Doug Anson
mbed TLS library
Dependents: HTTPClient-SSL WS_SERVER
Embed:
(wiki syntax)
Show/hide line numbers
ssl_cli.c
00001 /* 00002 * SSLv3/TLSv1 client-side functions 00003 * 00004 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved 00005 * 00006 * This file is part of mbed TLS (https://tls.mbed.org) 00007 * 00008 * This program is free software; you can redistribute it and/or modify 00009 * it under the terms of the GNU General Public License as published by 00010 * the Free Software Foundation; either version 2 of the License, or 00011 * (at your option) any later version. 00012 * 00013 * This program is distributed in the hope that it will be useful, 00014 * but WITHOUT ANY WARRANTY; without even the implied warranty of 00015 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 00016 * GNU General Public License for more details. 00017 * 00018 * You should have received a copy of the GNU General Public License along 00019 * with this program; if not, write to the Free Software Foundation, Inc., 00020 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 00021 */ 00022 00023 #if !defined(POLARSSL_CONFIG_FILE) 00024 #include "polarssl/config.h" 00025 #else 00026 #include POLARSSL_CONFIG_FILE 00027 #endif 00028 00029 #if defined(POLARSSL_SSL_CLI_C) 00030 00031 #include "polarssl/debug.h" 00032 #include "polarssl/ssl.h" 00033 00034 #include <string.h> 00035 00036 #if defined(POLARSSL_PLATFORM_C) 00037 #include "polarssl/platform.h" 00038 #else 00039 #include <stdlib.h> 00040 #define polarssl_malloc malloc 00041 #define polarssl_free free 00042 #endif 00043 00044 #if defined(_MSC_VER) && !defined(EFIX64) && !defined(EFI32) 00045 #include <basetsd.h> 00046 typedef UINT32 uint32_t; 00047 #else 00048 #include <inttypes.h> 00049 #endif 00050 00051 #if defined(POLARSSL_HAVE_TIME) 00052 #include <time.h> 00053 #endif 00054 00055 #if defined(POLARSSL_SSL_SESSION_TICKETS) 00056 /* Implementation that should never be optimized out by the compiler */ 00057 static void polarssl_zeroize( void *v, size_t n ) { 00058 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 00059 } 00060 #endif 00061 00062 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) 00063 static void ssl_write_hostname_ext( ssl_context *ssl, 00064 unsigned char *buf, 00065 size_t *olen ) 00066 { 00067 unsigned char *p = buf; 00068 00069 *olen = 0; 00070 00071 if( ssl->hostname == NULL ) 00072 return; 00073 00074 SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s", 00075 ssl->hostname ) ); 00076 00077 /* 00078 * struct { 00079 * NameType name_type; 00080 * select (name_type) { 00081 * case host_name: HostName; 00082 * } name; 00083 * } ServerName; 00084 * 00085 * enum { 00086 * host_name(0), (255) 00087 * } NameType; 00088 * 00089 * opaque HostName<1..2^16-1>; 00090 * 00091 * struct { 00092 * ServerName server_name_list<1..2^16-1> 00093 * } ServerNameList; 00094 */ 00095 *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); 00096 *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME ) & 0xFF ); 00097 00098 *p++ = (unsigned char)( ( (ssl->hostname_len + 5) >> 8 ) & 0xFF ); 00099 *p++ = (unsigned char)( ( (ssl->hostname_len + 5) ) & 0xFF ); 00100 00101 *p++ = (unsigned char)( ( (ssl->hostname_len + 3) >> 8 ) & 0xFF ); 00102 *p++ = (unsigned char)( ( (ssl->hostname_len + 3) ) & 0xFF ); 00103 00104 *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF ); 00105 *p++ = (unsigned char)( ( ssl->hostname_len >> 8 ) & 0xFF ); 00106 *p++ = (unsigned char)( ( ssl->hostname_len ) & 0xFF ); 00107 00108 memcpy( p, ssl->hostname, ssl->hostname_len ); 00109 00110 *olen = ssl->hostname_len + 9; 00111 } 00112 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */ 00113 00114 #if defined(POLARSSL_SSL_RENEGOTIATION) 00115 static void ssl_write_renegotiation_ext( ssl_context *ssl, 00116 unsigned char *buf, 00117 size_t *olen ) 00118 { 00119 unsigned char *p = buf; 00120 00121 *olen = 0; 00122 00123 if( ssl->renegotiation != SSL_RENEGOTIATION ) 00124 return; 00125 00126 SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) ); 00127 00128 /* 00129 * Secure renegotiation 00130 */ 00131 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 00132 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 00133 00134 *p++ = 0x00; 00135 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF; 00136 *p++ = ssl->verify_data_len & 0xFF; 00137 00138 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 00139 00140 *olen = 5 + ssl->verify_data_len; 00141 } 00142 #endif /* POLARSSL_SSL_RENEGOTIATION */ 00143 00144 /* 00145 * Only if we handle at least one key exchange that needs signatures. 00146 */ 00147 #if defined(POLARSSL_SSL_PROTO_TLS1_2) && \ 00148 defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED) 00149 static void ssl_write_signature_algorithms_ext( ssl_context *ssl, 00150 unsigned char *buf, 00151 size_t *olen ) 00152 { 00153 unsigned char *p = buf; 00154 size_t sig_alg_len = 0; 00155 #if defined(POLARSSL_RSA_C) || defined(POLARSSL_ECDSA_C) 00156 unsigned char *sig_alg_list = buf + 6; 00157 #endif 00158 00159 *olen = 0; 00160 00161 if( ssl->max_minor_ver != SSL_MINOR_VERSION_3 ) 00162 return; 00163 00164 SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) ); 00165 00166 /* 00167 * Prepare signature_algorithms extension (TLS 1.2) 00168 */ 00169 #if defined(POLARSSL_RSA_C) 00170 #if defined(POLARSSL_SHA512_C) 00171 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512; 00172 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA; 00173 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384; 00174 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA; 00175 #endif 00176 #if defined(POLARSSL_SHA256_C) 00177 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256; 00178 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA; 00179 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224; 00180 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA; 00181 #endif 00182 #if defined(POLARSSL_SHA1_C) 00183 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1; 00184 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA; 00185 #endif 00186 #if defined(POLARSSL_MD5_C) 00187 sig_alg_list[sig_alg_len++] = SSL_HASH_MD5; 00188 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA; 00189 #endif 00190 #endif /* POLARSSL_RSA_C */ 00191 #if defined(POLARSSL_ECDSA_C) 00192 #if defined(POLARSSL_SHA512_C) 00193 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512; 00194 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA; 00195 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384; 00196 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA; 00197 #endif 00198 #if defined(POLARSSL_SHA256_C) 00199 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256; 00200 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA; 00201 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224; 00202 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA; 00203 #endif 00204 #if defined(POLARSSL_SHA1_C) 00205 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1; 00206 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA; 00207 #endif 00208 #if defined(POLARSSL_MD5_C) 00209 sig_alg_list[sig_alg_len++] = SSL_HASH_MD5; 00210 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA; 00211 #endif 00212 #endif /* POLARSSL_ECDSA_C */ 00213 00214 /* 00215 * enum { 00216 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 00217 * sha512(6), (255) 00218 * } HashAlgorithm; 00219 * 00220 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 00221 * SignatureAlgorithm; 00222 * 00223 * struct { 00224 * HashAlgorithm hash; 00225 * SignatureAlgorithm signature; 00226 * } SignatureAndHashAlgorithm; 00227 * 00228 * SignatureAndHashAlgorithm 00229 * supported_signature_algorithms<2..2^16-2>; 00230 */ 00231 *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG >> 8 ) & 0xFF ); 00232 *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG ) & 0xFF ); 00233 00234 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF ); 00235 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF ); 00236 00237 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF ); 00238 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF ); 00239 00240 *olen = 6 + sig_alg_len; 00241 } 00242 #endif /* POLARSSL_SSL_PROTO_TLS1_2 && 00243 POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00244 00245 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) 00246 static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl, 00247 unsigned char *buf, 00248 size_t *olen ) 00249 { 00250 unsigned char *p = buf; 00251 unsigned char *elliptic_curve_list = p + 6; 00252 size_t elliptic_curve_len = 0; 00253 const ecp_curve_info *info; 00254 #if defined(POLARSSL_SSL_SET_CURVES) 00255 const ecp_group_id *grp_id; 00256 #else 00257 ((void) ssl); 00258 #endif 00259 00260 *olen = 0; 00261 00262 SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); 00263 00264 #if defined(POLARSSL_SSL_SET_CURVES) 00265 for( grp_id = ssl->curve_list; *grp_id != POLARSSL_ECP_DP_NONE; grp_id++ ) 00266 { 00267 info = ecp_curve_info_from_grp_id( *grp_id ); 00268 #else 00269 for( info = ecp_curve_list(); info->grp_id != POLARSSL_ECP_DP_NONE; info++ ) 00270 { 00271 #endif 00272 00273 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; 00274 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; 00275 } 00276 00277 if( elliptic_curve_len == 0 ) 00278 return; 00279 00280 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF ); 00281 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF ); 00282 00283 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF ); 00284 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF ); 00285 00286 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF ); 00287 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF ); 00288 00289 *olen = 6 + elliptic_curve_len; 00290 } 00291 00292 static void ssl_write_supported_point_formats_ext( ssl_context *ssl, 00293 unsigned char *buf, 00294 size_t *olen ) 00295 { 00296 unsigned char *p = buf; 00297 ((void) ssl); 00298 00299 *olen = 0; 00300 00301 SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) ); 00302 00303 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 00304 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 00305 00306 *p++ = 0x00; 00307 *p++ = 2; 00308 00309 *p++ = 1; 00310 *p++ = POLARSSL_ECP_PF_UNCOMPRESSED; 00311 00312 *olen = 6; 00313 } 00314 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */ 00315 00316 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) 00317 static void ssl_write_max_fragment_length_ext( ssl_context *ssl, 00318 unsigned char *buf, 00319 size_t *olen ) 00320 { 00321 unsigned char *p = buf; 00322 00323 if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ) { 00324 *olen = 0; 00325 return; 00326 } 00327 00328 SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) ); 00329 00330 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 00331 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 00332 00333 *p++ = 0x00; 00334 *p++ = 1; 00335 00336 *p++ = ssl->mfl_code; 00337 00338 *olen = 5; 00339 } 00340 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */ 00341 00342 #if defined(POLARSSL_SSL_TRUNCATED_HMAC) 00343 static void ssl_write_truncated_hmac_ext( ssl_context *ssl, 00344 unsigned char *buf, size_t *olen ) 00345 { 00346 unsigned char *p = buf; 00347 00348 if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED ) 00349 { 00350 *olen = 0; 00351 return; 00352 } 00353 00354 SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) ); 00355 00356 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 00357 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 00358 00359 *p++ = 0x00; 00360 *p++ = 0x00; 00361 00362 *olen = 4; 00363 } 00364 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */ 00365 00366 #if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC) 00367 static void ssl_write_encrypt_then_mac_ext( ssl_context *ssl, 00368 unsigned char *buf, size_t *olen ) 00369 { 00370 unsigned char *p = buf; 00371 00372 if( ssl->encrypt_then_mac == SSL_ETM_DISABLED || 00373 ssl->max_minor_ver == SSL_MINOR_VERSION_0 ) 00374 { 00375 *olen = 0; 00376 return; 00377 } 00378 00379 SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac " 00380 "extension" ) ); 00381 00382 *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 00383 *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 00384 00385 *p++ = 0x00; 00386 *p++ = 0x00; 00387 00388 *olen = 4; 00389 } 00390 #endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */ 00391 00392 #if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET) 00393 static void ssl_write_extended_ms_ext( ssl_context *ssl, 00394 unsigned char *buf, size_t *olen ) 00395 { 00396 unsigned char *p = buf; 00397 00398 if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED || 00399 ssl->max_minor_ver == SSL_MINOR_VERSION_0 ) 00400 { 00401 *olen = 0; 00402 return; 00403 } 00404 00405 SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret " 00406 "extension" ) ); 00407 00408 *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 00409 *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 00410 00411 *p++ = 0x00; 00412 *p++ = 0x00; 00413 00414 *olen = 4; 00415 } 00416 #endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */ 00417 00418 #if defined(POLARSSL_SSL_SESSION_TICKETS) 00419 static void ssl_write_session_ticket_ext( ssl_context *ssl, 00420 unsigned char *buf, size_t *olen ) 00421 { 00422 unsigned char *p = buf; 00423 size_t tlen = ssl->session_negotiate->ticket_len; 00424 00425 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED ) 00426 { 00427 *olen = 0; 00428 return; 00429 } 00430 00431 SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) ); 00432 00433 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 00434 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF ); 00435 00436 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 00437 *p++ = (unsigned char)( ( tlen ) & 0xFF ); 00438 00439 *olen = 4; 00440 00441 if( ssl->session_negotiate->ticket == NULL || 00442 ssl->session_negotiate->ticket_len == 0 ) 00443 { 00444 return; 00445 } 00446 00447 SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) ); 00448 00449 memcpy( p, ssl->session_negotiate->ticket, tlen ); 00450 00451 *olen += tlen; 00452 } 00453 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 00454 00455 #if defined(POLARSSL_SSL_ALPN) 00456 static void ssl_write_alpn_ext( ssl_context *ssl, 00457 unsigned char *buf, size_t *olen ) 00458 { 00459 unsigned char *p = buf; 00460 const char **cur; 00461 00462 if( ssl->alpn_list == NULL ) 00463 { 00464 *olen = 0; 00465 return; 00466 } 00467 00468 SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); 00469 00470 *p++ = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF ); 00471 *p++ = (unsigned char)( ( TLS_EXT_ALPN ) & 0xFF ); 00472 00473 /* 00474 * opaque ProtocolName<1..2^8-1>; 00475 * 00476 * struct { 00477 * ProtocolName protocol_name_list<2..2^16-1> 00478 * } ProtocolNameList; 00479 */ 00480 00481 /* Skip writing extension and list length for now */ 00482 p += 4; 00483 00484 for( cur = ssl->alpn_list; *cur != NULL; cur++ ) 00485 { 00486 *p = (unsigned char)( strlen( *cur ) & 0xFF ); 00487 memcpy( p + 1, *cur, *p ); 00488 p += 1 + *p; 00489 } 00490 00491 *olen = p - buf; 00492 00493 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */ 00494 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 00495 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 00496 00497 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */ 00498 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 00499 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 00500 } 00501 #endif /* POLARSSL_SSL_ALPN */ 00502 00503 static int ssl_write_client_hello( ssl_context *ssl ) 00504 { 00505 int ret; 00506 size_t i, n, olen, ext_len = 0; 00507 unsigned char *buf; 00508 unsigned char *p, *q; 00509 #if defined(POLARSSL_HAVE_TIME) 00510 time_t t; 00511 #endif 00512 const int *ciphersuites; 00513 const ssl_ciphersuite_t *ciphersuite_info; 00514 00515 SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); 00516 00517 if( ssl->f_rng == NULL ) 00518 { 00519 SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 00520 return( POLARSSL_ERR_SSL_NO_RNG ); 00521 } 00522 00523 #if defined(POLARSSL_SSL_RENEGOTIATION) 00524 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) 00525 #endif 00526 { 00527 ssl->major_ver = ssl->min_major_ver; 00528 ssl->minor_ver = ssl->min_minor_ver; 00529 } 00530 00531 if( ssl->max_major_ver == 0 && ssl->max_minor_ver == 0 ) 00532 { 00533 ssl->max_major_ver = SSL_MAX_MAJOR_VERSION; 00534 ssl->max_minor_ver = SSL_MAX_MINOR_VERSION; 00535 } 00536 00537 /* 00538 * 0 . 0 handshake type 00539 * 1 . 3 handshake length 00540 * 4 . 5 highest version supported 00541 * 6 . 9 current UNIX time 00542 * 10 . 37 random bytes 00543 */ 00544 buf = ssl->out_msg; 00545 p = buf + 4; 00546 00547 *p++ = (unsigned char) ssl->max_major_ver; 00548 *p++ = (unsigned char) ssl->max_minor_ver; 00549 00550 SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]", 00551 buf[4], buf[5] ) ); 00552 00553 #if defined(POLARSSL_HAVE_TIME) 00554 t = time( NULL ); 00555 *p++ = (unsigned char)( t >> 24 ); 00556 *p++ = (unsigned char)( t >> 16 ); 00557 *p++ = (unsigned char)( t >> 8 ); 00558 *p++ = (unsigned char)( t ); 00559 00560 SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) ); 00561 #else 00562 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 ) 00563 return( ret ); 00564 00565 p += 4; 00566 #endif /* POLARSSL_HAVE_TIME */ 00567 00568 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 ) 00569 return( ret ); 00570 00571 p += 28; 00572 00573 memcpy( ssl->handshake->randbytes, buf + 6, 32 ); 00574 00575 SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 6, 32 ); 00576 00577 /* 00578 * 38 . 38 session id length 00579 * 39 . 39+n session id 00580 * 40+n . 41+n ciphersuitelist length 00581 * 42+n . .. ciphersuitelist 00582 * .. . .. compression methods length 00583 * .. . .. compression methods 00584 * .. . .. extensions length 00585 * .. . .. extensions 00586 */ 00587 n = ssl->session_negotiate->length; 00588 00589 if( n < 16 || n > 32 || 00590 #if defined(POLARSSL_SSL_RENEGOTIATION) 00591 ssl->renegotiation != SSL_INITIAL_HANDSHAKE || 00592 #endif 00593 ssl->handshake->resume == 0 ) 00594 { 00595 n = 0; 00596 } 00597 00598 #if defined(POLARSSL_SSL_SESSION_TICKETS) 00599 /* 00600 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY 00601 * generate and include a Session ID in the TLS ClientHello." 00602 */ 00603 #if defined(POLARSSL_SSL_RENEGOTIATION) 00604 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) 00605 #endif 00606 { 00607 if( ssl->session_negotiate->ticket != NULL && 00608 ssl->session_negotiate->ticket_len != 0 ) 00609 { 00610 ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 ); 00611 00612 if( ret != 0 ) 00613 return( ret ); 00614 00615 ssl->session_negotiate->length = n = 32; 00616 } 00617 } 00618 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 00619 00620 *p++ = (unsigned char) n; 00621 00622 for( i = 0; i < n; i++ ) 00623 *p++ = ssl->session_negotiate->id[i]; 00624 00625 SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) ); 00626 SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); 00627 00628 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver]; 00629 n = 0; 00630 q = p; 00631 00632 // Skip writing ciphersuite length for now 00633 p += 2; 00634 00635 for( i = 0; ciphersuites[i] != 0; i++ ) 00636 { 00637 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] ); 00638 00639 if( ciphersuite_info == NULL ) 00640 continue; 00641 00642 if( ciphersuite_info->min_minor_ver > ssl->max_minor_ver || 00643 ciphersuite_info->max_minor_ver < ssl->min_minor_ver ) 00644 continue; 00645 00646 if( ssl->arc4_disabled == SSL_ARC4_DISABLED && 00647 ciphersuite_info->cipher == POLARSSL_CIPHER_ARC4_128 ) 00648 continue; 00649 00650 SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d", 00651 ciphersuites[i] ) ); 00652 00653 n++; 00654 *p++ = (unsigned char)( ciphersuites[i] >> 8 ); 00655 *p++ = (unsigned char)( ciphersuites[i] ); 00656 } 00657 00658 /* 00659 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV 00660 */ 00661 #if defined(POLARSSL_SSL_RENEGOTIATION) 00662 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) 00663 #endif 00664 { 00665 *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 ); 00666 *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO ); 00667 n++; 00668 } 00669 00670 /* Some versions of OpenSSL don't handle it correctly if not at end */ 00671 #if defined(POLARSSL_SSL_FALLBACK_SCSV) 00672 if( ssl->fallback == SSL_IS_FALLBACK ) 00673 { 00674 SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) ); 00675 *p++ = (unsigned char)( SSL_FALLBACK_SCSV >> 8 ); 00676 *p++ = (unsigned char)( SSL_FALLBACK_SCSV ); 00677 n++; 00678 } 00679 #endif 00680 00681 *q++ = (unsigned char)( n >> 7 ); 00682 *q++ = (unsigned char)( n << 1 ); 00683 00684 SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) ); 00685 00686 00687 #if defined(POLARSSL_ZLIB_SUPPORT) 00688 SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) ); 00689 SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d", 00690 SSL_COMPRESS_DEFLATE, SSL_COMPRESS_NULL ) ); 00691 00692 *p++ = 2; 00693 *p++ = SSL_COMPRESS_DEFLATE; 00694 *p++ = SSL_COMPRESS_NULL; 00695 #else 00696 SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) ); 00697 SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", SSL_COMPRESS_NULL ) ); 00698 00699 *p++ = 1; 00700 *p++ = SSL_COMPRESS_NULL; 00701 #endif /* POLARSSL_ZLIB_SUPPORT */ 00702 00703 // First write extensions, then the total length 00704 // 00705 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) 00706 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen ); 00707 ext_len += olen; 00708 #endif 00709 00710 #if defined(POLARSSL_SSL_RENEGOTIATION) 00711 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 00712 ext_len += olen; 00713 #endif 00714 00715 #if defined(POLARSSL_SSL_PROTO_TLS1_2) && \ 00716 defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED) 00717 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen ); 00718 ext_len += olen; 00719 #endif 00720 00721 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) 00722 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen ); 00723 ext_len += olen; 00724 00725 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 00726 ext_len += olen; 00727 #endif 00728 00729 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) 00730 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 00731 ext_len += olen; 00732 #endif 00733 00734 #if defined(POLARSSL_SSL_TRUNCATED_HMAC) 00735 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 00736 ext_len += olen; 00737 #endif 00738 00739 #if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC) 00740 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 00741 ext_len += olen; 00742 #endif 00743 00744 #if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET) 00745 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 00746 ext_len += olen; 00747 #endif 00748 00749 #if defined(POLARSSL_SSL_SESSION_TICKETS) 00750 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 00751 ext_len += olen; 00752 #endif 00753 00754 #if defined(POLARSSL_SSL_ALPN) 00755 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 00756 ext_len += olen; 00757 #endif 00758 00759 /* olen unused if all extensions are disabled */ 00760 ((void) olen); 00761 00762 SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d", 00763 ext_len ) ); 00764 00765 if( ext_len > 0 ) 00766 { 00767 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 00768 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 00769 p += ext_len; 00770 } 00771 00772 ssl->out_msglen = p - buf; 00773 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 00774 ssl->out_msg[0] = SSL_HS_CLIENT_HELLO; 00775 00776 ssl->state++; 00777 00778 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 00779 { 00780 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 00781 return( ret ); 00782 } 00783 00784 SSL_DEBUG_MSG( 2, ( "<= write client hello" ) ); 00785 00786 return( 0 ); 00787 } 00788 00789 static int ssl_parse_renegotiation_info( ssl_context *ssl, 00790 const unsigned char *buf, 00791 size_t len ) 00792 { 00793 int ret; 00794 00795 #if defined(POLARSSL_SSL_RENEGOTIATION) 00796 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) 00797 { 00798 /* Check verify-data in constant-time. The length OTOH is no secret */ 00799 if( len != 1 + ssl->verify_data_len * 2 || 00800 buf[0] != ssl->verify_data_len * 2 || 00801 safer_memcmp( buf + 1, 00802 ssl->own_verify_data, ssl->verify_data_len ) != 0 || 00803 safer_memcmp( buf + 1 + ssl->verify_data_len, 00804 ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) 00805 { 00806 SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 00807 00808 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 00809 return( ret ); 00810 00811 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00812 } 00813 } 00814 else 00815 #endif /* POLARSSL_SSL_RENEGOTIATION */ 00816 { 00817 if( len != 1 || buf[0] != 0x00 ) 00818 { 00819 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 00820 00821 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 00822 return( ret ); 00823 00824 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00825 } 00826 00827 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION; 00828 } 00829 00830 return( 0 ); 00831 } 00832 00833 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) 00834 static int ssl_parse_max_fragment_length_ext( ssl_context *ssl, 00835 const unsigned char *buf, 00836 size_t len ) 00837 { 00838 /* 00839 * server should use the extension only if we did, 00840 * and if so the server's value should match ours (and len is always 1) 00841 */ 00842 if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE || 00843 len != 1 || 00844 buf[0] != ssl->mfl_code ) 00845 { 00846 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00847 } 00848 00849 return( 0 ); 00850 } 00851 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */ 00852 00853 #if defined(POLARSSL_SSL_TRUNCATED_HMAC) 00854 static int ssl_parse_truncated_hmac_ext( ssl_context *ssl, 00855 const unsigned char *buf, 00856 size_t len ) 00857 { 00858 if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED || 00859 len != 0 ) 00860 { 00861 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00862 } 00863 00864 ((void) buf); 00865 00866 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED; 00867 00868 return( 0 ); 00869 } 00870 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */ 00871 00872 #if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC) 00873 static int ssl_parse_encrypt_then_mac_ext( ssl_context *ssl, 00874 const unsigned char *buf, 00875 size_t len ) 00876 { 00877 if( ssl->encrypt_then_mac == SSL_ETM_DISABLED || 00878 ssl->minor_ver == SSL_MINOR_VERSION_0 || 00879 len != 0 ) 00880 { 00881 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00882 } 00883 00884 ((void) buf); 00885 00886 ssl->session_negotiate->encrypt_then_mac = SSL_ETM_ENABLED; 00887 00888 return( 0 ); 00889 } 00890 #endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */ 00891 00892 #if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET) 00893 static int ssl_parse_extended_ms_ext( ssl_context *ssl, 00894 const unsigned char *buf, 00895 size_t len ) 00896 { 00897 if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED || 00898 ssl->minor_ver == SSL_MINOR_VERSION_0 || 00899 len != 0 ) 00900 { 00901 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00902 } 00903 00904 ((void) buf); 00905 00906 ssl->handshake->extended_ms = SSL_EXTENDED_MS_ENABLED; 00907 00908 return( 0 ); 00909 } 00910 #endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */ 00911 00912 #if defined(POLARSSL_SSL_SESSION_TICKETS) 00913 static int ssl_parse_session_ticket_ext( ssl_context *ssl, 00914 const unsigned char *buf, 00915 size_t len ) 00916 { 00917 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED || 00918 len != 0 ) 00919 { 00920 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00921 } 00922 00923 ((void) buf); 00924 00925 ssl->handshake->new_session_ticket = 1; 00926 00927 return( 0 ); 00928 } 00929 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 00930 00931 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) 00932 static int ssl_parse_supported_point_formats_ext( ssl_context *ssl, 00933 const unsigned char *buf, 00934 size_t len ) 00935 { 00936 size_t list_size; 00937 const unsigned char *p; 00938 00939 list_size = buf[0]; 00940 if( list_size + 1 != len ) 00941 { 00942 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 00943 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00944 } 00945 00946 p = buf + 1; 00947 while( list_size > 0 ) 00948 { 00949 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED || 00950 p[0] == POLARSSL_ECP_PF_COMPRESSED ) 00951 { 00952 ssl->handshake->ecdh_ctx.point_format = p[0]; 00953 SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 00954 return( 0 ); 00955 } 00956 00957 list_size--; 00958 p++; 00959 } 00960 00961 SSL_DEBUG_MSG( 1, ( "no point format in common" ) ); 00962 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00963 } 00964 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */ 00965 00966 #if defined(POLARSSL_SSL_ALPN) 00967 static int ssl_parse_alpn_ext( ssl_context *ssl, 00968 const unsigned char *buf, size_t len ) 00969 { 00970 size_t list_len, name_len; 00971 const char **p; 00972 00973 /* If we didn't send it, the server shouldn't send it */ 00974 if( ssl->alpn_list == NULL ) 00975 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00976 00977 /* 00978 * opaque ProtocolName<1..2^8-1>; 00979 * 00980 * struct { 00981 * ProtocolName protocol_name_list<2..2^16-1> 00982 * } ProtocolNameList; 00983 * 00984 * the "ProtocolNameList" MUST contain exactly one "ProtocolName" 00985 */ 00986 00987 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 00988 if( len < 4 ) 00989 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00990 00991 list_len = ( buf[0] << 8 ) | buf[1]; 00992 if( list_len != len - 2 ) 00993 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00994 00995 name_len = buf[2]; 00996 if( name_len != list_len - 1 ) 00997 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00998 00999 /* Check that the server chosen protocol was in our list and save it */ 01000 for( p = ssl->alpn_list; *p != NULL; p++ ) 01001 { 01002 if( name_len == strlen( *p ) && 01003 memcmp( buf + 3, *p, name_len ) == 0 ) 01004 { 01005 ssl->alpn_chosen = *p; 01006 return( 0 ); 01007 } 01008 } 01009 01010 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 01011 } 01012 #endif /* POLARSSL_SSL_ALPN */ 01013 01014 static int ssl_parse_server_hello( ssl_context *ssl ) 01015 { 01016 int ret, i, comp; 01017 size_t n; 01018 size_t ext_len; 01019 unsigned char *buf, *ext; 01020 #if defined(POLARSSL_SSL_RENEGOTIATION) 01021 int renegotiation_info_seen = 0; 01022 #endif 01023 int handshake_failure = 0; 01024 const ssl_ciphersuite_t *suite_info; 01025 #if defined(POLARSSL_DEBUG_C) 01026 uint32_t t; 01027 #endif 01028 01029 SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) ); 01030 01031 /* 01032 * 0 . 0 handshake type 01033 * 1 . 3 handshake length 01034 * 4 . 5 protocol version 01035 * 6 . 9 UNIX time() 01036 * 10 . 37 random bytes 01037 */ 01038 buf = ssl->in_msg; 01039 01040 if( ( ret = ssl_read_record( ssl ) ) != 0 ) 01041 { 01042 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 01043 return( ret ); 01044 } 01045 01046 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) 01047 { 01048 #if defined(POLARSSL_SSL_RENEGOTIATION) 01049 if( ssl->renegotiation == SSL_RENEGOTIATION ) 01050 { 01051 ssl->renego_records_seen++; 01052 01053 if( ssl->renego_max_records >= 0 && 01054 ssl->renego_records_seen > ssl->renego_max_records ) 01055 { 01056 SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 01057 "but not honored by server" ) ); 01058 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); 01059 } 01060 01061 SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) ); 01062 return( POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ); 01063 } 01064 #endif /* POLARSSL_SSL_RENEGOTIATION */ 01065 01066 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01067 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); 01068 } 01069 01070 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]", 01071 buf[4], buf[5] ) ); 01072 01073 if( ssl->in_hslen < 42 || 01074 buf[0] != SSL_HS_SERVER_HELLO || 01075 buf[4] != SSL_MAJOR_VERSION_3 ) 01076 { 01077 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01078 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 01079 } 01080 01081 if( buf[5] > ssl->max_minor_ver ) 01082 { 01083 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01084 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 01085 } 01086 01087 ssl->minor_ver = buf[5]; 01088 01089 if( ssl->minor_ver < ssl->min_minor_ver ) 01090 { 01091 SSL_DEBUG_MSG( 1, ( "server only supports ssl smaller than minimum" 01092 " [%d:%d] < [%d:%d]", ssl->major_ver, 01093 ssl->minor_ver, buf[4], buf[5] ) ); 01094 01095 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL, 01096 SSL_ALERT_MSG_PROTOCOL_VERSION ); 01097 01098 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01099 } 01100 01101 #if defined(POLARSSL_DEBUG_C) 01102 t = ( (uint32_t) buf[6] << 24 ) 01103 | ( (uint32_t) buf[7] << 16 ) 01104 | ( (uint32_t) buf[8] << 8 ) 01105 | ( (uint32_t) buf[9] ); 01106 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); 01107 #endif 01108 01109 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 ); 01110 01111 n = buf[38]; 01112 01113 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 ); 01114 01115 if( n > 32 ) 01116 { 01117 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01118 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 01119 } 01120 01121 /* 01122 * 38 . 38 session id length 01123 * 39 . 38+n session id 01124 * 39+n . 40+n chosen ciphersuite 01125 * 41+n . 41+n chosen compression alg. 01126 * 42+n . 43+n extensions length 01127 * 44+n . 44+n+m extensions 01128 */ 01129 if( ssl->in_hslen > 43 + n ) 01130 { 01131 ext_len = ( ( buf[42 + n] << 8 ) 01132 | ( buf[43 + n] ) ); 01133 01134 if( ( ext_len > 0 && ext_len < 4 ) || 01135 ssl->in_hslen != 44 + n + ext_len ) 01136 { 01137 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01138 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 01139 } 01140 } 01141 else if( ssl->in_hslen == 42 + n ) 01142 { 01143 ext_len = 0; 01144 } 01145 else 01146 { 01147 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01148 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 01149 } 01150 01151 i = ( buf[39 + n] << 8 ) | buf[40 + n]; 01152 comp = buf[41 + n]; 01153 01154 /* 01155 * Initialize update checksum functions 01156 */ 01157 ssl->transform_negotiate->ciphersuite_info = ssl_ciphersuite_from_id( i ); 01158 01159 if( ssl->transform_negotiate->ciphersuite_info == NULL ) 01160 { 01161 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) ); 01162 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 01163 } 01164 01165 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); 01166 01167 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 01168 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n ); 01169 01170 /* 01171 * Check if the session can be resumed 01172 */ 01173 if( ssl->handshake->resume == 0 || n == 0 || 01174 #if defined(POLARSSL_SSL_RENEGOTIATION) 01175 ssl->renegotiation != SSL_INITIAL_HANDSHAKE || 01176 #endif 01177 ssl->session_negotiate->ciphersuite != i || 01178 ssl->session_negotiate->compression != comp || 01179 ssl->session_negotiate->length != n || 01180 memcmp( ssl->session_negotiate->id, buf + 39, n ) != 0 ) 01181 { 01182 ssl->state++; 01183 ssl->handshake->resume = 0; 01184 #if defined(POLARSSL_HAVE_TIME) 01185 ssl->session_negotiate->start = time( NULL ); 01186 #endif 01187 ssl->session_negotiate->ciphersuite = i; 01188 ssl->session_negotiate->compression = comp; 01189 ssl->session_negotiate->length = n; 01190 memcpy( ssl->session_negotiate->id, buf + 39, n ); 01191 } 01192 else 01193 { 01194 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC; 01195 01196 if( ( ret = ssl_derive_keys( ssl ) ) != 0 ) 01197 { 01198 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret ); 01199 return( ret ); 01200 } 01201 } 01202 01203 SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 01204 ssl->handshake->resume ? "a" : "no" ) ); 01205 01206 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) ); 01207 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) ); 01208 01209 suite_info = ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); 01210 if( suite_info == NULL || 01211 ( ssl->arc4_disabled && 01212 suite_info->cipher == POLARSSL_CIPHER_ARC4_128 ) ) 01213 { 01214 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01215 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 01216 } 01217 01218 01219 i = 0; 01220 while( 1 ) 01221 { 01222 if( ssl->ciphersuite_list[ssl->minor_ver][i] == 0 ) 01223 { 01224 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01225 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 01226 } 01227 01228 if( ssl->ciphersuite_list[ssl->minor_ver][i++] == 01229 ssl->session_negotiate->ciphersuite ) 01230 { 01231 break; 01232 } 01233 } 01234 01235 if( comp != SSL_COMPRESS_NULL 01236 #if defined(POLARSSL_ZLIB_SUPPORT) 01237 && comp != SSL_COMPRESS_DEFLATE 01238 #endif 01239 ) 01240 { 01241 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01242 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 01243 } 01244 ssl->session_negotiate->compression = comp; 01245 01246 ext = buf + 44 + n; 01247 01248 SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) ); 01249 01250 while( ext_len ) 01251 { 01252 unsigned int ext_id = ( ( ext[0] << 8 ) 01253 | ( ext[1] ) ); 01254 unsigned int ext_size = ( ( ext[2] << 8 ) 01255 | ( ext[3] ) ); 01256 01257 if( ext_size + 4 > ext_len ) 01258 { 01259 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01260 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 01261 } 01262 01263 switch( ext_id ) 01264 { 01265 case TLS_EXT_RENEGOTIATION_INFO: 01266 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01267 #if defined(POLARSSL_SSL_RENEGOTIATION) 01268 renegotiation_info_seen = 1; 01269 #endif 01270 01271 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, 01272 ext_size ) ) != 0 ) 01273 return( ret ); 01274 01275 break; 01276 01277 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) 01278 case TLS_EXT_MAX_FRAGMENT_LENGTH: 01279 SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) ); 01280 01281 if( ( ret = ssl_parse_max_fragment_length_ext( ssl, 01282 ext + 4, ext_size ) ) != 0 ) 01283 { 01284 return( ret ); 01285 } 01286 01287 break; 01288 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */ 01289 01290 #if defined(POLARSSL_SSL_TRUNCATED_HMAC) 01291 case TLS_EXT_TRUNCATED_HMAC: 01292 SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) ); 01293 01294 if( ( ret = ssl_parse_truncated_hmac_ext( ssl, 01295 ext + 4, ext_size ) ) != 0 ) 01296 { 01297 return( ret ); 01298 } 01299 01300 break; 01301 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */ 01302 01303 #if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC) 01304 case TLS_EXT_ENCRYPT_THEN_MAC: 01305 SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) ); 01306 01307 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl, 01308 ext + 4, ext_size ) ) != 0 ) 01309 { 01310 return( ret ); 01311 } 01312 01313 break; 01314 #endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */ 01315 01316 #if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET) 01317 case TLS_EXT_EXTENDED_MASTER_SECRET: 01318 SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) ); 01319 01320 if( ( ret = ssl_parse_extended_ms_ext( ssl, 01321 ext + 4, ext_size ) ) != 0 ) 01322 { 01323 return( ret ); 01324 } 01325 01326 break; 01327 #endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */ 01328 01329 #if defined(POLARSSL_SSL_SESSION_TICKETS) 01330 case TLS_EXT_SESSION_TICKET: 01331 SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) ); 01332 01333 if( ( ret = ssl_parse_session_ticket_ext( ssl, 01334 ext + 4, ext_size ) ) != 0 ) 01335 { 01336 return( ret ); 01337 } 01338 01339 break; 01340 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 01341 01342 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) 01343 case TLS_EXT_SUPPORTED_POINT_FORMATS: 01344 SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) ); 01345 01346 if( ( ret = ssl_parse_supported_point_formats_ext( ssl, 01347 ext + 4, ext_size ) ) != 0 ) 01348 { 01349 return( ret ); 01350 } 01351 01352 break; 01353 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */ 01354 01355 #if defined(POLARSSL_SSL_ALPN) 01356 case TLS_EXT_ALPN: 01357 SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 01358 01359 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 ) 01360 return( ret ); 01361 01362 break; 01363 #endif /* POLARSSL_SSL_ALPN */ 01364 01365 default: 01366 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 01367 ext_id ) ); 01368 } 01369 01370 ext_len -= 4 + ext_size; 01371 ext += 4 + ext_size; 01372 01373 if( ext_len > 0 && ext_len < 4 ) 01374 { 01375 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01376 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 01377 } 01378 } 01379 01380 /* 01381 * Renegotiation security checks 01382 */ 01383 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION && 01384 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE ) 01385 { 01386 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01387 handshake_failure = 1; 01388 } 01389 #if defined(POLARSSL_SSL_RENEGOTIATION) 01390 else if( ssl->renegotiation == SSL_RENEGOTIATION && 01391 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION && 01392 renegotiation_info_seen == 0 ) 01393 { 01394 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 01395 handshake_failure = 1; 01396 } 01397 else if( ssl->renegotiation == SSL_RENEGOTIATION && 01398 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION && 01399 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION ) 01400 { 01401 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 01402 handshake_failure = 1; 01403 } 01404 else if( ssl->renegotiation == SSL_RENEGOTIATION && 01405 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION && 01406 renegotiation_info_seen == 1 ) 01407 { 01408 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 01409 handshake_failure = 1; 01410 } 01411 #endif /* POLARSSL_SSL_RENEGOTIATION */ 01412 01413 if( handshake_failure == 1 ) 01414 { 01415 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01416 return( ret ); 01417 01418 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 01419 } 01420 01421 SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01422 01423 return( 0 ); 01424 } 01425 01426 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 01427 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) 01428 static int ssl_parse_server_dh_params( ssl_context *ssl, unsigned char **p, 01429 unsigned char *end ) 01430 { 01431 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; 01432 01433 /* 01434 * Ephemeral DH parameters: 01435 * 01436 * struct { 01437 * opaque dh_p<1..2^16-1>; 01438 * opaque dh_g<1..2^16-1>; 01439 * opaque dh_Ys<1..2^16-1>; 01440 * } ServerDHParams; 01441 */ 01442 if( ( ret = dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 ) 01443 { 01444 SSL_DEBUG_RET( 2, ( "dhm_read_params" ), ret ); 01445 return( ret ); 01446 } 01447 01448 if( ssl->handshake->dhm_ctx.len < 64 || 01449 ssl->handshake->dhm_ctx.len > 512 ) 01450 { 01451 SSL_DEBUG_MSG( 1, ( "bad server key exchange message (DHM length)" ) ); 01452 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01453 } 01454 01455 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 01456 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 01457 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 01458 01459 return( ret ); 01460 } 01461 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED || 01462 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */ 01463 01464 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01465 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 01466 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 01467 defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 01468 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 01469 static int ssl_check_server_ecdh_params( const ssl_context *ssl ) 01470 { 01471 const ecp_curve_info *curve_info; 01472 01473 curve_info = ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id ); 01474 if( curve_info == NULL ) 01475 { 01476 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01477 return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); 01478 } 01479 01480 SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); 01481 01482 #if defined(POLARSSL_SSL_SET_CURVES) 01483 if( ! ssl_curve_is_acceptable( ssl, ssl->handshake->ecdh_ctx.grp.id ) ) 01484 #else 01485 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || 01486 ssl->handshake->ecdh_ctx.grp.nbits > 521 ) 01487 #endif 01488 return( -1 ); 01489 01490 SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp ); 01491 01492 return( 0 ); 01493 } 01494 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 01495 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 01496 POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 01497 POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED || 01498 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 01499 01500 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01501 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 01502 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 01503 static int ssl_parse_server_ecdh_params( ssl_context *ssl, 01504 unsigned char **p, 01505 unsigned char *end ) 01506 { 01507 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; 01508 01509 /* 01510 * Ephemeral ECDH parameters: 01511 * 01512 * struct { 01513 * ECParameters curve_params; 01514 * ECPoint public; 01515 * } ServerECDHParams; 01516 */ 01517 if( ( ret = ecdh_read_params( &ssl->handshake->ecdh_ctx, 01518 (const unsigned char **) p, end ) ) != 0 ) 01519 { 01520 SSL_DEBUG_RET( 1, ( "ecdh_read_params" ), ret ); 01521 return( ret ); 01522 } 01523 01524 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 01525 { 01526 SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) ); 01527 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01528 } 01529 01530 return( ret ); 01531 } 01532 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 01533 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 01534 POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 01535 01536 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) 01537 static int ssl_parse_server_psk_hint( ssl_context *ssl, 01538 unsigned char **p, 01539 unsigned char *end ) 01540 { 01541 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; 01542 size_t len; 01543 ((void) ssl); 01544 01545 /* 01546 * PSK parameters: 01547 * 01548 * opaque psk_identity_hint<0..2^16-1>; 01549 */ 01550 len = (*p)[0] << 8 | (*p)[1]; 01551 *p += 2; 01552 01553 if( (*p) + len > end ) 01554 { 01555 SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) ); 01556 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01557 } 01558 01559 // TODO: Retrieve PSK identity hint and callback to app 01560 // 01561 *p += len; 01562 ret = 0; 01563 01564 return( ret ); 01565 } 01566 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */ 01567 01568 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \ 01569 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) 01570 /* 01571 * Generate a pre-master secret and encrypt it with the server's RSA key 01572 */ 01573 static int ssl_write_encrypted_pms( ssl_context *ssl, 01574 size_t offset, size_t *olen, 01575 size_t pms_offset ) 01576 { 01577 int ret; 01578 size_t len_bytes = ssl->minor_ver == SSL_MINOR_VERSION_0 ? 0 : 2; 01579 unsigned char *p = ssl->handshake->premaster + pms_offset; 01580 01581 /* 01582 * Generate (part of) the pre-master as 01583 * struct { 01584 * ProtocolVersion client_version; 01585 * opaque random[46]; 01586 * } PreMasterSecret; 01587 */ 01588 p[0] = (unsigned char) ssl->max_major_ver; 01589 p[1] = (unsigned char) ssl->max_minor_ver; 01590 01591 if( ( ret = ssl->f_rng( ssl->p_rng, p + 2, 46 ) ) != 0 ) 01592 { 01593 SSL_DEBUG_RET( 1, "f_rng", ret ); 01594 return( ret ); 01595 } 01596 01597 ssl->handshake->pmslen = 48; 01598 01599 /* 01600 * Now write it out, encrypted 01601 */ 01602 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, 01603 POLARSSL_PK_RSA ) ) 01604 { 01605 SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) ); 01606 return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH ); 01607 } 01608 01609 if( ( ret = pk_encrypt( &ssl->session_negotiate->peer_cert->pk, 01610 p, ssl->handshake->pmslen, 01611 ssl->out_msg + offset + len_bytes, olen, 01612 SSL_MAX_CONTENT_LEN - offset - len_bytes, 01613 ssl->f_rng, ssl->p_rng ) ) != 0 ) 01614 { 01615 SSL_DEBUG_RET( 1, "rsa_pkcs1_encrypt", ret ); 01616 return( ret ); 01617 } 01618 01619 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \ 01620 defined(POLARSSL_SSL_PROTO_TLS1_2) 01621 if( len_bytes == 2 ) 01622 { 01623 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 ); 01624 ssl->out_msg[offset+1] = (unsigned char)( *olen ); 01625 *olen += 2; 01626 } 01627 #endif 01628 01629 return( 0 ); 01630 } 01631 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED || 01632 POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */ 01633 01634 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 01635 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 01636 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01637 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 01638 static int ssl_parse_signature_algorithm( ssl_context *ssl, 01639 unsigned char **p, 01640 unsigned char *end, 01641 md_type_t *md_alg, 01642 pk_type_t *pk_alg ) 01643 { 01644 ((void) ssl); 01645 *md_alg = POLARSSL_MD_NONE; 01646 *pk_alg = POLARSSL_PK_NONE; 01647 01648 /* Only in TLS 1.2 */ 01649 if( ssl->minor_ver != SSL_MINOR_VERSION_3 ) 01650 { 01651 return( 0 ); 01652 } 01653 01654 if( (*p) + 2 > end ) 01655 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01656 01657 /* 01658 * Get hash algorithm 01659 */ 01660 if( ( *md_alg = ssl_md_alg_from_hash( (*p)[0] ) ) == POLARSSL_MD_NONE ) 01661 { 01662 SSL_DEBUG_MSG( 2, ( "Server used unsupported " 01663 "HashAlgorithm %d", *(p)[0] ) ); 01664 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01665 } 01666 01667 /* 01668 * Get signature algorithm 01669 */ 01670 if( ( *pk_alg = ssl_pk_alg_from_sig( (*p)[1] ) ) == POLARSSL_PK_NONE ) 01671 { 01672 SSL_DEBUG_MSG( 2, ( "server used unsupported " 01673 "SignatureAlgorithm %d", (*p)[1] ) ); 01674 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01675 } 01676 01677 SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) ); 01678 SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) ); 01679 *p += 2; 01680 01681 return( 0 ); 01682 } 01683 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED || 01684 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 01685 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 01686 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ 01687 01688 01689 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 01690 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 01691 static int ssl_get_ecdh_params_from_cert( ssl_context *ssl ) 01692 { 01693 int ret; 01694 const ecp_keypair *peer_key; 01695 01696 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, 01697 POLARSSL_PK_ECKEY ) ) 01698 { 01699 SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 01700 return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH ); 01701 } 01702 01703 peer_key = pk_ec( ssl->session_negotiate->peer_cert->pk ); 01704 01705 if( ( ret = ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key, 01706 POLARSSL_ECDH_THEIRS ) ) != 0 ) 01707 { 01708 SSL_DEBUG_RET( 1, ( "ecdh_get_params" ), ret ); 01709 return( ret ); 01710 } 01711 01712 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 01713 { 01714 SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) ); 01715 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE ); 01716 } 01717 01718 return( ret ); 01719 } 01720 #endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 01721 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 01722 01723 static int ssl_parse_server_key_exchange( ssl_context *ssl ) 01724 { 01725 int ret; 01726 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 01727 unsigned char *p, *end; 01728 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 01729 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01730 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 01731 size_t sig_len, params_len; 01732 unsigned char hash[64]; 01733 md_type_t md_alg = POLARSSL_MD_NONE; 01734 size_t hashlen; 01735 pk_type_t pk_alg = POLARSSL_PK_NONE; 01736 #endif 01737 01738 SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); 01739 01740 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) 01741 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ) 01742 { 01743 SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 01744 ssl->state++; 01745 return( 0 ); 01746 } 01747 ((void) p); 01748 ((void) end); 01749 #endif 01750 01751 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 01752 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 01753 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA || 01754 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA ) 01755 { 01756 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 ) 01757 { 01758 SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret ); 01759 return( ret ); 01760 } 01761 01762 SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 01763 ssl->state++; 01764 return( 0 ); 01765 } 01766 ((void) p); 01767 ((void) end); 01768 #endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED || 01769 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 01770 01771 if( ( ret = ssl_read_record( ssl ) ) != 0 ) 01772 { 01773 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 01774 return( ret ); 01775 } 01776 01777 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) 01778 { 01779 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 01780 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); 01781 } 01782 01783 /* 01784 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server 01785 * doesn't use a psk_identity_hint 01786 */ 01787 if( ssl->in_msg[0] != SSL_HS_SERVER_KEY_EXCHANGE ) 01788 { 01789 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 01790 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) 01791 { 01792 ssl->record_read = 1; 01793 goto exit; 01794 } 01795 01796 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 01797 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); 01798 } 01799 01800 p = ssl->in_msg + 4; 01801 end = ssl->in_msg + ssl->in_hslen; 01802 SSL_DEBUG_BUF( 3, "server key exchange", p, ssl->in_hslen - 4 ); 01803 01804 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) 01805 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 01806 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || 01807 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK || 01808 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) 01809 { 01810 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 ) 01811 { 01812 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 01813 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01814 } 01815 } /* FALLTROUGH */ 01816 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */ 01817 01818 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \ 01819 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) 01820 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 01821 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) 01822 ; /* nothing more to do */ 01823 else 01824 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED || 01825 POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */ 01826 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 01827 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) 01828 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA || 01829 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ) 01830 { 01831 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 ) 01832 { 01833 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 01834 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01835 } 01836 } 01837 else 01838 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED || 01839 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */ 01840 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01841 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 01842 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 01843 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA || 01844 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK || 01845 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ) 01846 { 01847 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 ) 01848 { 01849 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 01850 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01851 } 01852 } 01853 else 01854 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 01855 POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 01856 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 01857 { 01858 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01859 return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); 01860 } 01861 01862 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 01863 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01864 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 01865 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA || 01866 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA || 01867 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ) 01868 { 01869 params_len = p - ( ssl->in_msg + 4 ); 01870 01871 /* 01872 * Handle the digitally-signed structure 01873 */ 01874 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 01875 if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) 01876 { 01877 if( ssl_parse_signature_algorithm( ssl, &p, end, 01878 &md_alg, &pk_alg ) != 0 ) 01879 { 01880 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 01881 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01882 } 01883 01884 if( pk_alg != ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) ) 01885 { 01886 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 01887 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01888 } 01889 } 01890 else 01891 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ 01892 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \ 01893 defined(POLARSSL_SSL_PROTO_TLS1_1) 01894 if( ssl->minor_ver < SSL_MINOR_VERSION_3 ) 01895 { 01896 pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 01897 01898 /* Default hash for ECDSA is SHA-1 */ 01899 if( pk_alg == POLARSSL_PK_ECDSA && md_alg == POLARSSL_MD_NONE ) 01900 md_alg = POLARSSL_MD_SHA1; 01901 } 01902 else 01903 #endif 01904 { 01905 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01906 return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); 01907 } 01908 01909 /* 01910 * Read signature 01911 */ 01912 sig_len = ( p[0] << 8 ) | p[1]; 01913 p += 2; 01914 01915 if( end != p + sig_len ) 01916 { 01917 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 01918 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01919 } 01920 01921 SSL_DEBUG_BUF( 3, "signature", p, sig_len ); 01922 01923 /* 01924 * Compute the hash that has been signed 01925 */ 01926 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \ 01927 defined(POLARSSL_SSL_PROTO_TLS1_1) 01928 if( md_alg == POLARSSL_MD_NONE ) 01929 { 01930 md5_context md5; 01931 sha1_context sha1; 01932 01933 md5_init( &md5 ); 01934 sha1_init( &sha1 ); 01935 01936 hashlen = 36; 01937 01938 /* 01939 * digitally-signed struct { 01940 * opaque md5_hash[16]; 01941 * opaque sha_hash[20]; 01942 * }; 01943 * 01944 * md5_hash 01945 * MD5(ClientHello.random + ServerHello.random 01946 * + ServerParams); 01947 * sha_hash 01948 * SHA(ClientHello.random + ServerHello.random 01949 * + ServerParams); 01950 */ 01951 md5_starts( &md5 ); 01952 md5_update( &md5, ssl->handshake->randbytes, 64 ); 01953 md5_update( &md5, ssl->in_msg + 4, params_len ); 01954 md5_finish( &md5, hash ); 01955 01956 sha1_starts( &sha1 ); 01957 sha1_update( &sha1, ssl->handshake->randbytes, 64 ); 01958 sha1_update( &sha1, ssl->in_msg + 4, params_len ); 01959 sha1_finish( &sha1, hash + 16 ); 01960 01961 md5_free( &md5 ); 01962 sha1_free( &sha1 ); 01963 } 01964 else 01965 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \ 01966 POLARSSL_SSL_PROTO_TLS1_1 */ 01967 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \ 01968 defined(POLARSSL_SSL_PROTO_TLS1_2) 01969 if( md_alg != POLARSSL_MD_NONE ) 01970 { 01971 md_context_t ctx; 01972 01973 md_init( &ctx ); 01974 01975 /* Info from md_alg will be used instead */ 01976 hashlen = 0; 01977 01978 /* 01979 * digitally-signed struct { 01980 * opaque client_random[32]; 01981 * opaque server_random[32]; 01982 * ServerDHParams params; 01983 * }; 01984 */ 01985 if( ( ret = md_init_ctx( &ctx, 01986 md_info_from_type( md_alg ) ) ) != 0 ) 01987 { 01988 SSL_DEBUG_RET( 1, "md_init_ctx", ret ); 01989 return( ret ); 01990 } 01991 01992 md_starts( &ctx ); 01993 md_update( &ctx, ssl->handshake->randbytes, 64 ); 01994 md_update( &ctx, ssl->in_msg + 4, params_len ); 01995 md_finish( &ctx, hash ); 01996 md_free( &ctx ); 01997 } 01998 else 01999 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \ 02000 POLARSSL_SSL_PROTO_TLS1_2 */ 02001 { 02002 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02003 return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); 02004 } 02005 02006 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : 02007 (unsigned int) ( md_info_from_type( md_alg ) )->size ); 02008 02009 /* 02010 * Verify signature 02011 */ 02012 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 02013 { 02014 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02015 return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH ); 02016 } 02017 02018 if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk, 02019 md_alg, hash, hashlen, p, sig_len ) ) != 0 ) 02020 { 02021 SSL_DEBUG_RET( 1, "pk_verify", ret ); 02022 return( ret ); 02023 } 02024 } 02025 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED || 02026 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02027 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02028 02029 exit: 02030 ssl->state++; 02031 02032 SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) ); 02033 02034 return( 0 ); 02035 } 02036 02037 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \ 02038 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 02039 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 02040 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02041 static int ssl_parse_certificate_request( ssl_context *ssl ) 02042 { 02043 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02044 02045 SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02046 02047 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 02048 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || 02049 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK || 02050 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) 02051 { 02052 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02053 ssl->state++; 02054 return( 0 ); 02055 } 02056 02057 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02058 return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); 02059 } 02060 #else 02061 static int ssl_parse_certificate_request( ssl_context *ssl ) 02062 { 02063 int ret; 02064 unsigned char *buf, *p; 02065 size_t n = 0, m = 0; 02066 size_t cert_type_len = 0, dn_len = 0; 02067 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02068 02069 SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02070 02071 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 02072 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || 02073 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK || 02074 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) 02075 { 02076 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02077 ssl->state++; 02078 return( 0 ); 02079 } 02080 02081 /* 02082 * 0 . 0 handshake type 02083 * 1 . 3 handshake length 02084 * 4 . 4 cert type count 02085 * 5 .. m-1 cert types 02086 * m .. m+1 sig alg length (TLS 1.2 only) 02087 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only) 02088 * n .. n+1 length of all DNs 02089 * n+2 .. n+3 length of DN 1 02090 * n+4 .. ... Distinguished Name #1 02091 * ... .. ... length of DN 2, etc. 02092 */ 02093 if( ssl->record_read == 0 ) 02094 { 02095 if( ( ret = ssl_read_record( ssl ) ) != 0 ) 02096 { 02097 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 02098 return( ret ); 02099 } 02100 02101 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) 02102 { 02103 SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02104 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); 02105 } 02106 02107 ssl->record_read = 1; 02108 } 02109 02110 ssl->client_auth = 0; 02111 ssl->state++; 02112 02113 if( ssl->in_msg[0] == SSL_HS_CERTIFICATE_REQUEST ) 02114 ssl->client_auth++; 02115 02116 SSL_DEBUG_MSG( 3, ( "got %s certificate request", 02117 ssl->client_auth ? "a" : "no" ) ); 02118 02119 if( ssl->client_auth == 0 ) 02120 goto exit; 02121 02122 ssl->record_read = 0; 02123 02124 // TODO: handshake_failure alert for an anonymous server to request 02125 // client authentication 02126 02127 buf = ssl->in_msg; 02128 02129 // Retrieve cert types 02130 // 02131 cert_type_len = buf[4]; 02132 n = cert_type_len; 02133 02134 if( ssl->in_hslen < 6 + n ) 02135 { 02136 SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02137 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02138 } 02139 02140 p = buf + 5; 02141 while( cert_type_len > 0 ) 02142 { 02143 #if defined(POLARSSL_RSA_C) 02144 if( *p == SSL_CERT_TYPE_RSA_SIGN && 02145 pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) ) 02146 { 02147 ssl->handshake->cert_type = SSL_CERT_TYPE_RSA_SIGN; 02148 break; 02149 } 02150 else 02151 #endif 02152 #if defined(POLARSSL_ECDSA_C) 02153 if( *p == SSL_CERT_TYPE_ECDSA_SIGN && 02154 pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECDSA ) ) 02155 { 02156 ssl->handshake->cert_type = SSL_CERT_TYPE_ECDSA_SIGN; 02157 break; 02158 } 02159 else 02160 #endif 02161 { 02162 ; /* Unsupported cert type, ignore */ 02163 } 02164 02165 cert_type_len--; 02166 p++; 02167 } 02168 02169 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 02170 if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) 02171 { 02172 /* Ignored, see comments about hash in write_certificate_verify */ 02173 // TODO: should check the signature part against our pk_key though 02174 size_t sig_alg_len = ( ( buf[5 + n] << 8 ) 02175 | ( buf[6 + n] ) ); 02176 02177 p = buf + 7 + n; 02178 m += 2; 02179 n += sig_alg_len; 02180 02181 if( ssl->in_hslen < 6 + n ) 02182 { 02183 SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02184 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02185 } 02186 } 02187 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ 02188 02189 /* Ignore certificate_authorities, we only have one cert anyway */ 02190 // TODO: should not send cert if no CA matches 02191 dn_len = ( ( buf[5 + m + n] << 8 ) 02192 | ( buf[6 + m + n] ) ); 02193 02194 n += dn_len; 02195 if( ssl->in_hslen != 7 + m + n ) 02196 { 02197 SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02198 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02199 } 02200 02201 exit: 02202 SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) ); 02203 02204 return( 0 ); 02205 } 02206 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED && 02207 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED && 02208 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 02209 !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02210 02211 static int ssl_parse_server_hello_done( ssl_context *ssl ) 02212 { 02213 int ret; 02214 02215 SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) ); 02216 02217 if( ssl->record_read == 0 ) 02218 { 02219 if( ( ret = ssl_read_record( ssl ) ) != 0 ) 02220 { 02221 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 02222 return( ret ); 02223 } 02224 02225 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) 02226 { 02227 SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02228 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); 02229 } 02230 } 02231 ssl->record_read = 0; 02232 02233 if( ssl->in_hslen != 4 || 02234 ssl->in_msg[0] != SSL_HS_SERVER_HELLO_DONE ) 02235 { 02236 SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02237 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE ); 02238 } 02239 02240 ssl->state++; 02241 02242 SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) ); 02243 02244 return( 0 ); 02245 } 02246 02247 static int ssl_write_client_key_exchange( ssl_context *ssl ) 02248 { 02249 int ret; 02250 size_t i, n; 02251 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02252 02253 SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); 02254 02255 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) 02256 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ) 02257 { 02258 /* 02259 * DHM key exchange -- send G^X mod P 02260 */ 02261 n = ssl->handshake->dhm_ctx.len; 02262 02263 ssl->out_msg[4] = (unsigned char)( n >> 8 ); 02264 ssl->out_msg[5] = (unsigned char)( n ); 02265 i = 6; 02266 02267 ret = dhm_make_public( &ssl->handshake->dhm_ctx, 02268 (int) mpi_size( &ssl->handshake->dhm_ctx.P ), 02269 &ssl->out_msg[i], n, 02270 ssl->f_rng, ssl->p_rng ); 02271 if( ret != 0 ) 02272 { 02273 SSL_DEBUG_RET( 1, "dhm_make_public", ret ); 02274 return( ret ); 02275 } 02276 02277 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 02278 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 02279 02280 ssl->handshake->pmslen = POLARSSL_PREMASTER_SIZE; 02281 02282 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx, 02283 ssl->handshake->premaster, 02284 &ssl->handshake->pmslen, 02285 ssl->f_rng, ssl->p_rng ) ) != 0 ) 02286 { 02287 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret ); 02288 return( ret ); 02289 } 02290 02291 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 02292 } 02293 else 02294 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */ 02295 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02296 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02297 defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02298 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02299 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA || 02300 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA || 02301 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA || 02302 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA ) 02303 { 02304 /* 02305 * ECDH key exchange -- send client public value 02306 */ 02307 i = 4; 02308 02309 ret = ecdh_make_public( &ssl->handshake->ecdh_ctx, 02310 &n, 02311 &ssl->out_msg[i], 1000, 02312 ssl->f_rng, ssl->p_rng ); 02313 if( ret != 0 ) 02314 { 02315 SSL_DEBUG_RET( 1, "ecdh_make_public", ret ); 02316 return( ret ); 02317 } 02318 02319 SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02320 02321 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 02322 &ssl->handshake->pmslen, 02323 ssl->handshake->premaster, 02324 POLARSSL_MPI_MAX_SIZE, 02325 ssl->f_rng, ssl->p_rng ) ) != 0 ) 02326 { 02327 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret ); 02328 return( ret ); 02329 } 02330 02331 SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z ); 02332 } 02333 else 02334 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02335 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02336 POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02337 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02338 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) 02339 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 02340 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || 02341 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK || 02342 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) 02343 { 02344 /* 02345 * opaque psk_identity<0..2^16-1>; 02346 */ 02347 if( ssl->psk == NULL || ssl->psk_identity == NULL ) 02348 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02349 02350 i = 4; 02351 n = ssl->psk_identity_len; 02352 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02353 ssl->out_msg[i++] = (unsigned char)( n ); 02354 02355 memcpy( ssl->out_msg + i, ssl->psk_identity, ssl->psk_identity_len ); 02356 i += ssl->psk_identity_len; 02357 02358 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) 02359 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ) 02360 { 02361 n = 0; 02362 } 02363 else 02364 #endif 02365 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) 02366 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) 02367 { 02368 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 ) 02369 return( ret ); 02370 } 02371 else 02372 #endif 02373 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) 02374 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ) 02375 { 02376 /* 02377 * ClientDiffieHellmanPublic public (DHM send G^X mod P) 02378 */ 02379 n = ssl->handshake->dhm_ctx.len; 02380 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02381 ssl->out_msg[i++] = (unsigned char)( n ); 02382 02383 ret = dhm_make_public( &ssl->handshake->dhm_ctx, 02384 (int) mpi_size( &ssl->handshake->dhm_ctx.P ), 02385 &ssl->out_msg[i], n, 02386 ssl->f_rng, ssl->p_rng ); 02387 if( ret != 0 ) 02388 { 02389 SSL_DEBUG_RET( 1, "dhm_make_public", ret ); 02390 return( ret ); 02391 } 02392 } 02393 else 02394 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02395 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02396 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) 02397 { 02398 /* 02399 * ClientECDiffieHellmanPublic public; 02400 */ 02401 ret = ecdh_make_public( &ssl->handshake->ecdh_ctx, &n, 02402 &ssl->out_msg[i], SSL_MAX_CONTENT_LEN - i, 02403 ssl->f_rng, ssl->p_rng ); 02404 if( ret != 0 ) 02405 { 02406 SSL_DEBUG_RET( 1, "ecdh_make_public", ret ); 02407 return( ret ); 02408 } 02409 02410 SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02411 } 02412 else 02413 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02414 { 02415 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02416 return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); 02417 } 02418 02419 if( ( ret = ssl_psk_derive_premaster( ssl, 02420 ciphersuite_info->key_exchange ) ) != 0 ) 02421 { 02422 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret ); 02423 return( ret ); 02424 } 02425 } 02426 else 02427 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02428 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) 02429 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ) 02430 { 02431 i = 4; 02432 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 ) 02433 return( ret ); 02434 } 02435 else 02436 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */ 02437 { 02438 ((void) ciphersuite_info); 02439 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02440 return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); 02441 } 02442 02443 ssl->out_msglen = i + n; 02444 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 02445 ssl->out_msg[0] = SSL_HS_CLIENT_KEY_EXCHANGE; 02446 02447 ssl->state++; 02448 02449 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 02450 { 02451 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 02452 return( ret ); 02453 } 02454 02455 SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) ); 02456 02457 return( 0 ); 02458 } 02459 02460 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \ 02461 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 02462 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 02463 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02464 static int ssl_write_certificate_verify( ssl_context *ssl ) 02465 { 02466 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02467 int ret; 02468 02469 SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 02470 02471 if( ( ret = ssl_derive_keys( ssl ) ) != 0 ) 02472 { 02473 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret ); 02474 return( ret ); 02475 } 02476 02477 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 02478 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || 02479 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK || 02480 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ) 02481 { 02482 SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 02483 ssl->state++; 02484 return( 0 ); 02485 } 02486 02487 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02488 return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); 02489 } 02490 #else 02491 static int ssl_write_certificate_verify( ssl_context *ssl ) 02492 { 02493 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; 02494 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02495 size_t n = 0, offset = 0; 02496 unsigned char hash[48]; 02497 unsigned char *hash_start = hash; 02498 md_type_t md_alg = POLARSSL_MD_NONE; 02499 unsigned int hashlen; 02500 02501 SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 02502 02503 if( ( ret = ssl_derive_keys( ssl ) ) != 0 ) 02504 { 02505 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret ); 02506 return( ret ); 02507 } 02508 02509 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 02510 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || 02511 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK || 02512 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ) 02513 { 02514 SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 02515 ssl->state++; 02516 return( 0 ); 02517 } 02518 02519 if( ssl->client_auth == 0 || ssl_own_cert( ssl ) == NULL ) 02520 { 02521 SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 02522 ssl->state++; 02523 return( 0 ); 02524 } 02525 02526 if( ssl_own_key( ssl ) == NULL ) 02527 { 02528 SSL_DEBUG_MSG( 1, ( "got no private key" ) ); 02529 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02530 } 02531 02532 /* 02533 * Make an RSA signature of the handshake digests 02534 */ 02535 ssl->handshake->calc_verify( ssl, hash ); 02536 02537 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \ 02538 defined(POLARSSL_SSL_PROTO_TLS1_1) 02539 if( ssl->minor_ver != SSL_MINOR_VERSION_3 ) 02540 { 02541 /* 02542 * digitally-signed struct { 02543 * opaque md5_hash[16]; 02544 * opaque sha_hash[20]; 02545 * }; 02546 * 02547 * md5_hash 02548 * MD5(handshake_messages); 02549 * 02550 * sha_hash 02551 * SHA(handshake_messages); 02552 */ 02553 hashlen = 36; 02554 md_alg = POLARSSL_MD_NONE; 02555 02556 /* 02557 * For ECDSA, default hash is SHA-1 only 02558 */ 02559 if( pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECDSA ) ) 02560 { 02561 hash_start += 16; 02562 hashlen -= 16; 02563 md_alg = POLARSSL_MD_SHA1; 02564 } 02565 } 02566 else 02567 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \ 02568 POLARSSL_SSL_PROTO_TLS1_1 */ 02569 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 02570 if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) 02571 { 02572 /* 02573 * digitally-signed struct { 02574 * opaque handshake_messages[handshake_messages_length]; 02575 * }; 02576 * 02577 * Taking shortcut here. We assume that the server always allows the 02578 * PRF Hash function and has sent it in the allowed signature 02579 * algorithms list received in the Certificate Request message. 02580 * 02581 * Until we encounter a server that does not, we will take this 02582 * shortcut. 02583 * 02584 * Reason: Otherwise we should have running hashes for SHA512 and SHA224 02585 * in order to satisfy 'weird' needs from the server side. 02586 */ 02587 if( ssl->transform_negotiate->ciphersuite_info->mac == 02588 POLARSSL_MD_SHA384 ) 02589 { 02590 md_alg = POLARSSL_MD_SHA384; 02591 ssl->out_msg[4] = SSL_HASH_SHA384; 02592 } 02593 else 02594 { 02595 md_alg = POLARSSL_MD_SHA256; 02596 ssl->out_msg[4] = SSL_HASH_SHA256; 02597 } 02598 ssl->out_msg[5] = ssl_sig_from_pk( ssl_own_key( ssl ) ); 02599 02600 /* Info from md_alg will be used instead */ 02601 hashlen = 0; 02602 offset = 2; 02603 } 02604 else 02605 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ 02606 { 02607 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02608 return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); 02609 } 02610 02611 if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash_start, hashlen, 02612 ssl->out_msg + 6 + offset, &n, 02613 ssl->f_rng, ssl->p_rng ) ) != 0 ) 02614 { 02615 SSL_DEBUG_RET( 1, "pk_sign", ret ); 02616 return( ret ); 02617 } 02618 02619 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 ); 02620 ssl->out_msg[5 + offset] = (unsigned char)( n ); 02621 02622 ssl->out_msglen = 6 + n + offset; 02623 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 02624 ssl->out_msg[0] = SSL_HS_CERTIFICATE_VERIFY; 02625 02626 ssl->state++; 02627 02628 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 02629 { 02630 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 02631 return( ret ); 02632 } 02633 02634 SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) ); 02635 02636 return( ret ); 02637 } 02638 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED && 02639 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED && 02640 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */ 02641 02642 #if defined(POLARSSL_SSL_SESSION_TICKETS) 02643 static int ssl_parse_new_session_ticket( ssl_context *ssl ) 02644 { 02645 int ret; 02646 uint32_t lifetime; 02647 size_t ticket_len; 02648 unsigned char *ticket; 02649 02650 SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); 02651 02652 if( ( ret = ssl_read_record( ssl ) ) != 0 ) 02653 { 02654 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 02655 return( ret ); 02656 } 02657 02658 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) 02659 { 02660 SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 02661 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); 02662 } 02663 02664 /* 02665 * struct { 02666 * uint32 ticket_lifetime_hint; 02667 * opaque ticket<0..2^16-1>; 02668 * } NewSessionTicket; 02669 * 02670 * 0 . 0 handshake message type 02671 * 1 . 3 handshake message length 02672 * 4 . 7 ticket_lifetime_hint 02673 * 8 . 9 ticket_len (n) 02674 * 10 . 9+n ticket content 02675 */ 02676 if( ssl->in_msg[0] != SSL_HS_NEW_SESSION_TICKET || 02677 ssl->in_hslen < 10 ) 02678 { 02679 SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 02680 return( POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 02681 } 02682 02683 lifetime = ( ssl->in_msg[4] << 24 ) | ( ssl->in_msg[5] << 16 ) | 02684 ( ssl->in_msg[6] << 8 ) | ( ssl->in_msg[7] ); 02685 02686 ticket_len = ( ssl->in_msg[8] << 8 ) | ( ssl->in_msg[9] ); 02687 02688 if( ticket_len + 10 != ssl->in_hslen ) 02689 { 02690 SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 02691 return( POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 02692 } 02693 02694 SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) ); 02695 02696 /* We're not waiting for a NewSessionTicket message any more */ 02697 ssl->handshake->new_session_ticket = 0; 02698 02699 /* 02700 * Zero-length ticket means the server changed his mind and doesn't want 02701 * to send a ticket after all, so just forget it 02702 */ 02703 if( ticket_len == 0 ) 02704 return( 0 ); 02705 02706 polarssl_zeroize( ssl->session_negotiate->ticket, 02707 ssl->session_negotiate->ticket_len ); 02708 polarssl_free( ssl->session_negotiate->ticket ); 02709 ssl->session_negotiate->ticket = NULL; 02710 ssl->session_negotiate->ticket_len = 0; 02711 02712 if( ( ticket = polarssl_malloc( ticket_len ) ) == NULL ) 02713 { 02714 SSL_DEBUG_MSG( 1, ( "ticket malloc failed" ) ); 02715 return( POLARSSL_ERR_SSL_MALLOC_FAILED ); 02716 } 02717 02718 memcpy( ticket, ssl->in_msg + 10, ticket_len ); 02719 02720 ssl->session_negotiate->ticket = ticket; 02721 ssl->session_negotiate->ticket_len = ticket_len; 02722 ssl->session_negotiate->ticket_lifetime = lifetime; 02723 02724 /* 02725 * RFC 5077 section 3.4: 02726 * "If the client receives a session ticket from the server, then it 02727 * discards any Session ID that was sent in the ServerHello." 02728 */ 02729 SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) ); 02730 ssl->session_negotiate->length = 0; 02731 02732 SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) ); 02733 02734 return( 0 ); 02735 } 02736 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 02737 02738 /* 02739 * SSL handshake -- client side -- single step 02740 */ 02741 int ssl_handshake_client_step( ssl_context *ssl ) 02742 { 02743 int ret = 0; 02744 02745 if( ssl->state == SSL_HANDSHAKE_OVER ) 02746 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 02747 02748 SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) ); 02749 02750 if( ( ret = ssl_flush_output( ssl ) ) != 0 ) 02751 return( ret ); 02752 02753 switch( ssl->state ) 02754 { 02755 case SSL_HELLO_REQUEST: 02756 ssl->state = SSL_CLIENT_HELLO; 02757 break; 02758 02759 /* 02760 * ==> ClientHello 02761 */ 02762 case SSL_CLIENT_HELLO: 02763 ret = ssl_write_client_hello( ssl ); 02764 break; 02765 02766 /* 02767 * <== ServerHello 02768 * Certificate 02769 * ( ServerKeyExchange ) 02770 * ( CertificateRequest ) 02771 * ServerHelloDone 02772 */ 02773 case SSL_SERVER_HELLO: 02774 ret = ssl_parse_server_hello( ssl ); 02775 break; 02776 02777 case SSL_SERVER_CERTIFICATE: 02778 ret = ssl_parse_certificate( ssl ); 02779 break; 02780 02781 case SSL_SERVER_KEY_EXCHANGE: 02782 ret = ssl_parse_server_key_exchange( ssl ); 02783 break; 02784 02785 case SSL_CERTIFICATE_REQUEST: 02786 ret = ssl_parse_certificate_request( ssl ); 02787 break; 02788 02789 case SSL_SERVER_HELLO_DONE: 02790 ret = ssl_parse_server_hello_done( ssl ); 02791 break; 02792 02793 /* 02794 * ==> ( Certificate/Alert ) 02795 * ClientKeyExchange 02796 * ( CertificateVerify ) 02797 * ChangeCipherSpec 02798 * Finished 02799 */ 02800 case SSL_CLIENT_CERTIFICATE: 02801 ret = ssl_write_certificate( ssl ); 02802 break; 02803 02804 case SSL_CLIENT_KEY_EXCHANGE: 02805 ret = ssl_write_client_key_exchange( ssl ); 02806 break; 02807 02808 case SSL_CERTIFICATE_VERIFY: 02809 ret = ssl_write_certificate_verify( ssl ); 02810 break; 02811 02812 case SSL_CLIENT_CHANGE_CIPHER_SPEC: 02813 ret = ssl_write_change_cipher_spec( ssl ); 02814 break; 02815 02816 case SSL_CLIENT_FINISHED: 02817 ret = ssl_write_finished( ssl ); 02818 break; 02819 02820 /* 02821 * <== ( NewSessionTicket ) 02822 * ChangeCipherSpec 02823 * Finished 02824 */ 02825 case SSL_SERVER_CHANGE_CIPHER_SPEC: 02826 #if defined(POLARSSL_SSL_SESSION_TICKETS) 02827 if( ssl->handshake->new_session_ticket != 0 ) 02828 ret = ssl_parse_new_session_ticket( ssl ); 02829 else 02830 #endif 02831 ret = ssl_parse_change_cipher_spec( ssl ); 02832 break; 02833 02834 case SSL_SERVER_FINISHED: 02835 ret = ssl_parse_finished( ssl ); 02836 break; 02837 02838 case SSL_FLUSH_BUFFERS: 02839 SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 02840 ssl->state = SSL_HANDSHAKE_WRAPUP; 02841 break; 02842 02843 case SSL_HANDSHAKE_WRAPUP: 02844 ssl_handshake_wrapup( ssl ); 02845 break; 02846 02847 default: 02848 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 02849 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 02850 } 02851 02852 return( ret ); 02853 } 02854 #endif /* POLARSSL_SSL_CLI_C */ 02855
Generated on Tue Jul 12 2022 13:50:38 by
1.7.2