TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / fa566e354549ab76bc3bd9bea0c06b259668ef59 / . / library / ssl_cli.c.orig
blob: 7f46cbb339b38c67f940750526f8e12124820fd9 [file] [log] [blame]
Manuel Pégourié-Gonnardfa566e32015-09-03 10:44:32 +0200[diff] [blame^]1/*
2 * SSLv3/TLSv1 client-side functions
3 *
4 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
5 *
6 * This file is part of mbed TLS (https://tls.mbed.org)
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22
23#if !defined(POLARSSL_CONFIG_FILE)
24#include "polarssl/config.h"
25#else
26#include POLARSSL_CONFIG_FILE
27#endif
28
29#if defined(POLARSSL_SSL_CLI_C)
30
31#include "polarssl/debug.h"
32#include "polarssl/ssl.h"
33
34#include <string.h>
35
36#if defined(POLARSSL_PLATFORM_C)
37#include "polarssl/platform.h"
38#else
39#include <stdlib.h>
40#define polarssl_malloc malloc
41#define polarssl_free free
42#endif
43
44#if defined(_MSC_VER) && !defined(EFIX64) && !defined(EFI32)
45#include <basetsd.h>
46typedef UINT32 uint32_t;
47#else
48#include <inttypes.h>
49#endif
50
51#if defined(POLARSSL_HAVE_TIME)
52#include <time.h>
53#endif
54
55#if defined(POLARSSL_SSL_SESSION_TICKETS)
56/* Implementation that should never be optimized out by the compiler */
57static void polarssl_zeroize( void *v, size_t n ) {
58 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
59}
60#endif
61
62#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
63static void ssl_write_hostname_ext( ssl_context *ssl,
64 unsigned char *buf,
65 size_t *olen )
66{
67 unsigned char *p = buf;
68
69 *olen = 0;
70
71 if( ssl->hostname == NULL )
72 return;
73
74 SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
75 ssl->hostname ) );
76
77 /*
78 * struct {
79 * NameType name_type;
80 * select (name_type) {
81 * case host_name: HostName;
82 * } name;
83 * } ServerName;
84 *
85 * enum {
86 * host_name(0), (255)
87 * } NameType;
88 *
89 * opaque HostName<1..2^16-1>;
90 *
91 * struct {
92 * ServerName server_name_list<1..2^16-1>
93 * } ServerNameList;
94 */
95 *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
96 *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME ) & 0xFF );
97
98 *p++ = (unsigned char)( ( (ssl->hostname_len + 5) >> 8 ) & 0xFF );
99 *p++ = (unsigned char)( ( (ssl->hostname_len + 5) ) & 0xFF );
100
101 *p++ = (unsigned char)( ( (ssl->hostname_len + 3) >> 8 ) & 0xFF );
102 *p++ = (unsigned char)( ( (ssl->hostname_len + 3) ) & 0xFF );
103
104 *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
105 *p++ = (unsigned char)( ( ssl->hostname_len >> 8 ) & 0xFF );
106 *p++ = (unsigned char)( ( ssl->hostname_len ) & 0xFF );
107
108 memcpy( p, ssl->hostname, ssl->hostname_len );
109
110 *olen = ssl->hostname_len + 9;
111}
112#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
113
114#if defined(POLARSSL_SSL_RENEGOTIATION)
115static void ssl_write_renegotiation_ext( ssl_context *ssl,
116 unsigned char *buf,
117 size_t *olen )
118{
119 unsigned char *p = buf;
120
121 *olen = 0;
122
123 if( ssl->renegotiation != SSL_RENEGOTIATION )
124 return;
125
126 SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
127
128 /*
129 * Secure renegotiation
130 */
131 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
132 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
133
134 *p++ = 0x00;
135 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
136 *p++ = ssl->verify_data_len & 0xFF;
137
138 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
139
140 *olen = 5 + ssl->verify_data_len;
141}
142#endif /* POLARSSL_SSL_RENEGOTIATION */
143
144/*
145 * Only if we handle at least one key exchange that needs signatures.
146 */
147#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
148 defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
149static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
150 unsigned char *buf,
151 size_t *olen )
152{
153 unsigned char *p = buf;
154 size_t sig_alg_len = 0;
155#if defined(POLARSSL_RSA_C) || defined(POLARSSL_ECDSA_C)
156 unsigned char *sig_alg_list = buf + 6;
157#endif
158
159 *olen = 0;
160
161 if( ssl->max_minor_ver != SSL_MINOR_VERSION_3 )
162 return;
163
164 SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
165
166 /*
167 * Prepare signature_algorithms extension (TLS 1.2)
168 */
169#if defined(POLARSSL_RSA_C)
170#if defined(POLARSSL_SHA512_C)
171 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
172 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
173 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
174 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
175#endif
176#if defined(POLARSSL_SHA256_C)
177 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
178 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
179 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
180 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
181#endif
182#if defined(POLARSSL_SHA1_C)
183 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
184 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
185#endif
186#if defined(POLARSSL_MD5_C)
187 sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
188 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
189#endif
190#endif /* POLARSSL_RSA_C */
191#if defined(POLARSSL_ECDSA_C)
192#if defined(POLARSSL_SHA512_C)
193 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
194 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
195 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
196 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
197#endif
198#if defined(POLARSSL_SHA256_C)
199 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
200 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
201 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
202 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
203#endif
204#if defined(POLARSSL_SHA1_C)
205 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
206 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
207#endif
208#if defined(POLARSSL_MD5_C)
209 sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
210 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
211#endif
212#endif /* POLARSSL_ECDSA_C */
213
214 /*
215 * enum {
216 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
217 * sha512(6), (255)
218 * } HashAlgorithm;
219 *
220 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
221 * SignatureAlgorithm;
222 *
223 * struct {
224 * HashAlgorithm hash;
225 * SignatureAlgorithm signature;
226 * } SignatureAndHashAlgorithm;
227 *
228 * SignatureAndHashAlgorithm
229 * supported_signature_algorithms<2..2^16-2>;
230 */
231 *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
232 *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG ) & 0xFF );
233
234 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
235 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
236
237 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
238 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
239
240 *olen = 6 + sig_alg_len;
241}
242#endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
243 POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
244
245#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
246static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
247 unsigned char *buf,
248 size_t *olen )
249{
250 unsigned char *p = buf;
251 unsigned char *elliptic_curve_list = p + 6;
252 size_t elliptic_curve_len = 0;
253 const ecp_curve_info *info;
254#if defined(POLARSSL_SSL_SET_CURVES)
255 const ecp_group_id *grp_id;
256#else
257 ((void) ssl);
258#endif
259
260 *olen = 0;
261
262 SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
263
264#if defined(POLARSSL_SSL_SET_CURVES)
265 for( grp_id = ssl->curve_list; *grp_id != POLARSSL_ECP_DP_NONE; grp_id++ )
266 {
267 info = ecp_curve_info_from_grp_id( *grp_id );
268#else
269 for( info = ecp_curve_list(); info->grp_id != POLARSSL_ECP_DP_NONE; info++ )
270 {
271#endif
272
273 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
274 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
275 }
276
277 if( elliptic_curve_len == 0 )
278 return;
279
280 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
281 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
282
283 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
284 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
285
286 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
287 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
288
289 *olen = 6 + elliptic_curve_len;
290}
291
292static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
293 unsigned char *buf,
294 size_t *olen )
295{
296 unsigned char *p = buf;
297 ((void) ssl);
298
299 *olen = 0;
300
301 SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
302
303 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
304 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
305
306 *p++ = 0x00;
307 *p++ = 2;
308
309 *p++ = 1;
310 *p++ = POLARSSL_ECP_PF_UNCOMPRESSED;
311
312 *olen = 6;
313}
314#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
315
316#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
317static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
318 unsigned char *buf,
319 size_t *olen )
320{
321 unsigned char *p = buf;
322
323 if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ) {
324 *olen = 0;
325 return;
326 }
327
328 SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
329
330 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
331 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
332
333 *p++ = 0x00;
334 *p++ = 1;
335
336 *p++ = ssl->mfl_code;
337
338 *olen = 5;
339}
340#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
341
342#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
343static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
344 unsigned char *buf, size_t *olen )
345{
346 unsigned char *p = buf;
347
348 if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
349 {
350 *olen = 0;
351 return;
352 }
353
354 SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
355
356 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
357 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
358
359 *p++ = 0x00;
360 *p++ = 0x00;
361
362 *olen = 4;
363}
364#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
365
366#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
367static void ssl_write_encrypt_then_mac_ext( ssl_context *ssl,
368 unsigned char *buf, size_t *olen )
369{
370 unsigned char *p = buf;
371
372 if( ssl->encrypt_then_mac == SSL_ETM_DISABLED ||
373 ssl->max_minor_ver == SSL_MINOR_VERSION_0 )
374 {
375 *olen = 0;
376 return;
377 }
378
379 SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
380 "extension" ) );
381
382 *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
383 *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
384
385 *p++ = 0x00;
386 *p++ = 0x00;
387
388 *olen = 4;
389}
390#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
391
392#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
393static void ssl_write_extended_ms_ext( ssl_context *ssl,
394 unsigned char *buf, size_t *olen )
395{
396 unsigned char *p = buf;
397
398 if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED ||
399 ssl->max_minor_ver == SSL_MINOR_VERSION_0 )
400 {
401 *olen = 0;
402 return;
403 }
404
405 SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
406 "extension" ) );
407
408 *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
409 *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
410
411 *p++ = 0x00;
412 *p++ = 0x00;
413
414 *olen = 4;
415}
416#endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
417
418#if defined(POLARSSL_SSL_SESSION_TICKETS)
419static void ssl_write_session_ticket_ext( ssl_context *ssl,
420 unsigned char *buf, size_t *olen )
421{
422 unsigned char *p = buf;
423 size_t tlen = ssl->session_negotiate->ticket_len;
424
425 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
426 {
427 *olen = 0;
428 return;
429 }
430
431 SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
432
433 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
434 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
435
436 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
437 *p++ = (unsigned char)( ( tlen ) & 0xFF );
438
439 *olen = 4;
440
441 if( ssl->session_negotiate->ticket == NULL ||
442 ssl->session_negotiate->ticket_len == 0 )
443 {
444 return;
445 }
446
447 SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
448
449 memcpy( p, ssl->session_negotiate->ticket, tlen );
450
451 *olen += tlen;
452}
453#endif /* POLARSSL_SSL_SESSION_TICKETS */
454
455#if defined(POLARSSL_SSL_ALPN)
456static void ssl_write_alpn_ext( ssl_context *ssl,
457 unsigned char *buf, size_t *olen )
458{
459 unsigned char *p = buf;
460 const char **cur;
461
462 if( ssl->alpn_list == NULL )
463 {
464 *olen = 0;
465 return;
466 }
467
468 SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
469
470 *p++ = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF );
471 *p++ = (unsigned char)( ( TLS_EXT_ALPN ) & 0xFF );
472
473 /*
474 * opaque ProtocolName<1..2^8-1>;
475 *
476 * struct {
477 * ProtocolName protocol_name_list<2..2^16-1>
478 * } ProtocolNameList;
479 */
480
481 /* Skip writing extension and list length for now */
482 p += 4;
483
484 for( cur = ssl->alpn_list; *cur != NULL; cur++ )
485 {
486 *p = (unsigned char)( strlen( *cur ) & 0xFF );
487 memcpy( p + 1, *cur, *p );
488 p += 1 + *p;
489 }
490
491 *olen = p - buf;
492
493 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
494 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
495 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
496
497 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
498 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
499 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
500}
501#endif /* POLARSSL_SSL_ALPN */
502
503static int ssl_write_client_hello( ssl_context *ssl )
504{
505 int ret;
506 size_t i, n, olen, ext_len = 0;
507 unsigned char *buf;
508 unsigned char *p, *q;
509#if defined(POLARSSL_HAVE_TIME)
510 time_t t;
511#endif
512 const int *ciphersuites;
513 const ssl_ciphersuite_t *ciphersuite_info;
514
515 SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
516
517 if( ssl->f_rng == NULL )
518 {
519 SSL_DEBUG_MSG( 1, ( "no RNG provided") );
520 return( POLARSSL_ERR_SSL_NO_RNG );
521 }
522
523#if defined(POLARSSL_SSL_RENEGOTIATION)
524 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
525#endif
526 {
527 ssl->major_ver = ssl->min_major_ver;
528 ssl->minor_ver = ssl->min_minor_ver;
529 }
530
531 if( ssl->max_major_ver == 0 && ssl->max_minor_ver == 0 )
532 {
533 ssl->max_major_ver = SSL_MAX_MAJOR_VERSION;
534 ssl->max_minor_ver = SSL_MAX_MINOR_VERSION;
535 }
536
537 /*
538 * 0 . 0 handshake type
539 * 1 . 3 handshake length
540 * 4 . 5 highest version supported
541 * 6 . 9 current UNIX time
542 * 10 . 37 random bytes
543 */
544 buf = ssl->out_msg;
545 p = buf + 4;
546
547 *p++ = (unsigned char) ssl->max_major_ver;
548 *p++ = (unsigned char) ssl->max_minor_ver;
549
550 SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
551 buf[4], buf[5] ) );
552
553#if defined(POLARSSL_HAVE_TIME)
554 t = time( NULL );
555 *p++ = (unsigned char)( t >> 24 );
556 *p++ = (unsigned char)( t >> 16 );
557 *p++ = (unsigned char)( t >> 8 );
558 *p++ = (unsigned char)( t );
559
560 SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
561#else
562 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
563 return( ret );
564
565 p += 4;
566#endif /* POLARSSL_HAVE_TIME */
567
568 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
569 return( ret );
570
571 p += 28;
572
573 memcpy( ssl->handshake->randbytes, buf + 6, 32 );
574
575 SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 6, 32 );
576
577 /*
578 * 38 . 38 session id length
579 * 39 . 39+n session id
580 * 40+n . 41+n ciphersuitelist length
581 * 42+n . .. ciphersuitelist
582 * .. . .. compression methods length
583 * .. . .. compression methods
584 * .. . .. extensions length
585 * .. . .. extensions
586 */
587 n = ssl->session_negotiate->length;
588
589 if( n < 16 || n > 32 ||
590#if defined(POLARSSL_SSL_RENEGOTIATION)
591 ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
592#endif
593 ssl->handshake->resume == 0 )
594 {
595 n = 0;
596 }
597
598#if defined(POLARSSL_SSL_SESSION_TICKETS)
599 /*
600 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
601 * generate and include a Session ID in the TLS ClientHello."
602 */
603#if defined(POLARSSL_SSL_RENEGOTIATION)
604 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
605#endif
606 {
607 if( ssl->session_negotiate->ticket != NULL &&
608 ssl->session_negotiate->ticket_len != 0 )
609 {
610 ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );
611
612 if( ret != 0 )
613 return( ret );
614
615 ssl->session_negotiate->length = n = 32;
616 }
617 }
618#endif /* POLARSSL_SSL_SESSION_TICKETS */
619
620 *p++ = (unsigned char) n;
621
622 for( i = 0; i < n; i++ )
623 *p++ = ssl->session_negotiate->id[i];
624
625 SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
626 SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
627
628 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
629 n = 0;
630 q = p;
631
632 // Skip writing ciphersuite length for now
633 p += 2;
634
635 for( i = 0; ciphersuites[i] != 0; i++ )
636 {
637 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
638
639 if( ciphersuite_info == NULL )
640 continue;
641
642 if( ciphersuite_info->min_minor_ver > ssl->max_minor_ver ||
643 ciphersuite_info->max_minor_ver < ssl->min_minor_ver )
644 continue;
645
646 if( ssl->arc4_disabled == SSL_ARC4_DISABLED &&
647 ciphersuite_info->cipher == POLARSSL_CIPHER_ARC4_128 )
648 continue;
649
650 SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
651 ciphersuites[i] ) );
652
653 n++;
654 *p++ = (unsigned char)( ciphersuites[i] >> 8 );
655 *p++ = (unsigned char)( ciphersuites[i] );
656 }
657
658 /*
659 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
660 */
661#if defined(POLARSSL_SSL_RENEGOTIATION)
662 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
663#endif
664 {
665 *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
666 *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO );
667 n++;
668 }
669
670 /* Some versions of OpenSSL don't handle it correctly if not at end */
671#if defined(POLARSSL_SSL_FALLBACK_SCSV)
672 if( ssl->fallback == SSL_IS_FALLBACK )
673 {
674 SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
675 *p++ = (unsigned char)( SSL_FALLBACK_SCSV >> 8 );
676 *p++ = (unsigned char)( SSL_FALLBACK_SCSV );
677 n++;
678 }
679#endif
680
681 *q++ = (unsigned char)( n >> 7 );
682 *q++ = (unsigned char)( n << 1 );
683
684 SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
685
686
687#if defined(POLARSSL_ZLIB_SUPPORT)
688 SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
689 SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
690 SSL_COMPRESS_DEFLATE, SSL_COMPRESS_NULL ) );
691
692 *p++ = 2;
693 *p++ = SSL_COMPRESS_DEFLATE;
694 *p++ = SSL_COMPRESS_NULL;
695#else
696 SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
697 SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", SSL_COMPRESS_NULL ) );
698
699 *p++ = 1;
700 *p++ = SSL_COMPRESS_NULL;
701#endif /* POLARSSL_ZLIB_SUPPORT */
702
703 // First write extensions, then the total length
704 //
705#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
706 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
707 ext_len += olen;
708#endif
709
710#if defined(POLARSSL_SSL_RENEGOTIATION)
711 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
712 ext_len += olen;
713#endif
714
715#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
716 defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
717 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
718 ext_len += olen;
719#endif
720
721#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
722 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
723 ext_len += olen;
724
725 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
726 ext_len += olen;
727#endif
728
729#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
730 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
731 ext_len += olen;
732#endif
733
734#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
735 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
736 ext_len += olen;
737#endif
738
739#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
740 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
741 ext_len += olen;
742#endif
743
744#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
745 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
746 ext_len += olen;
747#endif
748
749#if defined(POLARSSL_SSL_SESSION_TICKETS)
750 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
751 ext_len += olen;
752#endif
753
754#if defined(POLARSSL_SSL_ALPN)
755 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
756 ext_len += olen;
757#endif
758
759 /* olen unused if all extensions are disabled */
760 ((void) olen);
761
762 SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
763 ext_len ) );
764
765 if( ext_len > 0 )
766 {
767 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
768 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
769 p += ext_len;
770 }
771
772 ssl->out_msglen = p - buf;
773 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
774 ssl->out_msg[0] = SSL_HS_CLIENT_HELLO;
775
776 ssl->state++;
777
778 if( ( ret = ssl_write_record( ssl ) ) != 0 )
779 {
780 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
781 return( ret );
782 }
783
784 SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
785
786 return( 0 );
787}
788
789static int ssl_parse_renegotiation_info( ssl_context *ssl,
790 const unsigned char *buf,
791 size_t len )
792{
793 int ret;
794
795#if defined(POLARSSL_SSL_RENEGOTIATION)
796 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
797 {
798 /* Check verify-data in constant-time. The length OTOH is no secret */
799 if( len != 1 + ssl->verify_data_len * 2 ||
800 buf[0] != ssl->verify_data_len * 2 ||
801 safer_memcmp( buf + 1,
802 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
803 safer_memcmp( buf + 1 + ssl->verify_data_len,
804 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
805 {
806 SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
807
808 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
809 return( ret );
810
811 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
812 }
813 }
814 else
815#endif /* POLARSSL_SSL_RENEGOTIATION */
816 {
817 if( len != 1 || buf[0] != 0x00 )
818 {
819 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
820
821 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
822 return( ret );
823
824 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
825 }
826
827 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
828 }
829
830 return( 0 );
831}
832
833#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
834static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
835 const unsigned char *buf,
836 size_t len )
837{
838 /*
839 * server should use the extension only if we did,
840 * and if so the server's value should match ours (and len is always 1)
841 */
842 if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ||
843 len != 1 ||
844 buf[0] != ssl->mfl_code )
845 {
846 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
847 }
848
849 return( 0 );
850}
851#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
852
853#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
854static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
855 const unsigned char *buf,
856 size_t len )
857{
858 if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED ||
859 len != 0 )
860 {
861 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
862 }
863
864 ((void) buf);
865
866 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
867
868 return( 0 );
869}
870#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
871
872#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
873static int ssl_parse_encrypt_then_mac_ext( ssl_context *ssl,
874 const unsigned char *buf,
875 size_t len )
876{
877 if( ssl->encrypt_then_mac == SSL_ETM_DISABLED ||
878 ssl->minor_ver == SSL_MINOR_VERSION_0 ||
879 len != 0 )
880 {
881 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
882 }
883
884 ((void) buf);
885
886 ssl->session_negotiate->encrypt_then_mac = SSL_ETM_ENABLED;
887
888 return( 0 );
889}
890#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
891
892#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
893static int ssl_parse_extended_ms_ext( ssl_context *ssl,
894 const unsigned char *buf,
895 size_t len )
896{
897 if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED ||
898 ssl->minor_ver == SSL_MINOR_VERSION_0 ||
899 len != 0 )
900 {
901 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
902 }
903
904 ((void) buf);
905
906 ssl->handshake->extended_ms = SSL_EXTENDED_MS_ENABLED;
907
908 return( 0 );
909}
910#endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
911
912#if defined(POLARSSL_SSL_SESSION_TICKETS)
913static int ssl_parse_session_ticket_ext( ssl_context *ssl,
914 const unsigned char *buf,
915 size_t len )
916{
917 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED ||
918 len != 0 )
919 {
920 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
921 }
922
923 ((void) buf);
924
925 ssl->handshake->new_session_ticket = 1;
926
927 return( 0 );
928}
929#endif /* POLARSSL_SSL_SESSION_TICKETS */
930
931#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
932static int ssl_parse_supported_point_formats_ext( ssl_context *ssl,
933 const unsigned char *buf,
934 size_t len )
935{
936 size_t list_size;
937 const unsigned char *p;
938
939 list_size = buf[0];
940 if( list_size + 1 != len )
941 {
942 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
943 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
944 }
945
946 p = buf + 1;
947 while( list_size > 0 )
948 {
949 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
950 p[0] == POLARSSL_ECP_PF_COMPRESSED )
951 {
952 ssl->handshake->ecdh_ctx.point_format = p[0];
953 SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
954 return( 0 );
955 }
956
957 list_size--;
958 p++;
959 }
960
961 SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
962 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
963}
964#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
965
966#if defined(POLARSSL_SSL_ALPN)
967static int ssl_parse_alpn_ext( ssl_context *ssl,
968 const unsigned char *buf, size_t len )
969{
970 size_t list_len, name_len;
971 const char **p;
972
973 /* If we didn't send it, the server shouldn't send it */
974 if( ssl->alpn_list == NULL )
975 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
976
977 /*
978 * opaque ProtocolName<1..2^8-1>;
979 *
980 * struct {
981 * ProtocolName protocol_name_list<2..2^16-1>
982 * } ProtocolNameList;
983 *
984 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
985 */
986
987 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
988 if( len < 4 )
989 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
990
991 list_len = ( buf[0] << 8 ) | buf[1];
992 if( list_len != len - 2 )
993 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
994
995 name_len = buf[2];
996 if( name_len != list_len - 1 )
997 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
998
999 /* Check that the server chosen protocol was in our list and save it */
1000 for( p = ssl->alpn_list; *p != NULL; p++ )
1001 {
1002 if( name_len == strlen( *p ) &&
1003 memcmp( buf + 3, *p, name_len ) == 0 )
1004 {
1005 ssl->alpn_chosen = *p;
1006 return( 0 );
1007 }
1008 }
1009
1010 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
1011}
1012#endif /* POLARSSL_SSL_ALPN */
1013
1014static int ssl_parse_server_hello( ssl_context *ssl )
1015{
1016 int ret, i, comp;
1017 size_t n;
1018 size_t ext_len;
1019 unsigned char *buf, *ext;
1020#if defined(POLARSSL_SSL_RENEGOTIATION)
1021 int renegotiation_info_seen = 0;
1022#endif
1023 int handshake_failure = 0;
1024 const ssl_ciphersuite_t *suite_info;
1025#if defined(POLARSSL_DEBUG_C)
1026 uint32_t t;
1027#endif
1028
1029 SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
1030
1031 /*
1032 * 0 . 0 handshake type
1033 * 1 . 3 handshake length
1034 * 4 . 5 protocol version
1035 * 6 . 9 UNIX time()
1036 * 10 . 37 random bytes
1037 */
1038 buf = ssl->in_msg;
1039
1040 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1041 {
1042 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1043 return( ret );
1044 }
1045
1046 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1047 {
1048#if defined(POLARSSL_SSL_RENEGOTIATION)
1049 if( ssl->renegotiation == SSL_RENEGOTIATION )
1050 {
1051 ssl->renego_records_seen++;
1052
1053 if( ssl->renego_max_records >= 0 &&
1054 ssl->renego_records_seen > ssl->renego_max_records )
1055 {
1056 SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
1057 "but not honored by server" ) );
1058 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
1059 }
1060
1061 SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
1062 return( POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
1063 }
1064#endif /* POLARSSL_SSL_RENEGOTIATION */
1065
1066 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1067 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
1068 }
1069
1070 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
1071 buf[4], buf[5] ) );
1072
1073 if( ssl->in_hslen < 42 ||
1074 buf[0] != SSL_HS_SERVER_HELLO ||
1075 buf[4] != SSL_MAJOR_VERSION_3 )
1076 {
1077 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1078 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
1079 }
1080
1081 if( buf[5] > ssl->max_minor_ver )
1082 {
1083 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1084 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
1085 }
1086
1087 ssl->minor_ver = buf[5];
1088
1089 if( ssl->minor_ver < ssl->min_minor_ver )
1090 {
1091 SSL_DEBUG_MSG( 1, ( "server only supports ssl smaller than minimum"
1092 " [%d:%d] < [%d:%d]", ssl->major_ver,
1093 ssl->minor_ver, buf[4], buf[5] ) );
1094
1095 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1096 SSL_ALERT_MSG_PROTOCOL_VERSION );
1097
1098 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1099 }
1100
1101#if defined(POLARSSL_DEBUG_C)
1102 t = ( (uint32_t) buf[6] << 24 )
1103 | ( (uint32_t) buf[7] << 16 )
1104 | ( (uint32_t) buf[8] << 8 )
1105 | ( (uint32_t) buf[9] );
1106 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
1107#endif
1108
1109 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
1110
1111 n = buf[38];
1112
1113 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
1114
1115 if( n > 32 )
1116 {
1117 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1118 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
1119 }
1120
1121 /*
1122 * 38 . 38 session id length
1123 * 39 . 38+n session id
1124 * 39+n . 40+n chosen ciphersuite
1125 * 41+n . 41+n chosen compression alg.
1126 * 42+n . 43+n extensions length
1127 * 44+n . 44+n+m extensions
1128 */
1129 if( ssl->in_hslen > 43 + n )
1130 {
1131 ext_len = ( ( buf[42 + n] << 8 )
1132 | ( buf[43 + n] ) );
1133
1134 if( ( ext_len > 0 && ext_len < 4 ) ||
1135 ssl->in_hslen != 44 + n + ext_len )
1136 {
1137 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1138 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
1139 }
1140 }
1141 else if( ssl->in_hslen == 42 + n )
1142 {
1143 ext_len = 0;
1144 }
1145 else
1146 {
1147 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1148 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
1149 }
1150
1151 i = ( buf[39 + n] << 8 ) | buf[40 + n];
1152 comp = buf[41 + n];
1153
1154 /*
1155 * Initialize update checksum functions
1156 */
1157 ssl->transform_negotiate->ciphersuite_info = ssl_ciphersuite_from_id( i );
1158
1159 if( ssl->transform_negotiate->ciphersuite_info == NULL )
1160 {
1161 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
1162 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
1163 }
1164
1165 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
1166
1167 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1168 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
1169
1170 /*
1171 * Check if the session can be resumed
1172 */
1173 if( ssl->handshake->resume == 0 || n == 0 ||
1174#if defined(POLARSSL_SSL_RENEGOTIATION)
1175 ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
1176#endif
1177 ssl->session_negotiate->ciphersuite != i ||
1178 ssl->session_negotiate->compression != comp ||
1179 ssl->session_negotiate->length != n ||
1180 memcmp( ssl->session_negotiate->id, buf + 39, n ) != 0 )
1181 {
1182 ssl->state++;
1183 ssl->handshake->resume = 0;
1184#if defined(POLARSSL_HAVE_TIME)
1185 ssl->session_negotiate->start = time( NULL );
1186#endif
1187 ssl->session_negotiate->ciphersuite = i;
1188 ssl->session_negotiate->compression = comp;
1189 ssl->session_negotiate->length = n;
1190 memcpy( ssl->session_negotiate->id, buf + 39, n );
1191 }
1192 else
1193 {
1194 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
1195
1196 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1197 {
1198 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1199 return( ret );
1200 }
1201 }
1202
1203 SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
1204 ssl->handshake->resume ? "a" : "no" ) );
1205
1206 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) );
1207 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) );
1208
1209 suite_info = ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
1210 if( suite_info == NULL ||
1211 ( ssl->arc4_disabled &&
1212 suite_info->cipher == POLARSSL_CIPHER_ARC4_128 ) )
1213 {
1214 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1215 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
1216 }
1217
1218
1219 i = 0;
1220 while( 1 )
1221 {
1222 if( ssl->ciphersuite_list[ssl->minor_ver][i] == 0 )
1223 {
1224 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1225 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
1226 }
1227
1228 if( ssl->ciphersuite_list[ssl->minor_ver][i++] ==
1229 ssl->session_negotiate->ciphersuite )
1230 {
1231 break;
1232 }
1233 }
1234
1235 if( comp != SSL_COMPRESS_NULL
1236#if defined(POLARSSL_ZLIB_SUPPORT)
1237 && comp != SSL_COMPRESS_DEFLATE
1238#endif
1239 )
1240 {
1241 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1242 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
1243 }
1244 ssl->session_negotiate->compression = comp;
1245
1246 ext = buf + 44 + n;
1247
1248 SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
1249
1250 while( ext_len )
1251 {
1252 unsigned int ext_id = ( ( ext[0] << 8 )
1253 | ( ext[1] ) );
1254 unsigned int ext_size = ( ( ext[2] << 8 )
1255 | ( ext[3] ) );
1256
1257 if( ext_size + 4 > ext_len )
1258 {
1259 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1260 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
1261 }
1262
1263 switch( ext_id )
1264 {
1265 case TLS_EXT_RENEGOTIATION_INFO:
1266 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1267#if defined(POLARSSL_SSL_RENEGOTIATION)
1268 renegotiation_info_seen = 1;
1269#endif
1270
1271 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
1272 ext_size ) ) != 0 )
1273 return( ret );
1274
1275 break;
1276
1277#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1278 case TLS_EXT_MAX_FRAGMENT_LENGTH:
1279 SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
1280
1281 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
1282 ext + 4, ext_size ) ) != 0 )
1283 {
1284 return( ret );
1285 }
1286
1287 break;
1288#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
1289
1290#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1291 case TLS_EXT_TRUNCATED_HMAC:
1292 SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
1293
1294 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
1295 ext + 4, ext_size ) ) != 0 )
1296 {
1297 return( ret );
1298 }
1299
1300 break;
1301#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
1302
1303#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
1304 case TLS_EXT_ENCRYPT_THEN_MAC:
1305 SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
1306
1307 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
1308 ext + 4, ext_size ) ) != 0 )
1309 {
1310 return( ret );
1311 }
1312
1313 break;
1314#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
1315
1316#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
1317 case TLS_EXT_EXTENDED_MASTER_SECRET:
1318 SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) );
1319
1320 if( ( ret = ssl_parse_extended_ms_ext( ssl,
1321 ext + 4, ext_size ) ) != 0 )
1322 {
1323 return( ret );
1324 }
1325
1326 break;
1327#endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
1328
1329#if defined(POLARSSL_SSL_SESSION_TICKETS)
1330 case TLS_EXT_SESSION_TICKET:
1331 SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
1332
1333 if( ( ret = ssl_parse_session_ticket_ext( ssl,
1334 ext + 4, ext_size ) ) != 0 )
1335 {
1336 return( ret );
1337 }
1338
1339 break;
1340#endif /* POLARSSL_SSL_SESSION_TICKETS */
1341
1342#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1343 case TLS_EXT_SUPPORTED_POINT_FORMATS:
1344 SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
1345
1346 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
1347 ext + 4, ext_size ) ) != 0 )
1348 {
1349 return( ret );
1350 }
1351
1352 break;
1353#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1354
1355#if defined(POLARSSL_SSL_ALPN)
1356 case TLS_EXT_ALPN:
1357 SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1358
1359 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
1360 return( ret );
1361
1362 break;
1363#endif /* POLARSSL_SSL_ALPN */
1364
1365 default:
1366 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1367 ext_id ) );
1368 }
1369
1370 ext_len -= 4 + ext_size;
1371 ext += 4 + ext_size;
1372
1373 if( ext_len > 0 && ext_len < 4 )
1374 {
1375 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1376 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
1377 }
1378 }
1379
1380 /*
1381 * Renegotiation security checks
1382 */
1383 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1384 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
1385 {
1386 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1387 handshake_failure = 1;
1388 }
1389#if defined(POLARSSL_SSL_RENEGOTIATION)
1390 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1391 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
1392 renegotiation_info_seen == 0 )
1393 {
1394 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1395 handshake_failure = 1;
1396 }
1397 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1398 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1399 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
1400 {
1401 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1402 handshake_failure = 1;
1403 }
1404 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1405 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1406 renegotiation_info_seen == 1 )
1407 {
1408 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1409 handshake_failure = 1;
1410 }
1411#endif /* POLARSSL_SSL_RENEGOTIATION */
1412
1413 if( handshake_failure == 1 )
1414 {
1415 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1416 return( ret );
1417
1418 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
1419 }
1420
1421 SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
1422
1423 return( 0 );
1424}
1425
1426#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1427 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1428static int ssl_parse_server_dh_params( ssl_context *ssl, unsigned char **p,
1429 unsigned char *end )
1430{
1431 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1432
1433 /*
1434 * Ephemeral DH parameters:
1435 *
1436 * struct {
1437 * opaque dh_p<1..2^16-1>;
1438 * opaque dh_g<1..2^16-1>;
1439 * opaque dh_Ys<1..2^16-1>;
1440 * } ServerDHParams;
1441 */
1442 if( ( ret = dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
1443 {
1444 SSL_DEBUG_RET( 2, ( "dhm_read_params" ), ret );
1445 return( ret );
1446 }
1447
1448 if( ssl->handshake->dhm_ctx.len < SSL_MIN_DHM_BYTES ||
1449 ssl->handshake->dhm_ctx.len > 512 )
1450 {
1451 SSL_DEBUG_MSG( 1, ( "bad server key exchange message (DHM length)" ) );
1452 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1453 }
1454
1455 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1456 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1457 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
1458
1459 return( ret );
1460}
1461#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1462 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1463
1464#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1465 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1466 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1467 defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1468 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1469static int ssl_check_server_ecdh_params( const ssl_context *ssl )
1470{
1471 const ecp_curve_info *curve_info;
1472
1473 curve_info = ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id );
1474 if( curve_info == NULL )
1475 {
1476 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1477 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1478 }
1479
1480 SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
1481
1482#if defined(POLARSSL_SSL_SET_CURVES)
1483 if( ! ssl_curve_is_acceptable( ssl, ssl->handshake->ecdh_ctx.grp.id ) )
1484#else
1485 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
1486 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
1487#endif
1488 return( -1 );
1489
1490 SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp );
1491
1492 return( 0 );
1493}
1494#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1495 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1496 POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1497 POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
1498 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1499
1500#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1501 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1502 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1503static int ssl_parse_server_ecdh_params( ssl_context *ssl,
1504 unsigned char **p,
1505 unsigned char *end )
1506{
1507 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1508
1509 /*
1510 * Ephemeral ECDH parameters:
1511 *
1512 * struct {
1513 * ECParameters curve_params;
1514 * ECPoint public;
1515 * } ServerECDHParams;
1516 */
1517 if( ( ret = ecdh_read_params( &ssl->handshake->ecdh_ctx,
1518 (const unsigned char **) p, end ) ) != 0 )
1519 {
1520 SSL_DEBUG_RET( 1, ( "ecdh_read_params" ), ret );
1521 return( ret );
1522 }
1523
1524 if( ssl_check_server_ecdh_params( ssl ) != 0 )
1525 {
1526 SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
1527 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1528 }
1529
1530 return( ret );
1531}
1532#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1533 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1534 POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
1535
1536#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
1537static int ssl_parse_server_psk_hint( ssl_context *ssl,
1538 unsigned char **p,
1539 unsigned char *end )
1540{
1541 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1542 size_t len;
1543 ((void) ssl);
1544
1545 /*
1546 * PSK parameters:
1547 *
1548 * opaque psk_identity_hint<0..2^16-1>;
1549 */
1550 len = (*p)[0] << 8 | (*p)[1];
1551 *p += 2;
1552
1553 if( (*p) + len > end )
1554 {
1555 SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) );
1556 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1557 }
1558
1559 // TODO: Retrieve PSK identity hint and callback to app
1560 //
1561 *p += len;
1562 ret = 0;
1563
1564 return( ret );
1565}
1566#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
1567
1568#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
1569 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
1570/*
1571 * Generate a pre-master secret and encrypt it with the server's RSA key
1572 */
1573static int ssl_write_encrypted_pms( ssl_context *ssl,
1574 size_t offset, size_t *olen,
1575 size_t pms_offset )
1576{
1577 int ret;
1578 size_t len_bytes = ssl->minor_ver == SSL_MINOR_VERSION_0 ? 0 : 2;
1579 unsigned char *p = ssl->handshake->premaster + pms_offset;
1580
1581 if( offset + len_bytes > SSL_MAX_CONTENT_LEN )
1582 {
1583 SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
1584 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
1585 }
1586
1587 /*
1588 * Generate (part of) the pre-master as
1589 * struct {
1590 * ProtocolVersion client_version;
1591 * opaque random[46];
1592 * } PreMasterSecret;
1593 */
1594 p[0] = (unsigned char) ssl->max_major_ver;
1595 p[1] = (unsigned char) ssl->max_minor_ver;
1596
1597 if( ( ret = ssl->f_rng( ssl->p_rng, p + 2, 46 ) ) != 0 )
1598 {
1599 SSL_DEBUG_RET( 1, "f_rng", ret );
1600 return( ret );
1601 }
1602
1603 ssl->handshake->pmslen = 48;
1604
1605 /*
1606 * Now write it out, encrypted
1607 */
1608 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
1609 POLARSSL_PK_RSA ) )
1610 {
1611 SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
1612 return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH );
1613 }
1614
1615 if( ( ret = pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
1616 p, ssl->handshake->pmslen,
1617 ssl->out_msg + offset + len_bytes, olen,
1618 SSL_MAX_CONTENT_LEN - offset - len_bytes,
1619 ssl->f_rng, ssl->p_rng ) ) != 0 )
1620 {
1621 SSL_DEBUG_RET( 1, "rsa_pkcs1_encrypt", ret );
1622 return( ret );
1623 }
1624
1625#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1626 defined(POLARSSL_SSL_PROTO_TLS1_2)
1627 if( len_bytes == 2 )
1628 {
1629 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
1630 ssl->out_msg[offset+1] = (unsigned char)( *olen );
1631 *olen += 2;
1632 }
1633#endif
1634
1635 return( 0 );
1636}
1637#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED ||
1638 POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
1639
1640#if defined(POLARSSL_SSL_PROTO_TLS1_2)
1641#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1642 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1643 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1644static int ssl_parse_signature_algorithm( ssl_context *ssl,
1645 unsigned char **p,
1646 unsigned char *end,
1647 md_type_t *md_alg,
1648 pk_type_t *pk_alg )
1649{
1650 ((void) ssl);
1651 *md_alg = POLARSSL_MD_NONE;
1652 *pk_alg = POLARSSL_PK_NONE;
1653
1654 /* Only in TLS 1.2 */
1655 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
1656 {
1657 return( 0 );
1658 }
1659
1660 if( (*p) + 2 > end )
1661 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1662
1663 /*
1664 * Get hash algorithm
1665 */
1666 if( ( *md_alg = ssl_md_alg_from_hash( (*p)[0] ) ) == POLARSSL_MD_NONE )
1667 {
1668 SSL_DEBUG_MSG( 2, ( "Server used unsupported "
1669 "HashAlgorithm %d", *(p)[0] ) );
1670 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1671 }
1672
1673 /*
1674 * Get signature algorithm
1675 */
1676 if( ( *pk_alg = ssl_pk_alg_from_sig( (*p)[1] ) ) == POLARSSL_PK_NONE )
1677 {
1678 SSL_DEBUG_MSG( 2, ( "server used unsupported "
1679 "SignatureAlgorithm %d", (*p)[1] ) );
1680 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1681 }
1682
1683 SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
1684 SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
1685 *p += 2;
1686
1687 return( 0 );
1688}
1689#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1690 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1691 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1692#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1693
1694
1695#if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1696 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1697static int ssl_get_ecdh_params_from_cert( ssl_context *ssl )
1698{
1699 int ret;
1700 const ecp_keypair *peer_key;
1701
1702 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
1703 POLARSSL_PK_ECKEY ) )
1704 {
1705 SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
1706 return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH );
1707 }
1708
1709 peer_key = pk_ec( ssl->session_negotiate->peer_cert->pk );
1710
1711 if( ( ret = ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
1712 POLARSSL_ECDH_THEIRS ) ) != 0 )
1713 {
1714 SSL_DEBUG_RET( 1, ( "ecdh_get_params" ), ret );
1715 return( ret );
1716 }
1717
1718 if( ssl_check_server_ecdh_params( ssl ) != 0 )
1719 {
1720 SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
1721 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
1722 }
1723
1724 return( ret );
1725}
1726#endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
1727 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1728
1729static int ssl_parse_server_key_exchange( ssl_context *ssl )
1730{
1731 int ret;
1732 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1733 unsigned char *p, *end;
1734#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1735 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1736 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1737 size_t sig_len, params_len;
1738 unsigned char hash[64];
1739 md_type_t md_alg = POLARSSL_MD_NONE;
1740 size_t hashlen;
1741 pk_type_t pk_alg = POLARSSL_PK_NONE;
1742#endif
1743
1744 SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
1745
1746#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
1747 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
1748 {
1749 SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
1750 ssl->state++;
1751 return( 0 );
1752 }
1753 ((void) p);
1754 ((void) end);
1755#endif
1756
1757#if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1758 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1759 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
1760 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
1761 {
1762 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
1763 {
1764 SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
1765 return( ret );
1766 }
1767
1768 SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
1769 ssl->state++;
1770 return( 0 );
1771 }
1772 ((void) p);
1773 ((void) end);
1774#endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
1775 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1776
1777 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1778 {
1779 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1780 return( ret );
1781 }
1782
1783 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1784 {
1785 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1786 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
1787 }
1788
1789 /*
1790 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
1791 * doesn't use a psk_identity_hint
1792 */
1793 if( ssl->in_msg[0] != SSL_HS_SERVER_KEY_EXCHANGE )
1794 {
1795 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1796 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
1797 {
1798 ssl->record_read = 1;
1799 goto exit;
1800 }
1801
1802 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1803 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
1804 }
1805
1806 p = ssl->in_msg + 4;
1807 end = ssl->in_msg + ssl->in_hslen;
1808 SSL_DEBUG_BUF( 3, "server key exchange", p, ssl->in_hslen - 4 );
1809
1810#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
1811 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1812 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
1813 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1814 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1815 {
1816 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
1817 {
1818 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1819 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1820 }
1821 } /* FALLTROUGH */
1822#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
1823
1824#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
1825 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
1826 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1827 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
1828 ; /* nothing more to do */
1829 else
1830#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED ||
1831 POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
1832#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1833 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1834 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1835 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1836 {
1837 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
1838 {
1839 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1840 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1841 }
1842 }
1843 else
1844#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1845 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1846#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1847 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1848 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1849 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
1850 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
1851 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
1852 {
1853 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
1854 {
1855 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1856 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1857 }
1858 }
1859 else
1860#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1861 POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1862 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1863 {
1864 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1865 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1866 }
1867
1868#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1869 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1870 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1871 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1872 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
1873 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
1874 {
1875 params_len = p - ( ssl->in_msg + 4 );
1876
1877 /*
1878 * Handle the digitally-signed structure
1879 */
1880#if defined(POLARSSL_SSL_PROTO_TLS1_2)
1881 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1882 {
1883 if( ssl_parse_signature_algorithm( ssl, &p, end,
1884 &md_alg, &pk_alg ) != 0 )
1885 {
1886 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1887 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1888 }
1889
1890 if( pk_alg != ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
1891 {
1892 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1893 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1894 }
1895 }
1896 else
1897#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1898#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
1899 defined(POLARSSL_SSL_PROTO_TLS1_1)
1900 if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
1901 {
1902 pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
1903
1904 /* Default hash for ECDSA is SHA-1 */
1905 if( pk_alg == POLARSSL_PK_ECDSA && md_alg == POLARSSL_MD_NONE )
1906 md_alg = POLARSSL_MD_SHA1;
1907 }
1908 else
1909#endif
1910 {
1911 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1912 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1913 }
1914
1915 /*
1916 * Read signature
1917 */
1918 sig_len = ( p[0] << 8 ) | p[1];
1919 p += 2;
1920
1921 if( end != p + sig_len )
1922 {
1923 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
1924 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1925 }
1926
1927 SSL_DEBUG_BUF( 3, "signature", p, sig_len );
1928
1929 /*
1930 * Compute the hash that has been signed
1931 */
1932#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
1933 defined(POLARSSL_SSL_PROTO_TLS1_1)
1934 if( md_alg == POLARSSL_MD_NONE )
1935 {
1936 md5_context md5;
1937 sha1_context sha1;
1938
1939 md5_init( &md5 );
1940 sha1_init( &sha1 );
1941
1942 hashlen = 36;
1943
1944 /*
1945 * digitally-signed struct {
1946 * opaque md5_hash[16];
1947 * opaque sha_hash[20];
1948 * };
1949 *
1950 * md5_hash
1951 * MD5(ClientHello.random + ServerHello.random
1952 * + ServerParams);
1953 * sha_hash
1954 * SHA(ClientHello.random + ServerHello.random
1955 * + ServerParams);
1956 */
1957 md5_starts( &md5 );
1958 md5_update( &md5, ssl->handshake->randbytes, 64 );
1959 md5_update( &md5, ssl->in_msg + 4, params_len );
1960 md5_finish( &md5, hash );
1961
1962 sha1_starts( &sha1 );
1963 sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1964 sha1_update( &sha1, ssl->in_msg + 4, params_len );
1965 sha1_finish( &sha1, hash + 16 );
1966
1967 md5_free( &md5 );
1968 sha1_free( &sha1 );
1969 }
1970 else
1971#endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
1972 POLARSSL_SSL_PROTO_TLS1_1 */
1973#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1974 defined(POLARSSL_SSL_PROTO_TLS1_2)
1975 if( md_alg != POLARSSL_MD_NONE )
1976 {
1977 md_context_t ctx;
1978
1979 md_init( &ctx );
1980
1981 /* Info from md_alg will be used instead */
1982 hashlen = 0;
1983
1984 /*
1985 * digitally-signed struct {
1986 * opaque client_random[32];
1987 * opaque server_random[32];
1988 * ServerDHParams params;
1989 * };
1990 */
1991 if( ( ret = md_init_ctx( &ctx,
1992 md_info_from_type( md_alg ) ) ) != 0 )
1993 {
1994 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
1995 return( ret );
1996 }
1997
1998 md_starts( &ctx );
1999 md_update( &ctx, ssl->handshake->randbytes, 64 );
2000 md_update( &ctx, ssl->in_msg + 4, params_len );
2001 md_finish( &ctx, hash );
2002 md_free( &ctx );
2003 }
2004 else
2005#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2006 POLARSSL_SSL_PROTO_TLS1_2 */
2007 {
2008 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2009 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
2010 }
2011
2012 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
2013 (unsigned int) ( md_info_from_type( md_alg ) )->size );
2014
2015 /*
2016 * Verify signature
2017 */
2018 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
2019 {
2020 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2021 return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH );
2022 }
2023
2024 if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
2025 md_alg, hash, hashlen, p, sig_len ) ) != 0 )
2026 {
2027 SSL_DEBUG_RET( 1, "pk_verify", ret );
2028 return( ret );
2029 }
2030 }
2031#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2032 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2033 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2034
2035exit:
2036 ssl->state++;
2037
2038 SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
2039
2040 return( 0 );
2041}
2042
2043#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2044 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2045 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2046 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2047static int ssl_parse_certificate_request( ssl_context *ssl )
2048{
2049 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2050
2051 SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2052
2053 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2054 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2055 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2056 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2057 {
2058 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
2059 ssl->state++;
2060 return( 0 );
2061 }
2062
2063 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2064 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
2065}
2066#else
2067static int ssl_parse_certificate_request( ssl_context *ssl )
2068{
2069 int ret;
2070 unsigned char *buf, *p;
2071 size_t n = 0, m = 0;
2072 size_t cert_type_len = 0, dn_len = 0;
2073 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2074
2075 SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2076
2077 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2078 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2079 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2080 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2081 {
2082 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
2083 ssl->state++;
2084 return( 0 );
2085 }
2086
2087 /*
2088 * 0 . 0 handshake type
2089 * 1 . 3 handshake length
2090 * 4 . 4 cert type count
2091 * 5 .. m-1 cert types
2092 * m .. m+1 sig alg length (TLS 1.2 only)
2093 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
2094 * n .. n+1 length of all DNs
2095 * n+2 .. n+3 length of DN 1
2096 * n+4 .. ... Distinguished Name #1
2097 * ... .. ... length of DN 2, etc.
2098 */
2099 if( ssl->record_read == 0 )
2100 {
2101 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2102 {
2103 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2104 return( ret );
2105 }
2106
2107 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2108 {
2109 SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2110 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
2111 }
2112
2113 ssl->record_read = 1;
2114 }
2115
2116 ssl->client_auth = 0;
2117 ssl->state++;
2118
2119 if( ssl->in_msg[0] == SSL_HS_CERTIFICATE_REQUEST )
2120 ssl->client_auth++;
2121
2122 SSL_DEBUG_MSG( 3, ( "got %s certificate request",
2123 ssl->client_auth ? "a" : "no" ) );
2124
2125 if( ssl->client_auth == 0 )
2126 goto exit;
2127
2128 ssl->record_read = 0;
2129
2130 // TODO: handshake_failure alert for an anonymous server to request
2131 // client authentication
2132
2133 buf = ssl->in_msg;
2134
2135 // Retrieve cert types
2136 //
2137 cert_type_len = buf[4];
2138 n = cert_type_len;
2139
2140 if( ssl->in_hslen < 6 + n )
2141 {
2142 SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2143 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2144 }
2145
2146 p = buf + 5;
2147 while( cert_type_len > 0 )
2148 {
2149#if defined(POLARSSL_RSA_C)
2150 if( *p == SSL_CERT_TYPE_RSA_SIGN &&
2151 pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) )
2152 {
2153 ssl->handshake->cert_type = SSL_CERT_TYPE_RSA_SIGN;
2154 break;
2155 }
2156 else
2157#endif
2158#if defined(POLARSSL_ECDSA_C)
2159 if( *p == SSL_CERT_TYPE_ECDSA_SIGN &&
2160 pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECDSA ) )
2161 {
2162 ssl->handshake->cert_type = SSL_CERT_TYPE_ECDSA_SIGN;
2163 break;
2164 }
2165 else
2166#endif
2167 {
2168 ; /* Unsupported cert type, ignore */
2169 }
2170
2171 cert_type_len--;
2172 p++;
2173 }
2174
2175#if defined(POLARSSL_SSL_PROTO_TLS1_2)
2176 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2177 {
2178 /* Ignored, see comments about hash in write_certificate_verify */
2179 // TODO: should check the signature part against our pk_key though
2180 size_t sig_alg_len = ( ( buf[5 + n] << 8 )
2181 | ( buf[6 + n] ) );
2182
2183 p = buf + 7 + n;
2184 m += 2;
2185 n += sig_alg_len;
2186
2187 if( ssl->in_hslen < 6 + n )
2188 {
2189 SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2190 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2191 }
2192 }
2193#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2194
2195 /* Ignore certificate_authorities, we only have one cert anyway */
2196 // TODO: should not send cert if no CA matches
2197 dn_len = ( ( buf[5 + m + n] << 8 )
2198 | ( buf[6 + m + n] ) );
2199
2200 n += dn_len;
2201 if( ssl->in_hslen != 7 + m + n )
2202 {
2203 SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2204 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2205 }
2206
2207exit:
2208 SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
2209
2210 return( 0 );
2211}
2212#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2213 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2214 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
2215 !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2216
2217static int ssl_parse_server_hello_done( ssl_context *ssl )
2218{
2219 int ret;
2220
2221 SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
2222
2223 if( ssl->record_read == 0 )
2224 {
2225 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2226 {
2227 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2228 return( ret );
2229 }
2230
2231 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2232 {
2233 SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
2234 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
2235 }
2236 }
2237 ssl->record_read = 0;
2238
2239 if( ssl->in_hslen != 4 ||
2240 ssl->in_msg[0] != SSL_HS_SERVER_HELLO_DONE )
2241 {
2242 SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
2243 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
2244 }
2245
2246 ssl->state++;
2247
2248 SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
2249
2250 return( 0 );
2251}
2252
2253static int ssl_write_client_key_exchange( ssl_context *ssl )
2254{
2255 int ret;
2256 size_t i, n;
2257 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2258
2259 SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
2260
2261#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
2262 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
2263 {
2264 /*
2265 * DHM key exchange -- send G^X mod P
2266 */
2267 n = ssl->handshake->dhm_ctx.len;
2268
2269 ssl->out_msg[4] = (unsigned char)( n >> 8 );
2270 ssl->out_msg[5] = (unsigned char)( n );
2271 i = 6;
2272
2273 ret = dhm_make_public( &ssl->handshake->dhm_ctx,
2274 (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
2275 &ssl->out_msg[i], n,
2276 ssl->f_rng, ssl->p_rng );
2277 if( ret != 0 )
2278 {
2279 SSL_DEBUG_RET( 1, "dhm_make_public", ret );
2280 return( ret );
2281 }
2282
2283 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
2284 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
2285
2286 ssl->handshake->pmslen = POLARSSL_PREMASTER_SIZE;
2287
2288 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2289 ssl->handshake->premaster,
2290 &ssl->handshake->pmslen,
2291 ssl->f_rng, ssl->p_rng ) ) != 0 )
2292 {
2293 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2294 return( ret );
2295 }
2296
2297 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2298 }
2299 else
2300#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
2301#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2302 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2303 defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2304 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2305 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2306 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
2307 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
2308 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
2309 {
2310 /*
2311 * ECDH key exchange -- send client public value
2312 */
2313 i = 4;
2314
2315 ret = ecdh_make_public( &ssl->handshake->ecdh_ctx,
2316 &n,
2317 &ssl->out_msg[i], 1000,
2318 ssl->f_rng, ssl->p_rng );
2319 if( ret != 0 )
2320 {
2321 SSL_DEBUG_RET( 1, "ecdh_make_public", ret );
2322 return( ret );
2323 }
2324
2325 SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
2326
2327 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2328 &ssl->handshake->pmslen,
2329 ssl->handshake->premaster,
2330 POLARSSL_MPI_MAX_SIZE,
2331 ssl->f_rng, ssl->p_rng ) ) != 0 )
2332 {
2333 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
2334 return( ret );
2335 }
2336
2337 SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
2338 }
2339 else
2340#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2341 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2342 POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2343 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2344#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
2345 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2346 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2347 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2348 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2349 {
2350 /*
2351 * opaque psk_identity<0..2^16-1>;
2352 */
2353 if( ssl->psk == NULL || ssl->psk_identity == NULL )
2354 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2355
2356 i = 4;
2357 n = ssl->psk_identity_len;
2358
2359 if( i + 2 + n > SSL_MAX_CONTENT_LEN )
2360 {
2361 SSL_DEBUG_MSG( 1, ( "psk identity too long or "
2362 "SSL buffer too short" ) );
2363 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
2364 }
2365
2366 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
2367 ssl->out_msg[i++] = (unsigned char)( n );
2368
2369 memcpy( ssl->out_msg + i, ssl->psk_identity, ssl->psk_identity_len );
2370 i += ssl->psk_identity_len;
2371
2372#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2373 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
2374 {
2375 n = 0;
2376 }
2377 else
2378#endif
2379#if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2380 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
2381 {
2382 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
2383 return( ret );
2384 }
2385 else
2386#endif
2387#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2388 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2389 {
2390 /*
2391 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
2392 */
2393 n = ssl->handshake->dhm_ctx.len;
2394
2395 if( i + 2 + n > SSL_MAX_CONTENT_LEN )
2396 {
2397 SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
2398 " or SSL buffer too short" ) );
2399 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
2400 }
2401
2402 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
2403 ssl->out_msg[i++] = (unsigned char)( n );
2404
2405 ret = dhm_make_public( &ssl->handshake->dhm_ctx,
2406 (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
2407 &ssl->out_msg[i], n,
2408 ssl->f_rng, ssl->p_rng );
2409 if( ret != 0 )
2410 {
2411 SSL_DEBUG_RET( 1, "dhm_make_public", ret );
2412 return( ret );
2413 }
2414 }
2415 else
2416#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2417#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2418 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2419 {
2420 /*
2421 * ClientECDiffieHellmanPublic public;
2422 */
2423 ret = ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
2424 &ssl->out_msg[i], SSL_MAX_CONTENT_LEN - i,
2425 ssl->f_rng, ssl->p_rng );
2426 if( ret != 0 )
2427 {
2428 SSL_DEBUG_RET( 1, "ecdh_make_public", ret );
2429 return( ret );
2430 }
2431
2432 SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
2433 }
2434 else
2435#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2436 {
2437 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2438 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
2439 }
2440
2441 if( ( ret = ssl_psk_derive_premaster( ssl,
2442 ciphersuite_info->key_exchange ) ) != 0 )
2443 {
2444 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2445 return( ret );
2446 }
2447 }
2448 else
2449#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
2450#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2451 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
2452 {
2453 i = 4;
2454 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
2455 return( ret );
2456 }
2457 else
2458#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2459 {
2460 ((void) ciphersuite_info);
2461 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2462 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
2463 }
2464
2465 ssl->out_msglen = i + n;
2466 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2467 ssl->out_msg[0] = SSL_HS_CLIENT_KEY_EXCHANGE;
2468
2469 ssl->state++;
2470
2471 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2472 {
2473 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2474 return( ret );
2475 }
2476
2477 SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
2478
2479 return( 0 );
2480}
2481
2482#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2483 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2484 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2485 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2486static int ssl_write_certificate_verify( ssl_context *ssl )
2487{
2488 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2489 int ret;
2490
2491 SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
2492
2493 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2494 {
2495 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2496 return( ret );
2497 }
2498
2499 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2500 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2501 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2502 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2503 {
2504 SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2505 ssl->state++;
2506 return( 0 );
2507 }
2508
2509 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2510 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
2511}
2512#else
2513static int ssl_write_certificate_verify( ssl_context *ssl )
2514{
2515 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2516 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2517 size_t n = 0, offset = 0;
2518 unsigned char hash[48];
2519 unsigned char *hash_start = hash;
2520 md_type_t md_alg = POLARSSL_MD_NONE;
2521 unsigned int hashlen;
2522
2523 SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
2524
2525 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2526 {
2527 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2528 return( ret );
2529 }
2530
2531 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2532 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
2533 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2534 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2535 {
2536 SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2537 ssl->state++;
2538 return( 0 );
2539 }
2540
2541 if( ssl->client_auth == 0 || ssl_own_cert( ssl ) == NULL )
2542 {
2543 SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2544 ssl->state++;
2545 return( 0 );
2546 }
2547
2548 if( ssl_own_key( ssl ) == NULL )
2549 {
2550 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2551 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2552 }
2553
2554 /*
2555 * Make an RSA signature of the handshake digests
2556 */
2557 ssl->handshake->calc_verify( ssl, hash );
2558
2559#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2560 defined(POLARSSL_SSL_PROTO_TLS1_1)
2561 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
2562 {
2563 /*
2564 * digitally-signed struct {
2565 * opaque md5_hash[16];
2566 * opaque sha_hash[20];
2567 * };
2568 *
2569 * md5_hash
2570 * MD5(handshake_messages);
2571 *
2572 * sha_hash
2573 * SHA(handshake_messages);
2574 */
2575 hashlen = 36;
2576 md_alg = POLARSSL_MD_NONE;
2577
2578 /*
2579 * For ECDSA, default hash is SHA-1 only
2580 */
2581 if( pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECDSA ) )
2582 {
2583 hash_start += 16;
2584 hashlen -= 16;
2585 md_alg = POLARSSL_MD_SHA1;
2586 }
2587 }
2588 else
2589#endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
2590 POLARSSL_SSL_PROTO_TLS1_1 */
2591#if defined(POLARSSL_SSL_PROTO_TLS1_2)
2592 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2593 {
2594 /*
2595 * digitally-signed struct {
2596 * opaque handshake_messages[handshake_messages_length];
2597 * };
2598 *
2599 * Taking shortcut here. We assume that the server always allows the
2600 * PRF Hash function and has sent it in the allowed signature
2601 * algorithms list received in the Certificate Request message.
2602 *
2603 * Until we encounter a server that does not, we will take this
2604 * shortcut.
2605 *
2606 * Reason: Otherwise we should have running hashes for SHA512 and SHA224
2607 * in order to satisfy 'weird' needs from the server side.
2608 */
2609 if( ssl->transform_negotiate->ciphersuite_info->mac ==
2610 POLARSSL_MD_SHA384 )
2611 {
2612 md_alg = POLARSSL_MD_SHA384;
2613 ssl->out_msg[4] = SSL_HASH_SHA384;
2614 }
2615 else
2616 {
2617 md_alg = POLARSSL_MD_SHA256;
2618 ssl->out_msg[4] = SSL_HASH_SHA256;
2619 }
2620 ssl->out_msg[5] = ssl_sig_from_pk( ssl_own_key( ssl ) );
2621
2622 /* Info from md_alg will be used instead */
2623 hashlen = 0;
2624 offset = 2;
2625 }
2626 else
2627#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2628 {
2629 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2630 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
2631 }
2632
2633 if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash_start, hashlen,
2634 ssl->out_msg + 6 + offset, &n,
2635 ssl->f_rng, ssl->p_rng ) ) != 0 )
2636 {
2637 SSL_DEBUG_RET( 1, "pk_sign", ret );
2638 return( ret );
2639 }
2640
2641 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
2642 ssl->out_msg[5 + offset] = (unsigned char)( n );
2643
2644 ssl->out_msglen = 6 + n + offset;
2645 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2646 ssl->out_msg[0] = SSL_HS_CERTIFICATE_VERIFY;
2647
2648 ssl->state++;
2649
2650 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2651 {
2652 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2653 return( ret );
2654 }
2655
2656 SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
2657
2658 return( ret );
2659}
2660#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2661 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2662 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2663
2664#if defined(POLARSSL_SSL_SESSION_TICKETS)
2665static int ssl_parse_new_session_ticket( ssl_context *ssl )
2666{
2667 int ret;
2668 uint32_t lifetime;
2669 size_t ticket_len;
2670 unsigned char *ticket;
2671
2672 SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
2673
2674 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2675 {
2676 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2677 return( ret );
2678 }
2679
2680 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2681 {
2682 SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2683 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
2684 }
2685
2686 /*
2687 * struct {
2688 * uint32 ticket_lifetime_hint;
2689 * opaque ticket<0..2^16-1>;
2690 * } NewSessionTicket;
2691 *
2692 * 0 . 0 handshake message type
2693 * 1 . 3 handshake message length
2694 * 4 . 7 ticket_lifetime_hint
2695 * 8 . 9 ticket_len (n)
2696 * 10 . 9+n ticket content
2697 */
2698 if( ssl->in_msg[0] != SSL_HS_NEW_SESSION_TICKET ||
2699 ssl->in_hslen < 10 )
2700 {
2701 SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2702 return( POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
2703 }
2704
2705 lifetime = ( ssl->in_msg[4] << 24 ) | ( ssl->in_msg[5] << 16 ) |
2706 ( ssl->in_msg[6] << 8 ) | ( ssl->in_msg[7] );
2707
2708 ticket_len = ( ssl->in_msg[8] << 8 ) | ( ssl->in_msg[9] );
2709
2710 if( ticket_len + 10 != ssl->in_hslen )
2711 {
2712 SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2713 return( POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
2714 }
2715
2716 SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
2717
2718 /* We're not waiting for a NewSessionTicket message any more */
2719 ssl->handshake->new_session_ticket = 0;
2720
2721 /*
2722 * Zero-length ticket means the server changed his mind and doesn't want
2723 * to send a ticket after all, so just forget it
2724 */
2725 if( ticket_len == 0 )
2726 return( 0 );
2727
2728 polarssl_zeroize( ssl->session_negotiate->ticket,
2729 ssl->session_negotiate->ticket_len );
2730 polarssl_free( ssl->session_negotiate->ticket );
2731 ssl->session_negotiate->ticket = NULL;
2732 ssl->session_negotiate->ticket_len = 0;
2733
2734 if( ( ticket = polarssl_malloc( ticket_len ) ) == NULL )
2735 {
2736 SSL_DEBUG_MSG( 1, ( "ticket malloc failed" ) );
2737 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
2738 }
2739
2740 memcpy( ticket, ssl->in_msg + 10, ticket_len );
2741
2742 ssl->session_negotiate->ticket = ticket;
2743 ssl->session_negotiate->ticket_len = ticket_len;
2744 ssl->session_negotiate->ticket_lifetime = lifetime;
2745
2746 /*
2747 * RFC 5077 section 3.4:
2748 * "If the client receives a session ticket from the server, then it
2749 * discards any Session ID that was sent in the ServerHello."
2750 */
2751 SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
2752 ssl->session_negotiate->length = 0;
2753
2754 SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
2755
2756 return( 0 );
2757}
2758#endif /* POLARSSL_SSL_SESSION_TICKETS */
2759
2760/*
2761 * SSL handshake -- client side -- single step
2762 */
2763int ssl_handshake_client_step( ssl_context *ssl )
2764{
2765 int ret = 0;
2766
2767 if( ssl->state == SSL_HANDSHAKE_OVER )
2768 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
2769
2770 SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
2771
2772 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2773 return( ret );
2774
2775 switch( ssl->state )
2776 {
2777 case SSL_HELLO_REQUEST:
2778 ssl->state = SSL_CLIENT_HELLO;
2779 break;
2780
2781 /*
2782 * ==> ClientHello
2783 */
2784 case SSL_CLIENT_HELLO:
2785 ret = ssl_write_client_hello( ssl );
2786 break;
2787
2788 /*
2789 * <== ServerHello
2790 * Certificate
2791 * ( ServerKeyExchange )
2792 * ( CertificateRequest )
2793 * ServerHelloDone
2794 */
2795 case SSL_SERVER_HELLO:
2796 ret = ssl_parse_server_hello( ssl );
2797 break;
2798
2799 case SSL_SERVER_CERTIFICATE:
2800 ret = ssl_parse_certificate( ssl );
2801 break;
2802
2803 case SSL_SERVER_KEY_EXCHANGE:
2804 ret = ssl_parse_server_key_exchange( ssl );
2805 break;
2806
2807 case SSL_CERTIFICATE_REQUEST:
2808 ret = ssl_parse_certificate_request( ssl );
2809 break;
2810
2811 case SSL_SERVER_HELLO_DONE:
2812 ret = ssl_parse_server_hello_done( ssl );
2813 break;
2814
2815 /*
2816 * ==> ( Certificate/Alert )
2817 * ClientKeyExchange
2818 * ( CertificateVerify )
2819 * ChangeCipherSpec
2820 * Finished
2821 */
2822 case SSL_CLIENT_CERTIFICATE:
2823 ret = ssl_write_certificate( ssl );
2824 break;
2825
2826 case SSL_CLIENT_KEY_EXCHANGE:
2827 ret = ssl_write_client_key_exchange( ssl );
2828 break;
2829
2830 case SSL_CERTIFICATE_VERIFY:
2831 ret = ssl_write_certificate_verify( ssl );
2832 break;
2833
2834 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
2835 ret = ssl_write_change_cipher_spec( ssl );
2836 break;
2837
2838 case SSL_CLIENT_FINISHED:
2839 ret = ssl_write_finished( ssl );
2840 break;
2841
2842 /*
2843 * <== ( NewSessionTicket )
2844 * ChangeCipherSpec
2845 * Finished
2846 */
2847 case SSL_SERVER_CHANGE_CIPHER_SPEC:
2848#if defined(POLARSSL_SSL_SESSION_TICKETS)
2849 if( ssl->handshake->new_session_ticket != 0 )
2850 ret = ssl_parse_new_session_ticket( ssl );
2851 else
2852#endif
2853 ret = ssl_parse_change_cipher_spec( ssl );
2854 break;
2855
2856 case SSL_SERVER_FINISHED:
2857 ret = ssl_parse_finished( ssl );
2858 break;
2859
2860 case SSL_FLUSH_BUFFERS:
2861 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2862 ssl->state = SSL_HANDSHAKE_WRAPUP;
2863 break;
2864
2865 case SSL_HANDSHAKE_WRAPUP:
2866 ssl_handshake_wrapup( ssl );
2867 break;
2868
2869 default:
2870 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2871 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
2872 }
2873
2874 return( ret );
2875}
2876#endif /* POLARSSL_SSL_CLI_C */