PolarSSL v1.3.8
ssl_srv.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 server-side functions
3  *
4  * Copyright (C) 2006-2014, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 #if !defined(POLARSSL_CONFIG_FILE)
27 #include "polarssl/config.h"
28 #else
29 #include POLARSSL_CONFIG_FILE
30 #endif
31 
32 #if defined(POLARSSL_SSL_SRV_C)
33 
34 #include "polarssl/debug.h"
35 #include "polarssl/ssl.h"
36 #if defined(POLARSSL_ECP_C)
37 #include "polarssl/ecp.h"
38 #endif
39 
40 #if defined(POLARSSL_PLATFORM_C)
41 #include "polarssl/platform.h"
42 #else
43 #define polarssl_malloc malloc
44 #define polarssl_free free
45 #endif
46 
47 #include <stdlib.h>
48 #include <stdio.h>
49 
50 #if defined(POLARSSL_HAVE_TIME)
51 #include <time.h>
52 #endif
53 
54 #if defined(POLARSSL_SSL_SESSION_TICKETS)
55 /* Implementation that should never be optimized out by the compiler */
56 static void polarssl_zeroize( void *v, size_t n ) {
57  volatile unsigned char *p = v; while( n-- ) *p++ = 0;
58 }
59 
60 /*
61  * Serialize a session in the following format:
62  * 0 . n-1 session structure, n = sizeof(ssl_session)
63  * n . n+2 peer_cert length = m (0 if no certificate)
64  * n+3 . n+2+m peer cert ASN.1
65  *
66  * Assumes ticket is NULL (always true on server side).
67  */
68 static int ssl_save_session( const ssl_session *session,
69  unsigned char *buf, size_t buf_len,
70  size_t *olen )
71 {
72  unsigned char *p = buf;
73  size_t left = buf_len;
74 #if defined(POLARSSL_X509_CRT_PARSE_C)
75  size_t cert_len;
76 #endif /* POLARSSL_X509_CRT_PARSE_C */
77 
78  if( left < sizeof( ssl_session ) )
79  return( -1 );
80 
81  memcpy( p, session, sizeof( ssl_session ) );
82  p += sizeof( ssl_session );
83  left -= sizeof( ssl_session );
84 
85 #if defined(POLARSSL_X509_CRT_PARSE_C)
86  if( session->peer_cert == NULL )
87  cert_len = 0;
88  else
89  cert_len = session->peer_cert->raw.len;
90 
91  if( left < 3 + cert_len )
92  return( -1 );
93 
94  *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
95  *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
96  *p++ = (unsigned char)( cert_len & 0xFF );
97 
98  if( session->peer_cert != NULL )
99  memcpy( p, session->peer_cert->raw.p, cert_len );
100 
101  p += cert_len;
102 #endif /* POLARSSL_X509_CRT_PARSE_C */
103 
104  *olen = p - buf;
105 
106  return( 0 );
107 }
108 
109 /*
110  * Unserialise session, see ssl_save_session()
111  */
112 static int ssl_load_session( ssl_session *session,
113  const unsigned char *buf, size_t len )
114 {
115  const unsigned char *p = buf;
116  const unsigned char * const end = buf + len;
117 #if defined(POLARSSL_X509_CRT_PARSE_C)
118  size_t cert_len;
119 #endif /* POLARSSL_X509_CRT_PARSE_C */
120 
121  if( p + sizeof( ssl_session ) > end )
123 
124  memcpy( session, p, sizeof( ssl_session ) );
125  p += sizeof( ssl_session );
126 
127 #if defined(POLARSSL_X509_CRT_PARSE_C)
128  if( p + 3 > end )
130 
131  cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
132  p += 3;
133 
134  if( cert_len == 0 )
135  {
136  session->peer_cert = NULL;
137  }
138  else
139  {
140  int ret;
141 
142  if( p + cert_len > end )
144 
145  session->peer_cert = polarssl_malloc( sizeof( x509_crt ) );
146 
147  if( session->peer_cert == NULL )
149 
150  x509_crt_init( session->peer_cert );
151 
152  if( ( ret = x509_crt_parse_der( session->peer_cert,
153  p, cert_len ) ) != 0 )
154  {
155  x509_crt_free( session->peer_cert );
156  polarssl_free( session->peer_cert );
157  session->peer_cert = NULL;
158  return( ret );
159  }
160 
161  p += cert_len;
162  }
163 #endif /* POLARSSL_X509_CRT_PARSE_C */
164 
165  if( p != end )
167 
168  return( 0 );
169 }
170 
171 /*
172  * Create session ticket, secured as recommended in RFC 5077 section 4:
173  *
174  * struct {
175  * opaque key_name[16];
176  * opaque iv[16];
177  * opaque encrypted_state<0..2^16-1>;
178  * opaque mac[32];
179  * } ticket;
180  *
181  * (the internal state structure differs, however).
182  */
183 static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
184 {
185  int ret;
186  unsigned char * const start = ssl->out_msg + 10;
187  unsigned char *p = start;
188  unsigned char *state;
189  unsigned char iv[16];
190  size_t clear_len, enc_len, pad_len, i;
191 
192  *tlen = 0;
193 
194  if( ssl->ticket_keys == NULL )
196 
197  /* Write key name */
198  memcpy( p, ssl->ticket_keys->key_name, 16 );
199  p += 16;
200 
201  /* Generate and write IV (with a copy for aes_crypt) */
202  if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
203  return( ret );
204  memcpy( iv, p, 16 );
205  p += 16;
206 
207  /*
208  * Dump session state
209  *
210  * After the session state itself, we still need room for 16 bytes of
211  * padding and 32 bytes of MAC, so there's only so much room left
212  */
213  state = p + 2;
214  if( ssl_save_session( ssl->session_negotiate, state,
215  SSL_MAX_CONTENT_LEN - ( state - ssl->out_ctr ) - 48,
216  &clear_len ) != 0 )
217  {
219  }
220  SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
221 
222  /* Apply PKCS padding */
223  pad_len = 16 - clear_len % 16;
224  enc_len = clear_len + pad_len;
225  for( i = clear_len; i < enc_len; i++ )
226  state[i] = (unsigned char) pad_len;
227 
228  /* Encrypt */
229  if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
230  enc_len, iv, state, state ) ) != 0 )
231  {
232  return( ret );
233  }
234 
235  /* Write length */
236  *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
237  *p++ = (unsigned char)( ( enc_len ) & 0xFF );
238  p = state + enc_len;
239 
240  /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
241  sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
242  p += 32;
243 
244  *tlen = p - start;
245 
246  SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
247 
248  return( 0 );
249 }
250 
251 /*
252  * Load session ticket (see ssl_write_ticket for structure)
253  */
254 static int ssl_parse_ticket( ssl_context *ssl,
255  unsigned char *buf,
256  size_t len )
257 {
258  int ret;
259  ssl_session session;
260  unsigned char *key_name = buf;
261  unsigned char *iv = buf + 16;
262  unsigned char *enc_len_p = iv + 16;
263  unsigned char *ticket = enc_len_p + 2;
264  unsigned char *mac;
265  unsigned char computed_mac[32];
266  size_t enc_len, clear_len, i;
267  unsigned char pad_len, diff;
268 
269  SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
270 
271  if( len < 34 || ssl->ticket_keys == NULL )
273 
274  enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
275  mac = ticket + enc_len;
276 
277  if( len != enc_len + 66 )
279 
280  /* Check name, in constant time though it's not a big secret */
281  diff = 0;
282  for( i = 0; i < 16; i++ )
283  diff |= key_name[i] ^ ssl->ticket_keys->key_name[i];
284  /* don't return yet, check the MAC anyway */
285 
286  /* Check mac, with constant-time buffer comparison */
287  sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
288  computed_mac, 0 );
289 
290  for( i = 0; i < 32; i++ )
291  diff |= mac[i] ^ computed_mac[i];
292 
293  /* Now return if ticket is not authentic, since we want to avoid
294  * decrypting arbitrary attacker-chosen data */
295  if( diff != 0 )
297 
298  /* Decrypt */
299  if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
300  enc_len, iv, ticket, ticket ) ) != 0 )
301  {
302  return( ret );
303  }
304 
305  /* Check PKCS padding */
306  pad_len = ticket[enc_len - 1];
307 
308  ret = 0;
309  for( i = 2; i < pad_len; i++ )
310  if( ticket[enc_len - i] != pad_len )
312  if( ret != 0 )
313  return( ret );
314 
315  clear_len = enc_len - pad_len;
316 
317  SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
318 
319  /* Actually load session */
320  if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
321  {
322  SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
323  ssl_session_free( &session );
324  return( ret );
325  }
326 
327 #if defined(POLARSSL_HAVE_TIME)
328  /* Check if still valid */
329  if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
330  {
331  SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
332  ssl_session_free( &session );
334  }
335 #endif
336 
337  /*
338  * Keep the session ID sent by the client, since we MUST send it back to
339  * inform him we're accepting the ticket (RFC 5077 section 3.4)
340  */
341  session.length = ssl->session_negotiate->length;
342  memcpy( &session.id, ssl->session_negotiate->id, session.length );
343 
345  memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
346 
347  /* Zeroize instead of free as we copied the content */
348  polarssl_zeroize( &session, sizeof( ssl_session ) );
349 
350  return( 0 );
351 }
352 #endif /* POLARSSL_SSL_SESSION_TICKETS */
353 
354 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
355 /*
356  * Wrapper around f_sni, allowing use of ssl_set_own_cert() but
357  * making it act on ssl->hanshake->sni_key_cert instead.
358  */
359 static int ssl_sni_wrapper( ssl_context *ssl,
360  const unsigned char* name, size_t len )
361 {
362  int ret;
363  ssl_key_cert *key_cert_ori = ssl->key_cert;
364 
365  ssl->key_cert = NULL;
366  ret = ssl->f_sni( ssl->p_sni, ssl, name, len );
367  ssl->handshake->sni_key_cert = ssl->key_cert;
368 
369  ssl->key_cert = key_cert_ori;
370 
371  return( ret );
372 }
373 
374 static int ssl_parse_servername_ext( ssl_context *ssl,
375  const unsigned char *buf,
376  size_t len )
377 {
378  int ret;
379  size_t servername_list_size, hostname_len;
380  const unsigned char *p;
381 
382  SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
383 
384  servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
385  if( servername_list_size + 2 != len )
386  {
387  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
389  }
390 
391  p = buf + 2;
392  while( servername_list_size > 0 )
393  {
394  hostname_len = ( ( p[1] << 8 ) | p[2] );
395  if( hostname_len + 3 > servername_list_size )
396  {
397  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
399  }
400 
401  if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
402  {
403  ret = ssl_sni_wrapper( ssl, p + 3, hostname_len );
404  if( ret != 0 )
405  {
406  SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
410  }
411  return( 0 );
412  }
413 
414  servername_list_size -= hostname_len + 3;
415  p += hostname_len + 3;
416  }
417 
418  if( servername_list_size != 0 )
419  {
420  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
422  }
423 
424  return( 0 );
425 }
426 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
427 
428 static int ssl_parse_renegotiation_info( ssl_context *ssl,
429  const unsigned char *buf,
430  size_t len )
431 {
432  int ret;
433 
435  {
436  if( len != 1 || buf[0] != 0x0 )
437  {
438  SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
439 
440  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
441  return( ret );
442 
444  }
445 
447  }
448  else
449  {
450  /* Check verify-data in constant-time. The length OTOH is no secret */
451  if( len != 1 + ssl->verify_data_len ||
452  buf[0] != ssl->verify_data_len ||
453  safer_memcmp( buf + 1, ssl->peer_verify_data,
454  ssl->verify_data_len ) != 0 )
455  {
456  SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
457 
458  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
459  return( ret );
460 
462  }
463  }
464 
465  return( 0 );
466 }
467 
468 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
469 static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
470  const unsigned char *buf,
471  size_t len )
472 {
473  size_t sig_alg_list_size;
474  const unsigned char *p;
475  const unsigned char *end = buf + len;
476  const int *md_cur;
477 
478 
479  sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
480  if( sig_alg_list_size + 2 != len ||
481  sig_alg_list_size % 2 != 0 )
482  {
483  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
485  }
486 
487  /*
488  * For now, ignore the SignatureAlgorithm part and rely on offered
489  * ciphersuites only for that part. To be fixed later.
490  *
491  * So, just look at the HashAlgorithm part.
492  */
493  for( md_cur = md_list(); *md_cur != POLARSSL_MD_NONE; md_cur++ ) {
494  for( p = buf + 2; p < end; p += 2 ) {
495  if( *md_cur == (int) ssl_md_alg_from_hash( p[0] ) ) {
496  ssl->handshake->sig_alg = p[0];
497  break;
498  }
499  }
500  }
501 
502  SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
503  ssl->handshake->sig_alg ) );
504 
505  return( 0 );
506 }
507 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
508 
509 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
510 static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
511  const unsigned char *buf,
512  size_t len )
513 {
514  size_t list_size, our_size;
515  const unsigned char *p;
516  const ecp_curve_info *curve_info, **curves;
517 
518  list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
519  if( list_size + 2 != len ||
520  list_size % 2 != 0 )
521  {
522  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
524  }
525 
526  /* Don't allow our peer to make us allocate too much memory,
527  * and leave room for a final 0 */
528  our_size = list_size / 2 + 1;
529  if( our_size > POLARSSL_ECP_DP_MAX )
530  our_size = POLARSSL_ECP_DP_MAX;
531 
532  if( ( curves = polarssl_malloc( our_size * sizeof( *curves ) ) ) == NULL )
534 
535  /* explicit void pointer cast for buggy MS compiler */
536  memset( (void *) curves, 0, our_size * sizeof( *curves ) );
537  ssl->handshake->curves = curves;
538 
539  p = buf + 2;
540  while( list_size > 0 && our_size > 1 )
541  {
542  curve_info = ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
543 
544  if( curve_info != NULL )
545  {
546  *curves++ = curve_info;
547  our_size--;
548  }
549 
550  list_size -= 2;
551  p += 2;
552  }
553 
554  return( 0 );
555 }
556 
557 static int ssl_parse_supported_point_formats( ssl_context *ssl,
558  const unsigned char *buf,
559  size_t len )
560 {
561  size_t list_size;
562  const unsigned char *p;
563 
564  list_size = buf[0];
565  if( list_size + 1 != len )
566  {
567  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
569  }
570 
571  p = buf + 2;
572  while( list_size > 0 )
573  {
574  if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
576  {
577  ssl->handshake->ecdh_ctx.point_format = p[0];
578  SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
579  return( 0 );
580  }
581 
582  list_size--;
583  p++;
584  }
585 
586  return( 0 );
587 }
588 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
589 
590 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
591 static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
592  const unsigned char *buf,
593  size_t len )
594 {
595  if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
596  {
597  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
599  }
600 
601  ssl->session_negotiate->mfl_code = buf[0];
602 
603  return( 0 );
604 }
605 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
606 
607 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
608 static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
609  const unsigned char *buf,
610  size_t len )
611 {
612  if( len != 0 )
613  {
614  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
616  }
617 
618  ((void) buf);
619 
621 
622  return( 0 );
623 }
624 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
625 
626 #if defined(POLARSSL_SSL_SESSION_TICKETS)
627 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
628  unsigned char *buf,
629  size_t len )
630 {
631  int ret;
632 
634  return( 0 );
635 
636  /* Remember the client asked us to send a new ticket */
637  ssl->handshake->new_session_ticket = 1;
638 
639  SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
640 
641  if( len == 0 )
642  return( 0 );
643 
645  {
646  SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
647  return( 0 );
648  }
649 
650  /*
651  * Failures are ok: just ignore the ticket and proceed.
652  */
653  if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
654  {
655  SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
656  return( 0 );
657  }
658 
659  SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
660 
661  ssl->handshake->resume = 1;
662 
663  /* Don't send a new ticket after all, this one is OK */
664  ssl->handshake->new_session_ticket = 0;
665 
666  return( 0 );
667 }
668 #endif /* POLARSSL_SSL_SESSION_TICKETS */
669 
670 #if defined(POLARSSL_SSL_ALPN)
671 static int ssl_parse_alpn_ext( ssl_context *ssl,
672  const unsigned char *buf, size_t len )
673 {
674  size_t list_len, cur_len, ours_len;
675  const unsigned char *theirs, *start, *end;
676  const char **ours;
677 
678  /* If ALPN not configured, just ignore the extension */
679  if( ssl->alpn_list == NULL )
680  return( 0 );
681 
682  /*
683  * opaque ProtocolName<1..2^8-1>;
684  *
685  * struct {
686  * ProtocolName protocol_name_list<2..2^16-1>
687  * } ProtocolNameList;
688  */
689 
690  /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
691  if( len < 4 )
693 
694  list_len = ( buf[0] << 8 ) | buf[1];
695  if( list_len != len - 2 )
697 
698  /*
699  * Use our order of preference
700  */
701  start = buf + 2;
702  end = buf + len;
703  for( ours = ssl->alpn_list; *ours != NULL; ours++ )
704  {
705  ours_len = strlen( *ours );
706  for( theirs = start; theirs != end; theirs += cur_len )
707  {
708  /* If the list is well formed, we should get equality first */
709  if( theirs > end )
711 
712  cur_len = *theirs++;
713 
714  /* Empty strings MUST NOT be included */
715  if( cur_len == 0 )
717 
718  if( cur_len == ours_len &&
719  memcmp( theirs, *ours, cur_len ) == 0 )
720  {
721  ssl->alpn_chosen = *ours;
722  return( 0 );
723  }
724  }
725  }
726 
727  /* If we get there, no match was found */
731 }
732 #endif /* POLARSSL_SSL_ALPN */
733 
734 /*
735  * Auxiliary functions for ServerHello parsing and related actions
736  */
737 
738 #if defined(POLARSSL_X509_CRT_PARSE_C)
739 /*
740  * Return 1 if the given EC key uses the given curve, 0 otherwise
741  */
742 #if defined(POLARSSL_ECDSA_C)
743 static int ssl_key_matches_curves( pk_context *pk,
744  const ecp_curve_info **curves )
745 {
746  const ecp_curve_info **crv = curves;
747  ecp_group_id grp_id = pk_ec( *pk )->grp.id;
748 
749  while( *crv != NULL )
750  {
751  if( (*crv)->grp_id == grp_id )
752  return( 1 );
753  crv++;
754  }
755 
756  return( 0 );
757 }
758 #endif /* POLARSSL_ECDSA_C */
759 
760 /*
761  * Try picking a certificate for this ciphersuite,
762  * return 0 on success and -1 on failure.
763  */
764 static int ssl_pick_cert( ssl_context *ssl,
765  const ssl_ciphersuite_t * ciphersuite_info )
766 {
767  ssl_key_cert *cur, *list;
768  pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
769 
770 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
771  if( ssl->handshake->sni_key_cert != NULL )
772  list = ssl->handshake->sni_key_cert;
773  else
774 #endif
775  list = ssl->handshake->key_cert;
776 
777  if( pk_alg == POLARSSL_PK_NONE )
778  return( 0 );
779 
780  for( cur = list; cur != NULL; cur = cur->next )
781  {
782  if( ! pk_can_do( cur->key, pk_alg ) )
783  continue;
784 
785  /*
786  * This avoids sending the client a cert it'll reject based on
787  * keyUsage or other extensions.
788  *
789  * It also allows the user to provision different certificates for
790  * different uses based on keyUsage, eg if they want to avoid signing
791  * and decrypting with the same RSA key.
792  */
793  if( ssl_check_cert_usage( cur->cert, ciphersuite_info,
794  SSL_IS_SERVER ) != 0 )
795  {
796  continue;
797  }
798 
799 #if defined(POLARSSL_ECDSA_C)
800  if( pk_alg == POLARSSL_PK_ECDSA )
801  {
802  if( ssl_key_matches_curves( cur->key, ssl->handshake->curves ) )
803  break;
804  }
805  else
806 #endif
807  break;
808  }
809 
810  if( cur == NULL )
811  return( -1 );
812 
813  ssl->handshake->key_cert = cur;
814  return( 0 );
815 }
816 #endif /* POLARSSL_X509_CRT_PARSE_C */
817 
818 /*
819  * Check if a given ciphersuite is suitable for use with our config/keys/etc
820  * Sets ciphersuite_info only if the suite matches.
821  */
822 static int ssl_ciphersuite_match( ssl_context *ssl, int suite_id,
823  const ssl_ciphersuite_t **ciphersuite_info )
824 {
825  const ssl_ciphersuite_t *suite_info;
826 
827  suite_info = ssl_ciphersuite_from_id( suite_id );
828  if( suite_info == NULL )
829  {
830  SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", suite_id ) );
832  }
833 
834  if( suite_info->min_minor_ver > ssl->minor_ver ||
835  suite_info->max_minor_ver < ssl->minor_ver )
836  return( 0 );
837 
838 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
839  if( ssl_ciphersuite_uses_ec( suite_info ) &&
840  ( ssl->handshake->curves == NULL ||
841  ssl->handshake->curves[0] == NULL ) )
842  return( 0 );
843 #endif
844 
845 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
846  /* If the ciphersuite requires a pre-shared key and we don't
847  * have one, skip it now rather than failing later */
848  if( ssl_ciphersuite_uses_psk( suite_info ) &&
849  ssl->f_psk == NULL &&
850  ( ssl->psk == NULL || ssl->psk_identity == NULL ||
851  ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
852  return( 0 );
853 #endif
854 
855 #if defined(POLARSSL_X509_CRT_PARSE_C)
856  /*
857  * Final check: if ciphersuite requires us to have a
858  * certificate/key of a particular type:
859  * - select the appropriate certificate if we have one, or
860  * - try the next ciphersuite if we don't
861  * This must be done last since we modify the key_cert list.
862  */
863  if( ssl_pick_cert( ssl, suite_info ) != 0 )
864  return( 0 );
865 #endif
866 
867  *ciphersuite_info = suite_info;
868  return( 0 );
869 }
870 
871 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
872 static int ssl_parse_client_hello_v2( ssl_context *ssl )
873 {
874  int ret;
875  unsigned int i, j;
876  size_t n;
877  unsigned int ciph_len, sess_len, chal_len;
878  unsigned char *buf, *p;
879  const int *ciphersuites;
880  const ssl_ciphersuite_t *ciphersuite_info;
881 
882  SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
883 
885  {
886  SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
887 
888  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
889  return( ret );
890 
892  }
893 
894  buf = ssl->in_hdr;
895 
896  SSL_DEBUG_BUF( 4, "record header", buf, 5 );
897 
898  SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
899  buf[2] ) );
900  SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
901  ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
902  SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
903  buf[3], buf[4] ) );
904 
905  /*
906  * SSLv2 Client Hello
907  *
908  * Record layer:
909  * 0 . 1 message length
910  *
911  * SSL layer:
912  * 2 . 2 message type
913  * 3 . 4 protocol version
914  */
915  if( buf[2] != SSL_HS_CLIENT_HELLO ||
916  buf[3] != SSL_MAJOR_VERSION_3 )
917  {
918  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
920  }
921 
922  n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
923 
924  if( n < 17 || n > 512 )
925  {
926  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
928  }
929 
931  ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
932  ? buf[4] : ssl->max_minor_ver;
933 
934  if( ssl->minor_ver < ssl->min_minor_ver )
935  {
936  SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
937  " [%d:%d] < [%d:%d]",
938  ssl->major_ver, ssl->minor_ver,
939  ssl->min_major_ver, ssl->min_minor_ver ) );
940 
944  }
945 
946  ssl->handshake->max_major_ver = buf[3];
947  ssl->handshake->max_minor_ver = buf[4];
948 
949  if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
950  {
951  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
952  return( ret );
953  }
954 
955  ssl->handshake->update_checksum( ssl, buf + 2, n );
956 
957  buf = ssl->in_msg;
958  n = ssl->in_left - 5;
959 
960  /*
961  * 0 . 1 ciphersuitelist length
962  * 2 . 3 session id length
963  * 4 . 5 challenge length
964  * 6 . .. ciphersuitelist
965  * .. . .. session id
966  * .. . .. challenge
967  */
968  SSL_DEBUG_BUF( 4, "record contents", buf, n );
969 
970  ciph_len = ( buf[0] << 8 ) | buf[1];
971  sess_len = ( buf[2] << 8 ) | buf[3];
972  chal_len = ( buf[4] << 8 ) | buf[5];
973 
974  SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
975  ciph_len, sess_len, chal_len ) );
976 
977  /*
978  * Make sure each parameter length is valid
979  */
980  if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
981  {
982  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
984  }
985 
986  if( sess_len > 32 )
987  {
988  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
990  }
991 
992  if( chal_len < 8 || chal_len > 32 )
993  {
994  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
996  }
997 
998  if( n != 6 + ciph_len + sess_len + chal_len )
999  {
1000  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1002  }
1003 
1004  SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1005  buf + 6, ciph_len );
1006  SSL_DEBUG_BUF( 3, "client hello, session id",
1007  buf + 6 + ciph_len, sess_len );
1008  SSL_DEBUG_BUF( 3, "client hello, challenge",
1009  buf + 6 + ciph_len + sess_len, chal_len );
1010 
1011  p = buf + 6 + ciph_len;
1012  ssl->session_negotiate->length = sess_len;
1013  memset( ssl->session_negotiate->id, 0,
1014  sizeof( ssl->session_negotiate->id ) );
1015  memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
1016 
1017  p += sess_len;
1018  memset( ssl->handshake->randbytes, 0, 64 );
1019  memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
1020 
1021  /*
1022  * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1023  */
1024  for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
1025  {
1026  if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
1027  {
1028  SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1029  if( ssl->renegotiation == SSL_RENEGOTIATION )
1030  {
1031  SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
1032 
1033  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1034  return( ret );
1035 
1037  }
1039  break;
1040  }
1041  }
1042 
1043  ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1044  ciphersuite_info = NULL;
1045 #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1046  for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
1047  {
1048  for( i = 0; ciphersuites[i] != 0; i++ )
1049 #else
1050  for( i = 0; ciphersuites[i] != 0; i++ )
1051  {
1052  for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
1053 #endif
1054  {
1055  if( p[0] != 0 ||
1056  p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
1057  p[2] != ( ( ciphersuites[i] ) & 0xFF ) )
1058  continue;
1059 
1060  if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1061  &ciphersuite_info ) ) != 0 )
1062  return( ret );
1063 
1064  if( ciphersuite_info != NULL )
1065  goto have_ciphersuite_v2;
1066  }
1067  }
1068 
1069  SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1070 
1072 
1073 have_ciphersuite_v2:
1074  ssl->session_negotiate->ciphersuite = ciphersuites[i];
1075  ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1077 
1078  /*
1079  * SSLv2 Client Hello relevant renegotiation security checks
1080  */
1083  {
1084  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1085 
1086  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1087  return( ret );
1088 
1090  }
1091 
1092  ssl->in_left = 0;
1093  ssl->state++;
1094 
1095  SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
1096 
1097  return( 0 );
1098 }
1099 #endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
1100 
1101 static int ssl_parse_client_hello( ssl_context *ssl )
1102 {
1103  int ret;
1104  unsigned int i, j;
1105  size_t n;
1106  unsigned int ciph_len, sess_len;
1107  unsigned int comp_len;
1108  unsigned int ext_len = 0;
1109  unsigned char *buf, *p, *ext;
1110  int renegotiation_info_seen = 0;
1111  int handshake_failure = 0;
1112  const int *ciphersuites;
1113  const ssl_ciphersuite_t *ciphersuite_info;
1114 
1115  SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
1116 
1117  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
1118  ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1119  {
1120  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1121  return( ret );
1122  }
1123 
1124  buf = ssl->in_hdr;
1125 
1126 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1127  if( ( buf[0] & 0x80 ) != 0 )
1128  return ssl_parse_client_hello_v2( ssl );
1129 #endif
1130 
1131  SSL_DEBUG_BUF( 4, "record header", buf, 5 );
1132 
1133  SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
1134  buf[0] ) );
1135  SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
1136  ( buf[3] << 8 ) | buf[4] ) );
1137  SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
1138  buf[1], buf[2] ) );
1139 
1140  /*
1141  * SSLv3/TLS Client Hello
1142  *
1143  * Record layer:
1144  * 0 . 0 message type
1145  * 1 . 2 protocol version
1146  * 3 . 4 message length
1147  */
1148 
1149  /* According to RFC 5246 Appendix E.1, the version here is typically
1150  * "{03,00}, the lowest version number supported by the client, [or] the
1151  * value of ClientHello.client_version", so the only meaningful check here
1152  * is the major version shouldn't be less than 3 */
1153  if( buf[0] != SSL_MSG_HANDSHAKE ||
1154  buf[1] < SSL_MAJOR_VERSION_3 )
1155  {
1156  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1158  }
1159 
1160  n = ( buf[3] << 8 ) | buf[4];
1161 
1162  if( n < 45 || n > SSL_MAX_CONTENT_LEN )
1163  {
1164  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1166  }
1167 
1168  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
1169  ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
1170  {
1171  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1172  return( ret );
1173  }
1174 
1175  buf = ssl->in_msg;
1176  if( !ssl->renegotiation )
1177  n = ssl->in_left - 5;
1178  else
1179  n = ssl->in_msglen;
1180 
1181  ssl->handshake->update_checksum( ssl, buf, n );
1182 
1183  /*
1184  * SSL layer:
1185  * 0 . 0 handshake type
1186  * 1 . 3 handshake length
1187  * 4 . 5 protocol version
1188  * 6 . 9 UNIX time()
1189  * 10 . 37 random bytes
1190  * 38 . 38 session id length
1191  * 39 . 38+x session id
1192  * 39+x . 40+x ciphersuitelist length
1193  * 41+x . 40+y ciphersuitelist
1194  * 41+y . 41+y compression alg length
1195  * 42+y . 41+z compression algs
1196  * .. . .. extensions
1197  */
1198  SSL_DEBUG_BUF( 4, "record contents", buf, n );
1199 
1200  SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
1201  buf[0] ) );
1202  SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
1203  ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
1204  SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
1205  buf[4], buf[5] ) );
1206 
1207  /*
1208  * Check the handshake type and protocol version
1209  */
1210  if( buf[0] != SSL_HS_CLIENT_HELLO )
1211  {
1212  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1214  }
1215 
1216  ssl->major_ver = buf[4];
1217  ssl->minor_ver = buf[5];
1218 
1219  ssl->handshake->max_major_ver = ssl->major_ver;
1220  ssl->handshake->max_minor_ver = ssl->minor_ver;
1221 
1222  if( ssl->major_ver < ssl->min_major_ver ||
1223  ssl->minor_ver < ssl->min_minor_ver )
1224  {
1225  SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1226  " [%d:%d] < [%d:%d]",
1227  ssl->major_ver, ssl->minor_ver,
1228  ssl->min_major_ver, ssl->min_minor_ver ) );
1229 
1232 
1234  }
1235 
1236  if( ssl->major_ver > ssl->max_major_ver )
1237  {
1238  ssl->major_ver = ssl->max_major_ver;
1239  ssl->minor_ver = ssl->max_minor_ver;
1240  }
1241  else if( ssl->minor_ver > ssl->max_minor_ver )
1242  ssl->minor_ver = ssl->max_minor_ver;
1243 
1244  memcpy( ssl->handshake->randbytes, buf + 6, 32 );
1245 
1246  /*
1247  * Check the handshake message length
1248  */
1249  if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
1250  {
1251  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1253  }
1254 
1255  /*
1256  * Check the session length
1257  */
1258  sess_len = buf[38];
1259 
1260  if( sess_len > 32 || sess_len > n - 42 )
1261  {
1262  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1264  }
1265 
1266  ssl->session_negotiate->length = sess_len;
1267  memset( ssl->session_negotiate->id, 0,
1268  sizeof( ssl->session_negotiate->id ) );
1269  memcpy( ssl->session_negotiate->id, buf + 39,
1270  ssl->session_negotiate->length );
1271 
1272  /*
1273  * Check the ciphersuitelist length
1274  */
1275  ciph_len = ( buf[39 + sess_len] << 8 )
1276  | ( buf[40 + sess_len] );
1277 
1278  if( ciph_len < 2 || ( ciph_len % 2 ) != 0 || ciph_len > n - 42 - sess_len )
1279  {
1280  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1282  }
1283 
1284  /*
1285  * Check the compression algorithms length
1286  */
1287  comp_len = buf[41 + sess_len + ciph_len];
1288 
1289  if( comp_len < 1 || comp_len > 16 ||
1290  comp_len > n - 42 - sess_len - ciph_len )
1291  {
1292  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1294  }
1295 
1296  /*
1297  * Check the extension length
1298  */
1299  if( n > 42 + sess_len + ciph_len + comp_len )
1300  {
1301  ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
1302  | ( buf[43 + sess_len + ciph_len + comp_len] );
1303 
1304  if( ( ext_len > 0 && ext_len < 4 ) ||
1305  n != 44 + sess_len + ciph_len + comp_len + ext_len )
1306  {
1307  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1308  SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
1310  }
1311  }
1312 
1314 #if defined(POLARSSL_ZLIB_SUPPORT)
1315  for( i = 0; i < comp_len; ++i )
1316  {
1317  if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
1318  {
1320  break;
1321  }
1322  }
1323 #endif
1324 
1325  SSL_DEBUG_BUF( 3, "client hello, random bytes",
1326  buf + 6, 32 );
1327  SSL_DEBUG_BUF( 3, "client hello, session id",
1328  buf + 38, sess_len );
1329  SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1330  buf + 41 + sess_len, ciph_len );
1331  SSL_DEBUG_BUF( 3, "client hello, compression",
1332  buf + 42 + sess_len + ciph_len, comp_len );
1333 
1334  /*
1335  * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1336  */
1337  for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1338  {
1339  if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
1340  {
1341  SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1342  if( ssl->renegotiation == SSL_RENEGOTIATION )
1343  {
1344  SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
1345 
1346  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1347  return( ret );
1348 
1350  }
1352  break;
1353  }
1354  }
1355 
1356  ext = buf + 44 + sess_len + ciph_len + comp_len;
1357 
1358  while( ext_len )
1359  {
1360  unsigned int ext_id = ( ( ext[0] << 8 )
1361  | ( ext[1] ) );
1362  unsigned int ext_size = ( ( ext[2] << 8 )
1363  | ( ext[3] ) );
1364 
1365  if( ext_size + 4 > ext_len )
1366  {
1367  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1369  }
1370  switch( ext_id )
1371  {
1372 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
1373  case TLS_EXT_SERVERNAME:
1374  SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1375  if( ssl->f_sni == NULL )
1376  break;
1377 
1378  ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1379  if( ret != 0 )
1380  return( ret );
1381  break;
1382 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
1383 
1385  SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1386  renegotiation_info_seen = 1;
1387 
1388  ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1389  if( ret != 0 )
1390  return( ret );
1391  break;
1392 
1393 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1394  case TLS_EXT_SIG_ALG:
1395  SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1396  if( ssl->renegotiation == SSL_RENEGOTIATION )
1397  break;
1398 
1399  ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1400  if( ret != 0 )
1401  return( ret );
1402  break;
1403 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1404 
1405 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1407  SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1408 
1409  ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1410  if( ret != 0 )
1411  return( ret );
1412  break;
1413 
1415  SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1417 
1418  ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1419  if( ret != 0 )
1420  return( ret );
1421  break;
1422 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1423 
1424 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1426  SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1427 
1428  ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1429  if( ret != 0 )
1430  return( ret );
1431  break;
1432 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
1433 
1434 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1436  SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1437 
1438  ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1439  if( ret != 0 )
1440  return( ret );
1441  break;
1442 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
1443 
1444 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1446  SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1447 
1448  ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1449  if( ret != 0 )
1450  return( ret );
1451  break;
1452 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1453 
1454 #if defined(POLARSSL_SSL_ALPN)
1455  case TLS_EXT_ALPN:
1456  SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1457 
1458  ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
1459  if( ret != 0 )
1460  return( ret );
1461  break;
1462 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1463 
1464  default:
1465  SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1466  ext_id ) );
1467  }
1468 
1469  ext_len -= 4 + ext_size;
1470  ext += 4 + ext_size;
1471 
1472  if( ext_len > 0 && ext_len < 4 )
1473  {
1474  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1476  }
1477  }
1478 
1479  /*
1480  * Renegotiation security checks
1481  */
1484  {
1485  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1486  handshake_failure = 1;
1487  }
1488  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1490  renegotiation_info_seen == 0 )
1491  {
1492  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1493  handshake_failure = 1;
1494  }
1495  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1498  {
1499  SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1500  handshake_failure = 1;
1501  }
1502  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1504  renegotiation_info_seen == 1 )
1505  {
1506  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1507  handshake_failure = 1;
1508  }
1509 
1510  if( handshake_failure == 1 )
1511  {
1512  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1513  return( ret );
1514 
1516  }
1517 
1518  /*
1519  * Search for a matching ciphersuite
1520  * (At the end because we need information from the EC-based extensions
1521  * and certificate from the SNI callback triggered by the SNI extension.)
1522  */
1523  ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1524  ciphersuite_info = NULL;
1525 #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1526  for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 )
1527  {
1528  for( i = 0; ciphersuites[i] != 0; i++ )
1529 #else
1530  for( i = 0; ciphersuites[i] != 0; i++ )
1531  {
1532  for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 )
1533 #endif
1534  {
1535  if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
1536  p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
1537  continue;
1538 
1539  if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1540  &ciphersuite_info ) ) != 0 )
1541  return( ret );
1542 
1543  if( ciphersuite_info != NULL )
1544  goto have_ciphersuite;
1545  }
1546  }
1547 
1548  SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1549 
1550  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1551  return( ret );
1552 
1554 
1555 have_ciphersuite:
1556  ssl->session_negotiate->ciphersuite = ciphersuites[i];
1557  ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1559 
1560  ssl->in_left = 0;
1561  ssl->state++;
1562 
1563  SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1564 
1565  return( 0 );
1566 }
1567 
1568 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1569 static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
1570  unsigned char *buf,
1571  size_t *olen )
1572 {
1573  unsigned char *p = buf;
1574 
1576  {
1577  *olen = 0;
1578  return;
1579  }
1580 
1581  SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1582 
1583  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
1584  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
1585 
1586  *p++ = 0x00;
1587  *p++ = 0x00;
1588 
1589  *olen = 4;
1590 }
1591 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
1592 
1593 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1594 static void ssl_write_session_ticket_ext( ssl_context *ssl,
1595  unsigned char *buf,
1596  size_t *olen )
1597 {
1598  unsigned char *p = buf;
1599 
1600  if( ssl->handshake->new_session_ticket == 0 )
1601  {
1602  *olen = 0;
1603  return;
1604  }
1605 
1606  SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1607 
1608  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
1609  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
1610 
1611  *p++ = 0x00;
1612  *p++ = 0x00;
1613 
1614  *olen = 4;
1615 }
1616 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1617 
1618 static void ssl_write_renegotiation_ext( ssl_context *ssl,
1619  unsigned char *buf,
1620  size_t *olen )
1621 {
1622  unsigned char *p = buf;
1623 
1625  {
1626  *olen = 0;
1627  return;
1628  }
1629 
1630  SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1631 
1632  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
1633  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
1634 
1635  *p++ = 0x00;
1636  *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
1637  *p++ = ssl->verify_data_len * 2 & 0xFF;
1638 
1639  memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
1640  p += ssl->verify_data_len;
1641  memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
1642  p += ssl->verify_data_len;
1643 
1644  *olen = 5 + ssl->verify_data_len * 2;
1645 }
1646 
1647 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1648 static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
1649  unsigned char *buf,
1650  size_t *olen )
1651 {
1652  unsigned char *p = buf;
1653 
1655  {
1656  *olen = 0;
1657  return;
1658  }
1659 
1660  SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
1661 
1662  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
1663  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
1664 
1665  *p++ = 0x00;
1666  *p++ = 1;
1667 
1668  *p++ = ssl->session_negotiate->mfl_code;
1669 
1670  *olen = 5;
1671 }
1672 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
1673 
1674 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1675 static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
1676  unsigned char *buf,
1677  size_t *olen )
1678 {
1679  unsigned char *p = buf;
1680  ((void) ssl);
1681 
1682  if( ( ssl->handshake->cli_exts &
1684  {
1685  *olen = 0;
1686  return;
1687  }
1688 
1689  SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
1690 
1691  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
1692  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
1693 
1694  *p++ = 0x00;
1695  *p++ = 2;
1696 
1697  *p++ = 1;
1699 
1700  *olen = 6;
1701 }
1702 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1703 
1704 #if defined(POLARSSL_SSL_ALPN )
1705 static void ssl_write_alpn_ext( ssl_context *ssl,
1706  unsigned char *buf, size_t *olen )
1707 {
1708  if( ssl->alpn_chosen == NULL )
1709  {
1710  *olen = 0;
1711  return;
1712  }
1713 
1714  SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
1715 
1716  /*
1717  * 0 . 1 ext identifier
1718  * 2 . 3 ext length
1719  * 4 . 5 protocol list length
1720  * 6 . 6 protocol name length
1721  * 7 . 7+n protocol name
1722  */
1723  buf[0] = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF );
1724  buf[1] = (unsigned char)( ( TLS_EXT_ALPN ) & 0xFF );
1725 
1726  *olen = 7 + strlen( ssl->alpn_chosen );
1727 
1728  buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
1729  buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
1730 
1731  buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
1732  buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
1733 
1734  buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF );
1735 
1736  memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
1737 }
1738 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1739 
1740 static int ssl_write_server_hello( ssl_context *ssl )
1741 {
1742 #if defined(POLARSSL_HAVE_TIME)
1743  time_t t;
1744 #endif
1745  int ret;
1746  size_t olen, ext_len = 0, n;
1747  unsigned char *buf, *p;
1748 
1749  SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
1750 
1751  if( ssl->f_rng == NULL )
1752  {
1753  SSL_DEBUG_MSG( 1, ( "no RNG provided") );
1754  return( POLARSSL_ERR_SSL_NO_RNG );
1755  }
1756 
1757  /*
1758  * 0 . 0 handshake type
1759  * 1 . 3 handshake length
1760  * 4 . 5 protocol version
1761  * 6 . 9 UNIX time()
1762  * 10 . 37 random bytes
1763  */
1764  buf = ssl->out_msg;
1765  p = buf + 4;
1766 
1767  *p++ = (unsigned char) ssl->major_ver;
1768  *p++ = (unsigned char) ssl->minor_ver;
1769 
1770  SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
1771  buf[4], buf[5] ) );
1772 
1773 #if defined(POLARSSL_HAVE_TIME)
1774  t = time( NULL );
1775  *p++ = (unsigned char)( t >> 24 );
1776  *p++ = (unsigned char)( t >> 16 );
1777  *p++ = (unsigned char)( t >> 8 );
1778  *p++ = (unsigned char)( t );
1779 
1780  SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
1781 #else
1782  if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
1783  return( ret );
1784 
1785  p += 4;
1786 #endif /* POLARSSL_HAVE_TIME */
1787 
1788  if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
1789  return( ret );
1790 
1791  p += 28;
1792 
1793  memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
1794 
1795  SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
1796 
1797  /*
1798  * Resume is 0 by default, see ssl_handshake_init().
1799  * It may be already set to 1 by ssl_parse_session_ticket_ext().
1800  * If not, try looking up session ID in our cache.
1801  */
1802  if( ssl->handshake->resume == 0 &&
1804  ssl->session_negotiate->length != 0 &&
1805  ssl->f_get_cache != NULL &&
1806  ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
1807  {
1808  SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
1809  ssl->handshake->resume = 1;
1810  }
1811 
1812  if( ssl->handshake->resume == 0 )
1813  {
1814  /*
1815  * New session, create a new session id,
1816  * unless we're about to issue a session ticket
1817  */
1818  ssl->state++;
1819 
1820 #if defined(POLARSSL_HAVE_TIME)
1821  ssl->session_negotiate->start = time( NULL );
1822 #endif
1823 
1824 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1825  if( ssl->handshake->new_session_ticket != 0 )
1826  {
1827  ssl->session_negotiate->length = n = 0;
1828  memset( ssl->session_negotiate->id, 0, 32 );
1829  }
1830  else
1831 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1832  {
1833  ssl->session_negotiate->length = n = 32;
1834  if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
1835  n ) ) != 0 )
1836  return( ret );
1837  }
1838  }
1839  else
1840  {
1841  /*
1842  * Resuming a session
1843  */
1844  n = ssl->session_negotiate->length;
1846 
1847  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1848  {
1849  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1850  return( ret );
1851  }
1852  }
1853 
1854  /*
1855  * 38 . 38 session id length
1856  * 39 . 38+n session id
1857  * 39+n . 40+n chosen ciphersuite
1858  * 41+n . 41+n chosen compression alg.
1859  * 42+n . 43+n extensions length
1860  * 44+n . 43+n+m extensions
1861  */
1862  *p++ = (unsigned char) ssl->session_negotiate->length;
1863  memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
1864  p += ssl->session_negotiate->length;
1865 
1866  SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1867  SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
1868  SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
1869  ssl->handshake->resume ? "a" : "no" ) );
1870 
1871  *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
1872  *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
1873  *p++ = (unsigned char)( ssl->session_negotiate->compression );
1874 
1875  SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
1877  SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
1878  ssl->session_negotiate->compression ) );
1879 
1880  /*
1881  * First write extensions, then the total length
1882  */
1883  ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1884  ext_len += olen;
1885 
1886 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1887  ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1888  ext_len += olen;
1889 #endif
1890 
1891 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1892  ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1893  ext_len += olen;
1894 #endif
1895 
1896 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1897  ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1898  ext_len += olen;
1899 #endif
1900 
1901 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1902  ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1903  ext_len += olen;
1904 #endif
1905 
1906 #if defined(POLARSSL_SSL_ALPN)
1907  ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
1908  ext_len += olen;
1909 #endif
1910 
1911  SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
1912 
1913  if( ext_len > 0 )
1914  {
1915  *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1916  *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1917  p += ext_len;
1918  }
1919 
1920  ssl->out_msglen = p - buf;
1922  ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
1923 
1924  ret = ssl_write_record( ssl );
1925 
1926  SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
1927 
1928  return( ret );
1929 }
1930 
1931 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1932  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1933  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
1934  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1935 static int ssl_write_certificate_request( ssl_context *ssl )
1936 {
1937  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1938 
1939  SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1940 
1941  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1942  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1943  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1944  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1945  {
1946  SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1947  ssl->state++;
1948  return( 0 );
1949  }
1950 
1951  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1953 }
1954 #else
1955 static int ssl_write_certificate_request( ssl_context *ssl )
1956 {
1958  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1959  size_t dn_size, total_dn_size; /* excluding length bytes */
1960  size_t ct_len, sa_len; /* including length bytes */
1961  unsigned char *buf, *p;
1962  const x509_crt *crt;
1963 
1964  SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1965 
1966  ssl->state++;
1967 
1968  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1969  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1970  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1971  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
1972  ssl->authmode == SSL_VERIFY_NONE )
1973  {
1974  SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1975  return( 0 );
1976  }
1977 
1978  /*
1979  * 0 . 0 handshake type
1980  * 1 . 3 handshake length
1981  * 4 . 4 cert type count
1982  * 5 .. m-1 cert types
1983  * m .. m+1 sig alg length (TLS 1.2 only)
1984  * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
1985  * n .. n+1 length of all DNs
1986  * n+2 .. n+3 length of DN 1
1987  * n+4 .. ... Distinguished Name #1
1988  * ... .. ... length of DN 2, etc.
1989  */
1990  buf = ssl->out_msg;
1991  p = buf + 4;
1992 
1993  /*
1994  * Supported certificate types
1995  *
1996  * ClientCertificateType certificate_types<1..2^8-1>;
1997  * enum { (255) } ClientCertificateType;
1998  */
1999  ct_len = 0;
2000 
2001 #if defined(POLARSSL_RSA_C)
2002  p[1 + ct_len++] = SSL_CERT_TYPE_RSA_SIGN;
2003 #endif
2004 #if defined(POLARSSL_ECDSA_C)
2005  p[1 + ct_len++] = SSL_CERT_TYPE_ECDSA_SIGN;
2006 #endif
2007 
2008  p[0] = (unsigned char) ct_len++;
2009  p += ct_len;
2010 
2011  sa_len = 0;
2012 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2013  /*
2014  * Add signature_algorithms for verify (TLS 1.2)
2015  *
2016  * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2017  *
2018  * struct {
2019  * HashAlgorithm hash;
2020  * SignatureAlgorithm signature;
2021  * } SignatureAndHashAlgorithm;
2022  *
2023  * enum { (255) } HashAlgorithm;
2024  * enum { (255) } SignatureAlgorithm;
2025  */
2026  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2027  {
2028  /*
2029  * Only use current running hash algorithm that is already required
2030  * for requested ciphersuite.
2031  */
2033 
2036  {
2038  }
2039 
2040  /*
2041  * Supported signature algorithms
2042  */
2043 #if defined(POLARSSL_RSA_C)
2044  p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
2045  p[2 + sa_len++] = SSL_SIG_RSA;
2046 #endif
2047 #if defined(POLARSSL_ECDSA_C)
2048  p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
2049  p[2 + sa_len++] = SSL_SIG_ECDSA;
2050 #endif
2051 
2052  p[0] = (unsigned char)( sa_len >> 8 );
2053  p[1] = (unsigned char)( sa_len );
2054  sa_len += 2;
2055  p += sa_len;
2056  }
2057 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2058 
2059  /*
2060  * DistinguishedName certificate_authorities<0..2^16-1>;
2061  * opaque DistinguishedName<1..2^16-1>;
2062  */
2063  p += 2;
2064  crt = ssl->ca_chain;
2065 
2066  total_dn_size = 0;
2067  while( crt != NULL && crt->version != 0 )
2068  {
2069  if( p - buf > 4096 )
2070  break;
2071 
2072  dn_size = crt->subject_raw.len;
2073  *p++ = (unsigned char)( dn_size >> 8 );
2074  *p++ = (unsigned char)( dn_size );
2075  memcpy( p, crt->subject_raw.p, dn_size );
2076  p += dn_size;
2077 
2078  SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
2079 
2080  total_dn_size += 2 + dn_size;
2081  crt = crt->next;
2082  }
2083 
2084  ssl->out_msglen = p - buf;
2087  ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
2088  ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
2089 
2090  ret = ssl_write_record( ssl );
2091 
2092  SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
2093 
2094  return( ret );
2095 }
2096 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2097  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2098  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
2099  !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2100 
2101 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2102  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2103 static int ssl_get_ecdh_params_from_cert( ssl_context *ssl )
2104 {
2105  int ret;
2106 
2107  if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECKEY ) )
2108  {
2109  SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2111  }
2112 
2113  if( ( ret = ecdh_get_params( &ssl->handshake->ecdh_ctx,
2114  pk_ec( *ssl_own_key( ssl ) ),
2115  POLARSSL_ECDH_OURS ) ) != 0 )
2116  {
2117  SSL_DEBUG_RET( 1, ( "ecdh_get_params" ), ret );
2118  return( ret );
2119  }
2120 
2121  return( 0 );
2122 }
2123 #endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2124  POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2125 
2126 static int ssl_write_server_key_exchange( ssl_context *ssl )
2127 {
2128  int ret;
2129  size_t n = 0;
2130  const ssl_ciphersuite_t *ciphersuite_info =
2132 
2133 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2134  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2135  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2136  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2137  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2138  unsigned char *p = ssl->out_msg + 4;
2139  unsigned char *dig_signed = p;
2140  size_t dig_signed_len = 0, len;
2141  ((void) dig_signed);
2142  ((void) dig_signed_len);
2143 #endif
2144 
2145  SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
2146 
2147 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
2148  defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
2149  defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2150  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ||
2151  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2152  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
2153  {
2154  SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
2155  ssl->state++;
2156  return( 0 );
2157  }
2158 #endif
2159 
2160 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2161  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2162  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
2163  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
2164  {
2165  ssl_get_ecdh_params_from_cert( ssl );
2166 
2167  SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
2168  ssl->state++;
2169  return( 0 );
2170  }
2171 #endif
2172 
2173 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2174  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2175  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2176  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2177  {
2178  /* TODO: Support identity hints */
2179  *(p++) = 0x00;
2180  *(p++) = 0x00;
2181 
2182  n += 2;
2183  }
2184 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED ||
2185  POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2186 
2187 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2188  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2189  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
2190  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2191  {
2192  /*
2193  * Ephemeral DH parameters:
2194  *
2195  * struct {
2196  * opaque dh_p<1..2^16-1>;
2197  * opaque dh_g<1..2^16-1>;
2198  * opaque dh_Ys<1..2^16-1>;
2199  * } ServerDHParams;
2200  */
2201  if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
2202  ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
2203  {
2204  SSL_DEBUG_RET( 1, "mpi_copy", ret );
2205  return( ret );
2206  }
2207 
2208  if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
2209  (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
2210  p, &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
2211  {
2212  SSL_DEBUG_RET( 1, "dhm_make_params", ret );
2213  return( ret );
2214  }
2215 
2216  dig_signed = p;
2217  dig_signed_len = len;
2218 
2219  p += len;
2220  n += len;
2221 
2222  SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
2223  SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2224  SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2225  SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
2226  }
2227 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2228  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2229 
2230 #if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
2231  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2232  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
2233  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2234  {
2235  /*
2236  * Ephemeral ECDH parameters:
2237  *
2238  * struct {
2239  * ECParameters curve_params;
2240  * ECPoint public;
2241  * } ServerECDHParams;
2242  */
2243  const ecp_curve_info **curve = NULL;
2244 #if defined(POLARSSL_SSL_SET_CURVES)
2245  const ecp_group_id *gid;
2246 
2247  /* Match our preference list against the offered curves */
2248  for( gid = ssl->curve_list; *gid != POLARSSL_ECP_DP_NONE; gid++ )
2249  for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
2250  if( (*curve)->grp_id == *gid )
2251  goto curve_matching_done;
2252 
2253 curve_matching_done:
2254 #else
2255  curve = ssl->handshake->curves;
2256 #endif
2257 
2258  if( *curve == NULL )
2259  {
2260  SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
2262  }
2263 
2264  SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
2265 
2266  if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
2267  (*curve)->grp_id ) ) != 0 )
2268  {
2269  SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
2270  return( ret );
2271  }
2272 
2273  if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
2274  p, SSL_MAX_CONTENT_LEN - n,
2275  ssl->f_rng, ssl->p_rng ) ) != 0 )
2276  {
2277  SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
2278  return( ret );
2279  }
2280 
2281  dig_signed = p;
2282  dig_signed_len = len;
2283 
2284  p += len;
2285  n += len;
2286 
2287  SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
2288  }
2289 #endif /* POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
2290 
2291 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2292  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2293  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2294  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
2295  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2296  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
2297  {
2298  size_t signature_len = 0;
2299  unsigned int hashlen = 0;
2300  unsigned char hash[64];
2301  md_type_t md_alg = POLARSSL_MD_NONE;
2302 
2303  /*
2304  * Choose hash algorithm. NONE means MD5 + SHA1 here.
2305  */
2306 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2307  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2308  {
2309  md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg );
2310 
2311  if( md_alg == POLARSSL_MD_NONE )
2312  {
2313  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2315  }
2316  }
2317  else
2318 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2319 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2320  defined(POLARSSL_SSL_PROTO_TLS1_1)
2321  if( ciphersuite_info->key_exchange ==
2323  {
2324  md_alg = POLARSSL_MD_SHA1;
2325  }
2326  else
2327 #endif
2328  {
2329  md_alg = POLARSSL_MD_NONE;
2330  }
2331 
2332  /*
2333  * Compute the hash to be signed
2334  */
2335 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2336  defined(POLARSSL_SSL_PROTO_TLS1_1)
2337  if( md_alg == POLARSSL_MD_NONE )
2338  {
2339  md5_context md5;
2341 
2342  md5_init( &md5 );
2343  sha1_init( &sha1 );
2344 
2345  /*
2346  * digitally-signed struct {
2347  * opaque md5_hash[16];
2348  * opaque sha_hash[20];
2349  * };
2350  *
2351  * md5_hash
2352  * MD5(ClientHello.random + ServerHello.random
2353  * + ServerParams);
2354  * sha_hash
2355  * SHA(ClientHello.random + ServerHello.random
2356  * + ServerParams);
2357  */
2358  md5_starts( &md5 );
2359  md5_update( &md5, ssl->handshake->randbytes, 64 );
2360  md5_update( &md5, dig_signed, dig_signed_len );
2361  md5_finish( &md5, hash );
2362 
2363  sha1_starts( &sha1 );
2364  sha1_update( &sha1, ssl->handshake->randbytes, 64 );
2365  sha1_update( &sha1, dig_signed, dig_signed_len );
2366  sha1_finish( &sha1, hash + 16 );
2367 
2368  hashlen = 36;
2369 
2370  md5_free( &md5 );
2371  sha1_free( &sha1 );
2372  }
2373  else
2374 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
2375  POLARSSL_SSL_PROTO_TLS1_1 */
2376 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2377  defined(POLARSSL_SSL_PROTO_TLS1_2)
2378  if( md_alg != POLARSSL_MD_NONE )
2379  {
2380  md_context_t ctx;
2381  const md_info_t *md_info = md_info_from_type( md_alg );
2382 
2383  md_init( &ctx );
2384 
2385  /* Info from md_alg will be used instead */
2386  hashlen = 0;
2387 
2388  /*
2389  * digitally-signed struct {
2390  * opaque client_random[32];
2391  * opaque server_random[32];
2392  * ServerDHParams params;
2393  * };
2394  */
2395  if( ( ret = md_init_ctx( &ctx, md_info ) ) != 0 )
2396  {
2397  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
2398  return( ret );
2399  }
2400 
2401  md_starts( &ctx );
2402  md_update( &ctx, ssl->handshake->randbytes, 64 );
2403  md_update( &ctx, dig_signed, dig_signed_len );
2404  md_finish( &ctx, hash );
2405  md_free( &ctx );
2406  }
2407  else
2408 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2409  POLARSSL_SSL_PROTO_TLS1_2 */
2410  {
2411  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2413  }
2414 
2415  SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
2416  (unsigned int) ( md_info_from_type( md_alg ) )->size );
2417 
2418  /*
2419  * Make the signature
2420  */
2421  if( ssl_own_key( ssl ) == NULL )
2422  {
2423  SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2425  }
2426 
2427 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2428  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2429  {
2430  *(p++) = ssl->handshake->sig_alg;
2431  *(p++) = ssl_sig_from_pk( ssl_own_key( ssl ) );
2432 
2433  n += 2;
2434  }
2435 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2436 
2437  if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash, hashlen,
2438  p + 2 , &signature_len,
2439  ssl->f_rng, ssl->p_rng ) ) != 0 )
2440  {
2441  SSL_DEBUG_RET( 1, "pk_sign", ret );
2442  return( ret );
2443  }
2444 
2445  *(p++) = (unsigned char)( signature_len >> 8 );
2446  *(p++) = (unsigned char)( signature_len );
2447  n += 2;
2448 
2449  SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
2450 
2451  p += signature_len;
2452  n += signature_len;
2453  }
2454 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
2455  POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2456  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2457 
2458  ssl->out_msglen = 4 + n;
2461 
2462  ssl->state++;
2463 
2464  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2465  {
2466  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2467  return( ret );
2468  }
2469 
2470  SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
2471 
2472  return( 0 );
2473 }
2474 
2475 static int ssl_write_server_hello_done( ssl_context *ssl )
2476 {
2477  int ret;
2478 
2479  SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
2480 
2481  ssl->out_msglen = 4;
2484 
2485  ssl->state++;
2486 
2487  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2488  {
2489  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2490  return( ret );
2491  }
2492 
2493  SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
2494 
2495  return( 0 );
2496 }
2497 
2498 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2499  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2500 static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
2501  const unsigned char *end )
2502 {
2504  size_t n;
2505 
2506  /*
2507  * Receive G^Y mod P, premaster = (G^Y)^X mod P
2508  */
2509  if( *p + 2 > end )
2510  {
2511  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2513  }
2514 
2515  n = ( (*p)[0] << 8 ) | (*p)[1];
2516  *p += 2;
2517 
2518  if( *p + n > end )
2519  {
2520  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2522  }
2523 
2524  if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
2525  {
2526  SSL_DEBUG_RET( 1, "dhm_read_public", ret );
2528  }
2529 
2530  *p += n;
2531 
2532  SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2533 
2534  return( ret );
2535 }
2536 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2537  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2538 
2539 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
2540  defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2541 static int ssl_parse_encrypted_pms( ssl_context *ssl,
2542  const unsigned char *p,
2543  const unsigned char *end,
2544  size_t pms_offset )
2545 {
2546  int ret;
2547  size_t len = pk_get_len( ssl_own_key( ssl ) );
2548  unsigned char *pms = ssl->handshake->premaster + pms_offset;
2549 
2550  if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) )
2551  {
2552  SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
2554  }
2555 
2556  /*
2557  * Decrypt the premaster using own private RSA key
2558  */
2559 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2560  defined(POLARSSL_SSL_PROTO_TLS1_2)
2561  if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
2562  {
2563  if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
2564  *p++ != ( ( len ) & 0xFF ) )
2565  {
2566  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2568  }
2569  }
2570 #endif
2571 
2572  if( p + len != end )
2573  {
2574  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2576  }
2577 
2578  ret = pk_decrypt( ssl_own_key( ssl ), p, len,
2579  pms, &ssl->handshake->pmslen,
2580  sizeof( ssl->handshake->premaster ) - pms_offset,
2581  ssl->f_rng, ssl->p_rng );
2582 
2583  if( ret != 0 || ssl->handshake->pmslen != 48 ||
2584  pms[0] != ssl->handshake->max_major_ver ||
2585  pms[1] != ssl->handshake->max_minor_ver )
2586  {
2587  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2588 
2589  /*
2590  * Protection against Bleichenbacher's attack:
2591  * invalid PKCS#1 v1.5 padding must not cause
2592  * the connection to end immediately; instead,
2593  * send a bad_record_mac later in the handshake.
2594  */
2595  ssl->handshake->pmslen = 48;
2596 
2597  ret = ssl->f_rng( ssl->p_rng, pms, ssl->handshake->pmslen );
2598  if( ret != 0 )
2599  return( ret );
2600  }
2601 
2602  return( ret );
2603 }
2604 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED ||
2605  POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
2606 
2607 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
2608 static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
2609  const unsigned char *end )
2610 {
2611  int ret = 0;
2612  size_t n;
2613 
2614  if( ssl->f_psk == NULL &&
2615  ( ssl->psk == NULL || ssl->psk_identity == NULL ||
2616  ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
2617  {
2618  SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
2620  }
2621 
2622  /*
2623  * Receive client pre-shared key identity name
2624  */
2625  if( *p + 2 > end )
2626  {
2627  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2629  }
2630 
2631  n = ( (*p)[0] << 8 ) | (*p)[1];
2632  *p += 2;
2633 
2634  if( n < 1 || n > 65535 || *p + n > end )
2635  {
2636  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2638  }
2639 
2640  if( ssl->f_psk != NULL )
2641  {
2642  if( ssl->f_psk( ssl->p_psk, ssl, *p, n ) != 0 )
2644  }
2645  else
2646  {
2647  /* Identity is not a big secret since clients send it in the clear,
2648  * but treat it carefully anyway, just in case */
2649  if( n != ssl->psk_identity_len ||
2650  safer_memcmp( ssl->psk_identity, *p, n ) != 0 )
2651  {
2653  }
2654  }
2655 
2657  {
2658  SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
2659  if( ( ret = ssl_send_alert_message( ssl,
2662  {
2663  return( ret );
2664  }
2665 
2667  }
2668 
2669  *p += n;
2670 
2671  return( 0 );
2672 }
2673 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
2674 
2675 static int ssl_parse_client_key_exchange( ssl_context *ssl )
2676 {
2677  int ret;
2678  const ssl_ciphersuite_t *ciphersuite_info;
2679 
2680  ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2681 
2682  SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
2683 
2684  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2685  {
2686  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2687  return( ret );
2688  }
2689 
2690  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2691  {
2692  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2694  }
2695 
2696  if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
2697  {
2698  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2700  }
2701 
2702 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
2703  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
2704  {
2705  unsigned char *p = ssl->in_msg + 4;
2706  unsigned char *end = ssl->in_msg + ssl->in_hslen;
2707 
2708  if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2709  {
2710  SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2711  return( ret );
2712  }
2713 
2714  if( p != end )
2715  {
2716  SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
2718  }
2719 
2721 
2722  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2723  ssl->handshake->premaster,
2724  &ssl->handshake->pmslen,
2725  ssl->f_rng, ssl->p_rng ) ) != 0 )
2726  {
2727  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2729  }
2730 
2731  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2732  }
2733  else
2734 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
2735 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2736  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2737  defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2738  defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2739  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2740  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
2741  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
2742  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
2743  {
2744  if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2745  ssl->in_msg + 4, ssl->in_hslen - 4 ) ) != 0 )
2746  {
2747  SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2749  }
2750 
2751  SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2752 
2753  if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2754  &ssl->handshake->pmslen,
2755  ssl->handshake->premaster,
2757  ssl->f_rng, ssl->p_rng ) ) != 0 )
2758  {
2759  SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
2761  }
2762 
2763  SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
2764  }
2765  else
2766 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2767  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2768  POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2769  POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2770 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2771  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
2772  {
2773  unsigned char *p = ssl->in_msg + 4;
2774  unsigned char *end = ssl->in_msg + ssl->in_hslen;
2775 
2776  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2777  {
2778  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2779  return( ret );
2780  }
2781 
2782  if( p != end )
2783  {
2784  SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
2786  }
2787 
2788  if( ( ret = ssl_psk_derive_premaster( ssl,
2789  ciphersuite_info->key_exchange ) ) != 0 )
2790  {
2791  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2792  return( ret );
2793  }
2794  }
2795  else
2796 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
2797 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2798  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
2799  {
2800  unsigned char *p = ssl->in_msg + 4;
2801  unsigned char *end = ssl->in_msg + ssl->in_hslen;
2802 
2803  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2804  {
2805  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2806  return( ret );
2807  }
2808 
2809  if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
2810  {
2811  SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
2812  return( ret );
2813  }
2814 
2815  if( ( ret = ssl_psk_derive_premaster( ssl,
2816  ciphersuite_info->key_exchange ) ) != 0 )
2817  {
2818  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2819  return( ret );
2820  }
2821  }
2822  else
2823 #endif /* POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
2824 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2825  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2826  {
2827  unsigned char *p = ssl->in_msg + 4;
2828  unsigned char *end = ssl->in_msg + ssl->in_hslen;
2829 
2830  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2831  {
2832  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2833  return( ret );
2834  }
2835  if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2836  {
2837  SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2838  return( ret );
2839  }
2840 
2841  if( p != end )
2842  {
2843  SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
2845  }
2846 
2847  if( ( ret = ssl_psk_derive_premaster( ssl,
2848  ciphersuite_info->key_exchange ) ) != 0 )
2849  {
2850  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2851  return( ret );
2852  }
2853  }
2854  else
2855 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2856 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2857  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2858  {
2859  unsigned char *p = ssl->in_msg + 4;
2860  unsigned char *end = ssl->in_msg + ssl->in_hslen;
2861 
2862  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2863  {
2864  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2865  return( ret );
2866  }
2867 
2868  if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2869  p, end - p ) ) != 0 )
2870  {
2871  SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2873  }
2874 
2875  SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2876 
2877  if( ( ret = ssl_psk_derive_premaster( ssl,
2878  ciphersuite_info->key_exchange ) ) != 0 )
2879  {
2880  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2881  return( ret );
2882  }
2883  }
2884  else
2885 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2886 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2887  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
2888  {
2889  if( ( ret = ssl_parse_encrypted_pms( ssl,
2890  ssl->in_msg + 4,
2891  ssl->in_msg + ssl->in_hslen,
2892  0 ) ) != 0 )
2893  {
2894  SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
2895  return( ret );
2896  }
2897  }
2898  else
2899 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2900  {
2901  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2903  }
2904 
2905  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2906  {
2907  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2908  return( ret );
2909  }
2910 
2911  ssl->state++;
2912 
2913  SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
2914 
2915  return( 0 );
2916 }
2917 
2918 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2919  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2920  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2921  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2922 static int ssl_parse_certificate_verify( ssl_context *ssl )
2923 {
2924  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2925 
2926  SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2927 
2928  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2929  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2930  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2931  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2932  {
2933  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2934  ssl->state++;
2935  return( 0 );
2936  }
2937 
2938  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2940 }
2941 #else
2942 static int ssl_parse_certificate_verify( ssl_context *ssl )
2943 {
2945  size_t sa_len, sig_len;
2946  unsigned char hash[48];
2947  unsigned char *hash_start = hash;
2948  size_t hashlen;
2949 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2950  pk_type_t pk_alg;
2951 #endif
2952  md_type_t md_alg;
2953  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2954 
2955  SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2956 
2957  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2958  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2959  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2960  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2961  {
2962  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2963  ssl->state++;
2964  return( 0 );
2965  }
2966 
2967  if( ssl->session_negotiate->peer_cert == NULL )
2968  {
2969  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2970  ssl->state++;
2971  return( 0 );
2972  }
2973 
2974  ssl->handshake->calc_verify( ssl, hash );
2975 
2976  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2977  {
2978  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2979  return( ret );
2980  }
2981 
2982  ssl->state++;
2983 
2984  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2985  {
2986  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
2988  }
2989 
2990  if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
2991  {
2992  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
2994  }
2995 
2996  /*
2997  * 0 . 0 handshake type
2998  * 1 . 3 handshake length
2999  * 4 . 5 sig alg (TLS 1.2 only)
3000  * 4+n . 5+n signature length (n = sa_len)
3001  * 6+n . 6+n+m signature (m = sig_len)
3002  */
3003 
3004 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
3005  defined(POLARSSL_SSL_PROTO_TLS1_1)
3006  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
3007  {
3008  sa_len = 0;
3009 
3010  md_alg = POLARSSL_MD_NONE;
3011  hashlen = 36;
3012 
3013  /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
3014  if( pk_can_do( &ssl->session_negotiate->peer_cert->pk,
3015  POLARSSL_PK_ECDSA ) )
3016  {
3017  hash_start += 16;
3018  hashlen -= 16;
3019  md_alg = POLARSSL_MD_SHA1;
3020  }
3021  }
3022  else
3023 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 ||
3024  POLARSSL_SSL_PROTO_TLS1_1 */
3025 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
3026  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
3027  {
3028  sa_len = 2;
3029 
3030  /*
3031  * Hash
3032  */
3033  if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg )
3034  {
3035  SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
3036  " for verify message" ) );
3038  }
3039 
3040  md_alg = ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg );
3041 
3042  /* Info from md_alg will be used instead */
3043  hashlen = 0;
3044 
3045  /*
3046  * Signature
3047  */
3048  if( ( pk_alg = ssl_pk_alg_from_sig( ssl->in_msg[5] ) )
3049  == POLARSSL_PK_NONE )
3050  {
3051  SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
3052  " for verify message" ) );
3054  }
3055 
3056  /*
3057  * Check the certificate's key type matches the signature alg
3058  */
3059  if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
3060  {
3061  SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
3063  }
3064  }
3065  else
3066 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3067  {
3068  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3070  }
3071 
3072  sig_len = ( ssl->in_msg[4 + sa_len] << 8 ) | ssl->in_msg[5 + sa_len];
3073 
3074  if( sa_len + sig_len + 6 != ssl->in_hslen )
3075  {
3076  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3078  }
3079 
3080  if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
3081  md_alg, hash_start, hashlen,
3082  ssl->in_msg + 6 + sa_len, sig_len ) ) != 0 )
3083  {
3084  SSL_DEBUG_RET( 1, "pk_verify", ret );
3085  return( ret );
3086  }
3087 
3088  SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
3089 
3090  return( ret );
3091 }
3092 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
3093  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
3094  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
3095 
3096 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3097 static int ssl_write_new_session_ticket( ssl_context *ssl )
3098 {
3099  int ret;
3100  size_t tlen;
3101  uint32_t lifetime = (uint32_t) ssl->ticket_lifetime;
3102 
3103  SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
3104 
3107 
3108  /*
3109  * struct {
3110  * uint32 ticket_lifetime_hint;
3111  * opaque ticket<0..2^16-1>;
3112  * } NewSessionTicket;
3113  *
3114  * 4 . 7 ticket_lifetime_hint (0 = unspecified)
3115  * 8 . 9 ticket_len (n)
3116  * 10 . 9+n ticket content
3117  */
3118 
3119  ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
3120  ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
3121  ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
3122  ssl->out_msg[7] = ( lifetime ) & 0xFF;
3123 
3124  if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
3125  {
3126  SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
3127  tlen = 0;
3128  }
3129 
3130  ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
3131  ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
3132 
3133  ssl->out_msglen = 10 + tlen;
3134 
3135  /*
3136  * Morally equivalent to updating ssl->state, but NewSessionTicket and
3137  * ChangeCipherSpec share the same state.
3138  */
3139  ssl->handshake->new_session_ticket = 0;
3140 
3141  if( ( ret = ssl_write_record( ssl ) ) != 0 )
3142  {
3143  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3144  return( ret );
3145  }
3146 
3147  SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
3148 
3149  return( 0 );
3150 }
3151 #endif /* POLARSSL_SSL_SESSION_TICKETS */
3152 
3153 /*
3154  * SSL handshake -- server side -- single step
3155  */
3157 {
3158  int ret = 0;
3159 
3160  if( ssl->state == SSL_HANDSHAKE_OVER )
3162 
3163  SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
3164 
3165  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3166  return( ret );
3167 
3168  switch( ssl->state )
3169  {
3170  case SSL_HELLO_REQUEST:
3171  ssl->state = SSL_CLIENT_HELLO;
3172  break;
3173 
3174  /*
3175  * <== ClientHello
3176  */
3177  case SSL_CLIENT_HELLO:
3178  ret = ssl_parse_client_hello( ssl );
3179  break;
3180 
3181  /*
3182  * ==> ServerHello
3183  * Certificate
3184  * ( ServerKeyExchange )
3185  * ( CertificateRequest )
3186  * ServerHelloDone
3187  */
3188  case SSL_SERVER_HELLO:
3189  ret = ssl_write_server_hello( ssl );
3190  break;
3191 
3193  ret = ssl_write_certificate( ssl );
3194  break;
3195 
3197  ret = ssl_write_server_key_exchange( ssl );
3198  break;
3199 
3201  ret = ssl_write_certificate_request( ssl );
3202  break;
3203 
3204  case SSL_SERVER_HELLO_DONE:
3205  ret = ssl_write_server_hello_done( ssl );
3206  break;
3207 
3208  /*
3209  * <== ( Certificate/Alert )
3210  * ClientKeyExchange
3211  * ( CertificateVerify )
3212  * ChangeCipherSpec
3213  * Finished
3214  */
3216  ret = ssl_parse_certificate( ssl );
3217  break;
3218 
3220  ret = ssl_parse_client_key_exchange( ssl );
3221  break;
3222 
3224  ret = ssl_parse_certificate_verify( ssl );
3225  break;
3226 
3228  ret = ssl_parse_change_cipher_spec( ssl );
3229  break;
3230 
3231  case SSL_CLIENT_FINISHED:
3232  ret = ssl_parse_finished( ssl );
3233  break;
3234 
3235  /*
3236  * ==> ( NewSessionTicket )
3237  * ChangeCipherSpec
3238  * Finished
3239  */
3241 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3242  if( ssl->handshake->new_session_ticket != 0 )
3243  ret = ssl_write_new_session_ticket( ssl );
3244  else
3245 #endif
3246  ret = ssl_write_change_cipher_spec( ssl );
3247  break;
3248 
3249  case SSL_SERVER_FINISHED:
3250  ret = ssl_write_finished( ssl );
3251  break;
3252 
3253  case SSL_FLUSH_BUFFERS:
3254  SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3255  ssl->state = SSL_HANDSHAKE_WRAPUP;
3256  break;
3257 
3258  case SSL_HANDSHAKE_WRAPUP:
3259  ssl_handshake_wrapup( ssl );
3260  break;
3261 
3262  default:
3263  SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3265  }
3266 
3267  return( ret );
3268 }
3269 #endif /* POLARSSL_SSL_SRV_C */