Strona główna Odkrywaj Pomoc
Zaloguj się
nots0ap
/
Dolphin
kopia lustrzana https://github.com/dolphin-emu/dolphin
Obserwuj 1
Polub 0
Forkuj 0
Pliki Problemy 0 Wiki
Gałąź: stable
Gałęzie Tagi
Dolphin
/
Externals
/
polarssl
/
library
/
ssl_cli.c

ssl_cli.c 80 KB
Bezpośredni odnośnik Historia Czysty

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636 
  1. /*
    2. 

  2.  *  SSLv3/TLSv1 client-side functions
    3. 

  3.  *
    4. 

  4.  *  Copyright (C) 2006-2014, Brainspark B.V.
    5. 

  5.  *
    6. 

  6.  *  This file is part of PolarSSL (http://www.polarssl.org)
    7. 

  7.  *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
    8. 

  8.  *
    9. 

  9.  *  All rights reserved.
    10. 

  10.  *
    11. 

  11.  *  This program is free software; you can redistribute it and/or modify
    12. 

  12.  *  it under the terms of the GNU General Public License as published by
    13. 

  13.  *  the Free Software Foundation; either version 2 of the License, or
    14. 

  14.  *  (at your option) any later version.
    15. 

  15.  *
    16. 

  16.  *  This program is distributed in the hope that it will be useful,
    17. 

  17.  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
    18. 

  18.  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    19. 

  19.  *  GNU General Public License for more details.
    20. 

  20.  *
    21. 

  21.  *  You should have received a copy of the GNU General Public License along
    22. 

  22.  *  with this program; if not, write to the Free Software Foundation, Inc.,
    23. 

  23.  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
    24. 

  24.  */
    25. 

  25. 

  26. #if !defined(POLARSSL_CONFIG_FILE)
    27. 

  27. #include "polarssl/config.h"
    28. 

  28. #else
    29. 

  29. #include POLARSSL_CONFIG_FILE
    30. 

  30. #endif
    31. 

  31. 

  32. #if defined(POLARSSL_SSL_CLI_C)
    33. 

  33. 

  34. #include "polarssl/debug.h"
    35. 

  35. #include "polarssl/ssl.h"
    36. 

  36. 

  37. #if defined(POLARSSL_PLATFORM_C)
    38. 

  38. #include "polarssl/platform.h"
    39. 

  39. #else
    40. 

  40. #define polarssl_malloc     malloc
    41. 

  41. #define polarssl_free       free
    42. 

  42. #endif
    43. 

  43. 

  44. #include <stdlib.h>
    45. 

  45. #include <stdio.h>
    46. 

  46. 

  47. #if defined(_MSC_VER) && !defined(EFIX64) && !defined(EFI32)
    48. 

  48. #include <basetsd.h>
    49. 

  49. typedef UINT32 uint32_t;
    50. 

  50. #else
    51. 

  51. #include <inttypes.h>
    52. 

  52. #endif
    53. 

  53. 

  54. #if defined(POLARSSL_HAVE_TIME)
    55. 

  55. #include <time.h>
    56. 

  56. #endif
    57. 

  57. 

  58. #if defined(POLARSSL_SSL_SESSION_TICKETS)
    59. 

  59. /* Implementation that should never be optimized out by the compiler */
    60. 

  60. static void polarssl_zeroize( void *v, size_t n ) {
    61. 

  61.     volatile unsigned char *p = v; while( n-- ) *p++ = 0;
    62. 

  62. }
    63. 

  63. #endif
    64. 

  64. 

  65. #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
    66. 

  66. static void ssl_write_hostname_ext( ssl_context *ssl,
    67. 

  67.                                     unsigned char *buf,
    68. 

  68.                                     size_t *olen )
    69. 

  69. {
    70. 

  70.     unsigned char *p = buf;
    71. 

  71. 

  72.     *olen = 0;
    73. 

  73. 

  74.     if( ssl->hostname == NULL )
    75. 

  75.         return;
    76. 

  76. 

  77.     SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
    78. 

  78.                    ssl->hostname ) );
    79. 

  79. 

  80.     /*
    81. 

  81.      * struct {
    82. 

  82.      *     NameType name_type;
    83. 

  83.      *     select (name_type) {
    84. 

  84.      *         case host_name: HostName;
    85. 

  85.      *     } name;
    86. 

  86.      * } ServerName;
    87. 

  87.      *
    88. 

  88.      * enum {
    89. 

  89.      *     host_name(0), (255)
    90. 

  90.      * } NameType;
    91. 

  91.      *
    92. 

  92.      * opaque HostName<1..2^16-1>;
    93. 

  93.      *
    94. 

  94.      * struct {
    95. 

  95.      *     ServerName server_name_list<1..2^16-1>
    96. 

  96.      * } ServerNameList;
    97. 

  97.      */
    98. 

  98.     *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
    99. 

  99.     *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME      ) & 0xFF );
    100. 

  100. 

  101.     *p++ = (unsigned char)( ( (ssl->hostname_len + 5) >> 8 ) & 0xFF );
    102. 

  102.     *p++ = (unsigned char)( ( (ssl->hostname_len + 5)      ) & 0xFF );
    103. 

  103. 

  104.     *p++ = (unsigned char)( ( (ssl->hostname_len + 3) >> 8 ) & 0xFF );
    105. 

  105.     *p++ = (unsigned char)( ( (ssl->hostname_len + 3)      ) & 0xFF );
    106. 

  106. 

  107.     *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
    108. 

  108.     *p++ = (unsigned char)( ( ssl->hostname_len >> 8 ) & 0xFF );
    109. 

  109.     *p++ = (unsigned char)( ( ssl->hostname_len      ) & 0xFF );
    110. 

  110. 

  111.     memcpy( p, ssl->hostname, ssl->hostname_len );
    112. 

  112. 

  113.     *olen = ssl->hostname_len + 9;
    114. 

  114. }
    115. 

  115. #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
    116. 

  116. 

  117. static void ssl_write_renegotiation_ext( ssl_context *ssl,
    118. 

  118.                                          unsigned char *buf,
    119. 

  119.                                          size_t *olen )
    120. 

  120. {
    121. 

  121.     unsigned char *p = buf;
    122. 

  122. 

  123.     *olen = 0;
    124. 

  124. 

  125.     if( ssl->renegotiation != SSL_RENEGOTIATION )
    126. 

  126.         return;
    127. 

  127. 

  128.     SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
    129. 

  129. 

  130.     /*
    131. 

  131.      * Secure renegotiation
    132. 

  132.      */
    133. 

  133.     *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
    134. 

  134.     *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO      ) & 0xFF );
    135. 

  135. 

  136.     *p++ = 0x00;
    137. 

  137.     *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
    138. 

  138.     *p++ = ssl->verify_data_len & 0xFF;
    139. 

  139. 

  140.     memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
    141. 

  141. 

  142.     *olen = 5 + ssl->verify_data_len;
    143. 

  143. }
    144. 

  144. 

  145. #if defined(POLARSSL_SSL_PROTO_TLS1_2)
    146. 

  146. static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
    147. 

  147.                                                 unsigned char *buf,
    148. 

  148.                                                 size_t *olen )
    149. 

  149. {
    150. 

  150.     unsigned char *p = buf;
    151. 

  151.     size_t sig_alg_len = 0;
    152. 

  152. #if defined(POLARSSL_RSA_C) || defined(POLARSSL_ECDSA_C)
    153. 

  153.     unsigned char *sig_alg_list = buf + 6;
    154. 

  154. #endif
    155. 

  155. 

  156.     *olen = 0;
    157. 

  157. 

  158.     if( ssl->max_minor_ver != SSL_MINOR_VERSION_3 )
    159. 

  159.         return;
    160. 

  160. 

  161.     SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
    162. 

  162. 

  163.     /*
    164. 

  164.      * Prepare signature_algorithms extension (TLS 1.2)
    165. 

  165.      */
    166. 

  166. #if defined(POLARSSL_RSA_C)
    167. 

  167. #if defined(POLARSSL_SHA512_C)
    168. 

  168.     sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
    169. 

  169.     sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
    170. 

  170.     sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
    171. 

  171.     sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
    172. 

  172. #endif
    173. 

  173. #if defined(POLARSSL_SHA256_C)
    174. 

  174.     sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
    175. 

  175.     sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
    176. 

  176.     sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
    177. 

  177.     sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
    178. 

  178. #endif
    179. 

  179. #if defined(POLARSSL_SHA1_C)
    180. 

  180.     sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
    181. 

  181.     sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
    182. 

  182. #endif
    183. 

  183. #if defined(POLARSSL_MD5_C)
    184. 

  184.     sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
    185. 

  185.     sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
    186. 

  186. #endif
    187. 

  187. #endif /* POLARSSL_RSA_C */
    188. 

  188. #if defined(POLARSSL_ECDSA_C)
    189. 

  189. #if defined(POLARSSL_SHA512_C)
    190. 

  190.     sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
    191. 

  191.     sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
    192. 

  192.     sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
    193. 

  193.     sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
    194. 

  194. #endif
    195. 

  195. #if defined(POLARSSL_SHA256_C)
    196. 

  196.     sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
    197. 

  197.     sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
    198. 

  198.     sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
    199. 

  199.     sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
    200. 

  200. #endif
    201. 

  201. #if defined(POLARSSL_SHA1_C)
    202. 

  202.     sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
    203. 

  203.     sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
    204. 

  204. #endif
    205. 

  205. #if defined(POLARSSL_MD5_C)
    206. 

  206.     sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
    207. 

  207.     sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA;
    208. 

  208. #endif
    209. 

  209. #endif /* POLARSSL_ECDSA_C */
    210. 

  210. 

  211.     /*
    212. 

  212.      * enum {
    213. 

  213.      *     none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
    214. 

  214.      *     sha512(6), (255)
    215. 

  215.      * } HashAlgorithm;
    216. 

  216.      *
    217. 

  217.      * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
    218. 

  218.      *   SignatureAlgorithm;
    219. 

  219.      *
    220. 

  220.      * struct {
    221. 

  221.      *     HashAlgorithm hash;
    222. 

  222.      *     SignatureAlgorithm signature;
    223. 

  223.      * } SignatureAndHashAlgorithm;
    224. 

  224.      *
    225. 

  225.      * SignatureAndHashAlgorithm
    226. 

  226.      *   supported_signature_algorithms<2..2^16-2>;
    227. 

  227.      */
    228. 

  228.     *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
    229. 

  229.     *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG      ) & 0xFF );
    230. 

  230. 

  231.     *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
    232. 

  232.     *p++ = (unsigned char)( ( ( sig_alg_len + 2 )      ) & 0xFF );
    233. 

  233. 

  234.     *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
    235. 

  235.     *p++ = (unsigned char)( ( sig_alg_len      ) & 0xFF );
    236. 

  236. 

  237.     *olen = 6 + sig_alg_len;
    238. 

  238. }
    239. 

  239. #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
    240. 

  240. 

  241. #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
    242. 

  242. static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
    243. 

  243.                                                      unsigned char *buf,
    244. 

  244.                                                      size_t *olen )
    245. 

  245. {
    246. 

  246.     unsigned char *p = buf;
    247. 

  247.     unsigned char *elliptic_curve_list = p + 6;
    248. 

  248.     size_t elliptic_curve_len = 0;
    249. 

  249.     const ecp_curve_info *info;
    250. 

  250. #if defined(POLARSSL_SSL_SET_CURVES)
    251. 

  251.     const ecp_group_id *grp_id;
    252. 

  252. #else
    253. 

  253.     ((void) ssl);
    254. 

  254. #endif
    255. 

  255. 

  256.     *olen = 0;
    257. 

  257. 

  258.     SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
    259. 

  259. 

  260. #if defined(POLARSSL_SSL_SET_CURVES)
    261. 

  261.     for( grp_id = ssl->curve_list; *grp_id != POLARSSL_ECP_DP_NONE; grp_id++ )
    262. 

  262.     {
    263. 

  263.         info = ecp_curve_info_from_grp_id( *grp_id );
    264. 

  264. #else
    265. 

  265.     for( info = ecp_curve_list(); info->grp_id != POLARSSL_ECP_DP_NONE; info++ )
    266. 

  266.     {
    267. 

  267. #endif
    268. 

  268. 

  269.         elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
    270. 

  270.         elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
    271. 

  271.     }
    272. 

  272. 

  273.     if( elliptic_curve_len == 0 )
    274. 

  274.         return;
    275. 

  275. 

  276.     *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
    277. 

  277.     *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES      ) & 0xFF );
    278. 

  278. 

  279.     *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
    280. 

  280.     *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 )      ) & 0xFF );
    281. 

  281. 

  282.     *p++ = (unsigned char)( ( ( elliptic_curve_len     ) >> 8 ) & 0xFF );
    283. 

  283.     *p++ = (unsigned char)( ( ( elliptic_curve_len     )      ) & 0xFF );
    284. 

  284. 

  285.     *olen = 6 + elliptic_curve_len;
    286. 

  286. }
    287. 

  287. 

  288. static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
    289. 

  289.                                                    unsigned char *buf,
    290. 

  290.                                                    size_t *olen )
    291. 

  291. {
    292. 

  292.     unsigned char *p = buf;
    293. 

  293.     ((void) ssl);
    294. 

  294. 

  295.     *olen = 0;
    296. 

  296. 

  297.     SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
    298. 

  298. 

  299.     *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
    300. 

  300.     *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS      ) & 0xFF );
    301. 

  301. 

  302.     *p++ = 0x00;
    303. 

  303.     *p++ = 2;
    304. 

  304. 

  305.     *p++ = 1;
    306. 

  306.     *p++ = POLARSSL_ECP_PF_UNCOMPRESSED;
    307. 

  307. 

  308.     *olen = 6;
    309. 

  309. }
    310. 

  310. #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
    311. 

  311. 

  312. #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
    313. 

  313. static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
    314. 

  314.                                                unsigned char *buf,
    315. 

  315.                                                size_t *olen )
    316. 

  316. {
    317. 

  317.     unsigned char *p = buf;
    318. 

  318. 

  319.     if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ) {
    320. 

  320.         *olen = 0;
    321. 

  321.         return;
    322. 

  322.     }
    323. 

  323. 

  324.     SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
    325. 

  325. 

  326.     *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
    327. 

  327.     *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH      ) & 0xFF );
    328. 

  328. 

  329.     *p++ = 0x00;
    330. 

  330.     *p++ = 1;
    331. 

  331. 

  332.     *p++ = ssl->mfl_code;
    333. 

  333. 

  334.     *olen = 5;
    335. 

  335. }
    336. 

  336. #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
    337. 

  337. 

  338. #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
    339. 

  339. static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
    340. 

  340.                                           unsigned char *buf, size_t *olen )
    341. 

  341. {
    342. 

  342.     unsigned char *p = buf;
    343. 

  343. 

  344.     if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
    345. 

  345.     {
    346. 

  346.         *olen = 0;
    347. 

  347.         return;
    348. 

  348.     }
    349. 

  349. 

  350.     SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
    351. 

  351. 

  352.     *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
    353. 

  353.     *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC      ) & 0xFF );
    354. 

  354. 

  355.     *p++ = 0x00;
    356. 

  356.     *p++ = 0x00;
    357. 

  357. 

  358.     *olen = 4;
    359. 

  359. }
    360. 

  360. #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
    361. 

  361. 

  362. #if defined(POLARSSL_SSL_SESSION_TICKETS)
    363. 

  363. static void ssl_write_session_ticket_ext( ssl_context *ssl,
    364. 

  364.                                           unsigned char *buf, size_t *olen )
    365. 

  365. {
    366. 

  366.     unsigned char *p = buf;
    367. 

  367.     size_t tlen = ssl->session_negotiate->ticket_len;
    368. 

  368. 

  369.     if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
    370. 

  370.     {
    371. 

  371.         *olen = 0;
    372. 

  372.         return;
    373. 

  373.     }
    374. 

  374. 

  375.     SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
    376. 

  376. 

  377.     *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
    378. 

  378.     *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET      ) & 0xFF );
    379. 

  379. 

  380.     *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
    381. 

  381.     *p++ = (unsigned char)( ( tlen      ) & 0xFF );
    382. 

  382. 

  383.     *olen = 4;
    384. 

  384. 

  385.     if( ssl->session_negotiate->ticket == NULL ||
    386. 

  386.         ssl->session_negotiate->ticket_len == 0 )
    387. 

  387.     {
    388. 

  388.         return;
    389. 

  389.     }
    390. 

  390. 

  391.     SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
    392. 

  392. 

  393.     memcpy( p, ssl->session_negotiate->ticket, tlen );
    394. 

  394. 

  395.     *olen += tlen;
    396. 

  396. }
    397. 

  397. #endif /* POLARSSL_SSL_SESSION_TICKETS */
    398. 

  398. 

  399. #if defined(POLARSSL_SSL_ALPN)
    400. 

  400. static void ssl_write_alpn_ext( ssl_context *ssl,
    401. 

  401.                                 unsigned char *buf, size_t *olen )
    402. 

  402. {
    403. 

  403.     unsigned char *p = buf;
    404. 

  404.     const char **cur;
    405. 

  405. 

  406.     if( ssl->alpn_list == NULL )
    407. 

  407.     {
    408. 

  408.         *olen = 0;
    409. 

  409.         return;
    410. 

  410.     }
    411. 

  411. 

  412.     SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
    413. 

  413. 

  414.     *p++ = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF );
    415. 

  415.     *p++ = (unsigned char)( ( TLS_EXT_ALPN      ) & 0xFF );
    416. 

  416. 

  417.     /*
    418. 

  418.      * opaque ProtocolName<1..2^8-1>;
    419. 

  419.      *
    420. 

  420.      * struct {
    421. 

  421.      *     ProtocolName protocol_name_list<2..2^16-1>
    422. 

  422.      * } ProtocolNameList;
    423. 

  423.      */
    424. 

  424. 

  425.     /* Skip writing extension and list length for now */
    426. 

  426.     p += 4;
    427. 

  427. 

  428.     for( cur = ssl->alpn_list; *cur != NULL; cur++ )
    429. 

  429.     {
    430. 

  430.         *p = (unsigned char)( strlen( *cur ) & 0xFF );
    431. 

  431.         memcpy( p + 1, *cur, *p );
    432. 

  432.         p += 1 + *p;
    433. 

  433.     }
    434. 

  434. 

  435.     *olen = p - buf;
    436. 

  436. 

  437.     /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
    438. 

  438.     buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
    439. 

  439.     buf[5] = (unsigned char)( ( ( *olen - 6 )      ) & 0xFF );
    440. 

  440. 

  441.     /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
    442. 

  442.     buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
    443. 

  443.     buf[3] = (unsigned char)( ( ( *olen - 4 )      ) & 0xFF );
    444. 

  444. }
    445. 

  445. #endif /* POLARSSL_SSL_ALPN */
    446. 

  446. 

  447. static int ssl_write_client_hello( ssl_context *ssl )
    448. 

  448. {
    449. 

  449.     int ret;
    450. 

  450.     size_t i, n, olen, ext_len = 0;
    451. 

  451.     unsigned char *buf;
    452. 

  452.     unsigned char *p, *q;
    453. 

  453. #if defined(POLARSSL_HAVE_TIME)
    454. 

  454.     time_t t;
    455. 

  455. #endif
    456. 

  456.     const int *ciphersuites;
    457. 

  457.     const ssl_ciphersuite_t *ciphersuite_info;
    458. 

  458. 

  459.     SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
    460. 

  460. 

  461.     if( ssl->f_rng == NULL )
    462. 

  462.     {
    463. 

  463.         SSL_DEBUG_MSG( 1, ( "no RNG provided") );
    464. 

  464.         return( POLARSSL_ERR_SSL_NO_RNG );
    465. 

  465.     }
    466. 

  466. 

  467.     if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
    468. 

  468.     {
    469. 

  469.         ssl->major_ver = ssl->min_major_ver;
    470. 

  470.         ssl->minor_ver = ssl->min_minor_ver;
    471. 

  471.     }
    472. 

  472. 

  473.     if( ssl->max_major_ver == 0 && ssl->max_minor_ver == 0 )
    474. 

  474.     {
    475. 

  475.         ssl->max_major_ver = SSL_MAX_MAJOR_VERSION;
    476. 

  476.         ssl->max_minor_ver = SSL_MAX_MINOR_VERSION;
    477. 

  477.     }
    478. 

  478. 

  479.     /*
    480. 

  480.      *     0  .   0   handshake type
    481. 

  481.      *     1  .   3   handshake length
    482. 

  482.      *     4  .   5   highest version supported
    483. 

  483.      *     6  .   9   current UNIX time
    484. 

  484.      *    10  .  37   random bytes
    485. 

  485.      */
    486. 

  486.     buf = ssl->out_msg;
    487. 

  487.     p = buf + 4;
    488. 

  488. 

  489.     *p++ = (unsigned char) ssl->max_major_ver;
    490. 

  490.     *p++ = (unsigned char) ssl->max_minor_ver;
    491. 

  491. 

  492.     SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
    493. 

  493.                    buf[4], buf[5] ) );
    494. 

  494. 

  495. #if defined(POLARSSL_HAVE_TIME)
    496. 

  496.     t = time( NULL );
    497. 

  497.     *p++ = (unsigned char)( t >> 24 );
    498. 

  498.     *p++ = (unsigned char)( t >> 16 );
    499. 

  499.     *p++ = (unsigned char)( t >>  8 );
    500. 

  500.     *p++ = (unsigned char)( t       );
    501. 

  501. 

  502.     SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
    503. 

  503. #else
    504. 

  504.     if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
    505. 

  505.         return( ret );
    506. 

  506. 

  507.     p += 4;
    508. 

  508. #endif /* POLARSSL_HAVE_TIME */
    509. 

  509. 

  510.     if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
    511. 

  511.         return( ret );
    512. 

  512. 

  513.     p += 28;
    514. 

  514. 

  515.     memcpy( ssl->handshake->randbytes, buf + 6, 32 );
    516. 

  516. 

  517.     SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 6, 32 );
    518. 

  518. 

  519.     /*
    520. 

  520.      *    38  .  38   session id length
    521. 

  521.      *    39  . 39+n  session id
    522. 

  522.      *   40+n . 41+n  ciphersuitelist length
    523. 

  523.      *   42+n . ..    ciphersuitelist
    524. 

  524.      *   ..   . ..    compression methods length
    525. 

  525.      *   ..   . ..    compression methods
    526. 

  526.      *   ..   . ..    extensions length
    527. 

  527.      *   ..   . ..    extensions
    528. 

  528.      */
    529. 

  529.     n = ssl->session_negotiate->length;
    530. 

  530. 

  531.     if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE || n < 16 || n > 32 ||
    532. 

  532.         ssl->handshake->resume == 0 )
    533. 

  533.     {
    534. 

  534.         n = 0;
    535. 

  535.     }
    536. 

  536. 

  537. #if defined(POLARSSL_SSL_SESSION_TICKETS)
    538. 

  538.     /*
    539. 

  539.      * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
    540. 

  540.      * generate and include a Session ID in the TLS ClientHello."
    541. 

  541.      */
    542. 

  542.     if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
    543. 

  543.         ssl->session_negotiate->ticket != NULL &&
    544. 

  544.         ssl->session_negotiate->ticket_len != 0 )
    545. 

  545.     {
    546. 

  546.         ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );
    547. 

  547. 

  548.         if( ret != 0 )
    549. 

  549.             return( ret );
    550. 

  550. 

  551.         ssl->session_negotiate->length = n = 32;
    552. 

  552.     }
    553. 

  553. #endif /* POLARSSL_SSL_SESSION_TICKETS */
    554. 

  554. 

  555.     *p++ = (unsigned char) n;
    556. 

  556. 

  557.     for( i = 0; i < n; i++ )
    558. 

  558.         *p++ = ssl->session_negotiate->id[i];
    559. 

  559. 

  560.     SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
    561. 

  561.     SSL_DEBUG_BUF( 3,   "client hello, session id", buf + 39, n );
    562. 

  562. 

  563.     ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
    564. 

  564.     n = 0;
    565. 

  565.     q = p;
    566. 

  566. 

  567.     // Skip writing ciphersuite length for now
    568. 

  568.     p += 2;
    569. 

  569. 

  570.     /*
    571. 

  571.      * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
    572. 

  572.      */
    573. 

  573.     if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
    574. 

  574.     {
    575. 

  575.         *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
    576. 

  576.         *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO      );
    577. 

  577.         n++;
    578. 

  578.     }
    579. 

  579. 

  580.     for( i = 0; ciphersuites[i] != 0; i++ )
    581. 

  581.     {
    582. 

  582.         ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
    583. 

  583. 

  584.         if( ciphersuite_info == NULL )
    585. 

  585.             continue;
    586. 

  586. 

  587.         if( ciphersuite_info->min_minor_ver > ssl->max_minor_ver ||
    588. 

  588.             ciphersuite_info->max_minor_ver < ssl->min_minor_ver )
    589. 

  589.             continue;
    590. 

  590. 

  591.         SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
    592. 

  592.                        ciphersuites[i] ) );
    593. 

  593. 

  594.         n++;
    595. 

  595.         *p++ = (unsigned char)( ciphersuites[i] >> 8 );
    596. 

  596.         *p++ = (unsigned char)( ciphersuites[i]      );
    597. 

  597.     }
    598. 

  598. 

  599.     *q++ = (unsigned char)( n >> 7 );
    600. 

  600.     *q++ = (unsigned char)( n << 1 );
    601. 

  601. 

  602.     SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
    603. 

  603. 

  604. 

  605. #if defined(POLARSSL_ZLIB_SUPPORT)
    606. 

  606.     SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
    607. 

  607.     SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
    608. 

  608.                         SSL_COMPRESS_DEFLATE, SSL_COMPRESS_NULL ) );
    609. 

  609. 

  610.     *p++ = 2;
    611. 

  611.     *p++ = SSL_COMPRESS_DEFLATE;
    612. 

  612.     *p++ = SSL_COMPRESS_NULL;
    613. 

  613. #else
    614. 

  614.     SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
    615. 

  615.     SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", SSL_COMPRESS_NULL ) );
    616. 

  616. 

  617.     *p++ = 1;
    618. 

  618.     *p++ = SSL_COMPRESS_NULL;
    619. 

  619. #endif /* POLARSSL_ZLIB_SUPPORT */
    620. 

  620. 

  621.     // First write extensions, then the total length
    622. 

  622.     //
    623. 

  623. #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
    624. 

  624.     ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
    625. 

  625.     ext_len += olen;
    626. 

  626. #endif
    627. 

  627. 

  628.     ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
    629. 

  629.     ext_len += olen;
    630. 

  630. 

  631. #if defined(POLARSSL_SSL_PROTO_TLS1_2)
    632. 

  632.     ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
    633. 

  633.     ext_len += olen;
    634. 

  634. #endif
    635. 

  635. 

  636. #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
    637. 

  637.     ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
    638. 

  638.     ext_len += olen;
    639. 

  639. 

  640.     ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
    641. 

  641.     ext_len += olen;
    642. 

  642. #endif
    643. 

  643. 

  644. #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
    645. 

  645.     ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
    646. 

  646.     ext_len += olen;
    647. 

  647. #endif
    648. 

  648. 

  649. #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
    650. 

  650.     ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
    651. 

  651.     ext_len += olen;
    652. 

  652. #endif
    653. 

  653. 

  654. #if defined(POLARSSL_SSL_SESSION_TICKETS)
    655. 

  655.     ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
    656. 

  656.     ext_len += olen;
    657. 

  657. #endif
    658. 

  658. 

  659. #if defined(POLARSSL_SSL_ALPN)
    660. 

  660.     ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
    661. 

  661.     ext_len += olen;
    662. 

  662. #endif
    663. 

  663. 

  664.     SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
    665. 

  665.                    ext_len ) );
    666. 

  666. 

  667.     if( ext_len > 0 )
    668. 

  668.     {
    669. 

  669.         *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
    670. 

  670.         *p++ = (unsigned char)( ( ext_len      ) & 0xFF );
    671. 

  671.         p += ext_len;
    672. 

  672.     }
    673. 

  673. 

  674.     ssl->out_msglen  = p - buf;
    675. 

  675.     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
    676. 

  676.     ssl->out_msg[0]  = SSL_HS_CLIENT_HELLO;
    677. 

  677. 

  678.     ssl->state++;
    679. 

  679. 

  680.     if( ( ret = ssl_write_record( ssl ) ) != 0 )
    681. 

  681.     {
    682. 

  682.         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
    683. 

  683.         return( ret );
    684. 

  684.     }
    685. 

  685. 

  686.     SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
    687. 

  687. 

  688.     return( 0 );
    689. 

  689. }
    690. 

  690. 

  691. static int ssl_parse_renegotiation_info( ssl_context *ssl,
    692. 

  692.                                          const unsigned char *buf,
    693. 

  693.                                          size_t len )
    694. 

  694. {
    695. 

  695.     int ret;
    696. 

  696. 

  697.     if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
    698. 

  698.     {
    699. 

  699.         if( len != 1 || buf[0] != 0x0 )
    700. 

  700.         {
    701. 

  701.             SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
    702. 

  702. 

  703.             if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
    704. 

  704.                 return( ret );
    705. 

  705. 

  706.             return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    707. 

  707.         }
    708. 

  708. 

  709.         ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
    710. 

  710.     }
    711. 

  711.     else
    712. 

  712.     {
    713. 

  713.         /* Check verify-data in constant-time. The length OTOH is no secret */
    714. 

  714.         if( len    != 1 + ssl->verify_data_len * 2 ||
    715. 

  715.             buf[0] !=     ssl->verify_data_len * 2 ||
    716. 

  716.             safer_memcmp( buf + 1,
    717. 

  717.                           ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
    718. 

  718.             safer_memcmp( buf + 1 + ssl->verify_data_len,
    719. 

  719.                           ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
    720. 

  720.         {
    721. 

  721.             SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
    722. 

  722. 

  723.             if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
    724. 

  724.                 return( ret );
    725. 

  725. 

  726.             return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    727. 

  727.         }
    728. 

  728.     }
    729. 

  729. 

  730.     return( 0 );
    731. 

  731. }
    732. 

  732. 

  733. #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
    734. 

  734. static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
    735. 

  735.                                               const unsigned char *buf,
    736. 

  736.                                               size_t len )
    737. 

  737. {
    738. 

  738.     /*
    739. 

  739.      * server should use the extension only if we did,
    740. 

  740.      * and if so the server's value should match ours (and len is always 1)
    741. 

  741.      */
    742. 

  742.     if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ||
    743. 

  743.         len != 1 ||
    744. 

  744.         buf[0] != ssl->mfl_code )
    745. 

  745.     {
    746. 

  746.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    747. 

  747.     }
    748. 

  748. 

  749.     return( 0 );
    750. 

  750. }
    751. 

  751. #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
    752. 

  752. 

  753. #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
    754. 

  754. static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
    755. 

  755.                                          const unsigned char *buf,
    756. 

  756.                                          size_t len )
    757. 

  757. {
    758. 

  758.     if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED ||
    759. 

  759.         len != 0 )
    760. 

  760.     {
    761. 

  761.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    762. 

  762.     }
    763. 

  763. 

  764.     ((void) buf);
    765. 

  765. 

  766.     ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
    767. 

  767. 

  768.     return( 0 );
    769. 

  769. }
    770. 

  770. #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
    771. 

  771. 

  772. #if defined(POLARSSL_SSL_SESSION_TICKETS)
    773. 

  773. static int ssl_parse_session_ticket_ext( ssl_context *ssl,
    774. 

  774.                                          const unsigned char *buf,
    775. 

  775.                                          size_t len )
    776. 

  776. {
    777. 

  777.     if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED ||
    778. 

  778.         len != 0 )
    779. 

  779.     {
    780. 

  780.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    781. 

  781.     }
    782. 

  782. 

  783.     ((void) buf);
    784. 

  784. 

  785.     ssl->handshake->new_session_ticket = 1;
    786. 

  786. 

  787.     return( 0 );
    788. 

  788. }
    789. 

  789. #endif /* POLARSSL_SSL_SESSION_TICKETS */
    790. 

  790. 

  791. #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
    792. 

  792. static int ssl_parse_supported_point_formats_ext( ssl_context *ssl,
    793. 

  793.                                                   const unsigned char *buf,
    794. 

  794.                                                   size_t len )
    795. 

  795. {
    796. 

  796.     size_t list_size;
    797. 

  797.     const unsigned char *p;
    798. 

  798. 

  799.     list_size = buf[0];
    800. 

  800.     if( list_size + 1 != len )
    801. 

  801.     {
    802. 

  802.         SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
    803. 

  803.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    804. 

  804.     }
    805. 

  805. 

  806.     p = buf + 1;
    807. 

  807.     while( list_size > 0 )
    808. 

  808.     {
    809. 

  809.         if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
    810. 

  810.             p[0] == POLARSSL_ECP_PF_COMPRESSED )
    811. 

  811.         {
    812. 

  812.             ssl->handshake->ecdh_ctx.point_format = p[0];
    813. 

  813.             SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
    814. 

  814.             return( 0 );
    815. 

  815.         }
    816. 

  816. 

  817.         list_size--;
    818. 

  818.         p++;
    819. 

  819.     }
    820. 

  820. 

  821.     SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
    822. 

  822.     return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    823. 

  823. }
    824. 

  824. #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
    825. 

  825. 

  826. #if defined(POLARSSL_SSL_ALPN)
    827. 

  827. static int ssl_parse_alpn_ext( ssl_context *ssl,
    828. 

  828.                                const unsigned char *buf, size_t len )
    829. 

  829. {
    830. 

  830.     size_t list_len, name_len;
    831. 

  831.     const char **p;
    832. 

  832. 

  833.     /* If we didn't send it, the server shouldn't send it */
    834. 

  834.     if( ssl->alpn_list == NULL )
    835. 

  835.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    836. 

  836. 

  837.     /*
    838. 

  838.      * opaque ProtocolName<1..2^8-1>;
    839. 

  839.      *
    840. 

  840.      * struct {
    841. 

  841.      *     ProtocolName protocol_name_list<2..2^16-1>
    842. 

  842.      * } ProtocolNameList;
    843. 

  843.      *
    844. 

  844.      * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
    845. 

  845.      */
    846. 

  846. 

  847.     /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
    848. 

  848.     if( len < 4 )
    849. 

  849.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    850. 

  850. 

  851.     list_len = ( buf[0] << 8 ) | buf[1];
    852. 

  852.     if( list_len != len - 2 )
    853. 

  853.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    854. 

  854. 

  855.     name_len = buf[2];
    856. 

  856.     if( name_len != list_len - 1 )
    857. 

  857.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    858. 

  858. 

  859.     /* Check that the server chosen protocol was in our list and save it */
    860. 

  860.     for( p = ssl->alpn_list; *p != NULL; p++ )
    861. 

  861.     {
    862. 

  862.         if( name_len == strlen( *p ) &&
    863. 

  863.             memcmp( buf + 3, *p, name_len ) == 0 )
    864. 

  864.         {
    865. 

  865.             ssl->alpn_chosen = *p;
    866. 

  866.             return( 0 );
    867. 

  867.         }
    868. 

  868.     }
    869. 

  869. 

  870.     return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    871. 

  871. }
    872. 

  872. #endif /* POLARSSL_SSL_ALPN */
    873. 

  873. 

  874. static int ssl_parse_server_hello( ssl_context *ssl )
    875. 

  875. {
    876. 

  876.     int ret, i, comp;
    877. 

  877.     size_t n;
    878. 

  878.     size_t ext_len = 0;
    879. 

  879.     unsigned char *buf, *ext;
    880. 

  880.     int renegotiation_info_seen = 0;
    881. 

  881.     int handshake_failure = 0;
    882. 

  882. #if defined(POLARSSL_DEBUG_C)
    883. 

  883.     uint32_t t;
    884. 

  884. #endif
    885. 

  885. 

  886.     SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
    887. 

  887. 

  888.     /*
    889. 

  889.      *     0  .   0   handshake type
    890. 

  890.      *     1  .   3   handshake length
    891. 

  891.      *     4  .   5   protocol version
    892. 

  892.      *     6  .   9   UNIX time()
    893. 

  893.      *    10  .  37   random bytes
    894. 

  894.      */
    895. 

  895.     buf = ssl->in_msg;
    896. 

  896. 

  897.     if( ( ret = ssl_read_record( ssl ) ) != 0 )
    898. 

  898.     {
    899. 

  899.         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
    900. 

  900.         return( ret );
    901. 

  901.     }
    902. 

  902. 

  903.     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
    904. 

  904.     {
    905. 

  905.         SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
    906. 

  906.         return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
    907. 

  907.     }
    908. 

  908. 

  909.     SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
    910. 

  910.                    buf[4], buf[5] ) );
    911. 

  911. 

  912.     if( ssl->in_hslen < 42 ||
    913. 

  913.         buf[0] != SSL_HS_SERVER_HELLO ||
    914. 

  914.         buf[4] != SSL_MAJOR_VERSION_3 )
    915. 

  915.     {
    916. 

  916.         SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
    917. 

  917.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    918. 

  918.     }
    919. 

  919. 

  920.     if( buf[5] > ssl->max_minor_ver )
    921. 

  921.     {
    922. 

  922.         SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
    923. 

  923.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    924. 

  924.     }
    925. 

  925. 

  926.     ssl->minor_ver = buf[5];
    927. 

  927. 

  928.     if( ssl->minor_ver < ssl->min_minor_ver )
    929. 

  929.     {
    930. 

  930.         SSL_DEBUG_MSG( 1, ( "server only supports ssl smaller than minimum"
    931. 

  931.                             " [%d:%d] < [%d:%d]", ssl->major_ver,
    932. 

  932.                             ssl->minor_ver, buf[4], buf[5] ) );
    933. 

  933. 

  934.         ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
    935. 

  935.                                      SSL_ALERT_MSG_PROTOCOL_VERSION );
    936. 

  936. 

  937.         return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
    938. 

  938.     }
    939. 

  939. 

  940. #if defined(POLARSSL_DEBUG_C)
    941. 

  941.     t = ( (uint32_t) buf[6] << 24 )
    942. 

  942.       | ( (uint32_t) buf[7] << 16 )
    943. 

  943.       | ( (uint32_t) buf[8] <<  8 )
    944. 

  944.       | ( (uint32_t) buf[9]       );
    945. 

  945.     SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
    946. 

  946. #endif
    947. 

  947. 

  948.     memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
    949. 

  949. 

  950.     n = buf[38];
    951. 

  951. 

  952.     SSL_DEBUG_BUF( 3,   "server hello, random bytes", buf + 6, 32 );
    953. 

  953. 

  954.     if( n > 32 )
    955. 

  955.     {
    956. 

  956.         SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
    957. 

  957.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    958. 

  958.     }
    959. 

  959. 

  960.     /*
    961. 

  961.      *    38  .  38   session id length
    962. 

  962.      *    39  . 38+n  session id
    963. 

  963.      *   39+n . 40+n  chosen ciphersuite
    964. 

  964.      *   41+n . 41+n  chosen compression alg.
    965. 

  965.      *   42+n . 43+n  extensions length
    966. 

  966.      *   44+n . 44+n+m extensions
    967. 

  967.      */
    968. 

  968.     if( ssl->in_hslen > 42 + n )
    969. 

  969.     {
    970. 

  970.         ext_len = ( ( buf[42 + n] <<  8 )
    971. 

  971.                   | ( buf[43 + n]       ) );
    972. 

  972. 

  973.         if( ( ext_len > 0 && ext_len < 4 ) ||
    974. 

  974.             ssl->in_hslen != 44 + n + ext_len )
    975. 

  975.         {
    976. 

  976.             SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
    977. 

  977.             return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    978. 

  978.         }
    979. 

  979.     }
    980. 

  980. 

  981.     i = ( buf[39 + n] << 8 ) | buf[40 + n];
    982. 

  982.     comp = buf[41 + n];
    983. 

  983. 

  984.     /*
    985. 

  985.      * Initialize update checksum functions
    986. 

  986.      */
    987. 

  987.     ssl->transform_negotiate->ciphersuite_info = ssl_ciphersuite_from_id( i );
    988. 

  988. 

  989.     if( ssl->transform_negotiate->ciphersuite_info == NULL )
    990. 

  990.     {
    991. 

  991.         SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
    992. 

  992.         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
    993. 

  993.     }
    994. 

  994. 

  995.     ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
    996. 

  996. 

  997.     SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
    998. 

  998.     SSL_DEBUG_BUF( 3,   "server hello, session id", buf + 39, n );
    999. 

  999. 

  1000.     /*
    1001. 

  1001.      * Check if the session can be resumed
    1002. 

  1002.      */
    1003. 

  1003.     if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
    1004. 

  1004.         ssl->handshake->resume == 0 || n == 0 ||
    1005. 

  1005.         ssl->session_negotiate->ciphersuite != i ||
    1006. 

  1006.         ssl->session_negotiate->compression != comp ||
    1007. 

  1007.         ssl->session_negotiate->length != n ||
    1008. 

  1008.         memcmp( ssl->session_negotiate->id, buf + 39, n ) != 0 )
    1009. 

  1009.     {
    1010. 

  1010.         ssl->state++;
    1011. 

  1011.         ssl->handshake->resume = 0;
    1012. 

  1012. #if defined(POLARSSL_HAVE_TIME)
    1013. 

  1013.         ssl->session_negotiate->start = time( NULL );
    1014. 

  1014. #endif
    1015. 

  1015.         ssl->session_negotiate->ciphersuite = i;
    1016. 

  1016.         ssl->session_negotiate->compression = comp;
    1017. 

  1017.         ssl->session_negotiate->length = n;
    1018. 

  1018.         memcpy( ssl->session_negotiate->id, buf + 39, n );
    1019. 

  1019.     }
    1020. 

  1020.     else
    1021. 

  1021.     {
    1022. 

  1022.         ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
    1023. 

  1023. 

  1024.         if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
    1025. 

  1025.         {
    1026. 

  1026.             SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
    1027. 

  1027.             return( ret );
    1028. 

  1028.         }
    1029. 

  1029.     }
    1030. 

  1030. 

  1031.     SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
    1032. 

  1032.                    ssl->handshake->resume ? "a" : "no" ) );
    1033. 

  1033. 

  1034.     SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) );
    1035. 

  1035.     SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) );
    1036. 

  1036. 

  1037.     i = 0;
    1038. 

  1038.     while( 1 )
    1039. 

  1039.     {
    1040. 

  1040.         if( ssl->ciphersuite_list[ssl->minor_ver][i] == 0 )
    1041. 

  1041.         {
    1042. 

  1042.             SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
    1043. 

  1043.             return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    1044. 

  1044.         }
    1045. 

  1045. 

  1046.         if( ssl->ciphersuite_list[ssl->minor_ver][i++] ==
    1047. 

  1047.             ssl->session_negotiate->ciphersuite )
    1048. 

  1048.         {
    1049. 

  1049.             break;
    1050. 

  1050.         }
    1051. 

  1051.     }
    1052. 

  1052. 

  1053.     if( comp != SSL_COMPRESS_NULL
    1054. 

  1054. #if defined(POLARSSL_ZLIB_SUPPORT)
    1055. 

  1055.         && comp != SSL_COMPRESS_DEFLATE
    1056. 

  1056. #endif
    1057. 

  1057.       )
    1058. 

  1058.     {
    1059. 

  1059.         SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
    1060. 

  1060.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    1061. 

  1061.     }
    1062. 

  1062.     ssl->session_negotiate->compression = comp;
    1063. 

  1063. 

  1064.     ext = buf + 44 + n;
    1065. 

  1065. 

  1066.     SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
    1067. 

  1067. 

  1068.     while( ext_len )
    1069. 

  1069.     {
    1070. 

  1070.         unsigned int ext_id   = ( ( ext[0] <<  8 )
    1071. 

  1071.                                 | ( ext[1]       ) );
    1072. 

  1072.         unsigned int ext_size = ( ( ext[2] <<  8 )
    1073. 

  1073.                                 | ( ext[3]       ) );
    1074. 

  1074. 

  1075.         if( ext_size + 4 > ext_len )
    1076. 

  1076.         {
    1077. 

  1077.             SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
    1078. 

  1078.             return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    1079. 

  1079.         }
    1080. 

  1080. 

  1081.         switch( ext_id )
    1082. 

  1082.         {
    1083. 

  1083.         case TLS_EXT_RENEGOTIATION_INFO:
    1084. 

  1084.             SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
    1085. 

  1085.             renegotiation_info_seen = 1;
    1086. 

  1086. 

  1087.             if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
    1088. 

  1088.                                                       ext_size ) ) != 0 )
    1089. 

  1089.                 return( ret );
    1090. 

  1090. 

  1091.             break;
    1092. 

  1092. 

  1093. #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
    1094. 

  1094.         case TLS_EXT_MAX_FRAGMENT_LENGTH:
    1095. 

  1095.             SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
    1096. 

  1096. 

  1097.             if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
    1098. 

  1098.                             ext + 4, ext_size ) ) != 0 )
    1099. 

  1099.             {
    1100. 

  1100.                 return( ret );
    1101. 

  1101.             }
    1102. 

  1102. 

  1103.             break;
    1104. 

  1104. #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
    1105. 

  1105. 

  1106. #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
    1107. 

  1107.         case TLS_EXT_TRUNCATED_HMAC:
    1108. 

  1108.             SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
    1109. 

  1109. 

  1110.             if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
    1111. 

  1111.                             ext + 4, ext_size ) ) != 0 )
    1112. 

  1112.             {
    1113. 

  1113.                 return( ret );
    1114. 

  1114.             }
    1115. 

  1115. 

  1116.             break;
    1117. 

  1117. #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
    1118. 

  1118. 

  1119. #if defined(POLARSSL_SSL_SESSION_TICKETS)
    1120. 

  1120.         case TLS_EXT_SESSION_TICKET:
    1121. 

  1121.             SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
    1122. 

  1122. 

  1123.             if( ( ret = ssl_parse_session_ticket_ext( ssl,
    1124. 

  1124.                             ext + 4, ext_size ) ) != 0 )
    1125. 

  1125.             {
    1126. 

  1126.                 return( ret );
    1127. 

  1127.             }
    1128. 

  1128. 

  1129.             break;
    1130. 

  1130. #endif /* POLARSSL_SSL_SESSION_TICKETS */
    1131. 

  1131. 

  1132. #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
    1133. 

  1133.         case TLS_EXT_SUPPORTED_POINT_FORMATS:
    1134. 

  1134.             SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
    1135. 

  1135. 

  1136.             if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
    1137. 

  1137.                             ext + 4, ext_size ) ) != 0 )
    1138. 

  1138.             {
    1139. 

  1139.                 return( ret );
    1140. 

  1140.             }
    1141. 

  1141. 

  1142.             break;
    1143. 

  1143. #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
    1144. 

  1144. 

  1145. #if defined(POLARSSL_SSL_ALPN)
    1146. 

  1146.         case TLS_EXT_ALPN:
    1147. 

  1147.             SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
    1148. 

  1148. 

  1149.             if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
    1150. 

  1150.                 return( ret );
    1151. 

  1151. 

  1152.             break;
    1153. 

  1153. #endif /* POLARSSL_SSL_ALPN */
    1154. 

  1154. 

  1155.         default:
    1156. 

  1156.             SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
    1157. 

  1157.                            ext_id ) );
    1158. 

  1158.         }
    1159. 

  1159. 

  1160.         ext_len -= 4 + ext_size;
    1161. 

  1161.         ext += 4 + ext_size;
    1162. 

  1162. 

  1163.         if( ext_len > 0 && ext_len < 4 )
    1164. 

  1164.         {
    1165. 

  1165.             SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
    1166. 

  1166.             return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    1167. 

  1167.         }
    1168. 

  1168.     }
    1169. 

  1169. 

  1170.     /*
    1171. 

  1171.      * Renegotiation security checks
    1172. 

  1172.      */
    1173. 

  1173.     if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
    1174. 

  1174.         ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
    1175. 

  1175.     {
    1176. 

  1176.         SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
    1177. 

  1177.         handshake_failure = 1;
    1178. 

  1178.     }
    1179. 

  1179.     else if( ssl->renegotiation == SSL_RENEGOTIATION &&
    1180. 

  1180.              ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
    1181. 

  1181.              renegotiation_info_seen == 0 )
    1182. 

  1182.     {
    1183. 

  1183.         SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
    1184. 

  1184.         handshake_failure = 1;
    1185. 

  1185.     }
    1186. 

  1186.     else if( ssl->renegotiation == SSL_RENEGOTIATION &&
    1187. 

  1187.              ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
    1188. 

  1188.              ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
    1189. 

  1189.     {
    1190. 

  1190.         SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
    1191. 

  1191.         handshake_failure = 1;
    1192. 

  1192.     }
    1193. 

  1193.     else if( ssl->renegotiation == SSL_RENEGOTIATION &&
    1194. 

  1194.              ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
    1195. 

  1195.              renegotiation_info_seen == 1 )
    1196. 

  1196.     {
    1197. 

  1197.         SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
    1198. 

  1198.         handshake_failure = 1;
    1199. 

  1199.     }
    1200. 

  1200. 

  1201.     if( handshake_failure == 1 )
    1202. 

  1202.     {
    1203. 

  1203.         if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
    1204. 

  1204.             return( ret );
    1205. 

  1205. 

  1206.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    1207. 

  1207.     }
    1208. 

  1208. 

  1209.     SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
    1210. 

  1210. 

  1211.     return( 0 );
    1212. 

  1212. }
    1213. 

  1213. 

  1214. #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
    1215. 

  1215.     defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
    1216. 

  1216. static int ssl_parse_server_dh_params( ssl_context *ssl, unsigned char **p,
    1217. 

  1217.                                        unsigned char *end )
    1218. 

  1218. {
    1219. 

  1219.     int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
    1220. 

  1220. 

  1221.     /*
    1222. 

  1222.      * Ephemeral DH parameters:
    1223. 

  1223.      *
    1224. 

  1224.      * struct {
    1225. 

  1225.      *     opaque dh_p<1..2^16-1>;
    1226. 

  1226.      *     opaque dh_g<1..2^16-1>;
    1227. 

  1227.      *     opaque dh_Ys<1..2^16-1>;
    1228. 

  1228.      * } ServerDHParams;
    1229. 

  1229.      */
    1230. 

  1230.     if( ( ret = dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
    1231. 

  1231.     {
    1232. 

  1232.         SSL_DEBUG_RET( 2, ( "dhm_read_params" ), ret );
    1233. 

  1233.         return( ret );
    1234. 

  1234.     }
    1235. 

  1235. 

  1236.     if( ssl->handshake->dhm_ctx.len < 64  ||
    1237. 

  1237.         ssl->handshake->dhm_ctx.len > 512 )
    1238. 

  1238.     {
    1239. 

  1239.         SSL_DEBUG_MSG( 1, ( "bad server key exchange message (DHM length)" ) );
    1240. 

  1240.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    1241. 

  1241.     }
    1242. 

  1242. 

  1243.     SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P  );
    1244. 

  1244.     SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G  );
    1245. 

  1245.     SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
    1246. 

  1246. 

  1247.     return( ret );
    1248. 

  1248. }
    1249. 

  1249. #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
    1250. 

  1250.           POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
    1251. 

  1251. 

  1252. #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
    1253. 

  1253.     defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
    1254. 

  1254.     defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                     \
    1255. 

  1255.     defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
    1256. 

  1256.     defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
    1257. 

  1257. static int ssl_check_server_ecdh_params( const ssl_context *ssl )
    1258. 

  1258. {
    1259. 

  1259.     const ecp_curve_info *curve_info;
    1260. 

  1260. 

  1261.     curve_info = ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id );
    1262. 

  1262.     if( curve_info == NULL )
    1263. 

  1263.     {
    1264. 

  1264.         SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    1265. 

  1265.         return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
    1266. 

  1266.     }
    1267. 

  1267. 

  1268.     SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
    1269. 

  1269. 

  1270. #if defined(POLARSSL_SSL_ECP_SET_CURVES)
    1271. 

  1271.     if( ! ssl_curve_is_acceptable( ssl, ssl->handshake->ecdh_ctx.grp.id ) )
    1272. 

  1272. #else
    1273. 

  1273.     if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
    1274. 

  1274.         ssl->handshake->ecdh_ctx.grp.nbits > 521 )
    1275. 

  1275. #endif
    1276. 

  1276.         return( -1 );
    1277. 

  1277. 

  1278.     SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp );
    1279. 

  1279. 

  1280.     return( 0 );
    1281. 

  1281. }
    1282. 

  1282. #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
    1283. 

  1283.           POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
    1284. 

  1284.           POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
    1285. 

  1285.           POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
    1286. 

  1286.           POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
    1287. 

  1287. 

  1288. #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
    1289. 

  1289.     defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
    1290. 

  1290.     defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
    1291. 

  1291. static int ssl_parse_server_ecdh_params( ssl_context *ssl,
    1292. 

  1292.                                          unsigned char **p,
    1293. 

  1293.                                          unsigned char *end )
    1294. 

  1294. {
    1295. 

  1295.     int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
    1296. 

  1296. 

  1297.     /*
    1298. 

  1298.      * Ephemeral ECDH parameters:
    1299. 

  1299.      *
    1300. 

  1300.      * struct {
    1301. 

  1301.      *     ECParameters curve_params;
    1302. 

  1302.      *     ECPoint      public;
    1303. 

  1303.      * } ServerECDHParams;
    1304. 

  1304.      */
    1305. 

  1305.     if( ( ret = ecdh_read_params( &ssl->handshake->ecdh_ctx,
    1306. 

  1306.                                   (const unsigned char **) p, end ) ) != 0 )
    1307. 

  1307.     {
    1308. 

  1308.         SSL_DEBUG_RET( 1, ( "ecdh_read_params" ), ret );
    1309. 

  1309.         return( ret );
    1310. 

  1310.     }
    1311. 

  1311. 

  1312.     if( ssl_check_server_ecdh_params( ssl ) != 0 )
    1313. 

  1313.     {
    1314. 

  1314.         SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
    1315. 

  1315.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    1316. 

  1316.     }
    1317. 

  1317. 

  1318.     return( ret );
    1319. 

  1319. }
    1320. 

  1320. #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
    1321. 

  1321.           POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
    1322. 

  1322.           POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
    1323. 

  1323. 

  1324. #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
    1325. 

  1325. static int ssl_parse_server_psk_hint( ssl_context *ssl,
    1326. 

  1326.                                       unsigned char **p,
    1327. 

  1327.                                       unsigned char *end )
    1328. 

  1328. {
    1329. 

  1329.     int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
    1330. 

  1330.     size_t  len;
    1331. 

  1331.     ((void) ssl);
    1332. 

  1332. 

  1333.     /*
    1334. 

  1334.      * PSK parameters:
    1335. 

  1335.      *
    1336. 

  1336.      * opaque psk_identity_hint<0..2^16-1>;
    1337. 

  1337.      */
    1338. 

  1338.     len = (*p)[0] << 8 | (*p)[1];
    1339. 

  1339.     *p += 2;
    1340. 

  1340. 

  1341.     if( (*p) + len > end )
    1342. 

  1342.     {
    1343. 

  1343.         SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) );
    1344. 

  1344.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    1345. 

  1345.     }
    1346. 

  1346. 

  1347.     // TODO: Retrieve PSK identity hint and callback to app
    1348. 

  1348.     //
    1349. 

  1349.     *p += len;
    1350. 

  1350.     ret = 0;
    1351. 

  1351. 

  1352.     return( ret );
    1353. 

  1353. }
    1354. 

  1354. #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
    1355. 

  1355. 

  1356. #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) ||                           \
    1357. 

  1357.     defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
    1358. 

  1358. /*
    1359. 

  1359.  * Generate a pre-master secret and encrypt it with the server's RSA key
    1360. 

  1360.  */
    1361. 

  1361. static int ssl_write_encrypted_pms( ssl_context *ssl,
    1362. 

  1362.                                     size_t offset, size_t *olen,
    1363. 

  1363.                                     size_t pms_offset )
    1364. 

  1364. {
    1365. 

  1365.     int ret;
    1366. 

  1366.     size_t len_bytes = ssl->minor_ver == SSL_MINOR_VERSION_0 ? 0 : 2;
    1367. 

  1367.     unsigned char *p = ssl->handshake->premaster + pms_offset;
    1368. 

  1368. 

  1369.     /*
    1370. 

  1370.      * Generate (part of) the pre-master as
    1371. 

  1371.      *  struct {
    1372. 

  1372.      *      ProtocolVersion client_version;
    1373. 

  1373.      *      opaque random[46];
    1374. 

  1374.      *  } PreMasterSecret;
    1375. 

  1375.      */
    1376. 

  1376.     p[0] = (unsigned char) ssl->max_major_ver;
    1377. 

  1377.     p[1] = (unsigned char) ssl->max_minor_ver;
    1378. 

  1378. 

  1379.     if( ( ret = ssl->f_rng( ssl->p_rng, p + 2, 46 ) ) != 0 )
    1380. 

  1380.     {
    1381. 

  1381.         SSL_DEBUG_RET( 1, "f_rng", ret );
    1382. 

  1382.         return( ret );
    1383. 

  1383.     }
    1384. 

  1384. 

  1385.     ssl->handshake->pmslen = 48;
    1386. 

  1386. 

  1387.     /*
    1388. 

  1388.      * Now write it out, encrypted
    1389. 

  1389.      */
    1390. 

  1390.     if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
    1391. 

  1391.                 POLARSSL_PK_RSA ) )
    1392. 

  1392.     {
    1393. 

  1393.         SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
    1394. 

  1394.         return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH );
    1395. 

  1395.     }
    1396. 

  1396. 

  1397.     if( ( ret = pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
    1398. 

  1398.                             p, ssl->handshake->pmslen,
    1399. 

  1399.                             ssl->out_msg + offset + len_bytes, olen,
    1400. 

  1400.                             SSL_MAX_CONTENT_LEN - offset - len_bytes,
    1401. 

  1401.                             ssl->f_rng, ssl->p_rng ) ) != 0 )
    1402. 

  1402.     {
    1403. 

  1403.         SSL_DEBUG_RET( 1, "rsa_pkcs1_encrypt", ret );
    1404. 

  1404.         return( ret );
    1405. 

  1405.     }
    1406. 

  1406. 

  1407. #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
    1408. 

  1408.     defined(POLARSSL_SSL_PROTO_TLS1_2)
    1409. 

  1409.     if( len_bytes == 2 )
    1410. 

  1410.     {
    1411. 

  1411.         ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
    1412. 

  1412.         ssl->out_msg[offset+1] = (unsigned char)( *olen      );
    1413. 

  1413.         *olen += 2;
    1414. 

  1414.     }
    1415. 

  1415. #endif
    1416. 

  1416. 

  1417.     return( 0 );
    1418. 

  1418. }
    1419. 

  1419. #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED ||
    1420. 

  1420.           POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
    1421. 

  1421. 

  1422. #if defined(POLARSSL_SSL_PROTO_TLS1_2)
    1423. 

  1423. #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
    1424. 

  1424.     defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
    1425. 

  1425.     defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
    1426. 

  1426. static int ssl_parse_signature_algorithm( ssl_context *ssl,
    1427. 

  1427.                                           unsigned char **p,
    1428. 

  1428.                                           unsigned char *end,
    1429. 

  1429.                                           md_type_t *md_alg,
    1430. 

  1430.                                           pk_type_t *pk_alg )
    1431. 

  1431. {
    1432. 

  1432.     ((void) ssl);
    1433. 

  1433.     *md_alg = POLARSSL_MD_NONE;
    1434. 

  1434.     *pk_alg = POLARSSL_PK_NONE;
    1435. 

  1435. 

  1436.     /* Only in TLS 1.2 */
    1437. 

  1437.     if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
    1438. 

  1438.     {
    1439. 

  1439.         return( 0 );
    1440. 

  1440.     }
    1441. 

  1441. 

  1442.     if( (*p) + 2 > end )
    1443. 

  1443.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    1444. 

  1444. 

  1445.     /*
    1446. 

  1446.      * Get hash algorithm
    1447. 

  1447.      */
    1448. 

  1448.     if( ( *md_alg = ssl_md_alg_from_hash( (*p)[0] ) ) == POLARSSL_MD_NONE )
    1449. 

  1449.     {
    1450. 

  1450.         SSL_DEBUG_MSG( 2, ( "Server used unsupported "
    1451. 

  1451.                             "HashAlgorithm %d", *(p)[0] ) );
    1452. 

  1452.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    1453. 

  1453.     }
    1454. 

  1454. 

  1455.     /*
    1456. 

  1456.      * Get signature algorithm
    1457. 

  1457.      */
    1458. 

  1458.     if( ( *pk_alg = ssl_pk_alg_from_sig( (*p)[1] ) ) == POLARSSL_PK_NONE )
    1459. 

  1459.     {
    1460. 

  1460.         SSL_DEBUG_MSG( 2, ( "server used unsupported "
    1461. 

  1461.                             "SignatureAlgorithm %d", (*p)[1] ) );
    1462. 

  1462.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    1463. 

  1463.     }
    1464. 

  1464. 

  1465.     SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
    1466. 

  1466.     SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
    1467. 

  1467.     *p += 2;
    1468. 

  1468. 

  1469.     return( 0 );
    1470. 

  1470. }
    1471. 

  1471. #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
    1472. 

  1472.           POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
    1473. 

  1473.           POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
    1474. 

  1474. #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
    1475. 

  1475. 

  1476. 

  1477. #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
    1478. 

  1478.     defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
    1479. 

  1479. static int ssl_get_ecdh_params_from_cert( ssl_context *ssl )
    1480. 

  1480. {
    1481. 

  1481.     int ret;
    1482. 

  1482.     const ecp_keypair *peer_key;
    1483. 

  1483. 

  1484.     if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
    1485. 

  1485.                      POLARSSL_PK_ECKEY ) )
    1486. 

  1486.     {
    1487. 

  1487.         SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
    1488. 

  1488.         return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH );
    1489. 

  1489.     }
    1490. 

  1490. 

  1491.     peer_key = pk_ec( ssl->session_negotiate->peer_cert->pk );
    1492. 

  1492. 

  1493.     if( ( ret = ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
    1494. 

  1494.                                  POLARSSL_ECDH_THEIRS ) ) != 0 )
    1495. 

  1495.     {
    1496. 

  1496.         SSL_DEBUG_RET( 1, ( "ecdh_get_params" ), ret );
    1497. 

  1497.         return( ret );
    1498. 

  1498.     }
    1499. 

  1499. 

  1500.     if( ssl_check_server_ecdh_params( ssl ) != 0 )
    1501. 

  1501.     {
    1502. 

  1502.         SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
    1503. 

  1503.         return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
    1504. 

  1504.     }
    1505. 

  1505. 

  1506.     return( ret );
    1507. 

  1507. }
    1508. 

  1508. #endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
    1509. 

  1509.           POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
    1510. 

  1510. 

  1511. static int ssl_parse_server_key_exchange( ssl_context *ssl )
    1512. 

  1512. {
    1513. 

  1513.     int ret;
    1514. 

  1514.     const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
    1515. 

  1515.     unsigned char *p, *end;
    1516. 

  1516. #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
    1517. 

  1517.     defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
    1518. 

  1518.     defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
    1519. 

  1519.     size_t sig_len, params_len;
    1520. 

  1520.     unsigned char hash[64];
    1521. 

  1521.     md_type_t md_alg = POLARSSL_MD_NONE;
    1522. 

  1522.     size_t hashlen;
    1523. 

  1523.     pk_type_t pk_alg = POLARSSL_PK_NONE;
    1524. 

  1524. #endif
    1525. 

  1525. 

  1526.     SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
    1527. 

  1527. 

  1528. #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
    1529. 

  1529.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
    1530. 

  1530.     {
    1531. 

  1531.         SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
    1532. 

  1532.         ssl->state++;
    1533. 

  1533.         return( 0 );
    1534. 

  1534.     }
    1535. 

  1535.     ((void) p);
    1536. 

  1536.     ((void) end);
    1537. 

  1537. #endif
    1538. 

  1538. 

  1539. #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
    1540. 

  1540.     defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
    1541. 

  1541.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
    1542. 

  1542.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
    1543. 

  1543.     {
    1544. 

  1544.         if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
    1545. 

  1545.         {
    1546. 

  1546.             SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
    1547. 

  1547.             return( ret );
    1548. 

  1548.         }
    1549. 

  1549. 

  1550.         SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
    1551. 

  1551.         ssl->state++;
    1552. 

  1552.         return( 0 );
    1553. 

  1553.     }
    1554. 

  1554.     ((void) p);
    1555. 

  1555.     ((void) end);
    1556. 

  1556. #endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
    1557. 

  1557.           POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
    1558. 

  1558. 

  1559.     if( ( ret = ssl_read_record( ssl ) ) != 0 )
    1560. 

  1560.     {
    1561. 

  1561.         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
    1562. 

  1562.         return( ret );
    1563. 

  1563.     }
    1564. 

  1564. 

  1565.     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
    1566. 

  1566.     {
    1567. 

  1567.         SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
    1568. 

  1568.         return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
    1569. 

  1569.     }
    1570. 

  1570. 

  1571.     /*
    1572. 

  1572.      * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
    1573. 

  1573.      * doesn't use a psk_identity_hint
    1574. 

  1574.      */
    1575. 

  1575.     if( ssl->in_msg[0] != SSL_HS_SERVER_KEY_EXCHANGE )
    1576. 

  1576.     {
    1577. 

  1577.         if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
    1578. 

  1578.             ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
    1579. 

  1579.         {
    1580. 

  1580.             ssl->record_read = 1;
    1581. 

  1581.             goto exit;
    1582. 

  1582.         }
    1583. 

  1583. 

  1584.         SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
    1585. 

  1585.         return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
    1586. 

  1586.     }
    1587. 

  1587. 

  1588.     p   = ssl->in_msg + 4;
    1589. 

  1589.     end = ssl->in_msg + ssl->in_hslen;
    1590. 

  1590.     SSL_DEBUG_BUF( 3,   "server key exchange", p, ssl->in_hslen - 4 );
    1591. 

  1591. 

  1592. #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
    1593. 

  1593.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
    1594. 

  1594.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
    1595. 

  1595.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
    1596. 

  1596.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
    1597. 

  1597.     {
    1598. 

  1598.         if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
    1599. 

  1599.         {
    1600. 

  1600.             SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
    1601. 

  1601.             return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    1602. 

  1602.         }
    1603. 

  1603.     } /* FALLTROUGH */
    1604. 

  1604. #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
    1605. 

  1605. 

  1606. #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) ||                       \
    1607. 

  1607.     defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
    1608. 

  1608.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
    1609. 

  1609.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
    1610. 

  1610.         ; /* nothing more to do */
    1611. 

  1611.     else
    1612. 

  1612. #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED ||
    1613. 

  1613.           POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
    1614. 

  1614. #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
    1615. 

  1615.     defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
    1616. 

  1616.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
    1617. 

  1617.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
    1618. 

  1618.     {
    1619. 

  1619.         if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
    1620. 

  1620.         {
    1621. 

  1621.             SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
    1622. 

  1622.             return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    1623. 

  1623.         }
    1624. 

  1624.     }
    1625. 

  1625.     else
    1626. 

  1626. #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
    1627. 

  1627.           POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
    1628. 

  1628. #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
    1629. 

  1629.     defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                     \
    1630. 

  1630.     defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
    1631. 

  1631.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
    1632. 

  1632.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
    1633. 

  1633.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
    1634. 

  1634.     {
    1635. 

  1635.         if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
    1636. 

  1636.         {
    1637. 

  1637.             SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
    1638. 

  1638.             return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    1639. 

  1639.         }
    1640. 

  1640.     }
    1641. 

  1641.     else
    1642. 

  1642. #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
    1643. 

  1643.           POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
    1644. 

  1644.           POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
    1645. 

  1645.     {
    1646. 

  1646.         SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    1647. 

  1647.         return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
    1648. 

  1648.     }
    1649. 

  1649. 

  1650. #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
    1651. 

  1651.     defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
    1652. 

  1652.     defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
    1653. 

  1653.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
    1654. 

  1654.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
    1655. 

  1655.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
    1656. 

  1656.     {
    1657. 

  1657.         params_len = p - ( ssl->in_msg + 4 );
    1658. 

  1658. 

  1659.         /*
    1660. 

  1660.          * Handle the digitally-signed structure
    1661. 

  1661.          */
    1662. 

  1662. #if defined(POLARSSL_SSL_PROTO_TLS1_2)
    1663. 

  1663.         if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
    1664. 

  1664.         {
    1665. 

  1665.             if( ssl_parse_signature_algorithm( ssl, &p, end,
    1666. 

  1666.                                                &md_alg, &pk_alg ) != 0 )
    1667. 

  1667.             {
    1668. 

  1668.                 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
    1669. 

  1669.                 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    1670. 

  1670.             }
    1671. 

  1671. 

  1672.             if( pk_alg != ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
    1673. 

  1673.             {
    1674. 

  1674.                 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
    1675. 

  1675.                 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    1676. 

  1676.             }
    1677. 

  1677.         }
    1678. 

  1678.         else
    1679. 

  1679. #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
    1680. 

  1680. #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
    1681. 

  1681.     defined(POLARSSL_SSL_PROTO_TLS1_1)
    1682. 

  1682.         if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
    1683. 

  1683.         {
    1684. 

  1684.             pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
    1685. 

  1685. 

  1686.             /* Default hash for ECDSA is SHA-1 */
    1687. 

  1687.             if( pk_alg == POLARSSL_PK_ECDSA && md_alg == POLARSSL_MD_NONE )
    1688. 

  1688.                 md_alg = POLARSSL_MD_SHA1;
    1689. 

  1689.         }
    1690. 

  1690.         else
    1691. 

  1691. #endif
    1692. 

  1692.         {
    1693. 

  1693.             SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    1694. 

  1694.             return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
    1695. 

  1695.         }
    1696. 

  1696. 

  1697.         /*
    1698. 

  1698.          * Read signature
    1699. 

  1699.          */
    1700. 

  1700.         sig_len = ( p[0] << 8 ) | p[1];
    1701. 

  1701.         p += 2;
    1702. 

  1702. 

  1703.         if( end != p + sig_len )
    1704. 

  1704.         {
    1705. 

  1705.             SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
    1706. 

  1706.             return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    1707. 

  1707.         }
    1708. 

  1708. 

  1709.         SSL_DEBUG_BUF( 3, "signature", p, sig_len );
    1710. 

  1710. 

  1711.         /*
    1712. 

  1712.          * Compute the hash that has been signed
    1713. 

  1713.          */
    1714. 

  1714. #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
    1715. 

  1715.     defined(POLARSSL_SSL_PROTO_TLS1_1)
    1716. 

  1716.         if( md_alg == POLARSSL_MD_NONE )
    1717. 

  1717.         {
    1718. 

  1718.             md5_context md5;
    1719. 

  1719.             sha1_context sha1;
    1720. 

  1720. 

  1721.             md5_init(  &md5  );
    1722. 

  1722.             sha1_init( &sha1 );
    1723. 

  1723. 

  1724.             hashlen = 36;
    1725. 

  1725. 

  1726.             /*
    1727. 

  1727.              * digitally-signed struct {
    1728. 

  1728.              *     opaque md5_hash[16];
    1729. 

  1729.              *     opaque sha_hash[20];
    1730. 

  1730.              * };
    1731. 

  1731.              *
    1732. 

  1732.              * md5_hash
    1733. 

  1733.              *     MD5(ClientHello.random + ServerHello.random
    1734. 

  1734.              *                            + ServerParams);
    1735. 

  1735.              * sha_hash
    1736. 

  1736.              *     SHA(ClientHello.random + ServerHello.random
    1737. 

  1737.              *                            + ServerParams);
    1738. 

  1738.              */
    1739. 

  1739.             md5_starts( &md5 );
    1740. 

  1740.             md5_update( &md5, ssl->handshake->randbytes, 64 );
    1741. 

  1741.             md5_update( &md5, ssl->in_msg + 4, params_len );
    1742. 

  1742.             md5_finish( &md5, hash );
    1743. 

  1743. 

  1744.             sha1_starts( &sha1 );
    1745. 

  1745.             sha1_update( &sha1, ssl->handshake->randbytes, 64 );
    1746. 

  1746.             sha1_update( &sha1, ssl->in_msg + 4, params_len );
    1747. 

  1747.             sha1_finish( &sha1, hash + 16 );
    1748. 

  1748. 

  1749.             md5_free(  &md5  );
    1750. 

  1750.             sha1_free( &sha1 );
    1751. 

  1751.         }
    1752. 

  1752.         else
    1753. 

  1753. #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
    1754. 

  1754.           POLARSSL_SSL_PROTO_TLS1_1 */
    1755. 

  1755. #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
    1756. 

  1756.     defined(POLARSSL_SSL_PROTO_TLS1_2)
    1757. 

  1757.         if( md_alg != POLARSSL_MD_NONE )
    1758. 

  1758.         {
    1759. 

  1759.             md_context_t ctx;
    1760. 

  1760. 

  1761.             md_init( &ctx );
    1762. 

  1762. 

  1763.             /* Info from md_alg will be used instead */
    1764. 

  1764.             hashlen = 0;
    1765. 

  1765. 

  1766.             /*
    1767. 

  1767.              * digitally-signed struct {
    1768. 

  1768.              *     opaque client_random[32];
    1769. 

  1769.              *     opaque server_random[32];
    1770. 

  1770.              *     ServerDHParams params;
    1771. 

  1771.              * };
    1772. 

  1772.              */
    1773. 

  1773.             if( ( ret = md_init_ctx( &ctx,
    1774. 

  1774.                                      md_info_from_type( md_alg ) ) ) != 0 )
    1775. 

  1775.             {
    1776. 

  1776.                 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
    1777. 

  1777.                 return( ret );
    1778. 

  1778.             }
    1779. 

  1779. 

  1780.             md_starts( &ctx );
    1781. 

  1781.             md_update( &ctx, ssl->handshake->randbytes, 64 );
    1782. 

  1782.             md_update( &ctx, ssl->in_msg + 4, params_len );
    1783. 

  1783.             md_finish( &ctx, hash );
    1784. 

  1784.             md_free( &ctx );
    1785. 

  1785.         }
    1786. 

  1786.         else
    1787. 

  1787. #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
    1788. 

  1788.           POLARSSL_SSL_PROTO_TLS1_2 */
    1789. 

  1789.         {
    1790. 

  1790.             SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    1791. 

  1791.             return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
    1792. 

  1792.         }
    1793. 

  1793. 

  1794.         SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
    1795. 

  1795.                 (unsigned int) ( md_info_from_type( md_alg ) )->size );
    1796. 

  1796. 

  1797.         /*
    1798. 

  1798.          * Verify signature
    1799. 

  1799.          */
    1800. 

  1800.         if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
    1801. 

  1801.         {
    1802. 

  1802.             SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
    1803. 

  1803.             return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH );
    1804. 

  1804.         }
    1805. 

  1805. 

  1806.         if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
    1807. 

  1807.                                md_alg, hash, hashlen, p, sig_len ) ) != 0 )
    1808. 

  1808.         {
    1809. 

  1809.             SSL_DEBUG_RET( 1, "pk_verify", ret );
    1810. 

  1810.             return( ret );
    1811. 

  1811.         }
    1812. 

  1812.     }
    1813. 

  1813. #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
    1814. 

  1814.           POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
    1815. 

  1815.           POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
    1816. 

  1816. 

  1817. exit:
    1818. 

  1818.     ssl->state++;
    1819. 

  1819. 

  1820.     SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
    1821. 

  1821. 

  1822.     return( 0 );
    1823. 

  1823. }
    1824. 

  1824. 

  1825. #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)       && \
    1826. 

  1826.     !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
    1827. 

  1827.     !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
    1828. 

  1828.     !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
    1829. 

  1829. static int ssl_parse_certificate_request( ssl_context *ssl )
    1830. 

  1830. {
    1831. 

  1831.     const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
    1832. 

  1832. 

  1833.     SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
    1834. 

  1834. 

  1835.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
    1836. 

  1836.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
    1837. 

  1837.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
    1838. 

  1838.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
    1839. 

  1839.     {
    1840. 

  1840.         SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
    1841. 

  1841.         ssl->state++;
    1842. 

  1842.         return( 0 );
    1843. 

  1843.     }
    1844. 

  1844. 

  1845.     SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    1846. 

  1846.     return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
    1847. 

  1847. }
    1848. 

  1848. #else
    1849. 

  1849. static int ssl_parse_certificate_request( ssl_context *ssl )
    1850. 

  1850. {
    1851. 

  1851.     int ret;
    1852. 

  1852.     unsigned char *buf, *p;
    1853. 

  1853.     size_t n = 0, m = 0;
    1854. 

  1854.     size_t cert_type_len = 0, dn_len = 0;
    1855. 

  1855.     const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
    1856. 

  1856. 

  1857.     SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
    1858. 

  1858. 

  1859.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
    1860. 

  1860.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
    1861. 

  1861.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
    1862. 

  1862.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
    1863. 

  1863.     {
    1864. 

  1864.         SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
    1865. 

  1865.         ssl->state++;
    1866. 

  1866.         return( 0 );
    1867. 

  1867.     }
    1868. 

  1868. 

  1869.     /*
    1870. 

  1870.      *     0  .   0   handshake type
    1871. 

  1871.      *     1  .   3   handshake length
    1872. 

  1872.      *     4  .   4   cert type count
    1873. 

  1873.      *     5  .. m-1  cert types
    1874. 

  1874.      *     m  .. m+1  sig alg length (TLS 1.2 only)
    1875. 

  1875.      *    m+1 .. n-1  SignatureAndHashAlgorithms (TLS 1.2 only)
    1876. 

  1876.      *     n  .. n+1  length of all DNs
    1877. 

  1877.      *    n+2 .. n+3  length of DN 1
    1878. 

  1878.      *    n+4 .. ...  Distinguished Name #1
    1879. 

  1879.      *    ... .. ...  length of DN 2, etc.
    1880. 

  1880.      */
    1881. 

  1881.     if( ssl->record_read == 0 )
    1882. 

  1882.     {
    1883. 

  1883.         if( ( ret = ssl_read_record( ssl ) ) != 0 )
    1884. 

  1884.         {
    1885. 

  1885.             SSL_DEBUG_RET( 1, "ssl_read_record", ret );
    1886. 

  1886.             return( ret );
    1887. 

  1887.         }
    1888. 

  1888. 

  1889.         if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
    1890. 

  1890.         {
    1891. 

  1891.             SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
    1892. 

  1892.             return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
    1893. 

  1893.         }
    1894. 

  1894. 

  1895.         ssl->record_read = 1;
    1896. 

  1896.     }
    1897. 

  1897. 

  1898.     ssl->client_auth = 0;
    1899. 

  1899.     ssl->state++;
    1900. 

  1900. 

  1901.     if( ssl->in_msg[0] == SSL_HS_CERTIFICATE_REQUEST )
    1902. 

  1902.         ssl->client_auth++;
    1903. 

  1903. 

  1904.     SSL_DEBUG_MSG( 3, ( "got %s certificate request",
    1905. 

  1905.                         ssl->client_auth ? "a" : "no" ) );
    1906. 

  1906. 

  1907.     if( ssl->client_auth == 0 )
    1908. 

  1908.         goto exit;
    1909. 

  1909. 

  1910.     ssl->record_read = 0;
    1911. 

  1911. 

  1912.     // TODO: handshake_failure alert for an anonymous server to request
    1913. 

  1913.     // client authentication
    1914. 

  1914. 

  1915.     buf = ssl->in_msg;
    1916. 

  1916. 

  1917.     // Retrieve cert types
    1918. 

  1918.     //
    1919. 

  1919.     cert_type_len = buf[4];
    1920. 

  1920.     n = cert_type_len;
    1921. 

  1921. 

  1922.     if( ssl->in_hslen < 6 + n )
    1923. 

  1923.     {
    1924. 

  1924.         SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
    1925. 

  1925.         return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
    1926. 

  1926.     }
    1927. 

  1927. 

  1928.     p = buf + 5;
    1929. 

  1929.     while( cert_type_len > 0 )
    1930. 

  1930.     {
    1931. 

  1931. #if defined(POLARSSL_RSA_C)
    1932. 

  1932.         if( *p == SSL_CERT_TYPE_RSA_SIGN &&
    1933. 

  1933.             pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) )
    1934. 

  1934.         {
    1935. 

  1935.             ssl->handshake->cert_type = SSL_CERT_TYPE_RSA_SIGN;
    1936. 

  1936.             break;
    1937. 

  1937.         }
    1938. 

  1938.         else
    1939. 

  1939. #endif
    1940. 

  1940. #if defined(POLARSSL_ECDSA_C)
    1941. 

  1941.         if( *p == SSL_CERT_TYPE_ECDSA_SIGN &&
    1942. 

  1942.             pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECDSA ) )
    1943. 

  1943.         {
    1944. 

  1944.             ssl->handshake->cert_type = SSL_CERT_TYPE_ECDSA_SIGN;
    1945. 

  1945.             break;
    1946. 

  1946.         }
    1947. 

  1947.         else
    1948. 

  1948. #endif
    1949. 

  1949.         {
    1950. 

  1950.             ; /* Unsupported cert type, ignore */
    1951. 

  1951.         }
    1952. 

  1952. 

  1953.         cert_type_len--;
    1954. 

  1954.         p++;
    1955. 

  1955.     }
    1956. 

  1956. 

  1957. #if defined(POLARSSL_SSL_PROTO_TLS1_2)
    1958. 

  1958.     if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
    1959. 

  1959.     {
    1960. 

  1960.         /* Ignored, see comments about hash in write_certificate_verify */
    1961. 

  1961.         // TODO: should check the signature part against our pk_key though
    1962. 

  1962.         size_t sig_alg_len = ( ( buf[5 + n] <<  8 )
    1963. 

  1963.                              | ( buf[6 + n]       ) );
    1964. 

  1964. 

  1965.         p = buf + 7 + n;
    1966. 

  1966.         m += 2;
    1967. 

  1967.         n += sig_alg_len;
    1968. 

  1968. 

  1969.         if( ssl->in_hslen < 6 + n )
    1970. 

  1970.         {
    1971. 

  1971.             SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
    1972. 

  1972.             return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
    1973. 

  1973.         }
    1974. 

  1974.     }
    1975. 

  1975. #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
    1976. 

  1976. 

  1977.     /* Ignore certificate_authorities, we only have one cert anyway */
    1978. 

  1978.     // TODO: should not send cert if no CA matches
    1979. 

  1979.     dn_len = ( ( buf[5 + m + n] <<  8 )
    1980. 

  1980.              | ( buf[6 + m + n]       ) );
    1981. 

  1981. 

  1982.     n += dn_len;
    1983. 

  1983.     if( ssl->in_hslen != 7 + m + n )
    1984. 

  1984.     {
    1985. 

  1985.         SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
    1986. 

  1986.         return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
    1987. 

  1987.     }
    1988. 

  1988. 

  1989. exit:
    1990. 

  1990.     SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
    1991. 

  1991. 

  1992.     return( 0 );
    1993. 

  1993. }
    1994. 

  1994. #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
    1995. 

  1995.           !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
    1996. 

  1996.           !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
    1997. 

  1997.           !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
    1998. 

  1998. 

  1999. static int ssl_parse_server_hello_done( ssl_context *ssl )
    2000. 

  2000. {
    2001. 

  2001.     int ret;
    2002. 

  2002. 

  2003.     SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
    2004. 

  2004. 

  2005.     if( ssl->record_read == 0 )
    2006. 

  2006.     {
    2007. 

  2007.         if( ( ret = ssl_read_record( ssl ) ) != 0 )
    2008. 

  2008.         {
    2009. 

  2009.             SSL_DEBUG_RET( 1, "ssl_read_record", ret );
    2010. 

  2010.             return( ret );
    2011. 

  2011.         }
    2012. 

  2012. 

  2013.         if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
    2014. 

  2014.         {
    2015. 

  2015.             SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
    2016. 

  2016.             return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
    2017. 

  2017.         }
    2018. 

  2018.     }
    2019. 

  2019.     ssl->record_read = 0;
    2020. 

  2020. 

  2021.     if( ssl->in_hslen  != 4 ||
    2022. 

  2022.         ssl->in_msg[0] != SSL_HS_SERVER_HELLO_DONE )
    2023. 

  2023.     {
    2024. 

  2024.         SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
    2025. 

  2025.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
    2026. 

  2026.     }
    2027. 

  2027. 

  2028.     ssl->state++;
    2029. 

  2029. 

  2030.     SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
    2031. 

  2031. 

  2032.     return( 0 );
    2033. 

  2033. }
    2034. 

  2034. 

  2035. static int ssl_write_client_key_exchange( ssl_context *ssl )
    2036. 

  2036. {
    2037. 

  2037.     int ret;
    2038. 

  2038.     size_t i, n;
    2039. 

  2039.     const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
    2040. 

  2040. 

  2041.     SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
    2042. 

  2042. 

  2043. #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
    2044. 

  2044.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
    2045. 

  2045.     {
    2046. 

  2046.         /*
    2047. 

  2047.          * DHM key exchange -- send G^X mod P
    2048. 

  2048.          */
    2049. 

  2049.         n = ssl->handshake->dhm_ctx.len;
    2050. 

  2050. 

  2051.         ssl->out_msg[4] = (unsigned char)( n >> 8 );
    2052. 

  2052.         ssl->out_msg[5] = (unsigned char)( n      );
    2053. 

  2053.         i = 6;
    2054. 

  2054. 

  2055.         ret = dhm_make_public( &ssl->handshake->dhm_ctx,
    2056. 

  2056.                                 (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
    2057. 

  2057.                                &ssl->out_msg[i], n,
    2058. 

  2058.                                 ssl->f_rng, ssl->p_rng );
    2059. 

  2059.         if( ret != 0 )
    2060. 

  2060.         {
    2061. 

  2061.             SSL_DEBUG_RET( 1, "dhm_make_public", ret );
    2062. 

  2062.             return( ret );
    2063. 

  2063.         }
    2064. 

  2064. 

  2065.         SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X  );
    2066. 

  2066.         SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
    2067. 

  2067. 

  2068.         ssl->handshake->pmslen = POLARSSL_PREMASTER_SIZE;
    2069. 

  2069. 

  2070.         if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
    2071. 

  2071.                                       ssl->handshake->premaster,
    2072. 

  2072.                                      &ssl->handshake->pmslen,
    2073. 

  2073.                                       ssl->f_rng, ssl->p_rng ) ) != 0 )
    2074. 

  2074.         {
    2075. 

  2075.             SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
    2076. 

  2076.             return( ret );
    2077. 

  2077.         }
    2078. 

  2078. 

  2079.         SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
    2080. 

  2080.     }
    2081. 

  2081.     else
    2082. 

  2082. #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
    2083. 

  2083. #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
    2084. 

  2084.     defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
    2085. 

  2085.     defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
    2086. 

  2086.     defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
    2087. 

  2087.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
    2088. 

  2088.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
    2089. 

  2089.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
    2090. 

  2090.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
    2091. 

  2091.     {
    2092. 

  2092.         /*
    2093. 

  2093.          * ECDH key exchange -- send client public value
    2094. 

  2094.          */
    2095. 

  2095.         i = 4;
    2096. 

  2096. 

  2097.         ret = ecdh_make_public( &ssl->handshake->ecdh_ctx,
    2098. 

  2098.                                 &n,
    2099. 

  2099.                                 &ssl->out_msg[i], 1000,
    2100. 

  2100.                                 ssl->f_rng, ssl->p_rng );
    2101. 

  2101.         if( ret != 0 )
    2102. 

  2102.         {
    2103. 

  2103.             SSL_DEBUG_RET( 1, "ecdh_make_public", ret );
    2104. 

  2104.             return( ret );
    2105. 

  2105.         }
    2106. 

  2106. 

  2107.         SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
    2108. 

  2108. 

  2109.         if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
    2110. 

  2110.                                       &ssl->handshake->pmslen,
    2111. 

  2111.                                        ssl->handshake->premaster,
    2112. 

  2112.                                        POLARSSL_MPI_MAX_SIZE,
    2113. 

  2113.                                        ssl->f_rng, ssl->p_rng ) ) != 0 )
    2114. 

  2114.         {
    2115. 

  2115.             SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
    2116. 

  2116.             return( ret );
    2117. 

  2117.         }
    2118. 

  2118. 

  2119.         SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
    2120. 

  2120.     }
    2121. 

  2121.     else
    2122. 

  2122. #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
    2123. 

  2123.           POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
    2124. 

  2124.           POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
    2125. 

  2125.           POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
    2126. 

  2126. #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
    2127. 

  2127.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
    2128. 

  2128.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
    2129. 

  2129.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
    2130. 

  2130.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
    2131. 

  2131.     {
    2132. 

  2132.         /*
    2133. 

  2133.          * opaque psk_identity<0..2^16-1>;
    2134. 

  2134.          */
    2135. 

  2135.         if( ssl->psk == NULL || ssl->psk_identity == NULL )
    2136. 

  2136.             return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
    2137. 

  2137. 

  2138.         i = 4;
    2139. 

  2139.         n = ssl->psk_identity_len;
    2140. 

  2140.         ssl->out_msg[i++] = (unsigned char)( n >> 8 );
    2141. 

  2141.         ssl->out_msg[i++] = (unsigned char)( n      );
    2142. 

  2142. 

  2143.         memcpy( ssl->out_msg + i, ssl->psk_identity, ssl->psk_identity_len );
    2144. 

  2144.         i += ssl->psk_identity_len;
    2145. 

  2145. 

  2146. #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
    2147. 

  2147.         if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
    2148. 

  2148.         {
    2149. 

  2149.             n = 0;
    2150. 

  2150.         }
    2151. 

  2151.         else
    2152. 

  2152. #endif
    2153. 

  2153. #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
    2154. 

  2154.         if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
    2155. 

  2155.         {
    2156. 

  2156.             if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
    2157. 

  2157.                 return( ret );
    2158. 

  2158.         }
    2159. 

  2159.         else
    2160. 

  2160. #endif
    2161. 

  2161. #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
    2162. 

  2162.         if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
    2163. 

  2163.         {
    2164. 

  2164.             /*
    2165. 

  2165.              * ClientDiffieHellmanPublic public (DHM send G^X mod P)
    2166. 

  2166.              */
    2167. 

  2167.             n = ssl->handshake->dhm_ctx.len;
    2168. 

  2168.             ssl->out_msg[i++] = (unsigned char)( n >> 8 );
    2169. 

  2169.             ssl->out_msg[i++] = (unsigned char)( n      );
    2170. 

  2170. 

  2171.             ret = dhm_make_public( &ssl->handshake->dhm_ctx,
    2172. 

  2172.                     (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
    2173. 

  2173.                     &ssl->out_msg[i], n,
    2174. 

  2174.                     ssl->f_rng, ssl->p_rng );
    2175. 

  2175.             if( ret != 0 )
    2176. 

  2176.             {
    2177. 

  2177.                 SSL_DEBUG_RET( 1, "dhm_make_public", ret );
    2178. 

  2178.                 return( ret );
    2179. 

  2179.             }
    2180. 

  2180.         }
    2181. 

  2181.         else
    2182. 

  2182. #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
    2183. 

  2183. #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
    2184. 

  2184.         if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
    2185. 

  2185.         {
    2186. 

  2186.             /*
    2187. 

  2187.              * ClientECDiffieHellmanPublic public;
    2188. 

  2188.              */
    2189. 

  2189.             ret = ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
    2190. 

  2190.                     &ssl->out_msg[i], SSL_MAX_CONTENT_LEN - i,
    2191. 

  2191.                     ssl->f_rng, ssl->p_rng );
    2192. 

  2192.             if( ret != 0 )
    2193. 

  2193.             {
    2194. 

  2194.                 SSL_DEBUG_RET( 1, "ecdh_make_public", ret );
    2195. 

  2195.                 return( ret );
    2196. 

  2196.             }
    2197. 

  2197. 

  2198.             SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
    2199. 

  2199.         }
    2200. 

  2200.         else
    2201. 

  2201. #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
    2202. 

  2202.         {
    2203. 

  2203.             SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    2204. 

  2204.             return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
    2205. 

  2205.         }
    2206. 

  2206. 

  2207.         if( ( ret = ssl_psk_derive_premaster( ssl,
    2208. 

  2208.                         ciphersuite_info->key_exchange ) ) != 0 )
    2209. 

  2209.         {
    2210. 

  2210.             SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
    2211. 

  2211.             return( ret );
    2212. 

  2212.         }
    2213. 

  2213.     }
    2214. 

  2214.     else
    2215. 

  2215. #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
    2216. 

  2216. #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
    2217. 

  2217.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
    2218. 

  2218.     {
    2219. 

  2219.         i = 4;
    2220. 

  2220.         if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
    2221. 

  2221.             return( ret );
    2222. 

  2222.     }
    2223. 

  2223.     else
    2224. 

  2224. #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
    2225. 

  2225.     {
    2226. 

  2226.         ((void) ciphersuite_info);
    2227. 

  2227.         SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    2228. 

  2228.         return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
    2229. 

  2229.     }
    2230. 

  2230. 

  2231.     if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
    2232. 

  2232.     {
    2233. 

  2233.         SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
    2234. 

  2234.         return( ret );
    2235. 

  2235.     }
    2236. 

  2236. 

  2237.     ssl->out_msglen  = i + n;
    2238. 

  2238.     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
    2239. 

  2239.     ssl->out_msg[0]  = SSL_HS_CLIENT_KEY_EXCHANGE;
    2240. 

  2240. 

  2241.     ssl->state++;
    2242. 

  2242. 

  2243.     if( ( ret = ssl_write_record( ssl ) ) != 0 )
    2244. 

  2244.     {
    2245. 

  2245.         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
    2246. 

  2246.         return( ret );
    2247. 

  2247.     }
    2248. 

  2248. 

  2249.     SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
    2250. 

  2250. 

  2251.     return( 0 );
    2252. 

  2252. }
    2253. 

  2253. 

  2254. #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)       && \
    2255. 

  2255.     !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
    2256. 

  2256.     !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
    2257. 

  2257.     !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
    2258. 

  2258. static int ssl_write_certificate_verify( ssl_context *ssl )
    2259. 

  2259. {
    2260. 

  2260.     const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
    2261. 

  2261. 

  2262.     SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
    2263. 

  2263. 

  2264.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
    2265. 

  2265.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
    2266. 

  2266.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
    2267. 

  2267.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
    2268. 

  2268.     {
    2269. 

  2269.         SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
    2270. 

  2270.         ssl->state++;
    2271. 

  2271.         return( 0 );
    2272. 

  2272.     }
    2273. 

  2273. 

  2274.     SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    2275. 

  2275.     return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
    2276. 

  2276. }
    2277. 

  2277. #else
    2278. 

  2278. static int ssl_write_certificate_verify( ssl_context *ssl )
    2279. 

  2279. {
    2280. 

  2280.     int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
    2281. 

  2281.     const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
    2282. 

  2282.     size_t n = 0, offset = 0;
    2283. 

  2283.     unsigned char hash[48];
    2284. 

  2284.     unsigned char *hash_start = hash;
    2285. 

  2285.     md_type_t md_alg = POLARSSL_MD_NONE;
    2286. 

  2286.     unsigned int hashlen;
    2287. 

  2287. 

  2288.     SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
    2289. 

  2289. 

  2290.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
    2291. 

  2291.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
    2292. 

  2292.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
    2293. 

  2293.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
    2294. 

  2294.     {
    2295. 

  2295.         SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
    2296. 

  2296.         ssl->state++;
    2297. 

  2297.         return( 0 );
    2298. 

  2298.     }
    2299. 

  2299. 

  2300.     if( ssl->client_auth == 0 || ssl_own_cert( ssl ) == NULL )
    2301. 

  2301.     {
    2302. 

  2302.         SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
    2303. 

  2303.         ssl->state++;
    2304. 

  2304.         return( 0 );
    2305. 

  2305.     }
    2306. 

  2306. 

  2307.     if( ssl_own_key( ssl ) == NULL )
    2308. 

  2308.     {
    2309. 

  2309.         SSL_DEBUG_MSG( 1, ( "got no private key" ) );
    2310. 

  2310.         return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
    2311. 

  2311.     }
    2312. 

  2312. 

  2313.     /*
    2314. 

  2314.      * Make an RSA signature of the handshake digests
    2315. 

  2315.      */
    2316. 

  2316.     ssl->handshake->calc_verify( ssl, hash );
    2317. 

  2317. 

  2318. #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
    2319. 

  2319.     defined(POLARSSL_SSL_PROTO_TLS1_1)
    2320. 

  2320.     if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
    2321. 

  2321.     {
    2322. 

  2322.         /*
    2323. 

  2323.          * digitally-signed struct {
    2324. 

  2324.          *     opaque md5_hash[16];
    2325. 

  2325.          *     opaque sha_hash[20];
    2326. 

  2326.          * };
    2327. 

  2327.          *
    2328. 

  2328.          * md5_hash
    2329. 

  2329.          *     MD5(handshake_messages);
    2330. 

  2330.          *
    2331. 

  2331.          * sha_hash
    2332. 

  2332.          *     SHA(handshake_messages);
    2333. 

  2333.          */
    2334. 

  2334.         hashlen = 36;
    2335. 

  2335.         md_alg = POLARSSL_MD_NONE;
    2336. 

  2336. 

  2337.         /*
    2338. 

  2338.          * For ECDSA, default hash is SHA-1 only
    2339. 

  2339.          */
    2340. 

  2340.         if( pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECDSA ) )
    2341. 

  2341.         {
    2342. 

  2342.             hash_start += 16;
    2343. 

  2343.             hashlen -= 16;
    2344. 

  2344.             md_alg = POLARSSL_MD_SHA1;
    2345. 

  2345.         }
    2346. 

  2346.     }
    2347. 

  2347.     else
    2348. 

  2348. #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
    2349. 

  2349.           POLARSSL_SSL_PROTO_TLS1_1 */
    2350. 

  2350. #if defined(POLARSSL_SSL_PROTO_TLS1_2)
    2351. 

  2351.     if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
    2352. 

  2352.     {
    2353. 

  2353.         /*
    2354. 

  2354.          * digitally-signed struct {
    2355. 

  2355.          *     opaque handshake_messages[handshake_messages_length];
    2356. 

  2356.          * };
    2357. 

  2357.          *
    2358. 

  2358.          * Taking shortcut here. We assume that the server always allows the
    2359. 

  2359.          * PRF Hash function and has sent it in the allowed signature
    2360. 

  2360.          * algorithms list received in the Certificate Request message.
    2361. 

  2361.          *
    2362. 

  2362.          * Until we encounter a server that does not, we will take this
    2363. 

  2363.          * shortcut.
    2364. 

  2364.          *
    2365. 

  2365.          * Reason: Otherwise we should have running hashes for SHA512 and SHA224
    2366. 

  2366.          *         in order to satisfy 'weird' needs from the server side.
    2367. 

  2367.          */
    2368. 

  2368.         if( ssl->transform_negotiate->ciphersuite_info->mac ==
    2369. 

  2369.             POLARSSL_MD_SHA384 )
    2370. 

  2370.         {
    2371. 

  2371.             md_alg = POLARSSL_MD_SHA384;
    2372. 

  2372.             ssl->out_msg[4] = SSL_HASH_SHA384;
    2373. 

  2373.         }
    2374. 

  2374.         else
    2375. 

  2375.         {
    2376. 

  2376.             md_alg = POLARSSL_MD_SHA256;
    2377. 

  2377.             ssl->out_msg[4] = SSL_HASH_SHA256;
    2378. 

  2378.         }
    2379. 

  2379.         ssl->out_msg[5] = ssl_sig_from_pk( ssl_own_key( ssl ) );
    2380. 

  2380. 

  2381.         /* Info from md_alg will be used instead */
    2382. 

  2382.         hashlen = 0;
    2383. 

  2383.         offset = 2;
    2384. 

  2384.     }
    2385. 

  2385.     else
    2386. 

  2386. #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
    2387. 

  2387.     {
    2388. 

  2388.         SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    2389. 

  2389.         return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
    2390. 

  2390.     }
    2391. 

  2391. 

  2392.     if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash_start, hashlen,
    2393. 

  2393.                          ssl->out_msg + 6 + offset, &n,
    2394. 

  2394.                          ssl->f_rng, ssl->p_rng ) ) != 0 )
    2395. 

  2395.     {
    2396. 

  2396.         SSL_DEBUG_RET( 1, "pk_sign", ret );
    2397. 

  2397.         return( ret );
    2398. 

  2398.     }
    2399. 

  2399. 

  2400.     ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
    2401. 

  2401.     ssl->out_msg[5 + offset] = (unsigned char)( n      );
    2402. 

  2402. 

  2403.     ssl->out_msglen  = 6 + n + offset;
    2404. 

  2404.     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
    2405. 

  2405.     ssl->out_msg[0]  = SSL_HS_CERTIFICATE_VERIFY;
    2406. 

  2406. 

  2407.     ssl->state++;
    2408. 

  2408. 

  2409.     if( ( ret = ssl_write_record( ssl ) ) != 0 )
    2410. 

  2410.     {
    2411. 

  2411.         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
    2412. 

  2412.         return( ret );
    2413. 

  2413.     }
    2414. 

  2414. 

  2415.     SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
    2416. 

  2416. 

  2417.     return( ret );
    2418. 

  2418. }
    2419. 

  2419. #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
    2420. 

  2420.           !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
    2421. 

  2421.           !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
    2422. 

  2422. 

  2423. #if defined(POLARSSL_SSL_SESSION_TICKETS)
    2424. 

  2424. static int ssl_parse_new_session_ticket( ssl_context *ssl )
    2425. 

  2425. {
    2426. 

  2426.     int ret;
    2427. 

  2427.     uint32_t lifetime;
    2428. 

  2428.     size_t ticket_len;
    2429. 

  2429.     unsigned char *ticket;
    2430. 

  2430. 

  2431.     SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
    2432. 

  2432. 

  2433.     if( ( ret = ssl_read_record( ssl ) ) != 0 )
    2434. 

  2434.     {
    2435. 

  2435.         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
    2436. 

  2436.         return( ret );
    2437. 

  2437.     }
    2438. 

  2438. 

  2439.     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
    2440. 

  2440.     {
    2441. 

  2441.         SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
    2442. 

  2442.         return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
    2443. 

  2443.     }
    2444. 

  2444. 

  2445.     /*
    2446. 

  2446.      * struct {
    2447. 

  2447.      *     uint32 ticket_lifetime_hint;
    2448. 

  2448.      *     opaque ticket<0..2^16-1>;
    2449. 

  2449.      * } NewSessionTicket;
    2450. 

  2450.      *
    2451. 

  2451.      * 0  .  0   handshake message type
    2452. 

  2452.      * 1  .  3   handshake message length
    2453. 

  2453.      * 4  .  7   ticket_lifetime_hint
    2454. 

  2454.      * 8  .  9   ticket_len (n)
    2455. 

  2455.      * 10 .  9+n ticket content
    2456. 

  2456.      */
    2457. 

  2457.     if( ssl->in_msg[0] != SSL_HS_NEW_SESSION_TICKET ||
    2458. 

  2458.         ssl->in_hslen < 10 )
    2459. 

  2459.     {
    2460. 

  2460.         SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
    2461. 

  2461.         return( POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
    2462. 

  2462.     }
    2463. 

  2463. 

  2464.     lifetime = ( ssl->in_msg[4] << 24 ) | ( ssl->in_msg[5] << 16 ) |
    2465. 

  2465.                ( ssl->in_msg[6] <<  8 ) | ( ssl->in_msg[7]       );
    2466. 

  2466. 

  2467.     ticket_len = ( ssl->in_msg[8] << 8 ) | ( ssl->in_msg[9] );
    2468. 

  2468. 

  2469.     if( ticket_len + 10 != ssl->in_hslen )
    2470. 

  2470.     {
    2471. 

  2471.         SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
    2472. 

  2472.         return( POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
    2473. 

  2473.     }
    2474. 

  2474. 

  2475.     SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
    2476. 

  2476. 

  2477.     /* We're not waiting for a NewSessionTicket message any more */
    2478. 

  2478.     ssl->handshake->new_session_ticket = 0;
    2479. 

  2479. 

  2480.     /*
    2481. 

  2481.      * Zero-length ticket means the server changed his mind and doesn't want
    2482. 

  2482.      * to send a ticket after all, so just forget it
    2483. 

  2483.      */
    2484. 

  2484.     if( ticket_len == 0 )
    2485. 

  2485.         return( 0 );
    2486. 

  2486. 

  2487.     polarssl_zeroize( ssl->session_negotiate->ticket,
    2488. 

  2488.                       ssl->session_negotiate->ticket_len );
    2489. 

  2489.     polarssl_free( ssl->session_negotiate->ticket );
    2490. 

  2490.     ssl->session_negotiate->ticket = NULL;
    2491. 

  2491.     ssl->session_negotiate->ticket_len = 0;
    2492. 

  2492. 

  2493.     if( ( ticket = polarssl_malloc( ticket_len ) ) == NULL )
    2494. 

  2494.     {
    2495. 

  2495.         SSL_DEBUG_MSG( 1, ( "ticket malloc failed" ) );
    2496. 

  2496.         return( POLARSSL_ERR_SSL_MALLOC_FAILED );
    2497. 

  2497.     }
    2498. 

  2498. 

  2499.     memcpy( ticket, ssl->in_msg + 10, ticket_len );
    2500. 

  2500. 

  2501.     ssl->session_negotiate->ticket = ticket;
    2502. 

  2502.     ssl->session_negotiate->ticket_len = ticket_len;
    2503. 

  2503.     ssl->session_negotiate->ticket_lifetime = lifetime;
    2504. 

  2504. 

  2505.     /*
    2506. 

  2506.      * RFC 5077 section 3.4:
    2507. 

  2507.      * "If the client receives a session ticket from the server, then it
    2508. 

  2508.      * discards any Session ID that was sent in the ServerHello."
    2509. 

  2509.      */
    2510. 

  2510.     SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
    2511. 

  2511.     ssl->session_negotiate->length = 0;
    2512. 

  2512. 

  2513.     SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
    2514. 

  2514. 

  2515.     return( 0 );
    2516. 

  2516. }
    2517. 

  2517. #endif /* POLARSSL_SSL_SESSION_TICKETS */
    2518. 

  2518. 

  2519. /*
    2520. 

  2520.  * SSL handshake -- client side -- single step
    2521. 

  2521.  */
    2522. 

  2522. int ssl_handshake_client_step( ssl_context *ssl )
    2523. 

  2523. {
    2524. 

  2524.     int ret = 0;
    2525. 

  2525. 

  2526.     if( ssl->state == SSL_HANDSHAKE_OVER )
    2527. 

  2527.         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
    2528. 

  2528. 

  2529.     SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
    2530. 

  2530. 

  2531.     if( ( ret = ssl_flush_output( ssl ) ) != 0 )
    2532. 

  2532.         return( ret );
    2533. 

  2533. 

  2534.     switch( ssl->state )
    2535. 

  2535.     {
    2536. 

  2536.         case SSL_HELLO_REQUEST:
    2537. 

  2537.             ssl->state = SSL_CLIENT_HELLO;
    2538. 

  2538.             break;
    2539. 

  2539. 

  2540.        /*
    2541. 

  2541.         *  ==>   ClientHello
    2542. 

  2542.         */
    2543. 

  2543.        case SSL_CLIENT_HELLO:
    2544. 

  2544.            ret = ssl_write_client_hello( ssl );
    2545. 

  2545.            break;
    2546. 

  2546. 

  2547.        /*
    2548. 

  2548.         *  <==   ServerHello
    2549. 

  2549.         *        Certificate
    2550. 

  2550.         *      ( ServerKeyExchange  )
    2551. 

  2551.         *      ( CertificateRequest )
    2552. 

  2552.         *        ServerHelloDone
    2553. 

  2553.         */
    2554. 

  2554.        case SSL_SERVER_HELLO:
    2555. 

  2555.            ret = ssl_parse_server_hello( ssl );
    2556. 

  2556.            break;
    2557. 

  2557. 

  2558.        case SSL_SERVER_CERTIFICATE:
    2559. 

  2559.            ret = ssl_parse_certificate( ssl );
    2560. 

  2560.            break;
    2561. 

  2561. 

  2562.        case SSL_SERVER_KEY_EXCHANGE:
    2563. 

  2563.            ret = ssl_parse_server_key_exchange( ssl );
    2564. 

  2564.            break;
    2565. 

  2565. 

  2566.        case SSL_CERTIFICATE_REQUEST:
    2567. 

  2567.            ret = ssl_parse_certificate_request( ssl );
    2568. 

  2568.            break;
    2569. 

  2569. 

  2570.        case SSL_SERVER_HELLO_DONE:
    2571. 

  2571.            ret = ssl_parse_server_hello_done( ssl );
    2572. 

  2572.            break;
    2573. 

  2573. 

  2574.        /*
    2575. 

  2575.         *  ==> ( Certificate/Alert  )
    2576. 

  2576.         *        ClientKeyExchange
    2577. 

  2577.         *      ( CertificateVerify  )
    2578. 

  2578.         *        ChangeCipherSpec
    2579. 

  2579.         *        Finished
    2580. 

  2580.         */
    2581. 

  2581.        case SSL_CLIENT_CERTIFICATE:
    2582. 

  2582.            ret = ssl_write_certificate( ssl );
    2583. 

  2583.            break;
    2584. 

  2584. 

  2585.        case SSL_CLIENT_KEY_EXCHANGE:
    2586. 

  2586.            ret = ssl_write_client_key_exchange( ssl );
    2587. 

  2587.            break;
    2588. 

  2588. 

  2589.        case SSL_CERTIFICATE_VERIFY:
    2590. 

  2590.            ret = ssl_write_certificate_verify( ssl );
    2591. 

  2591.            break;
    2592. 

  2592. 

  2593.        case SSL_CLIENT_CHANGE_CIPHER_SPEC:
    2594. 

  2594.            ret = ssl_write_change_cipher_spec( ssl );
    2595. 

  2595.            break;
    2596. 

  2596. 

  2597.        case SSL_CLIENT_FINISHED:
    2598. 

  2598.            ret = ssl_write_finished( ssl );
    2599. 

  2599.            break;
    2600. 

  2600. 

  2601.        /*
    2602. 

  2602.         *  <==   ( NewSessionTicket )
    2603. 

  2603.         *        ChangeCipherSpec
    2604. 

  2604.         *        Finished
    2605. 

  2605.         */
    2606. 

  2606.        case SSL_SERVER_CHANGE_CIPHER_SPEC:
    2607. 

  2607. #if defined(POLARSSL_SSL_SESSION_TICKETS)
    2608. 

  2608.            if( ssl->handshake->new_session_ticket != 0 )
    2609. 

  2609.                ret = ssl_parse_new_session_ticket( ssl );
    2610. 

  2610.            else
    2611. 

  2611. #endif
    2612. 

  2612.                ret = ssl_parse_change_cipher_spec( ssl );
    2613. 

  2613.            break;
    2614. 

  2614. 

  2615.        case SSL_SERVER_FINISHED:
    2616. 

  2616.            ret = ssl_parse_finished( ssl );
    2617. 

  2617.            break;
    2618. 

  2618. 

  2619.        case SSL_FLUSH_BUFFERS:
    2620. 

  2620.            SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
    2621. 

  2621.            ssl->state = SSL_HANDSHAKE_WRAPUP;
    2622. 

  2622.            break;
    2623. 

  2623. 

  2624.        case SSL_HANDSHAKE_WRAPUP:
    2625. 

  2625.            ssl_handshake_wrapup( ssl );
    2626. 

  2626.            break;
    2627. 

  2627. 

  2628.        default:
    2629. 

  2629.            SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
    2630. 

  2630.            return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
    2631. 

  2631.    }
    2632. 

  2632. 

  2633.     return( ret );
    2634. 

  2634. }
    2635. 

  2635. #endif /* POLARSSL_SSL_CLI_C */
    2636. 

  2636.