00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
00013
00014
00015
00016
00017
00018
00019
00020
00021
00022
00023
00024
00025
00026 #include "polarssl/config.h"
00027
00028 #if defined(POLARSSL_SSL_CLI_C)
00029
00030 #include "polarssl/debug.h"
00031 #include "polarssl/ssl.h"
00032
00033 #if defined(POLARSSL_MEMORY_C)
00034 #include "polarssl/memory.h"
00035 #else
00036 #define polarssl_malloc malloc
00037 #define polarssl_free free
00038 #endif
00039
00040 #include <stdlib.h>
00041 #include <stdio.h>
00042
00043 #if defined(_MSC_VER) && !defined(EFIX64) && !defined(EFI32)
00044 #include <basetsd.h>
00045 typedef UINT32 uint32_t;
00046 #else
00047 #include <inttypes.h>
00048 #endif
00049
00050 #if defined(POLARSSL_HAVE_TIME)
00051 #include <time.h>
00052 #endif
00053
00054 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
00055 static void ssl_write_hostname_ext( ssl_context *ssl,
00056 unsigned char *buf,
00057 size_t *olen )
00058 {
00059 unsigned char *p = buf;
00060
00061 *olen = 0;
00062
00063 if ( ssl->hostname == NULL )
00064 return;
00065
00066 SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
00067 ssl->hostname ) );
00068
00069
00070
00071
00072
00073
00074
00075
00076
00077
00078
00079
00080
00081
00082
00083
00084
00085
00086
00087 *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
00088 *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME ) & 0xFF );
00089
00090 *p++ = (unsigned char)( ( (ssl->hostname_len + 5) >> 8 ) & 0xFF );
00091 *p++ = (unsigned char)( ( (ssl->hostname_len + 5) ) & 0xFF );
00092
00093 *p++ = (unsigned char)( ( (ssl->hostname_len + 3) >> 8 ) & 0xFF );
00094 *p++ = (unsigned char)( ( (ssl->hostname_len + 3) ) & 0xFF );
00095
00096 *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
00097 *p++ = (unsigned char)( ( ssl->hostname_len >> 8 ) & 0xFF );
00098 *p++ = (unsigned char)( ( ssl->hostname_len ) & 0xFF );
00099
00100 memcpy( p, ssl->hostname, ssl->hostname_len );
00101
00102 *olen = ssl->hostname_len + 9;
00103 }
00104 #endif
00105
00106 static void ssl_write_renegotiation_ext( ssl_context *ssl,
00107 unsigned char *buf,
00108 size_t *olen )
00109 {
00110 unsigned char *p = buf;
00111
00112 *olen = 0;
00113
00114 if( ssl->renegotiation != SSL_RENEGOTIATION )
00115 return;
00116
00117 SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
00118
00119
00120
00121
00122 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
00123 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
00124
00125 *p++ = 0x00;
00126 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
00127 *p++ = ssl->verify_data_len & 0xFF;
00128
00129 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
00130
00131 *olen = 5 + ssl->verify_data_len;
00132 }
00133
00134 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
00135 static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
00136 unsigned char *buf,
00137 size_t *olen )
00138 {
00139 unsigned char *p = buf;
00140 unsigned char *sig_alg_list = buf + 6;
00141 size_t sig_alg_len = 0;
00142
00143 *olen = 0;
00144
00145 if( ssl->max_minor_ver != SSL_MINOR_VERSION_3 )
00146 return;
00147
00148 SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
00149
00150
00151
00152
00153 #if defined(POLARSSL_RSA_C)
00154 #if defined(POLARSSL_SHA512_C)
00155 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
00156 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
00157 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
00158 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
00159 #endif
00160 #if defined(POLARSSL_SHA256_C)
00161 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
00162 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
00163 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
00164 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
00165 #endif
00166 #if defined(POLARSSL_SHA1_C)
00167 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
00168 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
00169 #endif
00170 #if defined(POLARSSL_MD5_C)
00171 sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
00172 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
00173 #endif
00174 #endif
00175 #if defined(POLARSSL_ECDSA_C)
00176 #if defined(POLARSSL_SHA512_C)
00177 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
00178 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
00179 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
00180 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
00181 #endif
00182 #if defined(POLARSSL_SHA256_C)
00183 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
00184 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
00185 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
00186 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
00187 #endif
00188 #if defined(POLARSSL_SHA1_C)
00189 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
00190 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
00191 #endif
00192 #if defined(POLARSSL_MD5_C)
00193 sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
00194 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
00195 #endif
00196 #endif
00197
00198
00199
00200
00201
00202
00203
00204
00205
00206
00207
00208
00209
00210
00211
00212
00213
00214
00215 *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
00216 *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG ) & 0xFF );
00217
00218 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
00219 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
00220
00221 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
00222 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
00223
00224 *olen = 6 + sig_alg_len;
00225 }
00226 #endif
00227
00228 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
00229 static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
00230 unsigned char *buf,
00231 size_t *olen )
00232 {
00233 unsigned char *p = buf;
00234 unsigned char elliptic_curve_list[20];
00235 size_t elliptic_curve_len = 0;
00236 const ecp_curve_info *curve;
00237 ((void) ssl);
00238
00239 *olen = 0;
00240
00241 SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
00242
00243 for( curve = ecp_curve_list();
00244 curve->grp_id != POLARSSL_ECP_DP_NONE;
00245 curve++ )
00246 {
00247 elliptic_curve_list[elliptic_curve_len++] = curve->tls_id >> 8;
00248 elliptic_curve_list[elliptic_curve_len++] = curve->tls_id & 0xFF;
00249 }
00250
00251 if( elliptic_curve_len == 0 )
00252 return;
00253
00254 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
00255 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
00256
00257 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
00258 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
00259
00260 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
00261 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
00262
00263 memcpy( p, elliptic_curve_list, elliptic_curve_len );
00264
00265 *olen = 6 + elliptic_curve_len;
00266 }
00267
00268 static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
00269 unsigned char *buf,
00270 size_t *olen )
00271 {
00272 unsigned char *p = buf;
00273 ((void) ssl);
00274
00275 *olen = 0;
00276
00277 SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
00278
00279 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
00280 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
00281
00282 *p++ = 0x00;
00283 *p++ = 2;
00284
00285 *p++ = 1;
00286 *p++ = POLARSSL_ECP_PF_UNCOMPRESSED;
00287
00288 *olen = 6;
00289 }
00290 #endif
00291
00292 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
00293 static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
00294 unsigned char *buf,
00295 size_t *olen )
00296 {
00297 unsigned char *p = buf;
00298
00299 if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ) {
00300 *olen = 0;
00301 return;
00302 }
00303
00304 SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
00305
00306 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
00307 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
00308
00309 *p++ = 0x00;
00310 *p++ = 1;
00311
00312 *p++ = ssl->mfl_code;
00313
00314 *olen = 5;
00315 }
00316 #endif
00317
00318 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
00319 static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
00320 unsigned char *buf, size_t *olen )
00321 {
00322 unsigned char *p = buf;
00323
00324 if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
00325 {
00326 *olen = 0;
00327 return;
00328 }
00329
00330 SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
00331
00332 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
00333 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
00334
00335 *p++ = 0x00;
00336 *p++ = 0x00;
00337
00338 *olen = 4;
00339 }
00340 #endif
00341
00342 #if defined(POLARSSL_SSL_SESSION_TICKETS)
00343 static void ssl_write_session_ticket_ext( ssl_context *ssl,
00344 unsigned char *buf, size_t *olen )
00345 {
00346 unsigned char *p = buf;
00347 size_t tlen = ssl->session_negotiate->ticket_len;
00348
00349 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
00350 {
00351 *olen = 0;
00352 return;
00353 }
00354
00355 SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
00356
00357 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
00358 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
00359
00360 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
00361 *p++ = (unsigned char)( ( tlen ) & 0xFF );
00362
00363 *olen = 4;
00364
00365 if( ssl->session_negotiate->ticket == NULL ||
00366 ssl->session_negotiate->ticket_len == 0 )
00367 {
00368 return;
00369 }
00370
00371 SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
00372
00373 memcpy( p, ssl->session_negotiate->ticket, tlen );
00374
00375 *olen += tlen;
00376 }
00377 #endif
00378
00379 static int ssl_write_client_hello( ssl_context *ssl )
00380 {
00381 int ret;
00382 size_t i, n, olen, ext_len = 0;
00383 unsigned char *buf;
00384 unsigned char *p, *q;
00385 #if defined(POLARSSL_HAVE_TIME)
00386 time_t t;
00387 #endif
00388 const int *ciphersuites;
00389 const ssl_ciphersuite_t *ciphersuite_info;
00390
00391 SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
00392
00393 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
00394 {
00395 ssl->major_ver = ssl->min_major_ver;
00396 ssl->minor_ver = ssl->min_minor_ver;
00397 }
00398
00399 if( ssl->max_major_ver == 0 && ssl->max_minor_ver == 0 )
00400 {
00401 ssl->max_major_ver = SSL_MAX_MAJOR_VERSION;
00402 ssl->max_minor_ver = SSL_MAX_MINOR_VERSION;
00403 }
00404
00405
00406
00407
00408
00409
00410
00411
00412 buf = ssl->out_msg;
00413 p = buf + 4;
00414
00415 *p++ = (unsigned char) ssl->max_major_ver;
00416 *p++ = (unsigned char) ssl->max_minor_ver;
00417
00418 SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
00419 buf[4], buf[5] ) );
00420
00421 #if defined(POLARSSL_HAVE_TIME)
00422 t = time( NULL );
00423 *p++ = (unsigned char)( t >> 24 );
00424 *p++ = (unsigned char)( t >> 16 );
00425 *p++ = (unsigned char)( t >> 8 );
00426 *p++ = (unsigned char)( t );
00427
00428 SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
00429 #else
00430 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
00431 return( ret );
00432
00433 p += 4;
00434 #endif
00435
00436 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
00437 return( ret );
00438
00439 p += 28;
00440
00441 memcpy( ssl->handshake->randbytes, buf + 6, 32 );
00442
00443 SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 6, 32 );
00444
00445
00446
00447
00448
00449
00450
00451
00452
00453
00454
00455 n = ssl->session_negotiate->length;
00456
00457 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE || n < 16 || n > 32 ||
00458 ssl->handshake->resume == 0 )
00459 {
00460 n = 0;
00461 }
00462
00463 #if defined(POLARSSL_SSL_SESSION_TICKETS)
00464
00465
00466
00467
00468 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
00469 ssl->session_negotiate->ticket != NULL &&
00470 ssl->session_negotiate->ticket_len != 0 )
00471 {
00472 ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );
00473
00474 if( ret != 0 )
00475 return( ret );
00476
00477 ssl->session_negotiate->length = n = 32;
00478 }
00479 #endif
00480
00481 *p++ = (unsigned char) n;
00482
00483 for( i = 0; i < n; i++ )
00484 *p++ = ssl->session_negotiate->id[i];
00485
00486 SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
00487 SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
00488
00489 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
00490 n = 0;
00491 q = p;
00492
00493
00494 p += 2;
00495
00496
00497
00498
00499 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
00500 {
00501 *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
00502 *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO );
00503 n++;
00504 }
00505
00506 for( i = 0; ciphersuites[i] != 0; i++ )
00507 {
00508 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
00509
00510 if( ciphersuite_info == NULL )
00511 continue;
00512
00513 if( ciphersuite_info->min_minor_ver > ssl->max_minor_ver ||
00514 ciphersuite_info->max_minor_ver < ssl->min_minor_ver )
00515 continue;
00516
00517 SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
00518 ciphersuites[i] ) );
00519
00520 n++;
00521 *p++ = (unsigned char)( ciphersuites[i] >> 8 );
00522 *p++ = (unsigned char)( ciphersuites[i] );
00523 }
00524
00525 *q++ = (unsigned char)( n >> 7 );
00526 *q++ = (unsigned char)( n << 1 );
00527
00528 SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
00529
00530
00531 #if defined(POLARSSL_ZLIB_SUPPORT)
00532 SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
00533 SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
00534 SSL_COMPRESS_DEFLATE, SSL_COMPRESS_NULL ) );
00535
00536 *p++ = 2;
00537 *p++ = SSL_COMPRESS_DEFLATE;
00538 *p++ = SSL_COMPRESS_NULL;
00539 #else
00540 SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
00541 SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", SSL_COMPRESS_NULL ) );
00542
00543 *p++ = 1;
00544 *p++ = SSL_COMPRESS_NULL;
00545 #endif
00546
00547
00548
00549 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
00550 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
00551 ext_len += olen;
00552 #endif
00553
00554 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
00555 ext_len += olen;
00556
00557 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
00558 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
00559 ext_len += olen;
00560 #endif
00561
00562 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
00563 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
00564 ext_len += olen;
00565
00566 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
00567 ext_len += olen;
00568 #endif
00569
00570 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
00571 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
00572 ext_len += olen;
00573 #endif
00574
00575 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
00576 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
00577 ext_len += olen;
00578 #endif
00579
00580 #if defined(POLARSSL_SSL_SESSION_TICKETS)
00581 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
00582 ext_len += olen;
00583 #endif
00584
00585 SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
00586 ext_len ) );
00587
00588 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
00589 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
00590 p += ext_len;
00591
00592 ssl->out_msglen = p - buf;
00593 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
00594 ssl->out_msg[0] = SSL_HS_CLIENT_HELLO;
00595
00596 ssl->state++;
00597
00598 if( ( ret = ssl_write_record( ssl ) ) != 0 )
00599 {
00600 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
00601 return( ret );
00602 }
00603
00604 SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
00605
00606 return( 0 );
00607 }
00608
00609 static int ssl_parse_renegotiation_info( ssl_context *ssl,
00610 const unsigned char *buf,
00611 size_t len )
00612 {
00613 int ret;
00614
00615 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
00616 {
00617 if( len != 1 || buf[0] != 0x0 )
00618 {
00619 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
00620
00621 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
00622 return( ret );
00623
00624 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
00625 }
00626
00627 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
00628 }
00629 else
00630 {
00631
00632 if( len != 1 + ssl->verify_data_len * 2 ||
00633 buf[0] != ssl->verify_data_len * 2 ||
00634 safer_memcmp( buf + 1,
00635 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
00636 safer_memcmp( buf + 1 + ssl->verify_data_len,
00637 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
00638 {
00639 SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
00640
00641 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
00642 return( ret );
00643
00644 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
00645 }
00646 }
00647
00648 return( 0 );
00649 }
00650
00651 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
00652 static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
00653 const unsigned char *buf,
00654 size_t len )
00655 {
00656
00657
00658
00659
00660 if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ||
00661 len != 1 ||
00662 buf[0] != ssl->mfl_code )
00663 {
00664 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
00665 }
00666
00667 return( 0 );
00668 }
00669 #endif
00670
00671 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
00672 static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
00673 const unsigned char *buf,
00674 size_t len )
00675 {
00676 if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED ||
00677 len != 0 )
00678 {
00679 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
00680 }
00681
00682 ((void) buf);
00683
00684 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
00685
00686 return( 0 );
00687 }
00688 #endif
00689
00690 #if defined(POLARSSL_SSL_SESSION_TICKETS)
00691 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
00692 const unsigned char *buf,
00693 size_t len )
00694 {
00695 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED ||
00696 len != 0 )
00697 {
00698 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
00699 }
00700
00701 ((void) buf);
00702
00703 ssl->handshake->new_session_ticket = 1;
00704
00705 return( 0 );
00706 }
00707 #endif
00708
00709 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
00710 static int ssl_parse_supported_point_formats_ext( ssl_context *ssl,
00711 const unsigned char *buf,
00712 size_t len )
00713 {
00714 size_t list_size;
00715 const unsigned char *p;
00716
00717 list_size = buf[0];
00718 if( list_size + 1 != len )
00719 {
00720 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
00721 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
00722 }
00723
00724 p = buf + 2;
00725 while( list_size > 0 )
00726 {
00727 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
00728 p[0] == POLARSSL_ECP_PF_COMPRESSED )
00729 {
00730 ssl->handshake->ecdh_ctx.point_format = p[0];
00731 SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
00732 return( 0 );
00733 }
00734
00735 list_size--;
00736 p++;
00737 }
00738
00739 return( 0 );
00740 }
00741 #endif
00742
00743 static int ssl_parse_server_hello( ssl_context *ssl )
00744 {
00745 int ret, i, comp;
00746 size_t n;
00747 size_t ext_len = 0;
00748 unsigned char *buf, *ext;
00749 int renegotiation_info_seen = 0;
00750 int handshake_failure = 0;
00751 #if defined(POLARSSL_DEBUG_C)
00752 uint32_t t;
00753 #endif
00754
00755 SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
00756
00757
00758
00759
00760
00761
00762
00763
00764 buf = ssl->in_msg;
00765
00766 if( ( ret = ssl_read_record( ssl ) ) != 0 )
00767 {
00768 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
00769 return( ret );
00770 }
00771
00772 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
00773 {
00774 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
00775 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
00776 }
00777
00778 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
00779 buf[4], buf[5] ) );
00780
00781 if( ssl->in_hslen < 42 ||
00782 buf[0] != SSL_HS_SERVER_HELLO ||
00783 buf[4] != SSL_MAJOR_VERSION_3 )
00784 {
00785 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
00786 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
00787 }
00788
00789 if( buf[5] > ssl->max_minor_ver )
00790 {
00791 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
00792 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
00793 }
00794
00795 ssl->minor_ver = buf[5];
00796
00797 if( ssl->minor_ver < ssl->min_minor_ver )
00798 {
00799 SSL_DEBUG_MSG( 1, ( "server only supports ssl smaller than minimum"
00800 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
00801 buf[4], buf[5] ) );
00802
00803 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
00804 SSL_ALERT_MSG_PROTOCOL_VERSION );
00805
00806 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
00807 }
00808
00809 #if defined(POLARSSL_DEBUG_C)
00810 t = ( (uint32_t) buf[6] << 24 )
00811 | ( (uint32_t) buf[7] << 16 )
00812 | ( (uint32_t) buf[8] << 8 )
00813 | ( (uint32_t) buf[9] );
00814 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
00815 #endif
00816
00817 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
00818
00819 n = buf[38];
00820
00821 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
00822
00823 if( n > 32 )
00824 {
00825 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
00826 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
00827 }
00828
00829
00830
00831
00832
00833
00834
00835
00836
00837 if( ssl->in_hslen > 42 + n )
00838 {
00839 ext_len = ( ( buf[42 + n] << 8 )
00840 | ( buf[43 + n] ) );
00841
00842 if( ( ext_len > 0 && ext_len < 4 ) ||
00843 ssl->in_hslen != 44 + n + ext_len )
00844 {
00845 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
00846 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
00847 }
00848 }
00849
00850 i = ( buf[39 + n] << 8 ) | buf[40 + n];
00851 comp = buf[41 + n];
00852
00853
00854
00855
00856 ssl->transform_negotiate->ciphersuite_info = ssl_ciphersuite_from_id( i );
00857 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
00858
00859 if( ssl->transform_negotiate->ciphersuite_info == NULL )
00860 {
00861 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
00862 ssl->ciphersuite_list[ssl->minor_ver][i] ) );
00863 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00864 }
00865
00866 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
00867 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
00868
00869
00870
00871
00872 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
00873 ssl->handshake->resume == 0 || n == 0 ||
00874 ssl->session_negotiate->ciphersuite != i ||
00875 ssl->session_negotiate->compression != comp ||
00876 ssl->session_negotiate->length != n ||
00877 memcmp( ssl->session_negotiate->id, buf + 39, n ) != 0 )
00878 {
00879 ssl->state++;
00880 ssl->handshake->resume = 0;
00881 #if defined(POLARSSL_HAVE_TIME)
00882 ssl->session_negotiate->start = time( NULL );
00883 #endif
00884 ssl->session_negotiate->ciphersuite = i;
00885 ssl->session_negotiate->compression = comp;
00886 ssl->session_negotiate->length = n;
00887 memcpy( ssl->session_negotiate->id, buf + 39, n );
00888 }
00889 else
00890 {
00891 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
00892
00893 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
00894 {
00895 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
00896 return( ret );
00897 }
00898 }
00899
00900 SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
00901 ssl->handshake->resume ? "a" : "no" ) );
00902
00903 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) );
00904 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) );
00905
00906 i = 0;
00907 while( 1 )
00908 {
00909 if( ssl->ciphersuite_list[ssl->minor_ver][i] == 0 )
00910 {
00911 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
00912 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
00913 }
00914
00915 if( ssl->ciphersuite_list[ssl->minor_ver][i++] ==
00916 ssl->session_negotiate->ciphersuite )
00917 {
00918 break;
00919 }
00920 }
00921
00922 if( comp != SSL_COMPRESS_NULL
00923 #if defined(POLARSSL_ZLIB_SUPPORT)
00924 && comp != SSL_COMPRESS_DEFLATE
00925 #endif
00926 )
00927 {
00928 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
00929 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
00930 }
00931 ssl->session_negotiate->compression = comp;
00932
00933 ext = buf + 44 + n;
00934
00935 SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
00936
00937 while( ext_len )
00938 {
00939 unsigned int ext_id = ( ( ext[0] << 8 )
00940 | ( ext[1] ) );
00941 unsigned int ext_size = ( ( ext[2] << 8 )
00942 | ( ext[3] ) );
00943
00944 if( ext_size + 4 > ext_len )
00945 {
00946 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
00947 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
00948 }
00949
00950 switch( ext_id )
00951 {
00952 case TLS_EXT_RENEGOTIATION_INFO:
00953 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
00954 renegotiation_info_seen = 1;
00955
00956 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ) ) != 0 )
00957 return( ret );
00958
00959 break;
00960
00961 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
00962 case TLS_EXT_MAX_FRAGMENT_LENGTH:
00963 SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
00964
00965 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
00966 ext + 4, ext_size ) ) != 0 )
00967 {
00968 return( ret );
00969 }
00970
00971 break;
00972 #endif
00973
00974 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
00975 case TLS_EXT_TRUNCATED_HMAC:
00976 SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
00977
00978 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
00979 ext + 4, ext_size ) ) != 0 )
00980 {
00981 return( ret );
00982 }
00983
00984 break;
00985 #endif
00986
00987 #if defined(POLARSSL_SSL_SESSION_TICKETS)
00988 case TLS_EXT_SESSION_TICKET:
00989 SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
00990
00991 if( ( ret = ssl_parse_session_ticket_ext( ssl,
00992 ext + 4, ext_size ) ) != 0 )
00993 {
00994 return( ret );
00995 }
00996
00997 break;
00998 #endif
00999
01000 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
01001 case TLS_EXT_SUPPORTED_POINT_FORMATS:
01002 SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
01003
01004 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
01005 ext + 4, ext_size ) ) != 0 )
01006 {
01007 return( ret );
01008 }
01009
01010 break;
01011 #endif
01012
01013 default:
01014 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
01015 ext_id ) );
01016 }
01017
01018 ext_len -= 4 + ext_size;
01019 ext += 4 + ext_size;
01020
01021 if( ext_len > 0 && ext_len < 4 )
01022 {
01023 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
01024 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
01025 }
01026 }
01027
01028
01029
01030
01031 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
01032 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
01033 {
01034 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
01035 handshake_failure = 1;
01036 }
01037 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
01038 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
01039 renegotiation_info_seen == 0 )
01040 {
01041 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
01042 handshake_failure = 1;
01043 }
01044 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
01045 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
01046 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
01047 {
01048 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
01049 handshake_failure = 1;
01050 }
01051 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
01052 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
01053 renegotiation_info_seen == 1 )
01054 {
01055 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
01056 handshake_failure = 1;
01057 }
01058
01059 if( handshake_failure == 1 )
01060 {
01061 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
01062 return( ret );
01063
01064 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
01065 }
01066
01067 SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
01068
01069 return( 0 );
01070 }
01071
01072 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
01073 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
01074 static int ssl_parse_server_dh_params( ssl_context *ssl, unsigned char **p,
01075 unsigned char *end )
01076 {
01077 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
01078
01079
01080
01081
01082
01083
01084
01085
01086
01087
01088 if( ( ret = dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
01089 {
01090 SSL_DEBUG_RET( 2, ( "dhm_read_params" ), ret );
01091 return( ret );
01092 }
01093
01094 if( ssl->handshake->dhm_ctx.len < 64 ||
01095 ssl->handshake->dhm_ctx.len > 512 )
01096 {
01097 SSL_DEBUG_MSG( 1, ( "bad server key exchange message (DHM length)" ) );
01098 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
01099 }
01100
01101 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
01102 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
01103 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
01104
01105 return( ret );
01106 }
01107 #endif
01108
01109
01110 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
01111 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
01112 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
01113 static int ssl_parse_server_ecdh_params( ssl_context *ssl,
01114 unsigned char **p,
01115 unsigned char *end )
01116 {
01117 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
01118
01119
01120
01121
01122
01123
01124
01125
01126
01127 if( ( ret = ecdh_read_params( &ssl->handshake->ecdh_ctx,
01128 (const unsigned char **) p, end ) ) != 0 )
01129 {
01130 SSL_DEBUG_RET( 1, ( "ecdh_read_params" ), ret );
01131 return( ret );
01132 }
01133
01134 SSL_DEBUG_MSG( 2, ( "ECDH curve size: %d",
01135 (int) ssl->handshake->ecdh_ctx.grp.nbits ) );
01136
01137 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
01138 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
01139 {
01140 SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDH length)" ) );
01141 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
01142 }
01143
01144 SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp );
01145
01146 return( ret );
01147 }
01148 #endif
01149
01150
01151
01152 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
01153 static int ssl_parse_server_psk_hint( ssl_context *ssl,
01154 unsigned char **p,
01155 unsigned char *end )
01156 {
01157 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
01158 size_t len;
01159 ((void) ssl);
01160
01161
01162
01163
01164
01165
01166 len = (*p)[0] << 8 | (*p)[1];
01167 *p += 2;
01168
01169 if( (*p) + len > end )
01170 {
01171 SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) );
01172 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
01173 }
01174
01175
01176
01177 *p += len;
01178 ret = 0;
01179
01180 return( ret );
01181 }
01182 #endif
01183
01184 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
01185 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
01186
01187
01188
01189 static int ssl_write_encrypted_pms( ssl_context *ssl,
01190 size_t offset, size_t *olen,
01191 size_t pms_offset )
01192 {
01193 int ret;
01194 size_t len_bytes = ssl->minor_ver == SSL_MINOR_VERSION_0 ? 0 : 2;
01195 unsigned char *p = ssl->handshake->premaster + pms_offset;
01196
01197
01198
01199
01200
01201
01202
01203
01204 p[0] = (unsigned char) ssl->max_major_ver;
01205 p[1] = (unsigned char) ssl->max_minor_ver;
01206
01207 if( ( ret = ssl->f_rng( ssl->p_rng, p + 2, 46 ) ) != 0 )
01208 {
01209 SSL_DEBUG_RET( 1, "f_rng", ret );
01210 return( ret );
01211 }
01212
01213 ssl->handshake->pmslen = 48;
01214
01215
01216
01217
01218 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
01219 POLARSSL_PK_RSA ) )
01220 {
01221 SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
01222 return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH );
01223 }
01224
01225 if( ( ret = pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
01226 p, ssl->handshake->pmslen,
01227 ssl->out_msg + offset + len_bytes, olen,
01228 SSL_MAX_CONTENT_LEN - offset - len_bytes,
01229 ssl->f_rng, ssl->p_rng ) ) != 0 )
01230 {
01231 SSL_DEBUG_RET( 1, "rsa_pkcs1_encrypt", ret );
01232 return( ret );
01233 }
01234
01235 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
01236 defined(POLARSSL_SSL_PROTO_TLS1_2)
01237 if( len_bytes == 2 )
01238 {
01239 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
01240 ssl->out_msg[offset+1] = (unsigned char)( *olen );
01241 *olen += 2;
01242 }
01243 #endif
01244
01245 return( 0 );
01246 }
01247 #endif
01248
01249
01250 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
01251 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
01252 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
01253 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
01254 static int ssl_parse_signature_algorithm( ssl_context *ssl,
01255 unsigned char **p,
01256 unsigned char *end,
01257 md_type_t *md_alg,
01258 pk_type_t *pk_alg )
01259 {
01260 ((void) ssl);
01261 *md_alg = POLARSSL_MD_NONE;
01262 *pk_alg = POLARSSL_PK_NONE;
01263
01264
01265 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
01266 {
01267 return( 0 );
01268 }
01269
01270 if( (*p) + 2 > end )
01271 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
01272
01273
01274
01275
01276 if( ( *md_alg = ssl_md_alg_from_hash( (*p)[0] ) ) == POLARSSL_MD_NONE )
01277 {
01278 SSL_DEBUG_MSG( 2, ( "Server used unsupported "
01279 "HashAlgorithm %d", *(p)[0] ) );
01280 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
01281 }
01282
01283
01284
01285
01286 if( ( *pk_alg = ssl_pk_alg_from_sig( (*p)[1] ) ) == POLARSSL_PK_NONE )
01287 {
01288 SSL_DEBUG_MSG( 2, ( "server used unsupported "
01289 "SignatureAlgorithm %d", (*p)[1] ) );
01290 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
01291 }
01292
01293 SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
01294 SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
01295 *p += 2;
01296
01297 return( 0 );
01298 }
01299 #endif
01300
01301
01302 #endif
01303
01304 static int ssl_parse_server_key_exchange( ssl_context *ssl )
01305 {
01306 int ret;
01307 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
01308 unsigned char *p, *end;
01309 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
01310 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
01311 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
01312 size_t sig_len, params_len;
01313 unsigned char hash[64];
01314 md_type_t md_alg = POLARSSL_MD_NONE;
01315 size_t hashlen;
01316 pk_type_t pk_alg = POLARSSL_PK_NONE;
01317 #endif
01318
01319 SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
01320
01321 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
01322 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
01323 {
01324 SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
01325 ssl->state++;
01326 return( 0 );
01327 }
01328 ((void) p);
01329 ((void) end);
01330 #endif
01331
01332 if( ( ret = ssl_read_record( ssl ) ) != 0 )
01333 {
01334 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
01335 return( ret );
01336 }
01337
01338 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
01339 {
01340 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
01341 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
01342 }
01343
01344
01345
01346
01347
01348 if( ssl->in_msg[0] != SSL_HS_SERVER_KEY_EXCHANGE )
01349 {
01350 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
01351 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
01352 {
01353 ssl->record_read = 1;
01354 goto exit;
01355 }
01356
01357 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
01358 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
01359 }
01360
01361 p = ssl->in_msg + 4;
01362 end = ssl->in_msg + ssl->in_hslen;
01363 SSL_DEBUG_BUF( 3, "server key exchange", p, ssl->in_hslen - 4 );
01364
01365 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
01366 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
01367 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
01368 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
01369 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
01370 {
01371 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
01372 {
01373 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
01374 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
01375 }
01376 }
01377 #endif
01378
01379 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
01380 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
01381 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
01382 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
01383 ;
01384 else
01385 #endif
01386
01387 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
01388 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
01389 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
01390 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
01391 {
01392 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
01393 {
01394 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
01395 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
01396 }
01397 }
01398 else
01399 #endif
01400
01401 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
01402 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
01403 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
01404 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
01405 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
01406 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
01407 {
01408 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
01409 {
01410 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
01411 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
01412 }
01413 }
01414 else
01415 #endif
01416
01417
01418 {
01419 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01420 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
01421 }
01422
01423 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
01424 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
01425 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
01426 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
01427 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
01428 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
01429 {
01430 params_len = p - ( ssl->in_msg + 4 );
01431
01432
01433
01434
01435 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
01436 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
01437 {
01438 if( ssl_parse_signature_algorithm( ssl, &p, end,
01439 &md_alg, &pk_alg ) != 0 )
01440 {
01441 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
01442 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
01443 }
01444
01445 if( pk_alg != ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
01446 {
01447 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
01448 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
01449 }
01450 }
01451 else
01452 #endif
01453 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
01454 defined(POLARSSL_SSL_PROTO_TLS1_1)
01455 if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
01456 {
01457 pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
01458
01459
01460 if( pk_alg == POLARSSL_PK_ECDSA && md_alg == POLARSSL_MD_NONE )
01461 md_alg = POLARSSL_MD_SHA1;
01462 }
01463 else
01464 #endif
01465 {
01466 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01467 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
01468 }
01469
01470
01471
01472
01473 sig_len = ( p[0] << 8 ) | p[1];
01474 p += 2;
01475
01476 if( end != p + sig_len )
01477 {
01478 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
01479 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
01480 }
01481
01482 SSL_DEBUG_BUF( 3, "signature", p, sig_len );
01483
01484
01485
01486
01487 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
01488 defined(POLARSSL_SSL_PROTO_TLS1_1)
01489 if( md_alg == POLARSSL_MD_NONE )
01490 {
01491 md5_context md5;
01492 sha1_context sha1;
01493
01494 hashlen = 36;
01495
01496
01497
01498
01499
01500
01501
01502
01503
01504
01505
01506
01507
01508
01509 md5_starts( &md5 );
01510 md5_update( &md5, ssl->handshake->randbytes, 64 );
01511 md5_update( &md5, ssl->in_msg + 4, params_len );
01512 md5_finish( &md5, hash );
01513
01514 sha1_starts( &sha1 );
01515 sha1_update( &sha1, ssl->handshake->randbytes, 64 );
01516 sha1_update( &sha1, ssl->in_msg + 4, params_len );
01517 sha1_finish( &sha1, hash + 16 );
01518 }
01519 else
01520 #endif
01521
01522 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
01523 defined(POLARSSL_SSL_PROTO_TLS1_2)
01524 if( md_alg != POLARSSL_MD_NONE )
01525 {
01526 md_context_t ctx;
01527
01528
01529 hashlen = 0;
01530
01531
01532
01533
01534
01535
01536
01537
01538 if( ( ret = md_init_ctx( &ctx, md_info_from_type( md_alg ) ) ) != 0 )
01539 {
01540 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
01541 return( ret );
01542 }
01543
01544 md_starts( &ctx );
01545 md_update( &ctx, ssl->handshake->randbytes, 64 );
01546 md_update( &ctx, ssl->in_msg + 4, params_len );
01547 md_finish( &ctx, hash );
01548 md_free_ctx( &ctx );
01549 }
01550 else
01551 #endif
01552
01553 {
01554 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01555 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
01556 }
01557
01558 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
01559 (unsigned int) ( md_info_from_type( md_alg ) )->size );
01560
01561
01562
01563
01564 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
01565 {
01566 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
01567 return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH );
01568 }
01569
01570 if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
01571 md_alg, hash, hashlen, p, sig_len ) ) != 0 )
01572 {
01573 SSL_DEBUG_RET( 1, "pk_verify", ret );
01574 return( ret );
01575 }
01576 }
01577 #endif
01578
01579
01580
01581 exit:
01582 ssl->state++;
01583
01584 SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
01585
01586 return( 0 );
01587 }
01588
01589 static int ssl_parse_certificate_request( ssl_context *ssl )
01590 {
01591 int ret;
01592 unsigned char *buf, *p;
01593 size_t n = 0, m = 0;
01594 size_t cert_type_len = 0, dn_len = 0;
01595
01596 SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
01597
01598
01599
01600
01601
01602
01603
01604
01605
01606
01607
01608
01609
01610 if( ssl->record_read == 0 )
01611 {
01612 if( ( ret = ssl_read_record( ssl ) ) != 0 )
01613 {
01614 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
01615 return( ret );
01616 }
01617
01618 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
01619 {
01620 SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
01621 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
01622 }
01623
01624 ssl->record_read = 1;
01625 }
01626
01627 ssl->client_auth = 0;
01628 ssl->state++;
01629
01630 if( ssl->in_msg[0] == SSL_HS_CERTIFICATE_REQUEST )
01631 ssl->client_auth++;
01632
01633 SSL_DEBUG_MSG( 3, ( "got %s certificate request",
01634 ssl->client_auth ? "a" : "no" ) );
01635
01636 if( ssl->client_auth == 0 )
01637 goto exit;
01638
01639 ssl->record_read = 0;
01640
01641
01642
01643
01644 buf = ssl->in_msg;
01645
01646
01647
01648 cert_type_len = buf[4];
01649 n = cert_type_len;
01650
01651 if( ssl->in_hslen < 6 + n )
01652 {
01653 SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
01654 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
01655 }
01656
01657 p = buf + 5;
01658 while( cert_type_len > 0 )
01659 {
01660 #if defined(POLARSSL_RSA_C)
01661 if( *p == SSL_CERT_TYPE_RSA_SIGN &&
01662 pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) )
01663 {
01664 ssl->handshake->cert_type = SSL_CERT_TYPE_RSA_SIGN;
01665 break;
01666 }
01667 else
01668 #endif
01669 #if defined(POLARSSL_ECDSA_C)
01670 if( *p == SSL_CERT_TYPE_ECDSA_SIGN &&
01671 pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECDSA ) )
01672 {
01673 ssl->handshake->cert_type = SSL_CERT_TYPE_ECDSA_SIGN;
01674 break;
01675 }
01676 else
01677 #endif
01678 {
01679 ;
01680 }
01681
01682 cert_type_len--;
01683 p++;
01684 }
01685
01686 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
01687 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
01688 {
01689
01690
01691 size_t sig_alg_len = ( ( buf[5 + n] << 8 )
01692 | ( buf[6 + n] ) );
01693
01694 p = buf + 7 + n;
01695 m += 2;
01696 n += sig_alg_len;
01697
01698 if( ssl->in_hslen < 6 + n )
01699 {
01700 SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
01701 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
01702 }
01703 }
01704 #endif
01705
01706
01707
01708 dn_len = ( ( buf[5 + m + n] << 8 )
01709 | ( buf[6 + m + n] ) );
01710
01711 n += dn_len;
01712 if( ssl->in_hslen != 7 + m + n )
01713 {
01714 SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
01715 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
01716 }
01717
01718 exit:
01719 SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
01720
01721 return( 0 );
01722 }
01723
01724 static int ssl_parse_server_hello_done( ssl_context *ssl )
01725 {
01726 int ret;
01727
01728 SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
01729
01730 if( ssl->record_read == 0 )
01731 {
01732 if( ( ret = ssl_read_record( ssl ) ) != 0 )
01733 {
01734 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
01735 return( ret );
01736 }
01737
01738 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
01739 {
01740 SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
01741 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
01742 }
01743 }
01744 ssl->record_read = 0;
01745
01746 if( ssl->in_hslen != 4 ||
01747 ssl->in_msg[0] != SSL_HS_SERVER_HELLO_DONE )
01748 {
01749 SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
01750 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
01751 }
01752
01753 ssl->state++;
01754
01755 SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
01756
01757 return( 0 );
01758 }
01759
01760 static int ssl_write_client_key_exchange( ssl_context *ssl )
01761 {
01762 int ret;
01763 size_t i, n;
01764 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
01765
01766 SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
01767
01768 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
01769 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
01770 {
01771
01772
01773
01774 n = ssl->handshake->dhm_ctx.len;
01775
01776 ssl->out_msg[4] = (unsigned char)( n >> 8 );
01777 ssl->out_msg[5] = (unsigned char)( n );
01778 i = 6;
01779
01780 ret = dhm_make_public( &ssl->handshake->dhm_ctx,
01781 (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
01782 &ssl->out_msg[i], n,
01783 ssl->f_rng, ssl->p_rng );
01784 if( ret != 0 )
01785 {
01786 SSL_DEBUG_RET( 1, "dhm_make_public", ret );
01787 return( ret );
01788 }
01789
01790 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
01791 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
01792
01793 ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
01794
01795 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
01796 ssl->handshake->premaster,
01797 &ssl->handshake->pmslen,
01798 ssl->f_rng, ssl->p_rng ) ) != 0 )
01799 {
01800 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
01801 return( ret );
01802 }
01803
01804 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
01805 }
01806 else
01807 #endif
01808 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
01809 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
01810 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
01811 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
01812 {
01813
01814
01815
01816 i = 4;
01817
01818 ret = ecdh_make_public( &ssl->handshake->ecdh_ctx,
01819 &n,
01820 &ssl->out_msg[i], 1000,
01821 ssl->f_rng, ssl->p_rng );
01822 if( ret != 0 )
01823 {
01824 SSL_DEBUG_RET( 1, "ecdh_make_public", ret );
01825 return( ret );
01826 }
01827
01828 SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
01829
01830 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
01831 &ssl->handshake->pmslen,
01832 ssl->handshake->premaster,
01833 POLARSSL_MPI_MAX_SIZE,
01834 ssl->f_rng, ssl->p_rng ) ) != 0 )
01835 {
01836 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
01837 return( ret );
01838 }
01839
01840 SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
01841 }
01842 else
01843 #endif
01844
01845 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
01846 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
01847 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
01848 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
01849 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
01850 {
01851
01852
01853
01854 if( ssl->psk == NULL || ssl->psk_identity == NULL )
01855 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
01856
01857 i = 4;
01858 n = ssl->psk_identity_len;
01859 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
01860 ssl->out_msg[i++] = (unsigned char)( n );
01861
01862 memcpy( ssl->out_msg + i, ssl->psk_identity, ssl->psk_identity_len );
01863 i += ssl->psk_identity_len;
01864
01865 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
01866 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
01867 {
01868 n = 0;
01869 }
01870 else
01871 #endif
01872 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
01873 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
01874 {
01875 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
01876 return( ret );
01877 }
01878 else
01879 #endif
01880 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
01881 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
01882 {
01883
01884
01885
01886 n = ssl->handshake->dhm_ctx.len;
01887 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
01888 ssl->out_msg[i++] = (unsigned char)( n );
01889
01890 ret = dhm_make_public( &ssl->handshake->dhm_ctx,
01891 (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
01892 &ssl->out_msg[i], n,
01893 ssl->f_rng, ssl->p_rng );
01894 if( ret != 0 )
01895 {
01896 SSL_DEBUG_RET( 1, "dhm_make_public", ret );
01897 return( ret );
01898 }
01899 }
01900 else
01901 #endif
01902 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
01903 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
01904 {
01905
01906
01907
01908 ret = ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
01909 &ssl->out_msg[i], SSL_MAX_CONTENT_LEN - i,
01910 ssl->f_rng, ssl->p_rng );
01911 if( ret != 0 )
01912 {
01913 SSL_DEBUG_RET( 1, "ecdh_make_public", ret );
01914 return( ret );
01915 }
01916
01917 SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
01918 }
01919 else
01920 #endif
01921 {
01922 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01923 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
01924 }
01925
01926 if( ( ret = ssl_psk_derive_premaster( ssl,
01927 ciphersuite_info->key_exchange ) ) != 0 )
01928 {
01929 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
01930 return( ret );
01931 }
01932 }
01933 else
01934 #endif
01935 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
01936 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
01937 {
01938 i = 4;
01939 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
01940 return( ret );
01941 }
01942 else
01943 #endif
01944 {
01945 ((void) ciphersuite_info);
01946 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
01947 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
01948 }
01949
01950 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
01951 {
01952 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
01953 return( ret );
01954 }
01955
01956 ssl->out_msglen = i + n;
01957 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
01958 ssl->out_msg[0] = SSL_HS_CLIENT_KEY_EXCHANGE;
01959
01960 ssl->state++;
01961
01962 if( ( ret = ssl_write_record( ssl ) ) != 0 )
01963 {
01964 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
01965 return( ret );
01966 }
01967
01968 SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
01969
01970 return( 0 );
01971 }
01972
01973 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
01974 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
01975 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
01976 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
01977 static int ssl_write_certificate_verify( ssl_context *ssl )
01978 {
01979 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
01980 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
01981
01982 SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
01983
01984 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
01985 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
01986 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
01987 {
01988 SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
01989 ssl->state++;
01990 return( 0 );
01991 }
01992
01993 SSL_DEBUG_MSG( 1, ( "should not happen" ) );
01994 return( ret );
01995 }
01996 #else
01997 static int ssl_write_certificate_verify( ssl_context *ssl )
01998 {
01999 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
02000 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
02001 size_t n = 0, offset = 0;
02002 unsigned char hash[48];
02003 unsigned char *hash_start = hash;
02004 md_type_t md_alg = POLARSSL_MD_NONE;
02005 unsigned int hashlen;
02006
02007 SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
02008
02009 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
02010 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
02011 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
02012 {
02013 SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
02014 ssl->state++;
02015 return( 0 );
02016 }
02017
02018 if( ssl->client_auth == 0 || ssl_own_cert( ssl ) == NULL )
02019 {
02020 SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
02021 ssl->state++;
02022 return( 0 );
02023 }
02024
02025 if( ssl_own_key( ssl ) == NULL )
02026 {
02027 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
02028 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
02029 }
02030
02031
02032
02033
02034 ssl->handshake->calc_verify( ssl, hash );
02035
02036 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
02037 defined(POLARSSL_SSL_PROTO_TLS1_1)
02038 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
02039 {
02040
02041
02042
02043
02044
02045
02046
02047
02048
02049
02050
02051
02052 hashlen = 36;
02053 md_alg = POLARSSL_MD_NONE;
02054
02055
02056
02057
02058 if( pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECDSA ) )
02059 {
02060 hash_start += 16;
02061 hashlen -= 16;
02062 md_alg = POLARSSL_MD_SHA1;
02063 }
02064 }
02065 else
02066 #endif
02067
02068 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
02069 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
02070 {
02071
02072
02073
02074
02075
02076
02077
02078
02079
02080
02081
02082
02083
02084
02085
02086 if( ssl->transform_negotiate->ciphersuite_info->mac ==
02087 POLARSSL_MD_SHA384 )
02088 {
02089 md_alg = POLARSSL_MD_SHA384;
02090 ssl->out_msg[4] = SSL_HASH_SHA384;
02091 }
02092 else
02093 {
02094 md_alg = POLARSSL_MD_SHA256;
02095 ssl->out_msg[4] = SSL_HASH_SHA256;
02096 }
02097 ssl->out_msg[5] = ssl_sig_from_pk( ssl_own_key( ssl ) );
02098
02099
02100 hashlen = 0;
02101 offset = 2;
02102 }
02103 else
02104 #endif
02105 {
02106 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02107 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
02108 }
02109
02110 if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash_start, hashlen,
02111 ssl->out_msg + 6 + offset, &n,
02112 ssl->f_rng, ssl->p_rng ) ) != 0 )
02113 {
02114 SSL_DEBUG_RET( 1, "pk_sign", ret );
02115 return( ret );
02116 }
02117
02118 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
02119 ssl->out_msg[5 + offset] = (unsigned char)( n );
02120
02121 ssl->out_msglen = 6 + n + offset;
02122 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
02123 ssl->out_msg[0] = SSL_HS_CERTIFICATE_VERIFY;
02124
02125 ssl->state++;
02126
02127 if( ( ret = ssl_write_record( ssl ) ) != 0 )
02128 {
02129 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
02130 return( ret );
02131 }
02132
02133 SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
02134
02135 return( ret );
02136 }
02137 #endif
02138
02139
02140
02141 #if defined(POLARSSL_SSL_SESSION_TICKETS)
02142 static int ssl_parse_new_session_ticket( ssl_context *ssl )
02143 {
02144 int ret;
02145 uint32_t lifetime;
02146 size_t ticket_len;
02147 unsigned char *ticket;
02148
02149 SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
02150
02151 if( ( ret = ssl_read_record( ssl ) ) != 0 )
02152 {
02153 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
02154 return( ret );
02155 }
02156
02157 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
02158 {
02159 SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
02160 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
02161 }
02162
02163
02164
02165
02166
02167
02168
02169
02170
02171
02172
02173
02174
02175 if( ssl->in_msg[0] != SSL_HS_NEW_SESSION_TICKET ||
02176 ssl->in_hslen < 10 )
02177 {
02178 SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
02179 return( POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
02180 }
02181
02182 lifetime = ( ssl->in_msg[4] << 24 ) | ( ssl->in_msg[5] << 16 ) |
02183 ( ssl->in_msg[6] << 8 ) | ( ssl->in_msg[7] );
02184
02185 ticket_len = ( ssl->in_msg[8] << 8 ) | ( ssl->in_msg[9] );
02186
02187 if( ticket_len + 10 != ssl->in_hslen )
02188 {
02189 SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
02190 return( POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
02191 }
02192
02193 SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
02194
02195
02196 ssl->handshake->new_session_ticket = 0;
02197
02198
02199
02200
02201
02202 if( ticket_len == 0)
02203 return( 0 );
02204
02205 polarssl_free( ssl->session_negotiate->ticket );
02206 ssl->session_negotiate->ticket = NULL;
02207 ssl->session_negotiate->ticket_len = 0;
02208
02209 if( ( ticket = polarssl_malloc( ticket_len ) ) == NULL )
02210 {
02211 SSL_DEBUG_MSG( 1, ( "ticket malloc failed" ) );
02212 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
02213 }
02214
02215 memcpy( ticket, ssl->in_msg + 10, ticket_len );
02216
02217 ssl->session_negotiate->ticket = ticket;
02218 ssl->session_negotiate->ticket_len = ticket_len;
02219 ssl->session_negotiate->ticket_lifetime = lifetime;
02220
02221
02222
02223
02224
02225
02226 SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
02227 ssl->session_negotiate->length = 0;
02228
02229 SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
02230
02231 return( 0 );
02232 }
02233 #endif
02234
02235
02236
02237
02238 int ssl_handshake_client_step( ssl_context *ssl )
02239 {
02240 int ret = 0;
02241
02242 if( ssl->state == SSL_HANDSHAKE_OVER )
02243 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
02244
02245 SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
02246
02247 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
02248 return( ret );
02249
02250 switch( ssl->state )
02251 {
02252 case SSL_HELLO_REQUEST:
02253 ssl->state = SSL_CLIENT_HELLO;
02254 break;
02255
02256
02257
02258
02259 case SSL_CLIENT_HELLO:
02260 ret = ssl_write_client_hello( ssl );
02261 break;
02262
02263
02264
02265
02266
02267
02268
02269
02270 case SSL_SERVER_HELLO:
02271 ret = ssl_parse_server_hello( ssl );
02272 break;
02273
02274 case SSL_SERVER_CERTIFICATE:
02275 ret = ssl_parse_certificate( ssl );
02276 break;
02277
02278 case SSL_SERVER_KEY_EXCHANGE:
02279 ret = ssl_parse_server_key_exchange( ssl );
02280 break;
02281
02282 case SSL_CERTIFICATE_REQUEST:
02283 ret = ssl_parse_certificate_request( ssl );
02284 break;
02285
02286 case SSL_SERVER_HELLO_DONE:
02287 ret = ssl_parse_server_hello_done( ssl );
02288 break;
02289
02290
02291
02292
02293
02294
02295
02296
02297 case SSL_CLIENT_CERTIFICATE:
02298 ret = ssl_write_certificate( ssl );
02299 break;
02300
02301 case SSL_CLIENT_KEY_EXCHANGE:
02302 ret = ssl_write_client_key_exchange( ssl );
02303 break;
02304
02305 case SSL_CERTIFICATE_VERIFY:
02306 ret = ssl_write_certificate_verify( ssl );
02307 break;
02308
02309 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
02310 ret = ssl_write_change_cipher_spec( ssl );
02311 break;
02312
02313 case SSL_CLIENT_FINISHED:
02314 ret = ssl_write_finished( ssl );
02315 break;
02316
02317
02318
02319
02320
02321
02322 case SSL_SERVER_CHANGE_CIPHER_SPEC:
02323 #if defined(POLARSSL_SSL_SESSION_TICKETS)
02324 if( ssl->handshake->new_session_ticket != 0 )
02325 ret = ssl_parse_new_session_ticket( ssl );
02326 else
02327 #endif
02328 ret = ssl_parse_change_cipher_spec( ssl );
02329 break;
02330
02331 case SSL_SERVER_FINISHED:
02332 ret = ssl_parse_finished( ssl );
02333 break;
02334
02335 case SSL_FLUSH_BUFFERS:
02336 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
02337 ssl->state = SSL_HANDSHAKE_WRAPUP;
02338 break;
02339
02340 case SSL_HANDSHAKE_WRAPUP:
02341 ssl_handshake_wrapup( ssl );
02342 break;
02343
02344 default:
02345 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
02346 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
02347 }
02348
02349 return( ret );
02350 }
02351 #endif