mbed TLS library

Dependents:   HTTPClient-SSL WS_SERVER

Embed: (wiki syntax)

« Back to documentation index

Show/hide line numbers ssl_srv.c Source File

ssl_srv.c

00001 /*
00002  *  SSLv3/TLSv1 server-side functions
00003  *
00004  *  Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
00005  *
00006  *  This file is part of mbed TLS (https://tls.mbed.org)
00007  *
00008  *  This program is free software; you can redistribute it and/or modify
00009  *  it under the terms of the GNU General Public License as published by
00010  *  the Free Software Foundation; either version 2 of the License, or
00011  *  (at your option) any later version.
00012  *
00013  *  This program is distributed in the hope that it will be useful,
00014  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
00015  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
00016  *  GNU General Public License for more details.
00017  *
00018  *  You should have received a copy of the GNU General Public License along
00019  *  with this program; if not, write to the Free Software Foundation, Inc.,
00020  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
00021  */
00022 
00023 #if !defined(POLARSSL_CONFIG_FILE)
00024 #include "polarssl/config.h"
00025 #else
00026 #include POLARSSL_CONFIG_FILE
00027 #endif
00028 
00029 #if defined(POLARSSL_SSL_SRV_C)
00030 
00031 #include "polarssl/debug.h"
00032 #include "polarssl/ssl.h"
00033 
00034 #include <string.h>
00035 
00036 #if defined(POLARSSL_ECP_C)
00037 #include "polarssl/ecp.h"
00038 #endif
00039 
00040 #if defined(POLARSSL_PLATFORM_C)
00041 #include "polarssl/platform.h"
00042 #else
00043 #include <stdlib.h>
00044 #define polarssl_malloc     malloc
00045 #define polarssl_free       free
00046 #endif
00047 
00048 #if defined(POLARSSL_HAVE_TIME)
00049 #include <time.h>
00050 #endif
00051 
00052 #if defined(POLARSSL_SSL_SESSION_TICKETS)
00053 /* Implementation that should never be optimized out by the compiler */
00054 static void polarssl_zeroize( void *v, size_t n ) {
00055     volatile unsigned char *p = v; while( n-- ) *p++ = 0;
00056 }
00057 
00058 /*
00059  * Serialize a session in the following format:
00060  *  0   .   n-1     session structure, n = sizeof(ssl_session)
00061  *  n   .   n+2     peer_cert length = m (0 if no certificate)
00062  *  n+3 .   n+2+m   peer cert ASN.1
00063  *
00064  *  Assumes ticket is NULL (always true on server side).
00065  */
00066 static int ssl_save_session( const ssl_session *session,
00067                              unsigned char *buf, size_t buf_len,
00068                              size_t *olen )
00069 {
00070     unsigned char *p = buf;
00071     size_t left = buf_len;
00072 #if defined(POLARSSL_X509_CRT_PARSE_C)
00073     size_t cert_len;
00074 #endif /* POLARSSL_X509_CRT_PARSE_C */
00075 
00076     if( left < sizeof( ssl_session ) )
00077         return( -1 );
00078 
00079     memcpy( p, session, sizeof( ssl_session ) );
00080     p += sizeof( ssl_session );
00081     left -= sizeof( ssl_session );
00082 
00083 #if defined(POLARSSL_X509_CRT_PARSE_C)
00084     if( session->peer_cert == NULL )
00085         cert_len = 0;
00086     else
00087         cert_len = session->peer_cert->raw.len;
00088 
00089     if( left < 3 + cert_len )
00090         return( -1 );
00091 
00092     *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
00093     *p++ = (unsigned char)( cert_len >>  8 & 0xFF );
00094     *p++ = (unsigned char)( cert_len       & 0xFF );
00095 
00096     if( session->peer_cert != NULL )
00097         memcpy( p, session->peer_cert->raw.p, cert_len );
00098 
00099     p += cert_len;
00100 #endif /* POLARSSL_X509_CRT_PARSE_C */
00101 
00102     *olen = p - buf;
00103 
00104     return( 0 );
00105 }
00106 
00107 /*
00108  * Unserialise session, see ssl_save_session()
00109  */
00110 static int ssl_load_session( ssl_session *session,
00111                              const unsigned char *buf, size_t len )
00112 {
00113     const unsigned char *p = buf;
00114     const unsigned char * const end = buf + len;
00115 #if defined(POLARSSL_X509_CRT_PARSE_C)
00116     size_t cert_len;
00117 #endif /* POLARSSL_X509_CRT_PARSE_C */
00118 
00119     if( p + sizeof( ssl_session ) > end )
00120         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00121 
00122     memcpy( session, p, sizeof( ssl_session ) );
00123     p += sizeof( ssl_session );
00124 
00125 #if defined(POLARSSL_X509_CRT_PARSE_C)
00126     if( p + 3 > end )
00127         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00128 
00129     cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
00130     p += 3;
00131 
00132     if( cert_len == 0 )
00133     {
00134         session->peer_cert = NULL;
00135     }
00136     else
00137     {
00138         int ret;
00139 
00140         if( p + cert_len > end )
00141             return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00142 
00143         session->peer_cert = polarssl_malloc( sizeof( x509_crt ) );
00144 
00145         if( session->peer_cert == NULL )
00146             return( POLARSSL_ERR_SSL_MALLOC_FAILED );
00147 
00148         x509_crt_init( session->peer_cert );
00149 
00150         if( ( ret = x509_crt_parse_der( session->peer_cert,
00151                                         p, cert_len ) ) != 0 )
00152         {
00153             x509_crt_free( session->peer_cert );
00154             polarssl_free( session->peer_cert );
00155             session->peer_cert = NULL;
00156             return( ret );
00157         }
00158 
00159         p += cert_len;
00160     }
00161 #endif /* POLARSSL_X509_CRT_PARSE_C */
00162 
00163     if( p != end )
00164         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00165 
00166     return( 0 );
00167 }
00168 
00169 /*
00170  * Create session ticket, secured as recommended in RFC 5077 section 4:
00171  *
00172  *    struct {
00173  *        opaque key_name[16];
00174  *        opaque iv[16];
00175  *        opaque encrypted_state<0..2^16-1>;
00176  *        opaque mac[32];
00177  *    } ticket;
00178  *
00179  * (the internal state structure differs, however).
00180  */
00181 static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
00182 {
00183     int ret;
00184     unsigned char * const start = ssl->out_msg + 10;
00185     unsigned char *p = start;
00186     unsigned char *state;
00187     unsigned char iv[16];
00188     size_t clear_len, enc_len, pad_len, i;
00189 
00190     *tlen = 0;
00191 
00192     if( ssl->ticket_keys == NULL )
00193         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00194 
00195     /* Write key name */
00196     memcpy( p, ssl->ticket_keys->key_name, 16 );
00197     p += 16;
00198 
00199     /* Generate and write IV (with a copy for aes_crypt) */
00200     if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
00201         return( ret );
00202     memcpy( iv, p, 16 );
00203     p += 16;
00204 
00205     /*
00206      * Dump session state
00207      *
00208      * After the session state itself, we still need room for 16 bytes of
00209      * padding and 32 bytes of MAC, so there's only so much room left
00210      */
00211     state = p + 2;
00212     if( ssl_save_session( ssl->session_negotiate, state,
00213                           SSL_MAX_CONTENT_LEN - ( state - ssl->out_ctr ) - 48,
00214                           &clear_len ) != 0 )
00215     {
00216         return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
00217     }
00218     SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
00219 
00220     /* Apply PKCS padding */
00221     pad_len = 16 - clear_len % 16;
00222     enc_len = clear_len + pad_len;
00223     for( i = clear_len; i < enc_len; i++ )
00224         state[i] = (unsigned char) pad_len;
00225 
00226     /* Encrypt */
00227     if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
00228                                enc_len, iv, state, state ) ) != 0 )
00229     {
00230         return( ret );
00231     }
00232 
00233     /* Write length */
00234     *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
00235     *p++ = (unsigned char)( ( enc_len      ) & 0xFF );
00236     p = state + enc_len;
00237 
00238     /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
00239     sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
00240     p += 32;
00241 
00242     *tlen = p - start;
00243 
00244     SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
00245 
00246     return( 0 );
00247 }
00248 
00249 /*
00250  * Load session ticket (see ssl_write_ticket for structure)
00251  */
00252 static int ssl_parse_ticket( ssl_context *ssl,
00253                              unsigned char *buf,
00254                              size_t len )
00255 {
00256     int ret;
00257     ssl_session session;
00258     unsigned char *key_name = buf;
00259     unsigned char *iv = buf + 16;
00260     unsigned char *enc_len_p = iv + 16;
00261     unsigned char *ticket = enc_len_p + 2;
00262     unsigned char *mac;
00263     unsigned char computed_mac[32];
00264     size_t enc_len, clear_len, i;
00265     unsigned char pad_len, diff;
00266 
00267     SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
00268 
00269     if( len < 34 || ssl->ticket_keys == NULL )
00270         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00271 
00272     enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
00273     mac = ticket + enc_len;
00274 
00275     if( len != enc_len + 66 )
00276         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00277 
00278     /* Check name, in constant time though it's not a big secret */
00279     diff = 0;
00280     for( i = 0; i < 16; i++ )
00281         diff |= key_name[i] ^ ssl->ticket_keys->key_name[i];
00282     /* don't return yet, check the MAC anyway */
00283 
00284     /* Check mac, with constant-time buffer comparison */
00285     sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
00286                  computed_mac, 0 );
00287 
00288     for( i = 0; i < 32; i++ )
00289         diff |= mac[i] ^ computed_mac[i];
00290 
00291     /* Now return if ticket is not authentic, since we want to avoid
00292      * decrypting arbitrary attacker-chosen data */
00293     if( diff != 0 )
00294         return( POLARSSL_ERR_SSL_INVALID_MAC );
00295 
00296     /* Decrypt */
00297     if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
00298                                enc_len, iv, ticket, ticket ) ) != 0 )
00299     {
00300         return( ret );
00301     }
00302 
00303     /* Check PKCS padding */
00304     pad_len = ticket[enc_len - 1];
00305 
00306     ret = 0;
00307     for( i = 2; i < pad_len; i++ )
00308         if( ticket[enc_len - i] != pad_len )
00309             ret = POLARSSL_ERR_SSL_BAD_INPUT_DATA;
00310     if( ret != 0 )
00311         return( ret );
00312 
00313     clear_len = enc_len - pad_len;
00314 
00315     SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
00316 
00317     /* Actually load session */
00318     if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
00319     {
00320         SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
00321         ssl_session_free( &session );
00322         return( ret );
00323     }
00324 
00325 #if defined(POLARSSL_HAVE_TIME)
00326     /* Check if still valid */
00327     if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
00328     {
00329         SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
00330         ssl_session_free( &session );
00331         return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED );
00332     }
00333 #endif
00334 
00335     /*
00336      * Keep the session ID sent by the client, since we MUST send it back to
00337      * inform him we're accepting the ticket  (RFC 5077 section 3.4)
00338      */
00339     session.length = ssl->session_negotiate->length;
00340     memcpy( &session.id, ssl->session_negotiate->id, session.length );
00341 
00342     ssl_session_free( ssl->session_negotiate );
00343     memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
00344 
00345     /* Zeroize instead of free as we copied the content */
00346     polarssl_zeroize( &session, sizeof( ssl_session ) );
00347 
00348     return( 0 );
00349 }
00350 #endif /* POLARSSL_SSL_SESSION_TICKETS */
00351 
00352 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
00353 /*
00354  * Wrapper around f_sni, allowing use of ssl_set_own_cert() but
00355  * making it act on ssl->hanshake->sni_key_cert instead.
00356  */
00357 static int ssl_sni_wrapper( ssl_context *ssl,
00358                             const unsigned char* name, size_t len )
00359 {
00360     int ret;
00361     ssl_key_cert *key_cert_ori = ssl->key_cert;
00362 
00363     ssl->key_cert = NULL;
00364     ret = ssl->f_sni( ssl->p_sni, ssl, name, len );
00365     ssl->handshake->sni_key_cert = ssl->key_cert;
00366 
00367     ssl->key_cert = key_cert_ori;
00368 
00369     return( ret );
00370 }
00371 
00372 static int ssl_parse_servername_ext( ssl_context *ssl,
00373                                      const unsigned char *buf,
00374                                      size_t len )
00375 {
00376     int ret;
00377     size_t servername_list_size, hostname_len;
00378     const unsigned char *p;
00379 
00380     SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
00381 
00382     servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
00383     if( servername_list_size + 2 != len )
00384     {
00385         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00386         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00387     }
00388 
00389     p = buf + 2;
00390     while( servername_list_size > 0 )
00391     {
00392         hostname_len = ( ( p[1] << 8 ) | p[2] );
00393         if( hostname_len + 3 > servername_list_size )
00394         {
00395             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00396             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00397         }
00398 
00399         if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
00400         {
00401             ret = ssl_sni_wrapper( ssl, p + 3, hostname_len );
00402             if( ret != 0 )
00403             {
00404                 SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
00405                 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
00406                         SSL_ALERT_MSG_UNRECOGNIZED_NAME );
00407                 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00408             }
00409             return( 0 );
00410         }
00411 
00412         servername_list_size -= hostname_len + 3;
00413         p += hostname_len + 3;
00414     }
00415 
00416     if( servername_list_size != 0 )
00417     {
00418         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00419         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00420     }
00421 
00422     return( 0 );
00423 }
00424 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
00425 
00426 static int ssl_parse_renegotiation_info( ssl_context *ssl,
00427                                          const unsigned char *buf,
00428                                          size_t len )
00429 {
00430     int ret;
00431 
00432 #if defined(POLARSSL_SSL_RENEGOTIATION)
00433     if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
00434     {
00435         /* Check verify-data in constant-time. The length OTOH is no secret */
00436         if( len    != 1 + ssl->verify_data_len ||
00437             buf[0] !=     ssl->verify_data_len ||
00438             safer_memcmp( buf + 1, ssl->peer_verify_data,
00439                           ssl->verify_data_len ) != 0 )
00440         {
00441             SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
00442 
00443             if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
00444                 return( ret );
00445 
00446             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00447         }
00448     }
00449     else
00450 #endif /* POLARSSL_SSL_RENEGOTIATION */
00451     {
00452         if( len != 1 || buf[0] != 0x0 )
00453         {
00454             SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
00455 
00456             if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
00457                 return( ret );
00458 
00459             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00460         }
00461 
00462         ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
00463     }
00464 
00465     return( 0 );
00466 }
00467 
00468 #if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
00469     defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
00470 static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
00471                                                const unsigned char *buf,
00472                                                size_t len )
00473 {
00474     size_t sig_alg_list_size;
00475     const unsigned char *p;
00476     const unsigned char *end = buf + len;
00477     const int *md_cur;
00478 
00479 
00480     sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
00481     if( sig_alg_list_size + 2 != len ||
00482         sig_alg_list_size % 2 != 0 )
00483     {
00484         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00485         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00486     }
00487 
00488     /*
00489      * For now, ignore the SignatureAlgorithm part and rely on offered
00490      * ciphersuites only for that part. To be fixed later.
00491      *
00492      * So, just look at the HashAlgorithm part.
00493      */
00494     for( md_cur = md_list(); *md_cur != POLARSSL_MD_NONE; md_cur++ ) {
00495         for( p = buf + 2; p < end; p += 2 ) {
00496             if( *md_cur == (int) ssl_md_alg_from_hash( p[0] ) ) {
00497                 ssl->handshake->sig_alg = p[0];
00498                 goto have_sig_alg;
00499             }
00500         }
00501     }
00502 
00503     /* Some key echanges do not need signatures at all */
00504     SSL_DEBUG_MSG( 3, ( "no signature_algorithm in common" ) );
00505     return( 0 );
00506 
00507 have_sig_alg:
00508     SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
00509                    ssl->handshake->sig_alg ) );
00510 
00511     return( 0 );
00512 }
00513 #endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
00514           POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
00515 
00516 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
00517 static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
00518                                                 const unsigned char *buf,
00519                                                 size_t len )
00520 {
00521     size_t list_size, our_size;
00522     const unsigned char *p;
00523     const ecp_curve_info *curve_info, **curves;
00524 
00525     list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
00526     if( list_size + 2 != len ||
00527         list_size % 2 != 0 )
00528     {
00529         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00530         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00531     }
00532 
00533     /* Should never happen unless client duplicates the extension */
00534     if( ssl->handshake->curves != NULL )
00535     {
00536         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00537         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00538     }
00539 
00540     /* Don't allow our peer to make us allocate too much memory,
00541      * and leave room for a final 0 */
00542     our_size = list_size / 2 + 1;
00543     if( our_size > POLARSSL_ECP_DP_MAX )
00544         our_size = POLARSSL_ECP_DP_MAX;
00545 
00546     if( ( curves = polarssl_malloc( our_size * sizeof( *curves ) ) ) == NULL )
00547         return( POLARSSL_ERR_SSL_MALLOC_FAILED );
00548 
00549     /* explicit void pointer cast for buggy MS compiler */
00550     memset( (void *) curves, 0, our_size * sizeof( *curves ) );
00551     ssl->handshake->curves = curves;
00552 
00553     p = buf + 2;
00554     while( list_size > 0 && our_size > 1 )
00555     {
00556         curve_info = ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
00557 
00558         if( curve_info != NULL )
00559         {
00560             *curves++ = curve_info;
00561             our_size--;
00562         }
00563 
00564         list_size -= 2;
00565         p += 2;
00566     }
00567 
00568     return( 0 );
00569 }
00570 
00571 static int ssl_parse_supported_point_formats( ssl_context *ssl,
00572                                               const unsigned char *buf,
00573                                               size_t len )
00574 {
00575     size_t list_size;
00576     const unsigned char *p;
00577 
00578     list_size = buf[0];
00579     if( list_size + 1 != len )
00580     {
00581         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00582         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00583     }
00584 
00585     p = buf + 2;
00586     while( list_size > 0 )
00587     {
00588         if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
00589             p[0] == POLARSSL_ECP_PF_COMPRESSED )
00590         {
00591             ssl->handshake->ecdh_ctx.point_format = p[0];
00592             SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
00593             return( 0 );
00594         }
00595 
00596         list_size--;
00597         p++;
00598     }
00599 
00600     return( 0 );
00601 }
00602 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
00603 
00604 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
00605 static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
00606                                               const unsigned char *buf,
00607                                               size_t len )
00608 {
00609     if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
00610     {
00611         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00612         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00613     }
00614 
00615     ssl->session_negotiate->mfl_code = buf[0];
00616 
00617     return( 0 );
00618 }
00619 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
00620 
00621 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
00622 static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
00623                                          const unsigned char *buf,
00624                                          size_t len )
00625 {
00626     if( len != 0 )
00627     {
00628         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00629         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00630     }
00631 
00632     ((void) buf);
00633 
00634     if( ssl->trunc_hmac == SSL_TRUNC_HMAC_ENABLED )
00635         ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
00636 
00637     return( 0 );
00638 }
00639 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
00640 
00641 #if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
00642 static int ssl_parse_encrypt_then_mac_ext( ssl_context *ssl,
00643                                       const unsigned char *buf,
00644                                       size_t len )
00645 {
00646     if( len != 0 )
00647     {
00648         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00649         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00650     }
00651 
00652     ((void) buf);
00653 
00654     if( ssl->encrypt_then_mac == SSL_ETM_ENABLED &&
00655         ssl->minor_ver != SSL_MINOR_VERSION_0 )
00656     {
00657         ssl->session_negotiate->encrypt_then_mac = SSL_ETM_ENABLED;
00658     }
00659 
00660     return( 0 );
00661 }
00662 #endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
00663 
00664 #if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
00665 static int ssl_parse_extended_ms_ext( ssl_context *ssl,
00666                                       const unsigned char *buf,
00667                                       size_t len )
00668 {
00669     if( len != 0 )
00670     {
00671         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00672         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00673     }
00674 
00675     ((void) buf);
00676 
00677     if( ssl->extended_ms == SSL_EXTENDED_MS_ENABLED &&
00678         ssl->minor_ver != SSL_MINOR_VERSION_0 )
00679     {
00680         ssl->handshake->extended_ms = SSL_EXTENDED_MS_ENABLED;
00681     }
00682 
00683     return( 0 );
00684 }
00685 #endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
00686 
00687 #if defined(POLARSSL_SSL_SESSION_TICKETS)
00688 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
00689                                          unsigned char *buf,
00690                                          size_t len )
00691 {
00692     int ret;
00693 
00694     if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
00695         return( 0 );
00696 
00697     /* Remember the client asked us to send a new ticket */
00698     ssl->handshake->new_session_ticket = 1;
00699 
00700     SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
00701 
00702     if( len == 0 )
00703         return( 0 );
00704 
00705 #if defined(POLARSSL_SSL_RENEGOTIATION)
00706     if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
00707     {
00708         SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
00709         return( 0 );
00710     }
00711 #endif /* POLARSSL_SSL_RENEGOTIATION */
00712 
00713     /*
00714      * Failures are ok: just ignore the ticket and proceed.
00715      */
00716     if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
00717     {
00718         SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
00719         return( 0 );
00720     }
00721 
00722     SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
00723 
00724     ssl->handshake->resume = 1;
00725 
00726     /* Don't send a new ticket after all, this one is OK */
00727     ssl->handshake->new_session_ticket = 0;
00728 
00729     return( 0 );
00730 }
00731 #endif /* POLARSSL_SSL_SESSION_TICKETS */
00732 
00733 #if defined(POLARSSL_SSL_ALPN)
00734 static int ssl_parse_alpn_ext( ssl_context *ssl,
00735                                const unsigned char *buf, size_t len )
00736 {
00737     size_t list_len, cur_len, ours_len;
00738     const unsigned char *theirs, *start, *end;
00739     const char **ours;
00740 
00741     /* If ALPN not configured, just ignore the extension */
00742     if( ssl->alpn_list == NULL )
00743         return( 0 );
00744 
00745     /*
00746      * opaque ProtocolName<1..2^8-1>;
00747      *
00748      * struct {
00749      *     ProtocolName protocol_name_list<2..2^16-1>
00750      * } ProtocolNameList;
00751      */
00752 
00753     /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
00754     if( len < 4 )
00755         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00756 
00757     list_len = ( buf[0] << 8 ) | buf[1];
00758     if( list_len != len - 2 )
00759         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00760 
00761     /*
00762      * Use our order of preference
00763      */
00764     start = buf + 2;
00765     end = buf + len;
00766     for( ours = ssl->alpn_list; *ours != NULL; ours++ )
00767     {
00768         ours_len = strlen( *ours );
00769         for( theirs = start; theirs != end; theirs += cur_len )
00770         {
00771             /* If the list is well formed, we should get equality first */
00772             if( theirs > end )
00773                 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00774 
00775             cur_len = *theirs++;
00776 
00777             /* Empty strings MUST NOT be included */
00778             if( cur_len == 0 )
00779                 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00780 
00781             if( cur_len == ours_len &&
00782                 memcmp( theirs, *ours, cur_len ) == 0 )
00783             {
00784                 ssl->alpn_chosen = *ours;
00785                 return( 0 );
00786             }
00787         }
00788     }
00789 
00790     /* If we get there, no match was found */
00791     ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
00792                             SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
00793     return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00794 }
00795 #endif /* POLARSSL_SSL_ALPN */
00796 
00797 /*
00798  * Auxiliary functions for ServerHello parsing and related actions
00799  */
00800 
00801 #if defined(POLARSSL_X509_CRT_PARSE_C)
00802 /*
00803  * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
00804  */
00805 #if defined(POLARSSL_ECDSA_C)
00806 static int ssl_check_key_curve( pk_context *pk,
00807                                 const ecp_curve_info **curves )
00808 {
00809     const ecp_curve_info **crv = curves;
00810     ecp_group_id grp_id = pk_ec( *pk )->grp.id;
00811 
00812     while( *crv != NULL )
00813     {
00814         if( (*crv)->grp_id == grp_id )
00815             return( 0 );
00816         crv++;
00817     }
00818 
00819     return( -1 );
00820 }
00821 #endif /* POLARSSL_ECDSA_C */
00822 
00823 /*
00824  * Try picking a certificate for this ciphersuite,
00825  * return 0 on success and -1 on failure.
00826  */
00827 static int ssl_pick_cert( ssl_context *ssl,
00828                           const ssl_ciphersuite_t * ciphersuite_info )
00829 {
00830     ssl_key_cert *cur, *list, *fallback = NULL;
00831     pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
00832     int flags;
00833 
00834 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
00835     if( ssl->handshake->sni_key_cert != NULL )
00836         list = ssl->handshake->sni_key_cert;
00837     else
00838 #endif
00839         list = ssl->handshake->key_cert;
00840 
00841     if( pk_alg == POLARSSL_PK_NONE )
00842         return( 0 );
00843 
00844     SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
00845 
00846     for( cur = list; cur != NULL; cur = cur->next )
00847     {
00848         SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
00849                           cur->cert );
00850 
00851         if( ! pk_can_do( cur->key, pk_alg ) )
00852         {
00853             SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
00854             continue;
00855         }
00856 
00857         /*
00858          * This avoids sending the client a cert it'll reject based on
00859          * keyUsage or other extensions.
00860          *
00861          * It also allows the user to provision different certificates for
00862          * different uses based on keyUsage, eg if they want to avoid signing
00863          * and decrypting with the same RSA key.
00864          */
00865         if( ssl_check_cert_usage( cur->cert, ciphersuite_info,
00866                                   SSL_IS_SERVER, &flags ) != 0 )
00867         {
00868             SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
00869                                 "(extended) key usage extension" ) );
00870             continue;
00871         }
00872 
00873 #if defined(POLARSSL_ECDSA_C)
00874         if( pk_alg == POLARSSL_PK_ECDSA &&
00875             ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 )
00876         {
00877             SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
00878             continue;
00879         }
00880 #endif
00881 
00882         /*
00883          * Try to select a SHA-1 certificate for pre-1.2 clients, but still
00884          * present them a SHA-higher cert rather than failing if it's the only
00885          * one we got that satisfies the other conditions.
00886          */
00887         if( ssl->minor_ver < SSL_MINOR_VERSION_3 &&
00888             cur->cert->sig_md != POLARSSL_MD_SHA1 )
00889         {
00890             if( fallback == NULL )
00891                 fallback = cur;
00892             {
00893                 SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
00894                                     "sha-2 with pre-TLS 1.2 client" ) );
00895             continue;
00896             }
00897         }
00898 
00899         /* If we get there, we got a winner */
00900         break;
00901     }
00902 
00903     if( cur == NULL )
00904         cur = fallback;
00905 
00906 
00907     /* Do not update ssl->handshake->key_cert unless the is a match */
00908     if( cur != NULL )
00909     {
00910         ssl->handshake->key_cert = cur;
00911         SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
00912                           ssl->handshake->key_cert->cert );
00913         return( 0 );
00914     }
00915 
00916     return( -1 );
00917 }
00918 #endif /* POLARSSL_X509_CRT_PARSE_C */
00919 
00920 /*
00921  * Check if a given ciphersuite is suitable for use with our config/keys/etc
00922  * Sets ciphersuite_info only if the suite matches.
00923  */
00924 static int ssl_ciphersuite_match( ssl_context *ssl, int suite_id,
00925                                   const ssl_ciphersuite_t **ciphersuite_info )
00926 {
00927     const ssl_ciphersuite_t *suite_info;
00928 
00929     suite_info = ssl_ciphersuite_from_id( suite_id );
00930     if( suite_info == NULL )
00931     {
00932         SSL_DEBUG_MSG( 1, ( "should never happen" ) );
00933         return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
00934     }
00935 
00936     SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
00937 
00938     if( suite_info->min_minor_ver > ssl->minor_ver ||
00939         suite_info->max_minor_ver < ssl->minor_ver )
00940     {
00941         SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
00942         return( 0 );
00943     }
00944 
00945     if( ssl->arc4_disabled == SSL_ARC4_DISABLED &&
00946             suite_info->cipher == POLARSSL_CIPHER_ARC4_128 )
00947     {
00948         SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
00949         return( 0 );
00950     }
00951 
00952 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
00953     if( ssl_ciphersuite_uses_ec( suite_info ) &&
00954         ( ssl->handshake->curves == NULL ||
00955           ssl->handshake->curves[0] == NULL ) )
00956     {
00957         SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
00958                             "no common elliptic curve" ) );
00959         return( 0 );
00960     }
00961 #endif
00962 
00963 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
00964     /* If the ciphersuite requires a pre-shared key and we don't
00965      * have one, skip it now rather than failing later */
00966     if( ssl_ciphersuite_uses_psk( suite_info ) &&
00967         ssl->f_psk == NULL &&
00968         ( ssl->psk == NULL || ssl->psk_identity == NULL ||
00969           ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
00970     {
00971         SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
00972         return( 0 );
00973     }
00974 #endif
00975 
00976 #if defined(POLARSSL_X509_CRT_PARSE_C)
00977     /*
00978      * Final check: if ciphersuite requires us to have a
00979      * certificate/key of a particular type:
00980      * - select the appropriate certificate if we have one, or
00981      * - try the next ciphersuite if we don't
00982      * This must be done last since we modify the key_cert list.
00983      */
00984     if( ssl_pick_cert( ssl, suite_info ) != 0 )
00985     {
00986         SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
00987                             "no suitable certificate" ) );
00988         return( 0 );
00989     }
00990 #endif
00991 
00992     *ciphersuite_info = suite_info;
00993     return( 0 );
00994 }
00995 
00996 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
00997 static int ssl_parse_client_hello_v2( ssl_context *ssl )
00998 {
00999     int ret, got_common_suite;
01000     unsigned int i, j;
01001     size_t n;
01002     unsigned int ciph_len, sess_len, chal_len;
01003     unsigned char *buf, *p;
01004     const int *ciphersuites;
01005     const ssl_ciphersuite_t *ciphersuite_info;
01006 
01007     SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
01008 
01009 #if defined(POLARSSL_SSL_RENEGOTIATION)
01010     if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
01011     {
01012         SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
01013 
01014         if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
01015             return( ret );
01016 
01017         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01018     }
01019 #endif /* POLARSSL_SSL_RENEGOTIATION */
01020 
01021     buf = ssl->in_hdr;
01022 
01023     SSL_DEBUG_BUF( 4, "record header", buf, 5 );
01024 
01025     SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
01026                    buf[2] ) );
01027     SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
01028                    ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
01029     SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
01030                    buf[3], buf[4] ) );
01031 
01032     /*
01033      * SSLv2 Client Hello
01034      *
01035      * Record layer:
01036      *     0  .   1   message length
01037      *
01038      * SSL layer:
01039      *     2  .   2   message type
01040      *     3  .   4   protocol version
01041      */
01042     if( buf[2] != SSL_HS_CLIENT_HELLO ||
01043         buf[3] != SSL_MAJOR_VERSION_3 )
01044     {
01045         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01046         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01047     }
01048 
01049     n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
01050 
01051     if( n < 17 || n > 512 )
01052     {
01053         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01054         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01055     }
01056 
01057     ssl->major_ver = SSL_MAJOR_VERSION_3;
01058     ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
01059                      ? buf[4]  : ssl->max_minor_ver;
01060 
01061     if( ssl->minor_ver < ssl->min_minor_ver )
01062     {
01063         SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
01064                             " [%d:%d] < [%d:%d]",
01065                             ssl->major_ver, ssl->minor_ver,
01066                             ssl->min_major_ver, ssl->min_minor_ver ) );
01067 
01068         ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
01069                                      SSL_ALERT_MSG_PROTOCOL_VERSION );
01070         return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
01071     }
01072 
01073     ssl->handshake->max_major_ver = buf[3];
01074     ssl->handshake->max_minor_ver = buf[4];
01075 
01076     if( ( ret = ssl_fetch_input ( ssl, 2 + n ) ) != 0 )
01077     {
01078         SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
01079         return( ret );
01080     }
01081 
01082     ssl->handshake->update_checksum( ssl, buf + 2, n );
01083 
01084     buf = ssl->in_msg;
01085     n = ssl->in_left - 5;
01086 
01087     /*
01088      *    0  .   1   ciphersuitelist length
01089      *    2  .   3   session id length
01090      *    4  .   5   challenge length
01091      *    6  .  ..   ciphersuitelist
01092      *   ..  .  ..   session id
01093      *   ..  .  ..   challenge
01094      */
01095     SSL_DEBUG_BUF( 4, "record contents", buf, n );
01096 
01097     ciph_len = ( buf[0] << 8 ) | buf[1];
01098     sess_len = ( buf[2] << 8 ) | buf[3];
01099     chal_len = ( buf[4] << 8 ) | buf[5];
01100 
01101     SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
01102                    ciph_len, sess_len, chal_len ) );
01103 
01104     /*
01105      * Make sure each parameter length is valid
01106      */
01107     if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
01108     {
01109         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01110         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01111     }
01112 
01113     if( sess_len > 32 )
01114     {
01115         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01116         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01117     }
01118 
01119     if( chal_len < 8 || chal_len > 32 )
01120     {
01121         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01122         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01123     }
01124 
01125     if( n != 6 + ciph_len + sess_len + chal_len )
01126     {
01127         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01128         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01129     }
01130 
01131     SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
01132                    buf + 6, ciph_len );
01133     SSL_DEBUG_BUF( 3, "client hello, session id",
01134                    buf + 6 + ciph_len, sess_len );
01135     SSL_DEBUG_BUF( 3, "client hello, challenge",
01136                    buf + 6 + ciph_len + sess_len, chal_len );
01137 
01138     p = buf + 6 + ciph_len;
01139     ssl->session_negotiate->length = sess_len;
01140     memset( ssl->session_negotiate->id, 0,
01141             sizeof( ssl->session_negotiate->id ) );
01142     memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
01143 
01144     p += sess_len;
01145     memset( ssl->handshake->randbytes, 0, 64 );
01146     memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
01147 
01148     /*
01149      * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
01150      */
01151     for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
01152     {
01153         if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
01154         {
01155             SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
01156 #if defined(POLARSSL_SSL_RENEGOTIATION)
01157             if( ssl->renegotiation == SSL_RENEGOTIATION )
01158             {
01159                 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
01160                                     "during renegotiation" ) );
01161 
01162                 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
01163                     return( ret );
01164 
01165                 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01166             }
01167 #endif /* POLARSSL_SSL_RENEGOTIATION */
01168             ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
01169             break;
01170         }
01171     }
01172 
01173 #if defined(POLARSSL_SSL_FALLBACK_SCSV)
01174     for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
01175     {
01176         if( p[0] == 0 &&
01177             p[1] == (unsigned char)( ( SSL_FALLBACK_SCSV >> 8 ) & 0xff ) &&
01178             p[2] == (unsigned char)( ( SSL_FALLBACK_SCSV      ) & 0xff ) )
01179         {
01180             SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
01181 
01182             if( ssl->minor_ver < ssl->max_minor_ver )
01183             {
01184                 SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
01185 
01186                 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
01187                                         SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
01188 
01189                 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01190             }
01191 
01192             break;
01193         }
01194     }
01195 #endif /* POLARSSL_SSL_FALLBACK_SCSV */
01196 
01197     got_common_suite = 0;
01198     ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
01199     ciphersuite_info = NULL;
01200 #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
01201     for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
01202     {
01203         for( i = 0; ciphersuites[i] != 0; i++ )
01204 #else
01205     for( i = 0; ciphersuites[i] != 0; i++ )
01206     {
01207         for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
01208 #endif
01209         {
01210             if( p[0] != 0 ||
01211                 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
01212                 p[2] != ( ( ciphersuites[i]      ) & 0xFF ) )
01213                 continue;
01214 
01215             got_common_suite = 1;
01216 
01217             if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
01218                                                &ciphersuite_info ) ) != 0 )
01219                 return( ret );
01220 
01221             if( ciphersuite_info != NULL )
01222                 goto have_ciphersuite_v2;
01223         }
01224     }
01225 
01226     if( got_common_suite )
01227     {
01228         SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
01229                             "but none of them usable" ) );
01230         return( POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE );
01231     }
01232     else
01233     {
01234         SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
01235         return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
01236     }
01237 
01238 have_ciphersuite_v2:
01239     SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
01240 
01241     ssl->session_negotiate->ciphersuite = ciphersuites[i];
01242     ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
01243     ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
01244 
01245     /*
01246      * SSLv2 Client Hello relevant renegotiation security checks
01247      */
01248     if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
01249         ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
01250     {
01251         SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
01252 
01253         if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
01254             return( ret );
01255 
01256         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01257     }
01258 
01259     ssl->in_left = 0;
01260     ssl->state++;
01261 
01262     SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
01263 
01264     return( 0 );
01265 }
01266 #endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
01267 
01268 static int ssl_parse_client_hello( ssl_context *ssl )
01269 {
01270     int ret, got_common_suite;
01271     unsigned int i, j;
01272     size_t n;
01273     unsigned int ciph_len, sess_len;
01274     unsigned int comp_len;
01275     unsigned int ext_len = 0;
01276     unsigned char *buf, *p, *ext;
01277 #if defined(POLARSSL_SSL_RENEGOTIATION)
01278     int renegotiation_info_seen = 0;
01279 #endif
01280     int handshake_failure = 0;
01281     const int *ciphersuites;
01282     const ssl_ciphersuite_t *ciphersuite_info;
01283 
01284     SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
01285 
01286 #if defined(POLARSSL_SSL_RENEGOTIATION)
01287     if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
01288 #endif
01289     {
01290         if( ( ret = ssl_fetch_input ( ssl, 5 ) ) != 0 )
01291         {
01292             SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
01293             return( ret );
01294         }
01295     }
01296 
01297     buf = ssl->in_hdr;
01298 
01299 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
01300     if( ( buf[0] & 0x80 ) != 0 )
01301         return ssl_parse_client_hello_v2( ssl );
01302 #endif
01303 
01304     SSL_DEBUG_BUF( 4, "record header", buf, 5 );
01305 
01306     SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
01307                    buf[0] ) );
01308     SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
01309                    ( buf[3] << 8 ) | buf[4] ) );
01310     SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
01311                    buf[1], buf[2] ) );
01312 
01313     /*
01314      * SSLv3/TLS Client Hello
01315      *
01316      * Record layer:
01317      *     0  .   0   message type
01318      *     1  .   2   protocol version
01319      *     3  .   4   message length
01320      */
01321 
01322     /* According to RFC 5246 Appendix E.1, the version here is typically
01323      * "{03,00}, the lowest version number supported by the client, [or] the
01324      * value of ClientHello.client_version", so the only meaningful check here
01325      * is the major version shouldn't be less than 3 */
01326     if( buf[0] != SSL_MSG_HANDSHAKE ||
01327         buf[1] < SSL_MAJOR_VERSION_3 )
01328     {
01329         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01330         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01331     }
01332 
01333     n = ( buf[3] << 8 ) | buf[4];
01334 
01335     if( n < 45 || n > SSL_MAX_CONTENT_LEN )
01336     {
01337         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01338         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01339     }
01340 
01341 #if defined(POLARSSL_SSL_RENEGOTIATION)
01342     if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
01343 #endif
01344     {
01345         if( ( ret = ssl_fetch_input ( ssl, 5 + n ) ) != 0 )
01346         {
01347             SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
01348             return( ret );
01349         }
01350     }
01351 
01352     buf = ssl->in_msg;
01353 #if defined(POLARSSL_SSL_RENEGOTIATION)
01354     if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
01355         n = ssl->in_msglen;
01356     else
01357 #endif
01358         n = ssl->in_left - 5;
01359 
01360     ssl->handshake->update_checksum( ssl, buf, n );
01361 
01362     /*
01363      * SSL layer:
01364      *     0  .   0   handshake type
01365      *     1  .   3   handshake length
01366      *     4  .   5   protocol version
01367      *     6  .   9   UNIX time()
01368      *    10  .  37   random bytes
01369      *    38  .  38   session id length
01370      *    39  . 38+x  session id
01371      *   39+x . 40+x  ciphersuitelist length
01372      *   41+x . 40+y  ciphersuitelist
01373      *   41+y . 41+y  compression alg length
01374      *   42+y . 41+z  compression algs
01375      *    ..  .  ..   extensions
01376      */
01377     SSL_DEBUG_BUF( 4, "record contents", buf, n );
01378 
01379     SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
01380                    buf[0] ) );
01381     SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
01382                    ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
01383     SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
01384                    buf[4], buf[5] ) );
01385 
01386     /*
01387      * Check the handshake type and protocol version
01388      */
01389     if( buf[0] != SSL_HS_CLIENT_HELLO )
01390     {
01391         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01392         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01393     }
01394 
01395     ssl->major_ver = buf[4];
01396     ssl->minor_ver = buf[5];
01397 
01398     ssl->handshake->max_major_ver = ssl->major_ver;
01399     ssl->handshake->max_minor_ver = ssl->minor_ver;
01400 
01401     if( ssl->major_ver < ssl->min_major_ver ||
01402         ssl->minor_ver < ssl->min_minor_ver )
01403     {
01404         SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
01405                             " [%d:%d] < [%d:%d]",
01406                             ssl->major_ver, ssl->minor_ver,
01407                             ssl->min_major_ver, ssl->min_minor_ver ) );
01408 
01409         ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
01410                                      SSL_ALERT_MSG_PROTOCOL_VERSION );
01411 
01412         return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
01413     }
01414 
01415     if( ssl->major_ver > ssl->max_major_ver )
01416     {
01417         ssl->major_ver = ssl->max_major_ver;
01418         ssl->minor_ver = ssl->max_minor_ver;
01419     }
01420     else if( ssl->minor_ver > ssl->max_minor_ver )
01421         ssl->minor_ver = ssl->max_minor_ver;
01422 
01423     memcpy( ssl->handshake->randbytes, buf + 6, 32 );
01424 
01425     /*
01426      * Check the handshake message length
01427      */
01428     if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
01429     {
01430         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01431         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01432     }
01433 
01434     /*
01435      * Check the session length
01436      */
01437     sess_len = buf[38];
01438 
01439     if( sess_len > 32 || sess_len > n - 42 )
01440     {
01441         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01442         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01443     }
01444 
01445     ssl->session_negotiate->length = sess_len;
01446     memset( ssl->session_negotiate->id, 0,
01447             sizeof( ssl->session_negotiate->id ) );
01448     memcpy( ssl->session_negotiate->id, buf + 39,
01449             ssl->session_negotiate->length );
01450 
01451     /*
01452      * Check the ciphersuitelist length
01453      */
01454     ciph_len = ( buf[39 + sess_len] << 8 )
01455              | ( buf[40 + sess_len]      );
01456 
01457     if( ciph_len < 2 || ( ciph_len % 2 ) != 0 || ciph_len > n - 42 - sess_len )
01458     {
01459         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01460         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01461     }
01462 
01463     /*
01464      * Check the compression algorithms length
01465      */
01466     comp_len = buf[41 + sess_len + ciph_len];
01467 
01468     if( comp_len < 1 || comp_len > 16 ||
01469         comp_len > n - 42 - sess_len - ciph_len )
01470     {
01471         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01472         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01473     }
01474 
01475     /*
01476      * Check the extension length
01477      */
01478     if( n > 42 + sess_len + ciph_len + comp_len )
01479     {
01480         ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
01481                 | ( buf[43 + sess_len + ciph_len + comp_len]      );
01482 
01483         if( ( ext_len > 0 && ext_len < 4 ) ||
01484             n != 44 + sess_len + ciph_len + comp_len + ext_len )
01485         {
01486             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01487             SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
01488             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01489         }
01490     }
01491 
01492     ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
01493 #if defined(POLARSSL_ZLIB_SUPPORT)
01494     for( i = 0; i < comp_len; ++i )
01495     {
01496         if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
01497         {
01498             ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE;
01499             break;
01500         }
01501     }
01502 #endif
01503 
01504     SSL_DEBUG_BUF( 3, "client hello, random bytes",
01505                    buf +  6,  32 );
01506     SSL_DEBUG_BUF( 3, "client hello, session id",
01507                    buf + 38,  sess_len );
01508     SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
01509                    buf + 41 + sess_len,  ciph_len );
01510     SSL_DEBUG_BUF( 3, "client hello, compression",
01511                    buf + 42 + sess_len + ciph_len, comp_len );
01512 
01513     /*
01514      * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
01515      */
01516     for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
01517     {
01518         if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
01519         {
01520             SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
01521 #if defined(POLARSSL_SSL_RENEGOTIATION)
01522             if( ssl->renegotiation == SSL_RENEGOTIATION )
01523             {
01524                 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
01525 
01526                 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
01527                     return( ret );
01528 
01529                 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01530             }
01531             renegotiation_info_seen = 1;
01532 #endif /* POLARSSL_SSL_RENEGOTIATION */
01533             ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
01534             break;
01535         }
01536     }
01537 
01538 #if defined(POLARSSL_SSL_FALLBACK_SCSV)
01539     for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
01540     {
01541         if( p[0] == (unsigned char)( ( SSL_FALLBACK_SCSV >> 8 ) & 0xff ) &&
01542             p[1] == (unsigned char)( ( SSL_FALLBACK_SCSV      ) & 0xff ) )
01543         {
01544             SSL_DEBUG_MSG( 0, ( "received FALLBACK_SCSV" ) );
01545 
01546             if( ssl->minor_ver < ssl->max_minor_ver )
01547             {
01548                 SSL_DEBUG_MSG( 0, ( "inapropriate fallback" ) );
01549 
01550                 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
01551                                         SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
01552 
01553                 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01554             }
01555 
01556             break;
01557         }
01558     }
01559 #endif /* POLARSSL_SSL_FALLBACK_SCSV */
01560 
01561     ext = buf + 44 + sess_len + ciph_len + comp_len;
01562 
01563     while( ext_len )
01564     {
01565         unsigned int ext_id   = ( ( ext[0] <<  8 )
01566                                 | ( ext[1]       ) );
01567         unsigned int ext_size = ( ( ext[2] <<  8 )
01568                                 | ( ext[3]       ) );
01569 
01570         if( ext_size + 4 > ext_len )
01571         {
01572             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01573             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01574         }
01575         switch( ext_id )
01576         {
01577 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
01578         case TLS_EXT_SERVERNAME:
01579             SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
01580             if( ssl->f_sni == NULL )
01581                 break;
01582 
01583             ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
01584             if( ret != 0 )
01585                 return( ret );
01586             break;
01587 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
01588 
01589         case TLS_EXT_RENEGOTIATION_INFO:
01590             SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
01591 #if defined(POLARSSL_SSL_RENEGOTIATION)
01592             renegotiation_info_seen = 1;
01593 #endif
01594 
01595             ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
01596             if( ret != 0 )
01597                 return( ret );
01598             break;
01599 
01600 #if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
01601     defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
01602         case TLS_EXT_SIG_ALG:
01603             SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
01604 #if defined(POLARSSL_SSL_RENEGOTIATION)
01605             if( ssl->renegotiation == SSL_RENEGOTIATION )
01606                 break;
01607 #endif
01608 
01609             ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
01610             if( ret != 0 )
01611                 return( ret );
01612             break;
01613 #endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
01614           POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
01615 
01616 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
01617         case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
01618             SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
01619 
01620             ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
01621             if( ret != 0 )
01622                 return( ret );
01623             break;
01624 
01625         case TLS_EXT_SUPPORTED_POINT_FORMATS:
01626             SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
01627             ssl->handshake->cli_exts |= TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
01628 
01629             ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
01630             if( ret != 0 )
01631                 return( ret );
01632             break;
01633 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
01634 
01635 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
01636         case TLS_EXT_MAX_FRAGMENT_LENGTH:
01637             SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
01638 
01639             ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
01640             if( ret != 0 )
01641                 return( ret );
01642             break;
01643 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
01644 
01645 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
01646         case TLS_EXT_TRUNCATED_HMAC:
01647             SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
01648 
01649             ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
01650             if( ret != 0 )
01651                 return( ret );
01652             break;
01653 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
01654 
01655 #if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
01656         case TLS_EXT_ENCRYPT_THEN_MAC:
01657             SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
01658 
01659             ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
01660             if( ret != 0 )
01661                 return( ret );
01662             break;
01663 #endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
01664 
01665 #if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
01666         case TLS_EXT_EXTENDED_MASTER_SECRET:
01667             SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
01668 
01669             ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
01670             if( ret != 0 )
01671                 return( ret );
01672             break;
01673 #endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
01674 
01675 #if defined(POLARSSL_SSL_SESSION_TICKETS)
01676         case TLS_EXT_SESSION_TICKET:
01677             SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
01678 
01679             ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
01680             if( ret != 0 )
01681                 return( ret );
01682             break;
01683 #endif /* POLARSSL_SSL_SESSION_TICKETS */
01684 
01685 #if defined(POLARSSL_SSL_ALPN)
01686         case TLS_EXT_ALPN:
01687             SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
01688 
01689             ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
01690             if( ret != 0 )
01691                 return( ret );
01692             break;
01693 #endif /* POLARSSL_SSL_SESSION_TICKETS */
01694 
01695         default:
01696             SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
01697                            ext_id ) );
01698         }
01699 
01700         ext_len -= 4 + ext_size;
01701         ext += 4 + ext_size;
01702 
01703         if( ext_len > 0 && ext_len < 4 )
01704         {
01705             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01706             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01707         }
01708     }
01709 
01710     /*
01711      * Renegotiation security checks
01712      */
01713     if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION &&
01714         ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
01715     {
01716         SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
01717         handshake_failure = 1;
01718     }
01719 #if defined(POLARSSL_SSL_RENEGOTIATION)
01720     else if( ssl->renegotiation == SSL_RENEGOTIATION &&
01721              ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
01722              renegotiation_info_seen == 0 )
01723     {
01724         SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
01725         handshake_failure = 1;
01726     }
01727     else if( ssl->renegotiation == SSL_RENEGOTIATION &&
01728              ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
01729              ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
01730     {
01731         SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
01732         handshake_failure = 1;
01733     }
01734     else if( ssl->renegotiation == SSL_RENEGOTIATION &&
01735              ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
01736              renegotiation_info_seen == 1 )
01737     {
01738         SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
01739         handshake_failure = 1;
01740     }
01741 #endif /* POLARSSL_SSL_RENEGOTIATION */
01742 
01743     if( handshake_failure == 1 )
01744     {
01745         if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
01746             return( ret );
01747 
01748         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01749     }
01750 
01751     /*
01752      * Search for a matching ciphersuite
01753      * (At the end because we need information from the EC-based extensions
01754      * and certificate from the SNI callback triggered by the SNI extension.)
01755      */
01756     got_common_suite = 0;
01757     ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
01758     ciphersuite_info = NULL;
01759 #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
01760     for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 )
01761     {
01762         for( i = 0; ciphersuites[i] != 0; i++ )
01763 #else
01764     for( i = 0; ciphersuites[i] != 0; i++ )
01765     {
01766         for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 )
01767 #endif
01768         {
01769             if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
01770                 p[1] != ( ( ciphersuites[i]      ) & 0xFF ) )
01771                 continue;
01772 
01773             got_common_suite = 1;
01774 
01775             if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
01776                                                &ciphersuite_info ) ) != 0 )
01777                 return( ret );
01778 
01779             if( ciphersuite_info != NULL )
01780                 goto have_ciphersuite;
01781         }
01782     }
01783 
01784     if( got_common_suite )
01785     {
01786         SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
01787                             "but none of them usable" ) );
01788         ssl_send_fatal_handshake_failure( ssl );
01789         return( POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE );
01790     }
01791     else
01792     {
01793         SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
01794         ssl_send_fatal_handshake_failure( ssl );
01795         return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
01796     }
01797 
01798 have_ciphersuite:
01799     SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
01800 
01801     ssl->session_negotiate->ciphersuite = ciphersuites[i];
01802     ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
01803     ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
01804 
01805     ssl->in_left = 0;
01806     ssl->state++;
01807 
01808     SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
01809 
01810     return( 0 );
01811 }
01812 
01813 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
01814 static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
01815                                           unsigned char *buf,
01816                                           size_t *olen )
01817 {
01818     unsigned char *p = buf;
01819 
01820     if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
01821     {
01822         *olen = 0;
01823         return;
01824     }
01825 
01826     SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
01827 
01828     *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
01829     *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC      ) & 0xFF );
01830 
01831     *p++ = 0x00;
01832     *p++ = 0x00;
01833 
01834     *olen = 4;
01835 }
01836 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
01837 
01838 #if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
01839 static void ssl_write_encrypt_then_mac_ext( ssl_context *ssl,
01840                                             unsigned char *buf,
01841                                             size_t *olen )
01842 {
01843     unsigned char *p = buf;
01844     const ssl_ciphersuite_t *suite = NULL;
01845     const cipher_info_t *cipher = NULL;
01846 
01847     if( ssl->session_negotiate->encrypt_then_mac == SSL_EXTENDED_MS_DISABLED ||
01848         ssl->minor_ver == SSL_MINOR_VERSION_0 )
01849     {
01850         *olen = 0;
01851         return;
01852     }
01853 
01854     /*
01855      * RFC 7366: "If a server receives an encrypt-then-MAC request extension
01856      * from a client and then selects a stream or Authenticated Encryption
01857      * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
01858      * encrypt-then-MAC response extension back to the client."
01859      */
01860     if( ( suite = ssl_ciphersuite_from_id(
01861                     ssl->session_negotiate->ciphersuite ) ) == NULL ||
01862         ( cipher = cipher_info_from_type( suite->cipher ) ) == NULL ||
01863         cipher->mode != POLARSSL_MODE_CBC )
01864     {
01865         *olen = 0;
01866         return;
01867     }
01868 
01869     SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
01870 
01871     *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
01872     *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC      ) & 0xFF );
01873 
01874     *p++ = 0x00;
01875     *p++ = 0x00;
01876 
01877     *olen = 4;
01878 }
01879 #endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
01880 
01881 #if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
01882 static void ssl_write_extended_ms_ext( ssl_context *ssl,
01883                                        unsigned char *buf,
01884                                        size_t *olen )
01885 {
01886     unsigned char *p = buf;
01887 
01888     if( ssl->handshake->extended_ms == SSL_EXTENDED_MS_DISABLED ||
01889         ssl->minor_ver == SSL_MINOR_VERSION_0 )
01890     {
01891         *olen = 0;
01892         return;
01893     }
01894 
01895     SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
01896                         "extension" ) );
01897 
01898     *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
01899     *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET      ) & 0xFF );
01900 
01901     *p++ = 0x00;
01902     *p++ = 0x00;
01903 
01904     *olen = 4;
01905 }
01906 #endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
01907 
01908 #if defined(POLARSSL_SSL_SESSION_TICKETS)
01909 static void ssl_write_session_ticket_ext( ssl_context *ssl,
01910                                           unsigned char *buf,
01911                                           size_t *olen )
01912 {
01913     unsigned char *p = buf;
01914 
01915     if( ssl->handshake->new_session_ticket == 0 )
01916     {
01917         *olen = 0;
01918         return;
01919     }
01920 
01921     SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
01922 
01923     *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
01924     *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET      ) & 0xFF );
01925 
01926     *p++ = 0x00;
01927     *p++ = 0x00;
01928 
01929     *olen = 4;
01930 }
01931 #endif /* POLARSSL_SSL_SESSION_TICKETS */
01932 
01933 static void ssl_write_renegotiation_ext( ssl_context *ssl,
01934                                          unsigned char *buf,
01935                                          size_t *olen )
01936 {
01937     unsigned char *p = buf;
01938 
01939     if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION )
01940     {
01941         *olen = 0;
01942         return;
01943     }
01944 
01945     SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
01946 
01947     *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
01948     *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO      ) & 0xFF );
01949 
01950 #if defined(POLARSSL_SSL_RENEGOTIATION)
01951     if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
01952     {
01953         *p++ = 0x00;
01954         *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
01955         *p++ = ssl->verify_data_len * 2 & 0xFF;
01956 
01957         memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
01958         p += ssl->verify_data_len;
01959         memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
01960         p += ssl->verify_data_len;
01961 
01962         *olen = 5 + ssl->verify_data_len * 2;
01963     }
01964     else
01965 #endif /* POLARSSL_SSL_RENEGOTIATION */
01966     {
01967         *p++ = 0x00;
01968         *p++ = 0x01;
01969         *p++ = 0x00;
01970 
01971         *olen = 5;
01972     }
01973 }
01974 
01975 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
01976 static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
01977                                                unsigned char *buf,
01978                                                size_t *olen )
01979 {
01980     unsigned char *p = buf;
01981 
01982     if( ssl->session_negotiate->mfl_code == SSL_MAX_FRAG_LEN_NONE )
01983     {
01984         *olen = 0;
01985         return;
01986     }
01987 
01988     SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
01989 
01990     *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
01991     *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH      ) & 0xFF );
01992 
01993     *p++ = 0x00;
01994     *p++ = 1;
01995 
01996     *p++ = ssl->session_negotiate->mfl_code;
01997 
01998     *olen = 5;
01999 }
02000 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
02001 
02002 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
02003 static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
02004                                                    unsigned char *buf,
02005                                                    size_t *olen )
02006 {
02007     unsigned char *p = buf;
02008     ((void) ssl);
02009 
02010     if( ( ssl->handshake->cli_exts &
02011           TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
02012     {
02013         *olen = 0;
02014         return;
02015     }
02016 
02017     SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
02018 
02019     *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
02020     *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS      ) & 0xFF );
02021 
02022     *p++ = 0x00;
02023     *p++ = 2;
02024 
02025     *p++ = 1;
02026     *p++ = POLARSSL_ECP_PF_UNCOMPRESSED;
02027 
02028     *olen = 6;
02029 }
02030 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
02031 
02032 #if defined(POLARSSL_SSL_ALPN )
02033 static void ssl_write_alpn_ext( ssl_context *ssl,
02034                                 unsigned char *buf, size_t *olen )
02035 {
02036     if( ssl->alpn_chosen == NULL )
02037     {
02038         *olen = 0;
02039         return;
02040     }
02041 
02042     SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
02043 
02044     /*
02045      * 0 . 1    ext identifier
02046      * 2 . 3    ext length
02047      * 4 . 5    protocol list length
02048      * 6 . 6    protocol name length
02049      * 7 . 7+n  protocol name
02050      */
02051     buf[0] = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF );
02052     buf[1] = (unsigned char)( ( TLS_EXT_ALPN      ) & 0xFF );
02053 
02054     *olen = 7 + strlen( ssl->alpn_chosen );
02055 
02056     buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
02057     buf[3] = (unsigned char)( ( ( *olen - 4 )      ) & 0xFF );
02058 
02059     buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
02060     buf[5] = (unsigned char)( ( ( *olen - 6 )      ) & 0xFF );
02061 
02062     buf[6] = (unsigned char)( ( ( *olen - 7 )      ) & 0xFF );
02063 
02064     memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
02065 }
02066 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
02067 
02068 static int ssl_write_server_hello( ssl_context *ssl )
02069 {
02070 #if defined(POLARSSL_HAVE_TIME)
02071     time_t t;
02072 #endif
02073     int ret;
02074     size_t olen, ext_len = 0, n;
02075     unsigned char *buf, *p;
02076 
02077     SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
02078 
02079     if( ssl->f_rng == NULL )
02080     {
02081         SSL_DEBUG_MSG( 1, ( "no RNG provided") );
02082         return( POLARSSL_ERR_SSL_NO_RNG );
02083     }
02084 
02085     /*
02086      *     0  .   0   handshake type
02087      *     1  .   3   handshake length
02088      *     4  .   5   protocol version
02089      *     6  .   9   UNIX time()
02090      *    10  .  37   random bytes
02091      */
02092     buf = ssl->out_msg;
02093     p = buf + 4;
02094 
02095     *p++ = (unsigned char) ssl->major_ver;
02096     *p++ = (unsigned char) ssl->minor_ver;
02097 
02098     SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
02099                    buf[4], buf[5] ) );
02100 
02101 #if defined(POLARSSL_HAVE_TIME)
02102     t = time( NULL );
02103     *p++ = (unsigned char)( t >> 24 );
02104     *p++ = (unsigned char)( t >> 16 );
02105     *p++ = (unsigned char)( t >>  8 );
02106     *p++ = (unsigned char)( t       );
02107 
02108     SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
02109 #else
02110     if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
02111         return( ret );
02112 
02113     p += 4;
02114 #endif /* POLARSSL_HAVE_TIME */
02115 
02116     if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
02117         return( ret );
02118 
02119     p += 28;
02120 
02121     memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
02122 
02123     SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
02124 
02125     /*
02126      * Resume is 0  by default, see ssl_handshake_init().
02127      * It may be already set to 1 by ssl_parse_session_ticket_ext().
02128      * If not, try looking up session ID in our cache.
02129      */
02130     if( ssl->handshake->resume == 0 &&
02131 #if defined(POLARSSL_SSL_RENEGOTIATION)
02132         ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
02133 #endif
02134         ssl->session_negotiate->length != 0 &&
02135         ssl->f_get_cache != NULL &&
02136         ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
02137     {
02138         SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
02139         ssl->handshake->resume = 1;
02140     }
02141 
02142     if( ssl->handshake->resume == 0 )
02143     {
02144         /*
02145          * New session, create a new session id,
02146          * unless we're about to issue a session ticket
02147          */
02148         ssl->state++;
02149 
02150 #if defined(POLARSSL_HAVE_TIME)
02151         ssl->session_negotiate->start = time( NULL );
02152 #endif
02153 
02154 #if defined(POLARSSL_SSL_SESSION_TICKETS)
02155         if( ssl->handshake->new_session_ticket != 0 )
02156         {
02157             ssl->session_negotiate->length = n = 0;
02158             memset( ssl->session_negotiate->id, 0, 32 );
02159         }
02160         else
02161 #endif /* POLARSSL_SSL_SESSION_TICKETS */
02162         {
02163             ssl->session_negotiate->length = n = 32;
02164             if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
02165                                     n ) ) != 0 )
02166                 return( ret );
02167         }
02168     }
02169     else
02170     {
02171         /*
02172          * Resuming a session
02173          */
02174         n = ssl->session_negotiate->length;
02175         ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
02176 
02177         if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
02178         {
02179             SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
02180             return( ret );
02181         }
02182     }
02183 
02184     /*
02185      *    38  .  38     session id length
02186      *    39  . 38+n    session id
02187      *   39+n . 40+n    chosen ciphersuite
02188      *   41+n . 41+n    chosen compression alg.
02189      *   42+n . 43+n    extensions length
02190      *   44+n . 43+n+m  extensions
02191      */
02192     *p++ = (unsigned char) ssl->session_negotiate->length;
02193     memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
02194     p += ssl->session_negotiate->length;
02195 
02196     SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
02197     SSL_DEBUG_BUF( 3,   "server hello, session id", buf + 39, n );
02198     SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
02199                    ssl->handshake->resume ? "a" : "no" ) );
02200 
02201     *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
02202     *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite      );
02203     *p++ = (unsigned char)( ssl->session_negotiate->compression      );
02204 
02205     SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
02206            ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
02207     SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
02208                    ssl->session_negotiate->compression ) );
02209 
02210     /*
02211      *  First write extensions, then the total length
02212      */
02213     ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
02214     ext_len += olen;
02215 
02216 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
02217     ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
02218     ext_len += olen;
02219 #endif
02220 
02221 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
02222     ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
02223     ext_len += olen;
02224 #endif
02225 
02226 #if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
02227     ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
02228     ext_len += olen;
02229 #endif
02230 
02231 #if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
02232     ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
02233     ext_len += olen;
02234 #endif
02235 
02236 #if defined(POLARSSL_SSL_SESSION_TICKETS)
02237     ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
02238     ext_len += olen;
02239 #endif
02240 
02241 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
02242     ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
02243     ext_len += olen;
02244 #endif
02245 
02246 #if defined(POLARSSL_SSL_ALPN)
02247     ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
02248     ext_len += olen;
02249 #endif
02250 
02251     SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
02252 
02253     if( ext_len > 0 )
02254     {
02255         *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
02256         *p++ = (unsigned char)( ( ext_len      ) & 0xFF );
02257         p += ext_len;
02258     }
02259 
02260     ssl->out_msglen  = p - buf;
02261     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
02262     ssl->out_msg[0]  = SSL_HS_SERVER_HELLO;
02263 
02264     ret = ssl_write_record( ssl );
02265 
02266     SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
02267 
02268     return( ret );
02269 }
02270 
02271 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)       && \
02272     !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
02273     !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
02274     !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
02275 static int ssl_write_certificate_request( ssl_context *ssl )
02276 {
02277     const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
02278 
02279     SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
02280 
02281     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
02282         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
02283         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
02284         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
02285     {
02286         SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
02287         ssl->state++;
02288         return( 0 );
02289     }
02290 
02291     SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02292     return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
02293 }
02294 #else
02295 static int ssl_write_certificate_request( ssl_context *ssl )
02296 {
02297     int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
02298     const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
02299     size_t dn_size, total_dn_size; /* excluding length bytes */
02300     size_t ct_len, sa_len; /* including length bytes */
02301     unsigned char *buf, *p;
02302     const x509_crt *crt;
02303 
02304     SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
02305 
02306     ssl->state++;
02307 
02308     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
02309         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
02310         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
02311         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
02312         ssl->authmode == SSL_VERIFY_NONE )
02313     {
02314         SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
02315         return( 0 );
02316     }
02317 
02318     /*
02319      *     0  .   0   handshake type
02320      *     1  .   3   handshake length
02321      *     4  .   4   cert type count
02322      *     5  .. m-1  cert types
02323      *     m  .. m+1  sig alg length (TLS 1.2 only)
02324      *    m+1 .. n-1  SignatureAndHashAlgorithms (TLS 1.2 only)
02325      *     n  .. n+1  length of all DNs
02326      *    n+2 .. n+3  length of DN 1
02327      *    n+4 .. ...  Distinguished Name #1
02328      *    ... .. ...  length of DN 2, etc.
02329      */
02330     buf = ssl->out_msg;
02331     p = buf + 4;
02332 
02333     /*
02334      * Supported certificate types
02335      *
02336      *     ClientCertificateType certificate_types<1..2^8-1>;
02337      *     enum { (255) } ClientCertificateType;
02338      */
02339     ct_len = 0;
02340 
02341 #if defined(POLARSSL_RSA_C)
02342     p[1 + ct_len++] = SSL_CERT_TYPE_RSA_SIGN;
02343 #endif
02344 #if defined(POLARSSL_ECDSA_C)
02345     p[1 + ct_len++] = SSL_CERT_TYPE_ECDSA_SIGN;
02346 #endif
02347 
02348     p[0] = (unsigned char) ct_len++;
02349     p += ct_len;
02350 
02351     sa_len = 0;
02352 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
02353     /*
02354      * Add signature_algorithms for verify (TLS 1.2)
02355      *
02356      *     SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
02357      *
02358      *     struct {
02359      *           HashAlgorithm hash;
02360      *           SignatureAlgorithm signature;
02361      *     } SignatureAndHashAlgorithm;
02362      *
02363      *     enum { (255) } HashAlgorithm;
02364      *     enum { (255) } SignatureAlgorithm;
02365      */
02366     if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
02367     {
02368         /*
02369          * Only use current running hash algorithm that is already required
02370          * for requested ciphersuite.
02371          */
02372         ssl->handshake->verify_sig_alg = SSL_HASH_SHA256;
02373 
02374         if( ssl->transform_negotiate->ciphersuite_info->mac ==
02375             POLARSSL_MD_SHA384 )
02376         {
02377             ssl->handshake->verify_sig_alg = SSL_HASH_SHA384;
02378         }
02379 
02380         /*
02381          * Supported signature algorithms
02382          */
02383 #if defined(POLARSSL_RSA_C)
02384         p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
02385         p[2 + sa_len++] = SSL_SIG_RSA;
02386 #endif
02387 #if defined(POLARSSL_ECDSA_C)
02388         p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
02389         p[2 + sa_len++] = SSL_SIG_ECDSA;
02390 #endif
02391 
02392         p[0] = (unsigned char)( sa_len >> 8 );
02393         p[1] = (unsigned char)( sa_len      );
02394         sa_len += 2;
02395         p += sa_len;
02396     }
02397 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
02398 
02399     /*
02400      * DistinguishedName certificate_authorities<0..2^16-1>;
02401      * opaque DistinguishedName<1..2^16-1>;
02402      */
02403     p += 2;
02404     crt = ssl->ca_chain;
02405 
02406     total_dn_size = 0;
02407     while( crt != NULL && crt->version != 0 )
02408     {
02409         if( p - buf > 4096 )
02410             break;
02411 
02412         dn_size = crt->subject_raw.len;
02413         *p++ = (unsigned char)( dn_size >> 8 );
02414         *p++ = (unsigned char)( dn_size      );
02415         memcpy( p, crt->subject_raw.p, dn_size );
02416         p += dn_size;
02417 
02418         SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
02419 
02420         total_dn_size += 2 + dn_size;
02421         crt = crt->next;
02422     }
02423 
02424     ssl->out_msglen  = p - buf;
02425     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
02426     ssl->out_msg[0]  = SSL_HS_CERTIFICATE_REQUEST;
02427     ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size  >> 8 );
02428     ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size       );
02429 
02430     ret = ssl_write_record( ssl );
02431 
02432     SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
02433 
02434     return( ret );
02435 }
02436 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
02437           !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
02438           !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
02439           !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
02440 
02441 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
02442     defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
02443 static int ssl_get_ecdh_params_from_cert( ssl_context *ssl )
02444 {
02445     int ret;
02446 
02447     if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECKEY ) )
02448     {
02449         SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
02450         return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH );
02451     }
02452 
02453     if( ( ret = ecdh_get_params( &ssl->handshake->ecdh_ctx,
02454                                  pk_ec( *ssl_own_key( ssl ) ),
02455                                  POLARSSL_ECDH_OURS ) ) != 0 )
02456     {
02457         SSL_DEBUG_RET( 1, ( "ecdh_get_params" ), ret );
02458         return( ret );
02459     }
02460 
02461     return( 0 );
02462 }
02463 #endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
02464           POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
02465 
02466 static int ssl_write_server_key_exchange( ssl_context *ssl )
02467 {
02468     int ret;
02469     size_t n = 0;
02470     const ssl_ciphersuite_t *ciphersuite_info =
02471                             ssl->transform_negotiate->ciphersuite_info;
02472 
02473 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
02474     defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) ||                       \
02475     defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
02476     defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                     \
02477     defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
02478     unsigned char *p = ssl->out_msg + 4;
02479     unsigned char *dig_signed = p;
02480     size_t dig_signed_len = 0, len;
02481     ((void) dig_signed);
02482     ((void) dig_signed_len);
02483 #endif
02484 
02485     SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
02486 
02487 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) ||                           \
02488     defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) ||                           \
02489     defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
02490     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ||
02491         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
02492         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
02493     {
02494         SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
02495         ssl->state++;
02496         return( 0 );
02497     }
02498 #endif
02499 
02500 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
02501     defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
02502     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
02503         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
02504     {
02505         ssl_get_ecdh_params_from_cert( ssl );
02506 
02507         SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
02508         ssl->state++;
02509         return( 0 );
02510     }
02511 #endif
02512 
02513 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) ||                       \
02514     defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
02515     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
02516         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
02517     {
02518         /* TODO: Support identity hints */
02519         *(p++) = 0x00;
02520         *(p++) = 0x00;
02521 
02522         n += 2;
02523     }
02524 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED ||
02525           POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
02526 
02527 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
02528     defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
02529     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
02530         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
02531     {
02532         /*
02533          * Ephemeral DH parameters:
02534          *
02535          * struct {
02536          *     opaque dh_p<1..2^16-1>;
02537          *     opaque dh_g<1..2^16-1>;
02538          *     opaque dh_Ys<1..2^16-1>;
02539          * } ServerDHParams;
02540          */
02541         if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
02542             ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
02543         {
02544             SSL_DEBUG_RET( 1, "mpi_copy", ret );
02545             return( ret );
02546         }
02547 
02548         if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
02549                         (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
02550                         p, &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
02551         {
02552             SSL_DEBUG_RET( 1, "dhm_make_params", ret );
02553             return( ret );
02554         }
02555 
02556         dig_signed = p;
02557         dig_signed_len = len;
02558 
02559         p += len;
02560         n += len;
02561 
02562         SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X  );
02563         SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P  );
02564         SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G  );
02565         SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
02566     }
02567 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
02568           POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
02569 
02570 #if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
02571     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
02572         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
02573         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
02574     {
02575         /*
02576          * Ephemeral ECDH parameters:
02577          *
02578          * struct {
02579          *     ECParameters curve_params;
02580          *     ECPoint      public;
02581          * } ServerECDHParams;
02582          */
02583         const ecp_curve_info **curve = NULL;
02584 #if defined(POLARSSL_SSL_SET_CURVES)
02585         const ecp_group_id *gid;
02586 
02587         /* Match our preference list against the offered curves */
02588         for( gid = ssl->curve_list; *gid != POLARSSL_ECP_DP_NONE; gid++ )
02589             for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
02590                 if( (*curve)->grp_id == *gid )
02591                     goto curve_matching_done;
02592 
02593 curve_matching_done:
02594 #else
02595         curve = ssl->handshake->curves;
02596 #endif
02597 
02598         if( *curve == NULL )
02599         {
02600             SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
02601             return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
02602         }
02603 
02604         SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
02605 
02606         if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
02607                                        (*curve)->grp_id ) ) != 0 )
02608         {
02609             SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
02610             return( ret );
02611         }
02612 
02613         if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
02614                                       p, SSL_MAX_CONTENT_LEN - n,
02615                                       ssl->f_rng, ssl->p_rng ) ) != 0 )
02616         {
02617             SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
02618             return( ret );
02619         }
02620 
02621         dig_signed = p;
02622         dig_signed_len = len;
02623 
02624         p += len;
02625         n += len;
02626 
02627         SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
02628     }
02629 #endif /* POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
02630 
02631 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
02632     defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
02633     defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
02634     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
02635         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
02636         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
02637     {
02638         size_t signature_len = 0;
02639         unsigned int hashlen = 0;
02640         unsigned char hash[64];
02641         md_type_t md_alg = POLARSSL_MD_NONE;
02642 
02643         /*
02644          * Choose hash algorithm. NONE means MD5 + SHA1 here.
02645          */
02646 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
02647         if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
02648         {
02649             md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg );
02650 
02651             if( md_alg == POLARSSL_MD_NONE )
02652             {
02653                 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02654                 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
02655             }
02656         }
02657         else
02658 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
02659 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
02660     defined(POLARSSL_SSL_PROTO_TLS1_1)
02661         if( ciphersuite_info->key_exchange ==
02662                   POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
02663         {
02664             md_alg = POLARSSL_MD_SHA1;
02665         }
02666         else
02667 #endif
02668         {
02669             md_alg = POLARSSL_MD_NONE;
02670         }
02671 
02672         /*
02673          * Compute the hash to be signed
02674          */
02675 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
02676     defined(POLARSSL_SSL_PROTO_TLS1_1)
02677         if( md_alg == POLARSSL_MD_NONE )
02678         {
02679             md5_context md5;
02680             sha1_context sha1;
02681 
02682             md5_init(  &md5  );
02683             sha1_init( &sha1 );
02684 
02685             /*
02686              * digitally-signed struct {
02687              *     opaque md5_hash[16];
02688              *     opaque sha_hash[20];
02689              * };
02690              *
02691              * md5_hash
02692              *     MD5(ClientHello.random + ServerHello.random
02693              *                            + ServerParams);
02694              * sha_hash
02695              *     SHA(ClientHello.random + ServerHello.random
02696              *                            + ServerParams);
02697              */
02698             md5_starts( &md5 );
02699             md5_update( &md5, ssl->handshake->randbytes,  64 );
02700             md5_update( &md5, dig_signed, dig_signed_len );
02701             md5_finish( &md5, hash );
02702 
02703             sha1_starts( &sha1 );
02704             sha1_update( &sha1, ssl->handshake->randbytes,  64 );
02705             sha1_update( &sha1, dig_signed, dig_signed_len );
02706             sha1_finish( &sha1, hash + 16 );
02707 
02708             hashlen = 36;
02709 
02710             md5_free(  &md5  );
02711             sha1_free( &sha1 );
02712         }
02713         else
02714 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
02715           POLARSSL_SSL_PROTO_TLS1_1 */
02716 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
02717     defined(POLARSSL_SSL_PROTO_TLS1_2)
02718         if( md_alg != POLARSSL_MD_NONE )
02719         {
02720             md_context_t ctx;
02721             const md_info_t *md_info = md_info_from_type( md_alg );
02722 
02723             md_init( &ctx );
02724 
02725             /* Info from md_alg will be used instead */
02726             hashlen = 0;
02727 
02728             /*
02729              * digitally-signed struct {
02730              *     opaque client_random[32];
02731              *     opaque server_random[32];
02732              *     ServerDHParams params;
02733              * };
02734              */
02735             if( ( ret = md_init_ctx( &ctx, md_info ) ) != 0 )
02736             {
02737                 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
02738                 return( ret );
02739             }
02740 
02741             md_starts( &ctx );
02742             md_update( &ctx, ssl->handshake->randbytes, 64 );
02743             md_update( &ctx, dig_signed, dig_signed_len );
02744             md_finish( &ctx, hash );
02745             md_free( &ctx );
02746         }
02747         else
02748 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
02749           POLARSSL_SSL_PROTO_TLS1_2 */
02750         {
02751             SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02752             return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
02753         }
02754 
02755         SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
02756                 (unsigned int) ( md_info_from_type( md_alg ) )->size );
02757 
02758         /*
02759          * Make the signature
02760          */
02761         if( ssl_own_key( ssl ) == NULL )
02762         {
02763             SSL_DEBUG_MSG( 1, ( "got no private key" ) );
02764             return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
02765         }
02766 
02767 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
02768         if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
02769         {
02770             *(p++) = ssl->handshake->sig_alg;
02771             *(p++) = ssl_sig_from_pk( ssl_own_key( ssl ) );
02772 
02773             n += 2;
02774         }
02775 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
02776 
02777         if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash, hashlen,
02778                         p + 2 , &signature_len,
02779                         ssl->f_rng, ssl->p_rng ) ) != 0 )
02780         {
02781             SSL_DEBUG_RET( 1, "pk_sign", ret );
02782             return( ret );
02783         }
02784 
02785         *(p++) = (unsigned char)( signature_len >> 8 );
02786         *(p++) = (unsigned char)( signature_len      );
02787         n += 2;
02788 
02789         SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
02790 
02791         p += signature_len;
02792         n += signature_len;
02793     }
02794 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
02795           POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
02796           POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
02797 
02798     ssl->out_msglen  = 4 + n;
02799     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
02800     ssl->out_msg[0]  = SSL_HS_SERVER_KEY_EXCHANGE;
02801 
02802     ssl->state++;
02803 
02804     if( ( ret = ssl_write_record( ssl ) ) != 0 )
02805     {
02806         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
02807         return( ret );
02808     }
02809 
02810     SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
02811 
02812     return( 0 );
02813 }
02814 
02815 static int ssl_write_server_hello_done( ssl_context *ssl )
02816 {
02817     int ret;
02818 
02819     SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
02820 
02821     ssl->out_msglen  = 4;
02822     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
02823     ssl->out_msg[0]  = SSL_HS_SERVER_HELLO_DONE;
02824 
02825     ssl->state++;
02826 
02827     if( ( ret = ssl_write_record( ssl ) ) != 0 )
02828     {
02829         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
02830         return( ret );
02831     }
02832 
02833     SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
02834 
02835     return( 0 );
02836 }
02837 
02838 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
02839     defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
02840 static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
02841                                        const unsigned char *end )
02842 {
02843     int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
02844     size_t n;
02845 
02846     /*
02847      * Receive G^Y mod P, premaster = (G^Y)^X mod P
02848      */
02849     if( *p + 2 > end )
02850     {
02851         SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02852         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02853     }
02854 
02855     n = ( (*p)[0] << 8 ) | (*p)[1];
02856     *p += 2;
02857 
02858     if( *p + n > end )
02859     {
02860         SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02861         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02862     }
02863 
02864     if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
02865     {
02866         SSL_DEBUG_RET( 1, "dhm_read_public", ret );
02867         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
02868     }
02869 
02870     *p += n;
02871 
02872     SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
02873 
02874     return( ret );
02875 }
02876 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
02877           POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
02878 
02879 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) ||                           \
02880     defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
02881 static int ssl_parse_encrypted_pms( ssl_context *ssl,
02882                                     const unsigned char *p,
02883                                     const unsigned char *end,
02884                                     size_t pms_offset )
02885 {
02886     int ret;
02887     size_t len = pk_get_len( ssl_own_key( ssl ) );
02888     unsigned char *pms = ssl->handshake->premaster + pms_offset;
02889     unsigned char fake_pms[48], peer_pms[48];
02890     unsigned char mask;
02891     size_t i, diff, peer_pmslen;
02892 
02893     if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) )
02894     {
02895         SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
02896         return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
02897     }
02898 
02899     /*
02900      * Decrypt the premaster using own private RSA key
02901      */
02902 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
02903     defined(POLARSSL_SSL_PROTO_TLS1_2)
02904     if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
02905     {
02906         if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
02907             *p++ != ( ( len      ) & 0xFF ) )
02908         {
02909             SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02910             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02911         }
02912     }
02913 #endif
02914 
02915     if( p + len != end )
02916     {
02917         SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02918         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02919     }
02920 
02921     /*
02922      * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
02923      * must not cause the connection to end immediately; instead, send a
02924      * bad_record_mac later in the handshake.
02925      * Also, avoid data-dependant branches here to protect against
02926      * timing-based variants.
02927      */
02928     ret = ssl->f_rng( ssl->p_rng, fake_pms, sizeof( fake_pms ) );
02929     if( ret != 0 )
02930         return( ret );
02931 
02932     ret = pk_decrypt( ssl_own_key( ssl ), p, len,
02933                       peer_pms, &peer_pmslen,
02934                       sizeof( peer_pms ),
02935                       ssl->f_rng, ssl->p_rng );
02936 
02937     diff  = (size_t) ret;
02938     diff |= peer_pmslen ^ 48;
02939     diff |= peer_pms[0] ^ ssl->handshake->max_major_ver;
02940     diff |= peer_pms[1] ^ ssl->handshake->max_minor_ver;
02941 
02942 #if defined(POLARSSL_SSL_DEBUG_ALL)
02943     if( diff != 0 )
02944         SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02945 #endif
02946 
02947     if( sizeof( ssl->handshake->premaster ) < pms_offset ||
02948         sizeof( ssl->handshake->premaster ) - pms_offset < 48 )
02949     {
02950         SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02951         return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
02952     }
02953     ssl->handshake->pmslen = 48;
02954 
02955     mask = ( diff | - diff ) >> ( sizeof( size_t ) * 8 - 1 );
02956     mask = (unsigned char)( - ( ret != 0 ) ); /* mask = diff ? 0xff : 0x00 */
02957     for( i = 0; i < ssl->handshake->pmslen; i++ )
02958         pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
02959 
02960     return( 0 );
02961 }
02962 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED ||
02963           POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
02964 
02965 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
02966 static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
02967                                           const unsigned char *end )
02968 {
02969     int ret = 0;
02970     size_t n;
02971 
02972     if( ssl->f_psk == NULL &&
02973         ( ssl->psk == NULL || ssl->psk_identity == NULL ||
02974           ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
02975     {
02976         SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
02977         return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
02978     }
02979 
02980     /*
02981      * Receive client pre-shared key identity name
02982      */
02983     if( *p + 2 > end )
02984     {
02985         SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02986         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02987     }
02988 
02989     n = ( (*p)[0] << 8 ) | (*p)[1];
02990     *p += 2;
02991 
02992     if( n < 1 || n > 65535 || *p + n > end )
02993     {
02994         SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02995         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02996     }
02997 
02998     if( ssl->f_psk != NULL )
02999     {
03000         if( ssl->f_psk( ssl->p_psk, ssl, *p, n ) != 0 )
03001             ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
03002     }
03003     else
03004     {
03005         /* Identity is not a big secret since clients send it in the clear,
03006          * but treat it carefully anyway, just in case */
03007         if( n != ssl->psk_identity_len ||
03008             safer_memcmp( ssl->psk_identity, *p, n ) != 0 )
03009         {
03010             ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
03011         }
03012     }
03013 
03014     if( ret == POLARSSL_ERR_SSL_UNKNOWN_IDENTITY )
03015     {
03016         SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
03017         if( ( ret = ssl_send_alert_message( ssl,
03018                               SSL_ALERT_LEVEL_FATAL,
03019                               SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 )
03020         {
03021             return( ret );
03022         }
03023 
03024         return( POLARSSL_ERR_SSL_UNKNOWN_IDENTITY );
03025     }
03026 
03027     *p += n;
03028 
03029     return( 0 );
03030 }
03031 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
03032 
03033 static int ssl_parse_client_key_exchange( ssl_context *ssl )
03034 {
03035     int ret;
03036     const ssl_ciphersuite_t *ciphersuite_info;
03037 
03038     ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
03039 
03040     SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
03041 
03042     if( ( ret = ssl_read_record( ssl ) ) != 0 )
03043     {
03044         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
03045         return( ret );
03046     }
03047 
03048     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
03049     {
03050         SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03051         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03052     }
03053 
03054     if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
03055     {
03056         SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
03057         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03058     }
03059 
03060 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
03061     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
03062     {
03063         unsigned char *p = ssl->in_msg + 4;
03064         unsigned char *end = ssl->in_msg + ssl->in_hslen;
03065 
03066         if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
03067         {
03068             SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
03069             return( ret );
03070         }
03071 
03072         if( p != end )
03073         {
03074             SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
03075             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03076         }
03077 
03078         ssl->handshake->pmslen = POLARSSL_PREMASTER_SIZE;
03079 
03080         if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
03081                                       ssl->handshake->premaster,
03082                                      &ssl->handshake->pmslen,
03083                                       ssl->f_rng, ssl->p_rng ) ) != 0 )
03084         {
03085             SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
03086             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
03087         }
03088 
03089         SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
03090     }
03091     else
03092 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
03093 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
03094     defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
03095     defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
03096     defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
03097     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
03098         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
03099         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
03100         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
03101     {
03102         if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
03103                         ssl->in_msg + 4, ssl->in_hslen - 4 ) ) != 0 )
03104         {
03105             SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
03106             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
03107         }
03108 
03109         SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
03110 
03111         if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
03112                                       &ssl->handshake->pmslen,
03113                                        ssl->handshake->premaster,
03114                                        POLARSSL_MPI_MAX_SIZE,
03115                                        ssl->f_rng, ssl->p_rng ) ) != 0 )
03116         {
03117             SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
03118             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
03119         }
03120 
03121         SSL_DEBUG_MPI( 3, "ECDH: z  ", &ssl->handshake->ecdh_ctx.z );
03122     }
03123     else
03124 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
03125           POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
03126           POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
03127           POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
03128 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
03129     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
03130     {
03131         unsigned char *p = ssl->in_msg + 4;
03132         unsigned char *end = ssl->in_msg + ssl->in_hslen;
03133 
03134         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
03135         {
03136             SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
03137             return( ret );
03138         }
03139 
03140         if( p != end )
03141         {
03142             SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
03143             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03144         }
03145 
03146         if( ( ret = ssl_psk_derive_premaster( ssl,
03147                         ciphersuite_info->key_exchange ) ) != 0 )
03148         {
03149             SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
03150             return( ret );
03151         }
03152     }
03153     else
03154 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
03155 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
03156     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
03157     {
03158         unsigned char *p = ssl->in_msg + 4;
03159         unsigned char *end = ssl->in_msg + ssl->in_hslen;
03160 
03161         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
03162         {
03163             SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
03164             return( ret );
03165         }
03166 
03167         if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
03168         {
03169             SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
03170             return( ret );
03171         }
03172 
03173         if( ( ret = ssl_psk_derive_premaster( ssl,
03174                         ciphersuite_info->key_exchange ) ) != 0 )
03175         {
03176             SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
03177             return( ret );
03178         }
03179     }
03180     else
03181 #endif /* POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
03182 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
03183     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
03184     {
03185         unsigned char *p = ssl->in_msg + 4;
03186         unsigned char *end = ssl->in_msg + ssl->in_hslen;
03187 
03188         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
03189         {
03190             SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
03191             return( ret );
03192         }
03193         if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
03194         {
03195             SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
03196             return( ret );
03197         }
03198 
03199         if( p != end )
03200         {
03201             SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
03202             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
03203         }
03204 
03205         if( ( ret = ssl_psk_derive_premaster( ssl,
03206                         ciphersuite_info->key_exchange ) ) != 0 )
03207         {
03208             SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
03209             return( ret );
03210         }
03211     }
03212     else
03213 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
03214 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
03215     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
03216     {
03217         unsigned char *p = ssl->in_msg + 4;
03218         unsigned char *end = ssl->in_msg + ssl->in_hslen;
03219 
03220         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
03221         {
03222             SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
03223             return( ret );
03224         }
03225 
03226         if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
03227                                        p, end - p ) ) != 0 )
03228         {
03229             SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
03230             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
03231         }
03232 
03233         SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
03234 
03235         if( ( ret = ssl_psk_derive_premaster( ssl,
03236                         ciphersuite_info->key_exchange ) ) != 0 )
03237         {
03238             SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
03239             return( ret );
03240         }
03241     }
03242     else
03243 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
03244 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
03245     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
03246     {
03247         if( ( ret = ssl_parse_encrypted_pms( ssl,
03248                                              ssl->in_msg + 4,
03249                                              ssl->in_msg + ssl->in_hslen,
03250                                              0 ) ) != 0 )
03251         {
03252             SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
03253             return( ret );
03254         }
03255     }
03256     else
03257 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
03258     {
03259         SSL_DEBUG_MSG( 1, ( "should never happen" ) );
03260         return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
03261     }
03262 
03263     if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
03264     {
03265         SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
03266         return( ret );
03267     }
03268 
03269     ssl->state++;
03270 
03271     SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
03272 
03273     return( 0 );
03274 }
03275 
03276 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)       && \
03277     !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
03278     !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
03279     !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
03280 static int ssl_parse_certificate_verify( ssl_context *ssl )
03281 {
03282     const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
03283 
03284     SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
03285 
03286     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
03287         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
03288         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
03289         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
03290     {
03291         SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
03292         ssl->state++;
03293         return( 0 );
03294     }
03295 
03296     SSL_DEBUG_MSG( 1, ( "should never happen" ) );
03297     return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
03298 }
03299 #else
03300 static int ssl_parse_certificate_verify( ssl_context *ssl )
03301 {
03302     int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
03303     size_t sa_len, sig_len;
03304     unsigned char hash[48];
03305     unsigned char *hash_start = hash;
03306     size_t hashlen;
03307 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
03308     pk_type_t pk_alg;
03309 #endif
03310     md_type_t md_alg;
03311     const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
03312 
03313     SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
03314 
03315     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
03316         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
03317         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
03318         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
03319     {
03320         SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
03321         ssl->state++;
03322         return( 0 );
03323     }
03324 
03325     if( ssl->session_negotiate->peer_cert == NULL )
03326     {
03327         SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
03328         ssl->state++;
03329         return( 0 );
03330     }
03331 
03332     ssl->handshake->calc_verify( ssl, hash );
03333 
03334     if( ( ret = ssl_read_record( ssl ) ) != 0 )
03335     {
03336         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
03337         return( ret );
03338     }
03339 
03340     ssl->state++;
03341 
03342     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
03343     {
03344         SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
03345         return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03346     }
03347 
03348     if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
03349     {
03350         SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
03351         return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03352     }
03353 
03354     /*
03355      *     0  .   0   handshake type
03356      *     1  .   3   handshake length
03357      *     4  .   5   sig alg (TLS 1.2 only)
03358      *    4+n .  5+n  signature length (n = sa_len)
03359      *    6+n . 6+n+m signature (m = sig_len)
03360      */
03361 
03362 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
03363     defined(POLARSSL_SSL_PROTO_TLS1_1)
03364     if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
03365     {
03366         sa_len = 0;
03367 
03368         md_alg = POLARSSL_MD_NONE;
03369         hashlen = 36;
03370 
03371         /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
03372         if( pk_can_do( &ssl->session_negotiate->peer_cert->pk,
03373                         POLARSSL_PK_ECDSA ) )
03374         {
03375             hash_start += 16;
03376             hashlen -= 16;
03377             md_alg = POLARSSL_MD_SHA1;
03378         }
03379     }
03380     else
03381 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 ||
03382           POLARSSL_SSL_PROTO_TLS1_1 */
03383 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
03384     if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
03385     {
03386         sa_len = 2;
03387 
03388         /*
03389          * Hash
03390          */
03391         if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg )
03392         {
03393             SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
03394                                 " for verify message" ) );
03395             return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03396         }
03397 
03398         md_alg = ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg );
03399 
03400         /* Info from md_alg will be used instead */
03401         hashlen = 0;
03402 
03403         /*
03404          * Signature
03405          */
03406         if( ( pk_alg = ssl_pk_alg_from_sig( ssl->in_msg[5] ) )
03407                         == POLARSSL_PK_NONE )
03408         {
03409             SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
03410                                 " for verify message" ) );
03411             return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03412         }
03413 
03414         /*
03415          * Check the certificate's key type matches the signature alg
03416          */
03417         if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
03418         {
03419             SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
03420             return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03421         }
03422     }
03423     else
03424 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
03425     {
03426         SSL_DEBUG_MSG( 1, ( "should never happen" ) );
03427         return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
03428     }
03429 
03430     sig_len = ( ssl->in_msg[4 + sa_len] << 8 ) | ssl->in_msg[5 + sa_len];
03431 
03432     if( sa_len + sig_len + 6 != ssl->in_hslen )
03433     {
03434         SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
03435         return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
03436     }
03437 
03438     if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
03439                            md_alg, hash_start, hashlen,
03440                            ssl->in_msg + 6 + sa_len, sig_len ) ) != 0 )
03441     {
03442         SSL_DEBUG_RET( 1, "pk_verify", ret );
03443         return( ret );
03444     }
03445 
03446     SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
03447 
03448     return( ret );
03449 }
03450 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
03451           !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
03452           !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
03453 
03454 #if defined(POLARSSL_SSL_SESSION_TICKETS)
03455 static int ssl_write_new_session_ticket( ssl_context *ssl )
03456 {
03457     int ret;
03458     size_t tlen;
03459     uint32_t lifetime = (uint32_t) ssl->ticket_lifetime;
03460 
03461     SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
03462 
03463     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
03464     ssl->out_msg[0]  = SSL_HS_NEW_SESSION_TICKET;
03465 
03466     /*
03467      * struct {
03468      *     uint32 ticket_lifetime_hint;
03469      *     opaque ticket<0..2^16-1>;
03470      * } NewSessionTicket;
03471      *
03472      * 4  .  7   ticket_lifetime_hint (0 = unspecified)
03473      * 8  .  9   ticket_len (n)
03474      * 10 .  9+n ticket content
03475      */
03476 
03477     ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
03478     ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
03479     ssl->out_msg[6] = ( lifetime >>  8 ) & 0xFF;
03480     ssl->out_msg[7] = ( lifetime       ) & 0xFF;
03481 
03482     if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
03483     {
03484         SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
03485         tlen = 0;
03486     }
03487 
03488     ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
03489     ssl->out_msg[9] = (unsigned char)( ( tlen      ) & 0xFF );
03490 
03491     ssl->out_msglen = 10 + tlen;
03492 
03493     /*
03494      * Morally equivalent to updating ssl->state, but NewSessionTicket and
03495      * ChangeCipherSpec share the same state.
03496      */
03497     ssl->handshake->new_session_ticket = 0;
03498 
03499     if( ( ret = ssl_write_record( ssl ) ) != 0 )
03500     {
03501         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
03502         return( ret );
03503     }
03504 
03505     SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
03506 
03507     return( 0 );
03508 }
03509 #endif /* POLARSSL_SSL_SESSION_TICKETS */
03510 
03511 /*
03512  * SSL handshake -- server side -- single step
03513  */
03514 int ssl_handshake_server_step( ssl_context *ssl )
03515 {
03516     int ret = 0;
03517 
03518     if( ssl->state == SSL_HANDSHAKE_OVER )
03519         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
03520 
03521     SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
03522 
03523     if( ( ret = ssl_flush_output( ssl ) ) != 0 )
03524         return( ret );
03525 
03526     switch( ssl->state )
03527     {
03528         case SSL_HELLO_REQUEST:
03529             ssl->state = SSL_CLIENT_HELLO;
03530             break;
03531 
03532         /*
03533          *  <==   ClientHello
03534          */
03535         case SSL_CLIENT_HELLO:
03536             ret = ssl_parse_client_hello( ssl );
03537             break;
03538 
03539         /*
03540          *  ==>   ServerHello
03541          *        Certificate
03542          *      ( ServerKeyExchange  )
03543          *      ( CertificateRequest )
03544          *        ServerHelloDone
03545          */
03546         case SSL_SERVER_HELLO:
03547             ret = ssl_write_server_hello( ssl );
03548             break;
03549 
03550         case SSL_SERVER_CERTIFICATE:
03551             ret = ssl_write_certificate( ssl );
03552             break;
03553 
03554         case SSL_SERVER_KEY_EXCHANGE:
03555             ret = ssl_write_server_key_exchange( ssl );
03556             break;
03557 
03558         case SSL_CERTIFICATE_REQUEST:
03559             ret = ssl_write_certificate_request( ssl );
03560             break;
03561 
03562         case SSL_SERVER_HELLO_DONE:
03563             ret = ssl_write_server_hello_done( ssl );
03564             break;
03565 
03566         /*
03567          *  <== ( Certificate/Alert  )
03568          *        ClientKeyExchange
03569          *      ( CertificateVerify  )
03570          *        ChangeCipherSpec
03571          *        Finished
03572          */
03573         case SSL_CLIENT_CERTIFICATE:
03574             ret = ssl_parse_certificate( ssl );
03575             break;
03576 
03577         case SSL_CLIENT_KEY_EXCHANGE:
03578             ret = ssl_parse_client_key_exchange( ssl );
03579             break;
03580 
03581         case SSL_CERTIFICATE_VERIFY:
03582             ret = ssl_parse_certificate_verify( ssl );
03583             break;
03584 
03585         case SSL_CLIENT_CHANGE_CIPHER_SPEC:
03586             ret = ssl_parse_change_cipher_spec( ssl );
03587             break;
03588 
03589         case SSL_CLIENT_FINISHED:
03590             ret = ssl_parse_finished( ssl );
03591             break;
03592 
03593         /*
03594          *  ==> ( NewSessionTicket )
03595          *        ChangeCipherSpec
03596          *        Finished
03597          */
03598         case SSL_SERVER_CHANGE_CIPHER_SPEC:
03599 #if defined(POLARSSL_SSL_SESSION_TICKETS)
03600             if( ssl->handshake->new_session_ticket != 0 )
03601                 ret = ssl_write_new_session_ticket( ssl );
03602             else
03603 #endif
03604                 ret = ssl_write_change_cipher_spec( ssl );
03605             break;
03606 
03607         case SSL_SERVER_FINISHED:
03608             ret = ssl_write_finished( ssl );
03609             break;
03610 
03611         case SSL_FLUSH_BUFFERS:
03612             SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
03613             ssl->state = SSL_HANDSHAKE_WRAPUP;
03614             break;
03615 
03616         case SSL_HANDSHAKE_WRAPUP:
03617             ssl_handshake_wrapup( ssl );
03618             break;
03619 
03620         default:
03621             SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
03622             return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
03623     }
03624 
03625     return( ret );
03626 }
03627 #endif /* POLARSSL_SSL_SRV_C */
03628