  return;
116 
117  SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
118 
119  /*
120  * Secure renegotiation
121  */
122  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
123  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
124 
125  *p++ = 0x00;
126  *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
127  *p++ = ssl->verify_data_len & 0xFF;
128 
129  memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
130 
131  *olen = 5 + ssl->verify_data_len;
132 }
133 
134 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
135 static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
136  unsigned char *buf,
137  size_t *olen )
138 {
139  unsigned char *p = buf;
140  unsigned char *sig_alg_list = buf + 6;
141  size_t sig_alg_len = 0;
142 
143  *olen = 0;
144 
145  if( ssl->max_minor_ver != SSL_MINOR_VERSION_3 )
146  return;
147 
148  SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
149 
150  /*
151  * Prepare signature_algorithms extension (TLS 1.2)
152  */
153 #if defined(POLARSSL_RSA_C)
154 #if defined(POLARSSL_SHA512_C)
155  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
156  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
157  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
158  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
159 #endif
160 #if defined(POLARSSL_SHA256_C)
161  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
162  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
163  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
164  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
165 #endif
166 #if defined(POLARSSL_SHA1_C)
167  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
168  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
169 #endif
170 #if defined(POLARSSL_MD5_C)
171  sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
172  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
173 #endif
174 #endif /* POLARSSL_RSA_C */
175 #if defined(POLARSSL_ECDSA_C)
176 #if defined(POLARSSL_SHA512_C)
177  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
178  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
179  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
180  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
181 #endif
182 #if defined(POLARSSL_SHA256_C)
183  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
184  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
185  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
186  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
187 #endif
188 #if defined(POLARSSL_SHA1_C)
189  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
190  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
191 #endif
192 #if defined(POLARSSL_MD5_C)
193  sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
194  sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
195 #endif
196 #endif /* POLARSSL_ECDSA_C */
197 
198  /*
199  * enum {
200  * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
201  * sha512(6), (255)
202  * } HashAlgorithm;
203  *
204  * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
205  * SignatureAlgorithm;
206  *
207  * struct {
208  * HashAlgorithm hash;
209  * SignatureAlgorithm signature;
210  * } SignatureAndHashAlgorithm;
211  *
212  * SignatureAndHashAlgorithm
213  * supported_signature_algorithms<2..2^16-2>;
214  */
215  *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
216  *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG ) & 0xFF );
217 
218  *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
219  *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
220 
221  *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
222  *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
223 
224  *olen = 6 + sig_alg_len;
225 }
226 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
227 
228 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
229 static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
230  unsigned char *buf,
231  size_t *olen )
232 {
233  unsigned char *p = buf;
234  unsigned char elliptic_curve_list[20];
235  size_t elliptic_curve_len = 0;
236  const ecp_curve_info *curve;
237  ((void) ssl);
238 
239  *olen = 0;
240 
241  SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
242 
243  for( curve = ecp_curve_list();
244  curve->grp_id != POLARSSL_ECP_DP_NONE;
245  curve++ )
246  {
247  elliptic_curve_list[elliptic_curve_len++] = curve->tls_id >> 8;
248  elliptic_curve_list[elliptic_curve_len++] = curve->tls_id & 0xFF;
249  }
250 
251  if( elliptic_curve_len == 0 )
252  return;
253 
254  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
255  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
256 
257  *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
258  *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
259 
260  *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
261  *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
262 
263  memcpy( p, elliptic_curve_list, elliptic_curve_len );
264 
265  *olen = 6 + elliptic_curve_len;
266 }
267 
268 static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
269  unsigned char *buf,
270  size_t *olen )
271 {
272  unsigned char *p = buf;
273  ((void) ssl);
274 
275  *olen = 0;
276 
277  SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
278 
279  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
280  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
281 
282  *p++ = 0x00;
283  *p++ = 2;
284 
285  *p++ = 1;
287 
288  *olen = 6;
289 }
290 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
291 
292 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
293 static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
294  unsigned char *buf,
295  size_t *olen )
296 {
297  unsigned char *p = buf;
298 
299  if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ) {
300  *olen = 0;
301  return;
302  }
303 
304  SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
305 
306  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
307  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
308 
309  *p++ = 0x00;
310  *p++ = 1;
311 
312  *p++ = ssl->mfl_code;
313 
314  *olen = 5;
315 }
316 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
317 
318 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
319 static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
320  unsigned char *buf, size_t *olen )
321 {
322  unsigned char *p = buf;
323 
324  if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
325  {
326  *olen = 0;
327  return;
328  }
329 
330  SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
331 
332  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
333  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
334 
335  *p++ = 0x00;
336  *p++ = 0x00;
337 
338  *olen = 4;
339 }
340 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
341 
342 #if defined(POLARSSL_SSL_SESSION_TICKETS)
343 static void ssl_write_session_ticket_ext( ssl_context *ssl,
344  unsigned char *buf, size_t *olen )
345 {
346  unsigned char *p = buf;
347  size_t tlen = ssl->session_negotiate->ticket_len;
348 
350  {
351  *olen = 0;
352  return;
353  }
354 
355  SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
356 
357  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
358  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
359 
360  *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
361  *p++ = (unsigned char)( ( tlen ) & 0xFF );
362 
363  *olen = 4;
364 
365  if( ssl->session_negotiate->ticket == NULL ||
366  ssl->session_negotiate->ticket_len == 0 )
367  {
368  return;
369  }
370 
371  SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
372 
373  memcpy( p, ssl->session_negotiate->ticket, tlen );
374 
375  *olen += tlen;
376 }
377 #endif /* POLARSSL_SSL_SESSION_TICKETS */
378 
379 static int ssl_write_client_hello( ssl_context *ssl )
380 {
381  int ret;
382  size_t i, n, olen, ext_len = 0;
383  unsigned char *buf;
384  unsigned char *p, *q;
385 #if defined(POLARSSL_HAVE_TIME)
386  time_t t;
387 #endif
388  const int *ciphersuites;
389  const ssl_ciphersuite_t *ciphersuite_info;
390 
391  SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
392 
394  {
395  ssl->major_ver = ssl->min_major_ver;
396  ssl->minor_ver = ssl->min_minor_ver;
397  }
398 
399  if( ssl->max_major_ver == 0 && ssl->max_minor_ver == 0 )
400  {
403  }
404 
405  /*
406  * 0 . 0 handshake type
407  * 1 . 3 handshake length
408  * 4 . 5 highest version supported
409  * 6 . 9 current UNIX time
410  * 10 . 37 random bytes
411  */
412  buf = ssl->out_msg;
413  p = buf + 4;
414 
415  *p++ = (unsigned char) ssl->max_major_ver;
416  *p++ = (unsigned char) ssl->max_minor_ver;
417 
418  SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
419  buf[4], buf[5] ) );
420 
421 #if defined(POLARSSL_HAVE_TIME)
422  t = time( NULL );
423  *p++ = (unsigned char)( t >> 24 );
424  *p++ = (unsigned char)( t >> 16 );
425  *p++ = (unsigned char)( t >> 8 );
426  *p++ = (unsigned char)( t );
427 
428  SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
429 #else
430  if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
431  return( ret );
432 
433  p += 4;
434 #endif
435 
436  if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
437  return( ret );
438 
439  p += 28;
440 
441  memcpy( ssl->handshake->randbytes, buf + 6, 32 );
442 
443  SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 6, 32 );
444 
445  /*
446  * 38 . 38 session id length
447  * 39 . 39+n session id
448  * 40+n . 41+n ciphersuitelist length
449  * 42+n . .. ciphersuitelist
450  * .. . .. compression methods length
451  * .. . .. compression methods
452  * .. . .. extensions length
453  * .. . .. extensions
454  */
455  n = ssl->session_negotiate->length;
456 
457  if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE || n < 16 || n > 32 ||
458  ssl->handshake->resume == 0 )
459  {
460  n = 0;
461  }
462 
463 #if defined(POLARSSL_SSL_SESSION_TICKETS)
464  /*
465  * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
466  * generate and include a Session ID in the TLS ClientHello."
467  */
468  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
469  ssl->session_negotiate->ticket != NULL &&
470  ssl->session_negotiate->ticket_len != 0 )
471  {
472  ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );
473 
474  if( ret != 0 )
475  return( ret );
476 
477  ssl->session_negotiate->length = n = 32;
478  }
479 #endif /* POLARSSL_SSL_SESSION_TICKETS */
480 
481  *p++ = (unsigned char) n;
482 
483  for( i = 0; i < n; i++ )
484  *p++ = ssl->session_negotiate->id[i];
485 
486  SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
487  SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
488 
489  ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
490  n = 0;
491  q = p;
492 
493  // Skip writing ciphersuite length for now
494  p += 2;
495 
496  /*
497  * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
498  */
500  {
501  *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
502  *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO );
503  n++;
504  }
505 
506  for( i = 0; ciphersuites[i] != 0; i++ )
507  {
508  ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
509 
510  if( ciphersuite_info == NULL )
511  continue;
512 
513  if( ciphersuite_info->min_minor_ver > ssl->max_minor_ver ||
514  ciphersuite_info->max_minor_ver < ssl->min_minor_ver )
515  continue;
516 
517  SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
518  ciphersuites[i] ) );
519 
520  n++;
521  *p++ = (unsigned char)( ciphersuites[i] >> 8 );
522  *p++ = (unsigned char)( ciphersuites[i] );
523  }
524 
525  *q++ = (unsigned char)( n >> 7 );
526  *q++ = (unsigned char)( n << 1 );
527 
528  SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
529 
530 
531 #if defined(POLARSSL_ZLIB_SUPPORT)
532  SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
533  SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
535 
536  *p++ = 2;
537  *p++ = SSL_COMPRESS_DEFLATE;
538  *p++ = SSL_COMPRESS_NULL;
539 #else
540  SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
541  SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", SSL_COMPRESS_NULL ) );
542 
543  *p++ = 1;
544  *p++ = SSL_COMPRESS_NULL;
545 #endif
546 
547  // First write extensions, then the total length
548  //
549 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
550  ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
551  ext_len += olen;
552 #endif
553 
554  ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
555  ext_len += olen;
556 
557 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
558  ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
559  ext_len += olen;
560 #endif
561 
562 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
563  ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
564  ext_len += olen;
565 
566  ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
567  ext_len += olen;
568 #endif
569 
570 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
571  ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
572  ext_len += olen;
573 #endif
574 
575 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
576  ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
577  ext_len += olen;
578 #endif
579 
580 #if defined(POLARSSL_SSL_SESSION_TICKETS)
581  ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
582  ext_len += olen;
583 #endif
584 
585  SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
586  ext_len ) );
587 
588  *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
589  *p++ = (unsigned char)( ( ext_len ) & 0xFF );
590  p += ext_len;
591 
592  ssl->out_msglen = p - buf;
594  ssl->out_msg[0] = SSL_HS_CLIENT_HELLO;
595 
596  ssl->state++;
597 
598  if( ( ret = ssl_write_record( ssl ) ) != 0 )
599  {
600  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
601  return( ret );
602  }
603 
604  SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
605 
606  return( 0 );
607 }
608 
609 static int ssl_parse_renegotiation_info( ssl_context *ssl,
610  const unsigned char *buf,
611  size_t len )
612 {
613  int ret;
614 
616  {
617  if( len != 1 || buf[0] != 0x0 )
618  {
619  SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
620 
621  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
622  return( ret );
623 
625  }
626 
628  }
629  else
630  {
631  if( len != 1 + ssl->verify_data_len * 2 ||
632  buf[0] != ssl->verify_data_len * 2 ||
633  memcmp( buf + 1, ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
634  memcmp( buf + 1 + ssl->verify_data_len,
635  ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
636  {
637  SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
638 
639  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
640  return( ret );
641 
643  }
644  }
645 
646  return( 0 );
647 }
648 
649 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
650 static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
651  const unsigned char *buf,
652  size_t len )
653 {
654  /*
655  * server should use the extension only if we did,
656  * and if so the server's value should match ours (and len is always 1)
657  */
658  if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ||
659  len != 1 ||
660  buf[0] != ssl->mfl_code )
661  {
663  }
664 
665  return( 0 );
666 }
667 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
668 
669 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
670 static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
671  const unsigned char *buf,
672  size_t len )
673 {
674  if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED ||
675  len != 0 )
676  {
678  }
679 
680  ((void) buf);
681 
683 
684  return( 0 );
685 }
686 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
687 
688 #if defined(POLARSSL_SSL_SESSION_TICKETS)
689 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
690  const unsigned char *buf,
691  size_t len )
692 {
694  len != 0 )
695  {
697  }
698 
699  ((void) buf);
700 
701  ssl->handshake->new_session_ticket = 1;
702 
703  return( 0 );
704 }
705 #endif /* POLARSSL_SSL_SESSION_TICKETS */
706 
707 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
708 static int ssl_parse_supported_point_formats_ext( ssl_context *ssl,
709  const unsigned char *buf,
710  size_t len )
711 {
712  size_t list_size;
713  const unsigned char *p;
714 
715  list_size = buf[0];
716  if( list_size + 1 != len )
717  {
718  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
720  }
721 
722  p = buf + 2;
723  while( list_size > 0 )
724  {
725  if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
727  {
728  ssl->handshake->ecdh_ctx.point_format = p[0];
729  SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
730  return( 0 );
731  }
732 
733  list_size--;
734  p++;
735  }
736 
737  return( 0 );
738 }
739 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
740 
741 static int ssl_parse_server_hello( ssl_context *ssl )
742 {
743  int ret, i, comp;
744  size_t n;
745  size_t ext_len = 0;
746  unsigned char *buf, *ext;
747  int renegotiation_info_seen = 0;
748  int handshake_failure = 0;
749 #if defined(POLARSSL_DEBUG_C)
750  uint32_t t;
751 #endif
752 
753  SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
754 
755  /*
756  * 0 . 0 handshake type
757  * 1 . 3 handshake length
758  * 4 . 5 protocol version
759  * 6 . 9 UNIX time()
760  * 10 . 37 random bytes
761  */
762  buf = ssl->in_msg;
763 
764  if( ( ret = ssl_read_record( ssl ) ) != 0 )
765  {
766  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
767  return( ret );
768  }
769 
770  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
771  {
772  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
774  }
775 
776  SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
777  buf[4], buf[5] ) );
778 
779  if( ssl->in_hslen < 42 ||
780  buf[0] != SSL_HS_SERVER_HELLO ||
781  buf[4] != SSL_MAJOR_VERSION_3 )
782  {
783  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
785  }
786 
787  if( buf[5] > ssl->max_minor_ver )
788  {
789  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
791  }
792 
793  ssl->minor_ver = buf[5];
794 
795  if( ssl->minor_ver < ssl->min_minor_ver )
796  {
797  SSL_DEBUG_MSG( 1, ( "server only supports ssl smaller than minimum"
798  " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
799  buf[4], buf[5] ) );
800 
803 
805  }
806 
807 #if defined(POLARSSL_DEBUG_C)
808  t = ( (uint32_t) buf[6] << 24 )
809  | ( (uint32_t) buf[7] << 16 )
810  | ( (uint32_t) buf[8] << 8 )
811  | ( (uint32_t) buf[9] );
812  SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
813 #endif
814 
815  memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
816 
817  n = buf[38];
818 
819  SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
820 
821  if( n > 32 )
822  {
823  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
825  }
826 
827  /*
828  * 38 . 38 session id length
829  * 39 . 38+n session id
830  * 39+n . 40+n chosen ciphersuite
831  * 41+n . 41+n chosen compression alg.
832  * 42+n . 43+n extensions length
833  * 44+n . 44+n+m extensions
834  */
835  if( ssl->in_hslen > 42 + n )
836  {
837  ext_len = ( ( buf[42 + n] << 8 )
838  | ( buf[43 + n] ) );
839 
840  if( ( ext_len > 0 && ext_len < 4 ) ||
841  ssl->in_hslen != 44 + n + ext_len )
842  {
843  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
845  }
846  }
847 
848  i = ( buf[39 + n] << 8 ) | buf[40 + n];
849  comp = buf[41 + n];
850 
851  /*
852  * Initialize update checksum functions
853  */
856 
857  if( ssl->transform_negotiate->ciphersuite_info == NULL )
858  {
859  SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
860  ssl->ciphersuite_list[ssl->minor_ver][i] ) );
862  }
863 
864  SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
865  SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
866 
867  /*
868  * Check if the session can be resumed
869  */
870  if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
871  ssl->handshake->resume == 0 || n == 0 ||
872  ssl->session_negotiate->ciphersuite != i ||
873  ssl->session_negotiate->compression != comp ||
874  ssl->session_negotiate->length != n ||
875  memcmp( ssl->session_negotiate->id, buf + 39, n ) != 0 )
876  {
877  ssl->state++;
878  ssl->handshake->resume = 0;
879 #if defined(POLARSSL_HAVE_TIME)
880  ssl->session_negotiate->start = time( NULL );
881 #endif
882  ssl->session_negotiate->ciphersuite = i;
883  ssl->session_negotiate->compression = comp;
884  ssl->session_negotiate->length = n;
885  memcpy( ssl->session_negotiate->id, buf + 39, n );
886  }
887  else
888  {
890 
891  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
892  {
893  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
894  return( ret );
895  }
896  }
897 
898  SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
899  ssl->handshake->resume ? "a" : "no" ) );
900 
901  SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) );
902  SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) );
903 
904  i = 0;
905  while( 1 )
906  {
907  if( ssl->ciphersuite_list[ssl->minor_ver][i] == 0 )
908  {
909  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
911  }
912 
913  if( ssl->ciphersuite_list[ssl->minor_ver][i++] ==
915  {
916  break;
917  }
918  }
919 
920  if( comp != SSL_COMPRESS_NULL
921 #if defined(POLARSSL_ZLIB_SUPPORT)
922  && comp != SSL_COMPRESS_DEFLATE
923 #endif
924  )
925  {
926  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
928  }
929  ssl->session_negotiate->compression = comp;
930 
931  ext = buf + 44 + n;
932 
933  SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
934 
935  while( ext_len )
936  {
937  unsigned int ext_id = ( ( ext[0] << 8 )
938  | ( ext[1] ) );
939  unsigned int ext_size = ( ( ext[2] << 8 )
940  | ( ext[3] ) );
941 
942  if( ext_size + 4 > ext_len )
943  {
944  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
946  }
947 
948  switch( ext_id )
949  {
951  SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
952  renegotiation_info_seen = 1;
953 
954  if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ) ) != 0 )
955  return( ret );
956 
957  break;
958 
959 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
961  SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
962 
963  if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
964  ext + 4, ext_size ) ) != 0 )
965  {
966  return( ret );
967  }
968 
969  break;
970 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
971 
972 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
974  SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
975 
976  if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
977  ext + 4, ext_size ) ) != 0 )
978  {
979  return( ret );
980  }
981 
982  break;
983 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
984 
985 #if defined(POLARSSL_SSL_SESSION_TICKETS)
987  SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
988 
989  if( ( ret = ssl_parse_session_ticket_ext( ssl,
990  ext + 4, ext_size ) ) != 0 )
991  {
992  return( ret );
993  }
994 
995  break;
996 #endif /* POLARSSL_SSL_SESSION_TICKETS */
997 
998 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1000  SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
1001 
1002  if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
1003  ext + 4, ext_size ) ) != 0 )
1004  {
1005  return( ret );
1006  }
1007 
1008  break;
1009 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1010 
1011  default:
1012  SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1013  ext_id ) );
1014  }
1015 
1016  ext_len -= 4 + ext_size;
1017  ext += 4 + ext_size;
1018 
1019  if( ext_len > 0 && ext_len < 4 )
1020  {
1021  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1023  }
1024  }
1025 
1026  /*
1027  * Renegotiation security checks
1028  */
1031  {
1032  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1033  handshake_failure = 1;
1034  }
1035  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1037  renegotiation_info_seen == 0 )
1038  {
1039  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1040  handshake_failure = 1;
1041  }
1042  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1045  {
1046  SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1047  handshake_failure = 1;
1048  }
1049  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1051  renegotiation_info_seen == 1 )
1052  {
1053  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1054  handshake_failure = 1;
1055  }
1056 
1057  if( handshake_failure == 1 )
1058  {
1059  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1060  return( ret );
1061 
1063  }
1064 
1065  SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
1066 
1067  return( 0 );
1068 }
1069 
1070 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1071  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1072 static int ssl_parse_server_dh_params( ssl_context *ssl, unsigned char **p,
1073  unsigned char *end )
1074 {
1076 
1077  /*
1078  * Ephemeral DH parameters:
1079  *
1080  * struct {
1081  * opaque dh_p<1..2^16-1>;
1082  * opaque dh_g<1..2^16-1>;
1083  * opaque dh_Ys<1..2^16-1>;
1084  * } ServerDHParams;
1085  */
1086  if( ( ret = dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
1087  {
1088  SSL_DEBUG_RET( 2, ( "dhm_read_params" ), ret );
1089  return( ret );
1090  }
1091 
1092  if( ssl->handshake->dhm_ctx.len < 64 ||
1093  ssl->handshake->dhm_ctx.len > 512 )
1094  {
1095  SSL_DEBUG_MSG( 1, ( "bad server key exchange message (DHM length)" ) );
1097  }
1098 
1099  SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1100  SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1101  SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
1102 
1103  return( ret );
1104 }
1105 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1106  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1107 
1108 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1109  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1110  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1111 static int ssl_parse_server_ecdh_params( ssl_context *ssl,
1112  unsigned char **p,
1113  unsigned char *end )
1114 {
1116 
1117  /*
1118  * Ephemeral ECDH parameters:
1119  *
1120  * struct {
1121  * ECParameters curve_params;
1122  * ECPoint public;
1123  * } ServerECDHParams;
1124  */
1125  if( ( ret = ecdh_read_params( &ssl->handshake->ecdh_ctx,
1126  (const unsigned char **) p, end ) ) != 0 )
1127  {
1128  SSL_DEBUG_RET( 1, ( "ecdh_read_params" ), ret );
1129  return( ret );
1130  }
1131 
1132  SSL_DEBUG_MSG( 2, ( "ECDH curve size: %d",
1133  (int) ssl->handshake->ecdh_ctx.grp.nbits ) );
1134 
1135  if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
1136  ssl->handshake->ecdh_ctx.grp.nbits > 521 )
1137  {
1138  SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDH length)" ) );
1140  }
1141 
1142  SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp );
1143 
1144  return( ret );
1145 }
1146 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1147  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1148  POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
1149 
1150 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
1151 static int ssl_parse_server_psk_hint( ssl_context *ssl,
1152  unsigned char **p,
1153  unsigned char *end )
1154 {
1156  size_t len;
1157  ((void) ssl);
1158 
1159  /*
1160  * PSK parameters:
1161  *
1162  * opaque psk_identity_hint<0..2^16-1>;
1163  */
1164  len = (*p)[0] << 8 | (*p)[1];
1165  *p += 2;
1166 
1167  if( (*p) + len > end )
1168  {
1169  SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) );
1171  }
1172 
1173  // TODO: Retrieve PSK identity hint and callback to app
1174  //
1175  *p += len;
1176  ret = 0;
1177 
1178  return( ret );
1179 }
1180 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
1181 
1182 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
1183  defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
1184 /*
1185  * Generate a pre-master secret and encrypt it with the server's RSA key
1186  */
1187 static int ssl_write_encrypted_pms( ssl_context *ssl,
1188  size_t offset, size_t *olen,
1189  size_t pms_offset )
1190 {
1191  int ret;
1192  size_t len_bytes = ssl->minor_ver == SSL_MINOR_VERSION_0 ? 0 : 2;
1193  unsigned char *p = ssl->handshake->premaster + pms_offset;
1194 
1195  /*
1196  * Generate (part of) the pre-master as
1197  * struct {
1198  * ProtocolVersion client_version;
1199  * opaque random[46];
1200  * } PreMasterSecret;
1201  */
1202  p[0] = (unsigned char) ssl->max_major_ver;
1203  p[1] = (unsigned char) ssl->max_minor_ver;
1204 
1205  if( ( ret = ssl->f_rng( ssl->p_rng, p + 2, 46 ) ) != 0 )
1206  {
1207  SSL_DEBUG_RET( 1, "f_rng", ret );
1208  return( ret );
1209  }
1210 
1211  ssl->handshake->pmslen = 48;
1212 
1213  /*
1214  * Now write it out, encrypted
1215  */
1216  if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
1217  POLARSSL_PK_RSA ) )
1218  {
1219  SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
1221  }
1222 
1223  if( ( ret = pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
1224  p, ssl->handshake->pmslen,
1225  ssl->out_msg + offset + len_bytes, olen,
1226  SSL_MAX_CONTENT_LEN - offset - len_bytes,
1227  ssl->f_rng, ssl->p_rng ) ) != 0 )
1228  {
1229  SSL_DEBUG_RET( 1, "rsa_pkcs1_encrypt", ret );
1230  return( ret );
1231  }
1232 
1233 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1234  defined(POLARSSL_SSL_PROTO_TLS1_2)
1235  if( len_bytes == 2 )
1236  {
1237  ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
1238  ssl->out_msg[offset+1] = (unsigned char)( *olen );
1239  *olen += 2;
1240  }
1241 #endif
1242 
1243  return( 0 );
1244 }
1245 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED ||
1246  POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
1247 
1248 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1249 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1250  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1251  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1252 static int ssl_parse_signature_algorithm( ssl_context *ssl,
1253  unsigned char **p,
1254  unsigned char *end,
1255  md_type_t *md_alg,
1256  pk_type_t *pk_alg )
1257 {
1258  ((void) ssl);
1259  *md_alg = POLARSSL_MD_NONE;
1260  *pk_alg = POLARSSL_PK_NONE;
1261 
1262  /* Only in TLS 1.2 */
1263  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
1264  {
1265  return( 0 );
1266  }
1267 
1268  if( (*p) + 2 > end )
1270 
1271  /*
1272  * Get hash algorithm
1273  */
1274  if( ( *md_alg = ssl_md_alg_from_hash( (*p)[0] ) ) == POLARSSL_MD_NONE )
1275  {
1276  SSL_DEBUG_MSG( 2, ( "Server used unsupported "
1277  "HashAlgorithm %d", *(p)[0] ) );
1279  }
1280 
1281  /*
1282  * Get signature algorithm
1283  */
1284  if( ( *pk_alg = ssl_pk_alg_from_sig( (*p)[1] ) ) == POLARSSL_PK_NONE )
1285  {
1286  SSL_DEBUG_MSG( 2, ( "server used unsupported "
1287  "SignatureAlgorithm %d", (*p)[1] ) );
1289  }
1290 
1291  SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
1292  SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
1293  *p += 2;
1294 
1295  return( 0 );
1296 }
1297 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1298  POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1299  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1300 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1301 
1302 static int ssl_parse_server_key_exchange( ssl_context *ssl )
1303 {
1304  int ret;
1305  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1306  unsigned char *p, *end;
1307 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1308  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1309  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1310  size_t sig_len, params_len;
1311  unsigned char hash[64];
1312  md_type_t md_alg = POLARSSL_MD_NONE;
1313  size_t hashlen;
1314  pk_type_t pk_alg = POLARSSL_PK_NONE;
1315 #endif
1316 
1317  SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
1318 
1319 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
1320  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
1321  {
1322  SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
1323  ssl->state++;
1324  return( 0 );
1325  }
1326  ((void) p);
1327  ((void) end);
1328 #endif
1329 
1330  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1331  {
1332  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1333  return( ret );
1334  }
1335 
1336  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1337  {
1338  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1340  }
1341 
1342  /*
1343  * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
1344  * doesn't use a psk_identity_hint
1345  */
1346  if( ssl->in_msg[0] != SSL_HS_SERVER_KEY_EXCHANGE )
1347  {
1348  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1349  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
1350  {
1351  ssl->record_read = 1;
1352  goto exit;
1353  }
1354 
1355  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1357  }
1358 
1359  p = ssl->in_msg + 4;
1360  end = ssl->in_msg + ssl->in_hslen;
1361  SSL_DEBUG_BUF( 3, "server key exchange", p, ssl->in_hslen - 4 );
1362 
1363 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
1364  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1365  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1366  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1367  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1368  {
1369  if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
1370  {
1371  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1373  }
1374  } /* FALLTROUGH */
1375 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
1376 
1377 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
1378  defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
1379  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1380  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
1381  ; /* nothing more to do */
1382  else
1383 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED ||
1384  POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
1385 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1386  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1387  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1388  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1389  {
1390  if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
1391  {
1392  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1394  }
1395  }
1396  else
1397 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1398  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1399 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1400  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1401  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1402  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
1403  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
1404  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
1405  {
1406  if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
1407  {
1408  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1410  }
1411  }
1412  else
1413 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1414  POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1415  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1416  {
1417  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1419  }
1420 
1421 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1422  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1423  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1424  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1425  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
1426  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
1427  {
1428  params_len = p - ( ssl->in_msg + 4 );
1429 
1430  /*
1431  * Handle the digitally-signed structure
1432  */
1433 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1434  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1435  {
1436  if( ssl_parse_signature_algorithm( ssl, &p, end,
1437  &md_alg, &pk_alg ) != 0 )
1438  {
1439  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1441  }
1442 
1443  if( pk_alg != ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
1444  {
1445  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1447  }
1448  }
1449  else
1450 #endif
1451 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
1452  defined(POLARSSL_SSL_PROTO_TLS1_1)
1453  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
1454  {
1455  pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
1456 
1457  /* Default hash for ECDSA is SHA-1 */
1458  if( pk_alg == POLARSSL_PK_ECDSA && md_alg == POLARSSL_MD_NONE )
1459  md_alg = POLARSSL_MD_SHA1;
1460  }
1461  else
1462 #endif
1463  {
1464  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1466  }
1467 
1468  /*
1469  * Read signature
1470  */
1471  sig_len = ( p[0] << 8 ) | p[1];
1472  p += 2;
1473 
1474  if( end != p + sig_len )
1475  {
1476  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1478  }
1479 
1480  SSL_DEBUG_BUF( 3, "signature", p, sig_len );
1481 
1482  /*
1483  * Compute the hash that has been signed
1484  */
1485 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
1486  defined(POLARSSL_SSL_PROTO_TLS1_1)
1487  if( md_alg == POLARSSL_MD_NONE )
1488  {
1489  md5_context md5;
1491 
1492  hashlen = 36;
1493 
1494  /*
1495  * digitally-signed struct {
1496  * opaque md5_hash[16];
1497  * opaque sha_hash[20];
1498  * };
1499  *
1500  * md5_hash
1501  * MD5(ClientHello.random + ServerHello.random
1502  * + ServerParams);
1503  * sha_hash
1504  * SHA(ClientHello.random + ServerHello.random
1505  * + ServerParams);
1506  */
1507  md5_starts( &md5 );
1508  md5_update( &md5, ssl->handshake->randbytes, 64 );
1509  md5_update( &md5, ssl->in_msg + 4, params_len );
1510  md5_finish( &md5, hash );
1511 
1512  sha1_starts( &sha1 );
1513  sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1514  sha1_update( &sha1, ssl->in_msg + 4, params_len );
1515  sha1_finish( &sha1, hash + 16 );
1516  }
1517  else
1518 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
1519  POLARSSL_SSL_PROTO_TLS1_1 */
1520 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1521  defined(POLARSSL_SSL_PROTO_TLS1_2)
1522  if( md_alg != POLARSSL_MD_NONE )
1523  {
1524  md_context_t ctx;
1525 
1526  /* Info from md_alg will be used instead */
1527  hashlen = 0;
1528 
1529  /*
1530  * digitally-signed struct {
1531  * opaque client_random[32];
1532  * opaque server_random[32];
1533  * ServerDHParams params;
1534  * };
1535  */
1536  if( ( ret = md_init_ctx( &ctx, md_info_from_type( md_alg ) ) ) != 0 )
1537  {
1538  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
1539  return( ret );
1540  }
1541 
1542  md_starts( &ctx );
1543  md_update( &ctx, ssl->handshake->randbytes, 64 );
1544  md_update( &ctx, ssl->in_msg + 4, params_len );
1545  md_finish( &ctx, hash );
1546  md_free_ctx( &ctx );
1547  }
1548  else
1549 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1550  POLARSSL_SSL_PROTO_TLS1_2 */
1551  {
1552  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1554  }
1555 
1556  SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
1557  (unsigned int) ( md_info_from_type( md_alg ) )->size );
1558 
1559  /*
1560  * Verify signature
1561  */
1562  if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
1563  {
1564  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1566  }
1567 
1568  if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
1569  md_alg, hash, hashlen, p, sig_len ) ) != 0 )
1570  {
1571  SSL_DEBUG_RET( 1, "pk_verify", ret );
1572  return( ret );
1573  }
1574  }
1575 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1576  POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1577  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1578 
1579 exit:
1580  ssl->state++;
1581 
1582  SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
1583 
1584  return( 0 );
1585 }
1586 
1587 static int ssl_parse_certificate_request( ssl_context *ssl )
1588 {
1589  int ret;
1590  unsigned char *buf, *p;
1591  size_t n = 0, m = 0;
1592  size_t cert_type_len = 0, dn_len = 0;
1593 
1594  SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
1595 
1596  /*
1597  * 0 . 0 handshake type
1598  * 1 . 3 handshake length
1599  * 4 . 4 cert type count
1600  * 5 .. m-1 cert types
1601  * m .. m+1 sig alg length (TLS 1.2 only)
1602  * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
1603  * n .. n+1 length of all DNs
1604  * n+2 .. n+3 length of DN 1
1605  * n+4 .. ... Distinguished Name #1
1606  * ... .. ... length of DN 2, etc.
1607  */
1608  if( ssl->record_read == 0 )
1609  {
1610  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1611  {
1612  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1613  return( ret );
1614  }
1615 
1616  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1617  {
1618  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1620  }
1621 
1622  ssl->record_read = 1;
1623  }
1624 
1625  ssl->client_auth = 0;
1626  ssl->state++;
1627 
1628  if( ssl->in_msg[0] == SSL_HS_CERTIFICATE_REQUEST )
1629  ssl->client_auth++;
1630 
1631  SSL_DEBUG_MSG( 3, ( "got %s certificate request",
1632  ssl->client_auth ? "a" : "no" ) );
1633 
1634  if( ssl->client_auth == 0 )
1635  goto exit;
1636 
1637  ssl->record_read = 0;
1638 
1639  // TODO: handshake_failure alert for an anonymous server to request
1640  // client authentication
1641 
1642  buf = ssl->in_msg;
1643 
1644  // Retrieve cert types
1645  //
1646  cert_type_len = buf[4];
1647  n = cert_type_len;
1648 
1649  if( ssl->in_hslen < 6 + n )
1650  {
1651  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1653  }
1654 
1655  p = buf + 5;
1656  while( cert_type_len > 0 )
1657  {
1658 #if defined(POLARSSL_RSA_C)
1659  if( *p == SSL_CERT_TYPE_RSA_SIGN &&
1661  {
1663  break;
1664  }
1665  else
1666 #endif
1667 #if defined(POLARSSL_ECDSA_C)
1668  if( *p == SSL_CERT_TYPE_ECDSA_SIGN &&
1670  {
1672  break;
1673  }
1674  else
1675 #endif
1676  {
1677  ; /* Unsupported cert type, ignore */
1678  }
1679 
1680  cert_type_len--;
1681  p++;
1682  }
1683 
1684 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1685  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1686  {
1687  /* Ignored, see comments about hash in write_certificate_verify */
1688  // TODO: should check the signature part against our pk_key though
1689  size_t sig_alg_len = ( ( buf[5 + n] << 8 )
1690  | ( buf[6 + n] ) );
1691 
1692  p = buf + 7 + n;
1693  m += 2;
1694  n += sig_alg_len;
1695 
1696  if( ssl->in_hslen < 6 + n )
1697  {
1698  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1700  }
1701  }
1702 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1703 
1704  /* Ignore certificate_authorities, we only have one cert anyway */
1705  // TODO: should not send cert if no CA matches
1706  dn_len = ( ( buf[5 + m + n] << 8 )
1707  | ( buf[6 + m + n] ) );
1708 
1709  n += dn_len;
1710  if( ssl->in_hslen != 7 + m + n )
1711  {
1712  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1714  }
1715 
1716 exit:
1717  SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
1718 
1719  return( 0 );
1720 }
1721 
1722 static int ssl_parse_server_hello_done( ssl_context *ssl )
1723 {
1724  int ret;
1725 
1726  SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
1727 
1728  if( ssl->record_read == 0 )
1729  {
1730  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1731  {
1732  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1733  return( ret );
1734  }
1735 
1736  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1737  {
1738  SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
1740  }
1741  }
1742  ssl->record_read = 0;
1743 
1744  if( ssl->in_hslen != 4 ||
1745  ssl->in_msg[0] != SSL_HS_SERVER_HELLO_DONE )
1746  {
1747  SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
1749  }
1750 
1751  ssl->state++;
1752 
1753  SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
1754 
1755  return( 0 );
1756 }
1757 
1758 static int ssl_write_client_key_exchange( ssl_context *ssl )
1759 {
1760  int ret;
1761  size_t i, n;
1762  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1763 
1764  SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
1765 
1766 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
1767  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
1768  {
1769  /*
1770  * DHM key exchange -- send G^X mod P
1771  */
1772  n = ssl->handshake->dhm_ctx.len;
1773 
1774  ssl->out_msg[4] = (unsigned char)( n >> 8 );
1775  ssl->out_msg[5] = (unsigned char)( n );
1776  i = 6;
1777 
1778  ret = dhm_make_public( &ssl->handshake->dhm_ctx,
1779  (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
1780  &ssl->out_msg[i], n,
1781  ssl->f_rng, ssl->p_rng );
1782  if( ret != 0 )
1783  {
1784  SSL_DEBUG_RET( 1, "dhm_make_public", ret );
1785  return( ret );
1786  }
1787 
1788  SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
1789  SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
1790 
1791  ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
1792 
1793  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
1794  ssl->handshake->premaster,
1795  &ssl->handshake->pmslen,
1796  ssl->f_rng, ssl->p_rng ) ) != 0 )
1797  {
1798  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
1799  return( ret );
1800  }
1801 
1802  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
1803  }
1804  else
1805 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
1806 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1807  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1808  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
1809  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
1810  {
1811  /*
1812  * ECDH key exchange -- send client public value
1813  */
1814  i = 4;
1815 
1816  ret = ecdh_make_public( &ssl->handshake->ecdh_ctx,
1817  &n,
1818  &ssl->out_msg[i], 1000,
1819  ssl->f_rng, ssl->p_rng );
1820  if( ret != 0 )
1821  {
1822  SSL_DEBUG_RET( 1, "ecdh_make_public", ret );
1823  return( ret );
1824  }
1825 
1826  SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
1827 
1828  if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
1829  &ssl->handshake->pmslen,
1830  ssl->handshake->premaster,
1832  ssl->f_rng, ssl->p_rng ) ) != 0 )
1833  {
1834  SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
1835  return( ret );
1836  }
1837 
1838  SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
1839  }
1840  else
1841 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1842  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1843 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
1844  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1845  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1846  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1847  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1848  {
1849  /*
1850  * opaque psk_identity<0..2^16-1>;
1851  */
1852  if( ssl->psk == NULL || ssl->psk_identity == NULL )
1854 
1855  i = 4;
1856  n = ssl->psk_identity_len;
1857  ssl->out_msg[i++] = (unsigned char)( n >> 8 );
1858  ssl->out_msg[i++] = (unsigned char)( n );
1859 
1860  memcpy( ssl->out_msg + i, ssl->psk_identity, ssl->psk_identity_len );
1861  i += ssl->psk_identity_len;
1862 
1863 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
1864  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
1865  {
1866  n = 0;
1867  }
1868  else
1869 #endif
1870 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
1871  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
1872  {
1873  if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
1874  return( ret );
1875  }
1876  else
1877 #endif
1878 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1879  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1880  {
1881  /*
1882  * ClientDiffieHellmanPublic public (DHM send G^X mod P)
1883  */
1884  n = ssl->handshake->dhm_ctx.len;
1885  ssl->out_msg[i++] = (unsigned char)( n >> 8 );
1886  ssl->out_msg[i++] = (unsigned char)( n );
1887 
1888  ret = dhm_make_public( &ssl->handshake->dhm_ctx,
1889  (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
1890  &ssl->out_msg[i], n,
1891  ssl->f_rng, ssl->p_rng );
1892  if( ret != 0 )
1893  {
1894  SSL_DEBUG_RET( 1, "dhm_make_public", ret );
1895  return( ret );
1896  }
1897  }
1898  else
1899 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1900 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1901  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1902  {
1903  /*
1904  * ClientECDiffieHellmanPublic public;
1905  */
1906  ret = ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
1907  &ssl->out_msg[i], SSL_MAX_CONTENT_LEN - i,
1908  ssl->f_rng, ssl->p_rng );
1909  if( ret != 0 )
1910  {
1911  SSL_DEBUG_RET( 1, "ecdh_make_public", ret );
1912  return( ret );
1913  }
1914 
1915  SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
1916  }
1917  else
1918 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
1919  {
1920  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1922  }
1923 
1924  if( ( ret = ssl_psk_derive_premaster( ssl,
1925  ciphersuite_info->key_exchange ) ) != 0 )
1926  {
1927  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
1928  return( ret );
1929  }
1930  }
1931  else
1932 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
1933 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
1934  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
1935  {
1936  i = 4;
1937  if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
1938  return( ret );
1939  }
1940  else
1941 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
1942  {
1943  ((void) ciphersuite_info);
1944  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1946  }
1947 
1948  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1949  {
1950  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1951  return( ret );
1952  }
1953 
1954  ssl->out_msglen = i + n;
1957 
1958  ssl->state++;
1959 
1960  if( ( ret = ssl_write_record( ssl ) ) != 0 )
1961  {
1962  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1963  return( ret );
1964  }
1965 
1966  SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
1967 
1968  return( 0 );
1969 }
1970 
1971 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1972  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1973  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
1974  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1975 static int ssl_write_certificate_verify( ssl_context *ssl )
1976 {
1978  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1979 
1980  SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
1981 
1982  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1983  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
1984  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1985  {
1986  SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
1987  ssl->state++;
1988  return( 0 );
1989  }
1990 
1991  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
1992  return( ret );
1993 }
1994 #else
1995 static int ssl_write_certificate_verify( ssl_context *ssl )
1996 {
1998  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1999  size_t n = 0, offset = 0;
2000  unsigned char hash[48];
2001  unsigned char *hash_start = hash;
2002  md_type_t md_alg = POLARSSL_MD_NONE;
2003  unsigned int hashlen;
2004 
2005  SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
2006 
2007  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2008  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2009  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2010  {
2011  SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2012  ssl->state++;
2013  return( 0 );
2014  }
2015 
2016  if( ssl->client_auth == 0 || ssl_own_cert( ssl ) == NULL )
2017  {
2018  SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2019  ssl->state++;
2020  return( 0 );
2021  }
2022 
2023  if( ssl_own_key( ssl ) == NULL )
2024  {
2025  SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2027  }
2028 
2029  /*
2030  * Make an RSA signature of the handshake digests
2031  */
2032  ssl->handshake->calc_verify( ssl, hash );
2033 
2034 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2035  defined(POLARSSL_SSL_PROTO_TLS1_1)
2036  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
2037  {
2038  /*
2039  * digitally-signed struct {
2040  * opaque md5_hash[16];
2041  * opaque sha_hash[20];
2042  * };
2043  *
2044  * md5_hash
2045  * MD5(handshake_messages);
2046  *
2047  * sha_hash
2048  * SHA(handshake_messages);
2049  */
2050  hashlen = 36;
2051  md_alg = POLARSSL_MD_NONE;
2052 
2053  /*
2054  * For ECDSA, default hash is SHA-1 only
2055  */
2056  if( pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECDSA ) )
2057  {
2058  hash_start += 16;
2059  hashlen -= 16;
2060  md_alg = POLARSSL_MD_SHA1;
2061  }
2062  }
2063  else
2064 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
2065  POLARSSL_SSL_PROTO_TLS1_1 */
2066 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2067  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2068  {
2069  /*
2070  * digitally-signed struct {
2071  * opaque handshake_messages[handshake_messages_length];
2072  * };
2073  *
2074  * Taking shortcut here. We assume that the server always allows the
2075  * PRF Hash function and has sent it in the allowed signature
2076  * algorithms list received in the Certificate Request message.
2077  *
2078  * Until we encounter a server that does not, we will take this
2079  * shortcut.
2080  *
2081  * Reason: Otherwise we should have running hashes for SHA512 and SHA224
2082  * in order to satisfy 'weird' needs from the server side.
2083  */
2086  {
2087  md_alg = POLARSSL_MD_SHA384;
2088  ssl->out_msg[4] = SSL_HASH_SHA384;
2089  }
2090  else
2091  {
2092  md_alg = POLARSSL_MD_SHA256;
2093  ssl->out_msg[4] = SSL_HASH_SHA256;
2094  }
2095  ssl->out_msg[5] = ssl_sig_from_pk( ssl_own_key( ssl ) );
2096 
2097  /* Info from md_alg will be used instead */
2098  hashlen = 0;
2099  offset = 2;
2100  }
2101  else
2102 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2103  {
2104  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2106  }
2107 
2108  if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash_start, hashlen,
2109  ssl->out_msg + 6 + offset, &n,
2110  ssl->f_rng, ssl->p_rng ) ) != 0 )
2111  {
2112  SSL_DEBUG_RET( 1, "pk_sign", ret );
2113  return( ret );
2114  }
2115 
2116  ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
2117  ssl->out_msg[5 + offset] = (unsigned char)( n );
2118 
2119  ssl->out_msglen = 6 + n + offset;
2122 
2123  ssl->state++;
2124 
2125  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2126  {
2127  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2128  return( ret );
2129  }
2130 
2131  SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
2132 
2133  return( ret );
2134 }
2135 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2136  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2137  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2138 
2139 #if defined(POLARSSL_SSL_SESSION_TICKETS)
2140 static int ssl_parse_new_session_ticket( ssl_context *ssl )
2141 {
2142  int ret;
2143  uint32_t lifetime;
2144  size_t ticket_len;
2145  unsigned char *ticket;
2146 
2147  SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
2148 
2149  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2150  {
2151  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2152  return( ret );
2153  }
2154 
2155  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2156  {
2157  SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2159  }
2160 
2161  /*
2162  * struct {
2163  * uint32 ticket_lifetime_hint;
2164  * opaque ticket<0..2^16-1>;
2165  * } NewSessionTicket;
2166  *
2167  * 0 . 0 handshake message type
2168  * 1 . 3 handshake message length
2169  * 4 . 7 ticket_lifetime_hint
2170  * 8 . 9 ticket_len (n)
2171  * 10 . 9+n ticket content
2172  */
2173  if( ssl->in_msg[0] != SSL_HS_NEW_SESSION_TICKET ||
2174  ssl->in_hslen < 10 )
2175  {
2176  SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2178  }
2179 
2180  lifetime = ( ssl->in_msg[4] << 24 ) | ( ssl->in_msg[5] << 16 ) |
2181  ( ssl->in_msg[6] << 8 ) | ( ssl->in_msg[7] );
2182 
2183  ticket_len = ( ssl->in_msg[8] << 8 ) | ( ssl->in_msg[9] );
2184 
2185  if( ticket_len + 10 != ssl->in_hslen )
2186  {
2187  SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2189  }
2190 
2191  SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
2192 
2193  /* We're not waiting for a NewSessionTicket message any more */
2194  ssl->handshake->new_session_ticket = 0;
2195 
2196  /*
2197  * Zero-length ticket means the server changed his mind and doesn't want
2198  * to send a ticket after all, so just forget it
2199  */
2200  if( ticket_len == 0)
2201  return( 0 );
2202 
2204  ssl->session_negotiate->ticket = NULL;
2205  ssl->session_negotiate->ticket_len = 0;
2206 
2207  if( ( ticket = polarssl_malloc( ticket_len ) ) == NULL )
2208  {
2209  SSL_DEBUG_MSG( 1, ( "ticket malloc failed" ) );
2211  }
2212 
2213  memcpy( ticket, ssl->in_msg + 10, ticket_len );
2214 
2215  ssl->session_negotiate->ticket = ticket;
2216  ssl->session_negotiate->ticket_len = ticket_len;
2217  ssl->session_negotiate->ticket_lifetime = lifetime;
2218 
2219  /*
2220  * RFC 5077 section 3.4:
2221  * "If the client receives a session ticket from the server, then it
2222  * discards any Session ID that was sent in the ServerHello."
2223  */
2224  SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
2225  ssl->session_negotiate->length = 0;
2226 
2227  SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
2228 
2229  return( 0 );
2230 }
2231 #endif /* POLARSSL_SSL_SESSION_TICKETS */
2232 
2233 /*
2234  * SSL handshake -- client side -- single step
2235  */
2237 {
2238  int ret = 0;
2239 
2240  if( ssl->state == SSL_HANDSHAKE_OVER )
2242 
2243  SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
2244 
2245  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2246  return( ret );
2247 
2248  switch( ssl->state )
2249  {
2250  case SSL_HELLO_REQUEST:
2251  ssl->state = SSL_CLIENT_HELLO;
2252  break;
2253 
2254  /*
2255  * ==> ClientHello
2256  */
2257  case SSL_CLIENT_HELLO:
2258  ret = ssl_write_client_hello( ssl );
2259  break;
2260 
2261  /*
2262  * <== ServerHello
2263  * Certificate
2264  * ( ServerKeyExchange )
2265  * ( CertificateRequest )
2266  * ServerHelloDone
2267  */
2268  case SSL_SERVER_HELLO:
2269  ret = ssl_parse_server_hello( ssl );
2270  break;
2271 
2273  ret = ssl_parse_certificate( ssl );
2274  break;
2275 
2277  ret = ssl_parse_server_key_exchange( ssl );
2278  break;
2279 
2281  ret = ssl_parse_certificate_request( ssl );
2282  break;
2283 
2284  case SSL_SERVER_HELLO_DONE:
2285  ret = ssl_parse_server_hello_done( ssl );
2286  break;
2287 
2288  /*
2289  * ==> ( Certificate/Alert )
2290  * ClientKeyExchange
2291  * ( CertificateVerify )
2292  * ChangeCipherSpec
2293  * Finished
2294  */
2296  ret = ssl_write_certificate( ssl );
2297  break;
2298 
2300  ret = ssl_write_client_key_exchange( ssl );
2301  break;
2302 
2304  ret = ssl_write_certificate_verify( ssl );
2305  break;
2306 
2308  ret = ssl_write_change_cipher_spec( ssl );
2309  break;
2310 
2311  case SSL_CLIENT_FINISHED:
2312  ret = ssl_write_finished( ssl );
2313  break;
2314 
2315  /*
2316  * <== ( NewSessionTicket )
2317  * ChangeCipherSpec
2318  * Finished
2319  */
2321 #if defined(POLARSSL_SSL_SESSION_TICKETS)
2322  if( ssl->handshake->new_session_ticket != 0 )
2323  ret = ssl_parse_new_session_ticket( ssl );
2324  else
2325 #endif
2326  ret = ssl_parse_change_cipher_spec( ssl );
2327  break;
2328 
2329  case SSL_SERVER_FINISHED:
2330  ret = ssl_parse_finished( ssl );
2331  break;
2332 
2333  case SSL_FLUSH_BUFFERS:
2334  SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2335  ssl->state = SSL_HANDSHAKE_WRAPUP;
2336  break;
2337 
2338  case SSL_HANDSHAKE_WRAPUP:
2339  ssl_handshake_wrapup( ssl );
2340  break;
2341 
2342  default:
2343  SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2345  }
2346 
2347  return( ret );
2348 }
2349 #endif