Головна сторінка Огляд Довідка
Увійти
nots0ap
/
Dolphin
дзеркало https://github.com/dolphin-emu/dolphin
Слідкувати 1
Зірка 0
Відгалуження 0
Файли Проблеми 0 Wiki
Гілка: stable
Гілки Теги
Dolphin
/
Externals
/
polarssl
/
library
/
ssl_srv.c

ssl_srv.c 99 KB
Постійне посилання Історія Запис

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114311531163117311831193120312131223123312431253126312731283129313031313132313331343135313631373138313931403141314231433144314531463147314831493150315131523153315431553156315731583159316031613162316331643165316631673168316931703171317231733174317531763177317831793180318131823183318431853186318731883189319031913192319331943195319631973198319932003201320232033204320532063207320832093210321132123213321432153216321732183219322032213222322332243225322632273228322932303231323232333234323532363237323832393240324132423243324432453246324732483249325032513252325332543255325632573258325932603261326232633264326532663267326832693270 
  1. /*
    2. 

  2.  *  SSLv3/TLSv1 server-side functions
    3. 

  3.  *
    4. 

  4.  *  Copyright (C) 2006-2014, Brainspark B.V.
    5. 

  5.  *
    6. 

  6.  *  This file is part of PolarSSL (http://www.polarssl.org)
    7. 

  7.  *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
    8. 

  8.  *
    9. 

  9.  *  All rights reserved.
    10. 

  10.  *
    11. 

  11.  *  This program is free software; you can redistribute it and/or modify
    12. 

  12.  *  it under the terms of the GNU General Public License as published by
    13. 

  13.  *  the Free Software Foundation; either version 2 of the License, or
    14. 

  14.  *  (at your option) any later version.
    15. 

  15.  *
    16. 

  16.  *  This program is distributed in the hope that it will be useful,
    17. 

  17.  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
    18. 

  18.  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    19. 

  19.  *  GNU General Public License for more details.
    20. 

  20.  *
    21. 

  21.  *  You should have received a copy of the GNU General Public License along
    22. 

  22.  *  with this program; if not, write to the Free Software Foundation, Inc.,
    23. 

  23.  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
    24. 

  24.  */
    25. 

  25. 

  26. #if !defined(POLARSSL_CONFIG_FILE)
    27. 

  27. #include "polarssl/config.h"
    28. 

  28. #else
    29. 

  29. #include POLARSSL_CONFIG_FILE
    30. 

  30. #endif
    31. 

  31. 

  32. #if defined(POLARSSL_SSL_SRV_C)
    33. 

  33. 

  34. #include "polarssl/debug.h"
    35. 

  35. #include "polarssl/ssl.h"
    36. 

  36. #if defined(POLARSSL_ECP_C)
    37. 

  37. #include "polarssl/ecp.h"
    38. 

  38. #endif
    39. 

  39. 

  40. #if defined(POLARSSL_PLATFORM_C)
    41. 

  41. #include "polarssl/platform.h"
    42. 

  42. #else
    43. 

  43. #define polarssl_malloc     malloc
    44. 

  44. #define polarssl_free       free
    45. 

  45. #endif
    46. 

  46. 

  47. #include <stdlib.h>
    48. 

  48. #include <stdio.h>
    49. 

  49. 

  50. #if defined(POLARSSL_HAVE_TIME)
    51. 

  51. #include <time.h>
    52. 

  52. #endif
    53. 

  53. 

  54. #if defined(POLARSSL_SSL_SESSION_TICKETS)
    55. 

  55. /* Implementation that should never be optimized out by the compiler */
    56. 

  56. static void polarssl_zeroize( void *v, size_t n ) {
    57. 

  57.     volatile unsigned char *p = v; while( n-- ) *p++ = 0;
    58. 

  58. }
    59. 

  59. 

  60. /*
    61. 

  61.  * Serialize a session in the following format:
    62. 

  62.  *  0   .   n-1     session structure, n = sizeof(ssl_session)
    63. 

  63.  *  n   .   n+2     peer_cert length = m (0 if no certificate)
    64. 

  64.  *  n+3 .   n+2+m   peer cert ASN.1
    65. 

  65.  *
    66. 

  66.  *  Assumes ticket is NULL (always true on server side).
    67. 

  67.  */
    68. 

  68. static int ssl_save_session( const ssl_session *session,
    69. 

  69.                              unsigned char *buf, size_t buf_len,
    70. 

  70.                              size_t *olen )
    71. 

  71. {
    72. 

  72.     unsigned char *p = buf;
    73. 

  73.     size_t left = buf_len;
    74. 

  74. #if defined(POLARSSL_X509_CRT_PARSE_C)
    75. 

  75.     size_t cert_len;
    76. 

  76. #endif /* POLARSSL_X509_CRT_PARSE_C */
    77. 

  77. 

  78.     if( left < sizeof( ssl_session ) )
    79. 

  79.         return( -1 );
    80. 

  80. 

  81.     memcpy( p, session, sizeof( ssl_session ) );
    82. 

  82.     p += sizeof( ssl_session );
    83. 

  83.     left -= sizeof( ssl_session );
    84. 

  84. 

  85. #if defined(POLARSSL_X509_CRT_PARSE_C)
    86. 

  86.     if( session->peer_cert == NULL )
    87. 

  87.         cert_len = 0;
    88. 

  88.     else
    89. 

  89.         cert_len = session->peer_cert->raw.len;
    90. 

  90. 

  91.     if( left < 3 + cert_len )
    92. 

  92.         return( -1 );
    93. 

  93. 

  94.     *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
    95. 

  95.     *p++ = (unsigned char)( cert_len >>  8 & 0xFF );
    96. 

  96.     *p++ = (unsigned char)( cert_len       & 0xFF );
    97. 

  97. 

  98.     if( session->peer_cert != NULL )
    99. 

  99.         memcpy( p, session->peer_cert->raw.p, cert_len );
    100. 

  100. 

  101.     p += cert_len;
    102. 

  102. #endif /* POLARSSL_X509_CRT_PARSE_C */
    103. 

  103. 

  104.     *olen = p - buf;
    105. 

  105. 

  106.     return( 0 );
    107. 

  107. }
    108. 

  108. 

  109. /*
    110. 

  110.  * Unserialise session, see ssl_save_session()
    111. 

  111.  */
    112. 

  112. static int ssl_load_session( ssl_session *session,
    113. 

  113.                              const unsigned char *buf, size_t len )
    114. 

  114. {
    115. 

  115.     const unsigned char *p = buf;
    116. 

  116.     const unsigned char * const end = buf + len;
    117. 

  117. #if defined(POLARSSL_X509_CRT_PARSE_C)
    118. 

  118.     size_t cert_len;
    119. 

  119. #endif /* POLARSSL_X509_CRT_PARSE_C */
    120. 

  120. 

  121.     if( p + sizeof( ssl_session ) > end )
    122. 

  122.         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
    123. 

  123. 

  124.     memcpy( session, p, sizeof( ssl_session ) );
    125. 

  125.     p += sizeof( ssl_session );
    126. 

  126. 

  127. #if defined(POLARSSL_X509_CRT_PARSE_C)
    128. 

  128.     if( p + 3 > end )
    129. 

  129.         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
    130. 

  130. 

  131.     cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
    132. 

  132.     p += 3;
    133. 

  133. 

  134.     if( cert_len == 0 )
    135. 

  135.     {
    136. 

  136.         session->peer_cert = NULL;
    137. 

  137.     }
    138. 

  138.     else
    139. 

  139.     {
    140. 

  140.         int ret;
    141. 

  141. 

  142.         if( p + cert_len > end )
    143. 

  143.             return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
    144. 

  144. 

  145.         session->peer_cert = polarssl_malloc( sizeof( x509_crt ) );
    146. 

  146. 

  147.         if( session->peer_cert == NULL )
    148. 

  148.             return( POLARSSL_ERR_SSL_MALLOC_FAILED );
    149. 

  149. 

  150.         x509_crt_init( session->peer_cert );
    151. 

  151. 

  152.         if( ( ret = x509_crt_parse_der( session->peer_cert,
    153. 

  153.                                         p, cert_len ) ) != 0 )
    154. 

  154.         {
    155. 

  155.             x509_crt_free( session->peer_cert );
    156. 

  156.             polarssl_free( session->peer_cert );
    157. 

  157.             session->peer_cert = NULL;
    158. 

  158.             return( ret );
    159. 

  159.         }
    160. 

  160. 

  161.         p += cert_len;
    162. 

  162.     }
    163. 

  163. #endif /* POLARSSL_X509_CRT_PARSE_C */
    164. 

  164. 

  165.     if( p != end )
    166. 

  166.         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
    167. 

  167. 

  168.     return( 0 );
    169. 

  169. }
    170. 

  170. 

  171. /*
    172. 

  172.  * Create session ticket, secured as recommended in RFC 5077 section 4:
    173. 

  173.  *
    174. 

  174.  *    struct {
    175. 

  175.  *        opaque key_name[16];
    176. 

  176.  *        opaque iv[16];
    177. 

  177.  *        opaque encrypted_state<0..2^16-1>;
    178. 

  178.  *        opaque mac[32];
    179. 

  179.  *    } ticket;
    180. 

  180.  *
    181. 

  181.  * (the internal state structure differs, however).
    182. 

  182.  */
    183. 

  183. static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
    184. 

  184. {
    185. 

  185.     int ret;
    186. 

  186.     unsigned char * const start = ssl->out_msg + 10;
    187. 

  187.     unsigned char *p = start;
    188. 

  188.     unsigned char *state;
    189. 

  189.     unsigned char iv[16];
    190. 

  190.     size_t clear_len, enc_len, pad_len, i;
    191. 

  191. 

  192.     *tlen = 0;
    193. 

  193. 

  194.     if( ssl->ticket_keys == NULL )
    195. 

  195.         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
    196. 

  196. 

  197.     /* Write key name */
    198. 

  198.     memcpy( p, ssl->ticket_keys->key_name, 16 );
    199. 

  199.     p += 16;
    200. 

  200. 

  201.     /* Generate and write IV (with a copy for aes_crypt) */
    202. 

  202.     if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
    203. 

  203.         return( ret );
    204. 

  204.     memcpy( iv, p, 16 );
    205. 

  205.     p += 16;
    206. 

  206. 

  207.     /*
    208. 

  208.      * Dump session state
    209. 

  209.      *
    210. 

  210.      * After the session state itself, we still need room for 16 bytes of
    211. 

  211.      * padding and 32 bytes of MAC, so there's only so much room left
    212. 

  212.      */
    213. 

  213.     state = p + 2;
    214. 

  214.     if( ssl_save_session( ssl->session_negotiate, state,
    215. 

  215.                           SSL_MAX_CONTENT_LEN - ( state - ssl->out_ctr ) - 48,
    216. 

  216.                           &clear_len ) != 0 )
    217. 

  217.     {
    218. 

  218.         return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
    219. 

  219.     }
    220. 

  220.     SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
    221. 

  221. 

  222.     /* Apply PKCS padding */
    223. 

  223.     pad_len = 16 - clear_len % 16;
    224. 

  224.     enc_len = clear_len + pad_len;
    225. 

  225.     for( i = clear_len; i < enc_len; i++ )
    226. 

  226.         state[i] = (unsigned char) pad_len;
    227. 

  227. 

  228.     /* Encrypt */
    229. 

  229.     if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
    230. 

  230.                                enc_len, iv, state, state ) ) != 0 )
    231. 

  231.     {
    232. 

  232.         return( ret );
    233. 

  233.     }
    234. 

  234. 

  235.     /* Write length */
    236. 

  236.     *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
    237. 

  237.     *p++ = (unsigned char)( ( enc_len      ) & 0xFF );
    238. 

  238.     p = state + enc_len;
    239. 

  239. 

  240.     /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
    241. 

  241.     sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
    242. 

  242.     p += 32;
    243. 

  243. 

  244.     *tlen = p - start;
    245. 

  245. 

  246.     SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
    247. 

  247. 

  248.     return( 0 );
    249. 

  249. }
    250. 

  250. 

  251. /*
    252. 

  252.  * Load session ticket (see ssl_write_ticket for structure)
    253. 

  253.  */
    254. 

  254. static int ssl_parse_ticket( ssl_context *ssl,
    255. 

  255.                              unsigned char *buf,
    256. 

  256.                              size_t len )
    257. 

  257. {
    258. 

  258.     int ret;
    259. 

  259.     ssl_session session;
    260. 

  260.     unsigned char *key_name = buf;
    261. 

  261.     unsigned char *iv = buf + 16;
    262. 

  262.     unsigned char *enc_len_p = iv + 16;
    263. 

  263.     unsigned char *ticket = enc_len_p + 2;
    264. 

  264.     unsigned char *mac;
    265. 

  265.     unsigned char computed_mac[32];
    266. 

  266.     size_t enc_len, clear_len, i;
    267. 

  267.     unsigned char pad_len, diff;
    268. 

  268. 

  269.     SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
    270. 

  270. 

  271.     if( len < 34 || ssl->ticket_keys == NULL )
    272. 

  272.         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
    273. 

  273. 

  274.     enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
    275. 

  275.     mac = ticket + enc_len;
    276. 

  276. 

  277.     if( len != enc_len + 66 )
    278. 

  278.         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
    279. 

  279. 

  280.     /* Check name, in constant time though it's not a big secret */
    281. 

  281.     diff = 0;
    282. 

  282.     for( i = 0; i < 16; i++ )
    283. 

  283.         diff |= key_name[i] ^ ssl->ticket_keys->key_name[i];
    284. 

  284.     /* don't return yet, check the MAC anyway */
    285. 

  285. 

  286.     /* Check mac, with constant-time buffer comparison */
    287. 

  287.     sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
    288. 

  288.                  computed_mac, 0 );
    289. 

  289. 

  290.     for( i = 0; i < 32; i++ )
    291. 

  291.         diff |= mac[i] ^ computed_mac[i];
    292. 

  292. 

  293.     /* Now return if ticket is not authentic, since we want to avoid
    294. 

  294.      * decrypting arbitrary attacker-chosen data */
    295. 

  295.     if( diff != 0 )
    296. 

  296.         return( POLARSSL_ERR_SSL_INVALID_MAC );
    297. 

  297. 

  298.     /* Decrypt */
    299. 

  299.     if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
    300. 

  300.                                enc_len, iv, ticket, ticket ) ) != 0 )
    301. 

  301.     {
    302. 

  302.         return( ret );
    303. 

  303.     }
    304. 

  304. 

  305.     /* Check PKCS padding */
    306. 

  306.     pad_len = ticket[enc_len - 1];
    307. 

  307. 

  308.     ret = 0;
    309. 

  309.     for( i = 2; i < pad_len; i++ )
    310. 

  310.         if( ticket[enc_len - i] != pad_len )
    311. 

  311.             ret = POLARSSL_ERR_SSL_BAD_INPUT_DATA;
    312. 

  312.     if( ret != 0 )
    313. 

  313.         return( ret );
    314. 

  314. 

  315.     clear_len = enc_len - pad_len;
    316. 

  316. 

  317.     SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
    318. 

  318. 

  319.     /* Actually load session */
    320. 

  320.     if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
    321. 

  321.     {
    322. 

  322.         SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
    323. 

  323.         ssl_session_free( &session );
    324. 

  324.         return( ret );
    325. 

  325.     }
    326. 

  326. 

  327. #if defined(POLARSSL_HAVE_TIME)
    328. 

  328.     /* Check if still valid */
    329. 

  329.     if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
    330. 

  330.     {
    331. 

  331.         SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
    332. 

  332.         ssl_session_free( &session );
    333. 

  333.         return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED );
    334. 

  334.     }
    335. 

  335. #endif
    336. 

  336. 

  337.     /*
    338. 

  338.      * Keep the session ID sent by the client, since we MUST send it back to
    339. 

  339.      * inform him we're accepting the ticket  (RFC 5077 section 3.4)
    340. 

  340.      */
    341. 

  341.     session.length = ssl->session_negotiate->length;
    342. 

  342.     memcpy( &session.id, ssl->session_negotiate->id, session.length );
    343. 

  343. 

  344.     ssl_session_free( ssl->session_negotiate );
    345. 

  345.     memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
    346. 

  346. 

  347.     /* Zeroize instead of free as we copied the content */
    348. 

  348.     polarssl_zeroize( &session, sizeof( ssl_session ) );
    349. 

  349. 

  350.     return( 0 );
    351. 

  351. }
    352. 

  352. #endif /* POLARSSL_SSL_SESSION_TICKETS */
    353. 

  353. 

  354. #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
    355. 

  355. /*
    356. 

  356.  * Wrapper around f_sni, allowing use of ssl_set_own_cert() but
    357. 

  357.  * making it act on ssl->hanshake->sni_key_cert instead.
    358. 

  358.  */
    359. 

  359. static int ssl_sni_wrapper( ssl_context *ssl,
    360. 

  360.                             const unsigned char* name, size_t len )
    361. 

  361. {
    362. 

  362.     int ret;
    363. 

  363.     ssl_key_cert *key_cert_ori = ssl->key_cert;
    364. 

  364. 

  365.     ssl->key_cert = NULL;
    366. 

  366.     ret = ssl->f_sni( ssl->p_sni, ssl, name, len );
    367. 

  367.     ssl->handshake->sni_key_cert = ssl->key_cert;
    368. 

  368. 

  369.     ssl->key_cert = key_cert_ori;
    370. 

  370. 

  371.     return( ret );
    372. 

  372. }
    373. 

  373. 

  374. static int ssl_parse_servername_ext( ssl_context *ssl,
    375. 

  375.                                      const unsigned char *buf,
    376. 

  376.                                      size_t len )
    377. 

  377. {
    378. 

  378.     int ret;
    379. 

  379.     size_t servername_list_size, hostname_len;
    380. 

  380.     const unsigned char *p;
    381. 

  381. 

  382.     SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
    383. 

  383. 

  384.     servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
    385. 

  385.     if( servername_list_size + 2 != len )
    386. 

  386.     {
    387. 

  387.         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    388. 

  388.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    389. 

  389.     }
    390. 

  390. 

  391.     p = buf + 2;
    392. 

  392.     while( servername_list_size > 0 )
    393. 

  393.     {
    394. 

  394.         hostname_len = ( ( p[1] << 8 ) | p[2] );
    395. 

  395.         if( hostname_len + 3 > servername_list_size )
    396. 

  396.         {
    397. 

  397.             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    398. 

  398.             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    399. 

  399.         }
    400. 

  400. 

  401.         if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
    402. 

  402.         {
    403. 

  403.             ret = ssl_sni_wrapper( ssl, p + 3, hostname_len );
    404. 

  404.             if( ret != 0 )
    405. 

  405.             {
    406. 

  406.                 SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
    407. 

  407.                 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
    408. 

  408.                         SSL_ALERT_MSG_UNRECOGNIZED_NAME );
    409. 

  409.                 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    410. 

  410.             }
    411. 

  411.             return( 0 );
    412. 

  412.         }
    413. 

  413. 

  414.         servername_list_size -= hostname_len + 3;
    415. 

  415.         p += hostname_len + 3;
    416. 

  416.     }
    417. 

  417. 

  418.     if( servername_list_size != 0 )
    419. 

  419.     {
    420. 

  420.         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    421. 

  421.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    422. 

  422.     }
    423. 

  423. 

  424.     return( 0 );
    425. 

  425. }
    426. 

  426. #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
    427. 

  427. 

  428. static int ssl_parse_renegotiation_info( ssl_context *ssl,
    429. 

  429.                                          const unsigned char *buf,
    430. 

  430.                                          size_t len )
    431. 

  431. {
    432. 

  432.     int ret;
    433. 

  433. 

  434.     if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
    435. 

  435.     {
    436. 

  436.         if( len != 1 || buf[0] != 0x0 )
    437. 

  437.         {
    438. 

  438.             SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
    439. 

  439. 

  440.             if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
    441. 

  441.                 return( ret );
    442. 

  442. 

  443.             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    444. 

  444.         }
    445. 

  445. 

  446.         ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
    447. 

  447.     }
    448. 

  448.     else
    449. 

  449.     {
    450. 

  450.         /* Check verify-data in constant-time. The length OTOH is no secret */
    451. 

  451.         if( len    != 1 + ssl->verify_data_len ||
    452. 

  452.             buf[0] !=     ssl->verify_data_len ||
    453. 

  453.             safer_memcmp( buf + 1, ssl->peer_verify_data,
    454. 

  454.                           ssl->verify_data_len ) != 0 )
    455. 

  455.         {
    456. 

  456.             SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
    457. 

  457. 

  458.             if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
    459. 

  459.                 return( ret );
    460. 

  460. 

  461.             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    462. 

  462.         }
    463. 

  463.     }
    464. 

  464. 

  465.     return( 0 );
    466. 

  466. }
    467. 

  467. 

  468. #if defined(POLARSSL_SSL_PROTO_TLS1_2)
    469. 

  469. static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
    470. 

  470.                                                const unsigned char *buf,
    471. 

  471.                                                size_t len )
    472. 

  472. {
    473. 

  473.     size_t sig_alg_list_size;
    474. 

  474.     const unsigned char *p;
    475. 

  475.     const unsigned char *end = buf + len;
    476. 

  476.     const int *md_cur;
    477. 

  477. 

  478. 

  479.     sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
    480. 

  480.     if( sig_alg_list_size + 2 != len ||
    481. 

  481.         sig_alg_list_size % 2 != 0 )
    482. 

  482.     {
    483. 

  483.         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    484. 

  484.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    485. 

  485.     }
    486. 

  486. 

  487.     /*
    488. 

  488.      * For now, ignore the SignatureAlgorithm part and rely on offered
    489. 

  489.      * ciphersuites only for that part. To be fixed later.
    490. 

  490.      *
    491. 

  491.      * So, just look at the HashAlgorithm part.
    492. 

  492.      */
    493. 

  493.     for( md_cur = md_list(); *md_cur != POLARSSL_MD_NONE; md_cur++ ) {
    494. 

  494.         for( p = buf + 2; p < end; p += 2 ) {
    495. 

  495.             if( *md_cur == (int) ssl_md_alg_from_hash( p[0] ) ) {
    496. 

  496.                 ssl->handshake->sig_alg = p[0];
    497. 

  497.                 break;
    498. 

  498.             }
    499. 

  499.         }
    500. 

  500.     }
    501. 

  501. 

  502.     SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
    503. 

  503.                    ssl->handshake->sig_alg ) );
    504. 

  504. 

  505.     return( 0 );
    506. 

  506. }
    507. 

  507. #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
    508. 

  508. 

  509. #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
    510. 

  510. static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
    511. 

  511.                                                 const unsigned char *buf,
    512. 

  512.                                                 size_t len )
    513. 

  513. {
    514. 

  514.     size_t list_size, our_size;
    515. 

  515.     const unsigned char *p;
    516. 

  516.     const ecp_curve_info *curve_info, **curves;
    517. 

  517. 

  518.     list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
    519. 

  519.     if( list_size + 2 != len ||
    520. 

  520.         list_size % 2 != 0 )
    521. 

  521.     {
    522. 

  522.         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    523. 

  523.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    524. 

  524.     }
    525. 

  525. 

  526.     /* Don't allow our peer to make us allocate too much memory,
    527. 

  527.      * and leave room for a final 0 */
    528. 

  528.     our_size = list_size / 2 + 1;
    529. 

  529.     if( our_size > POLARSSL_ECP_DP_MAX )
    530. 

  530.         our_size = POLARSSL_ECP_DP_MAX;
    531. 

  531. 

  532.     if( ( curves = polarssl_malloc( our_size * sizeof( *curves ) ) ) == NULL )
    533. 

  533.         return( POLARSSL_ERR_SSL_MALLOC_FAILED );
    534. 

  534. 

  535.     /* explicit void pointer cast for buggy MS compiler */
    536. 

  536.     memset( (void *) curves, 0, our_size * sizeof( *curves ) );
    537. 

  537.     ssl->handshake->curves = curves;
    538. 

  538. 

  539.     p = buf + 2;
    540. 

  540.     while( list_size > 0 && our_size > 1 )
    541. 

  541.     {
    542. 

  542.         curve_info = ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
    543. 

  543. 

  544.         if( curve_info != NULL )
    545. 

  545.         {
    546. 

  546.             *curves++ = curve_info;
    547. 

  547.             our_size--;
    548. 

  548.         }
    549. 

  549. 

  550.         list_size -= 2;
    551. 

  551.         p += 2;
    552. 

  552.     }
    553. 

  553. 

  554.     return( 0 );
    555. 

  555. }
    556. 

  556. 

  557. static int ssl_parse_supported_point_formats( ssl_context *ssl,
    558. 

  558.                                               const unsigned char *buf,
    559. 

  559.                                               size_t len )
    560. 

  560. {
    561. 

  561.     size_t list_size;
    562. 

  562.     const unsigned char *p;
    563. 

  563. 

  564.     list_size = buf[0];
    565. 

  565.     if( list_size + 1 != len )
    566. 

  566.     {
    567. 

  567.         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    568. 

  568.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    569. 

  569.     }
    570. 

  570. 

  571.     p = buf + 2;
    572. 

  572.     while( list_size > 0 )
    573. 

  573.     {
    574. 

  574.         if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
    575. 

  575.             p[0] == POLARSSL_ECP_PF_COMPRESSED )
    576. 

  576.         {
    577. 

  577.             ssl->handshake->ecdh_ctx.point_format = p[0];
    578. 

  578.             SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
    579. 

  579.             return( 0 );
    580. 

  580.         }
    581. 

  581. 

  582.         list_size--;
    583. 

  583.         p++;
    584. 

  584.     }
    585. 

  585. 

  586.     return( 0 );
    587. 

  587. }
    588. 

  588. #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
    589. 

  589. 

  590. #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
    591. 

  591. static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
    592. 

  592.                                               const unsigned char *buf,
    593. 

  593.                                               size_t len )
    594. 

  594. {
    595. 

  595.     if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
    596. 

  596.     {
    597. 

  597.         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    598. 

  598.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    599. 

  599.     }
    600. 

  600. 

  601.     ssl->session_negotiate->mfl_code = buf[0];
    602. 

  602. 

  603.     return( 0 );
    604. 

  604. }
    605. 

  605. #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
    606. 

  606. 

  607. #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
    608. 

  608. static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
    609. 

  609.                                          const unsigned char *buf,
    610. 

  610.                                          size_t len )
    611. 

  611. {
    612. 

  612.     if( len != 0 )
    613. 

  613.     {
    614. 

  614.         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    615. 

  615.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    616. 

  616.     }
    617. 

  617. 

  618.     ((void) buf);
    619. 

  619. 

  620.     ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
    621. 

  621. 

  622.     return( 0 );
    623. 

  623. }
    624. 

  624. #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
    625. 

  625. 

  626. #if defined(POLARSSL_SSL_SESSION_TICKETS)
    627. 

  627. static int ssl_parse_session_ticket_ext( ssl_context *ssl,
    628. 

  628.                                          unsigned char *buf,
    629. 

  629.                                          size_t len )
    630. 

  630. {
    631. 

  631.     int ret;
    632. 

  632. 

  633.     if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
    634. 

  634.         return( 0 );
    635. 

  635. 

  636.     /* Remember the client asked us to send a new ticket */
    637. 

  637.     ssl->handshake->new_session_ticket = 1;
    638. 

  638. 

  639.     SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
    640. 

  640. 

  641.     if( len == 0 )
    642. 

  642.         return( 0 );
    643. 

  643. 

  644.     if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
    645. 

  645.     {
    646. 

  646.         SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
    647. 

  647.         return( 0 );
    648. 

  648.     }
    649. 

  649. 

  650.     /*
    651. 

  651.      * Failures are ok: just ignore the ticket and proceed.
    652. 

  652.      */
    653. 

  653.     if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
    654. 

  654.     {
    655. 

  655.         SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
    656. 

  656.         return( 0 );
    657. 

  657.     }
    658. 

  658. 

  659.     SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
    660. 

  660. 

  661.     ssl->handshake->resume = 1;
    662. 

  662. 

  663.     /* Don't send a new ticket after all, this one is OK */
    664. 

  664.     ssl->handshake->new_session_ticket = 0;
    665. 

  665. 

  666.     return( 0 );
    667. 

  667. }
    668. 

  668. #endif /* POLARSSL_SSL_SESSION_TICKETS */
    669. 

  669. 

  670. #if defined(POLARSSL_SSL_ALPN)
    671. 

  671. static int ssl_parse_alpn_ext( ssl_context *ssl,
    672. 

  672.                                const unsigned char *buf, size_t len )
    673. 

  673. {
    674. 

  674.     size_t list_len, cur_len, ours_len;
    675. 

  675.     const unsigned char *theirs, *start, *end;
    676. 

  676.     const char **ours;
    677. 

  677. 

  678.     /* If ALPN not configured, just ignore the extension */
    679. 

  679.     if( ssl->alpn_list == NULL )
    680. 

  680.         return( 0 );
    681. 

  681. 

  682.     /*
    683. 

  683.      * opaque ProtocolName<1..2^8-1>;
    684. 

  684.      *
    685. 

  685.      * struct {
    686. 

  686.      *     ProtocolName protocol_name_list<2..2^16-1>
    687. 

  687.      * } ProtocolNameList;
    688. 

  688.      */
    689. 

  689. 

  690.     /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
    691. 

  691.     if( len < 4 )
    692. 

  692.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    693. 

  693. 

  694.     list_len = ( buf[0] << 8 ) | buf[1];
    695. 

  695.     if( list_len != len - 2 )
    696. 

  696.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    697. 

  697. 

  698.     /*
    699. 

  699.      * Use our order of preference
    700. 

  700.      */
    701. 

  701.     start = buf + 2;
    702. 

  702.     end = buf + len;
    703. 

  703.     for( ours = ssl->alpn_list; *ours != NULL; ours++ )
    704. 

  704.     {
    705. 

  705.         ours_len = strlen( *ours );
    706. 

  706.         for( theirs = start; theirs != end; theirs += cur_len )
    707. 

  707.         {
    708. 

  708.             /* If the list is well formed, we should get equality first */
    709. 

  709.             if( theirs > end )
    710. 

  710.                 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    711. 

  711. 

  712.             cur_len = *theirs++;
    713. 

  713. 

  714.             /* Empty strings MUST NOT be included */
    715. 

  715.             if( cur_len == 0 )
    716. 

  716.                 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    717. 

  717. 

  718.             if( cur_len == ours_len &&
    719. 

  719.                 memcmp( theirs, *ours, cur_len ) == 0 )
    720. 

  720.             {
    721. 

  721.                 ssl->alpn_chosen = *ours;
    722. 

  722.                 return( 0 );
    723. 

  723.             }
    724. 

  724.         }
    725. 

  725.     }
    726. 

  726. 

  727.     /* If we get there, no match was found */
    728. 

  728.     ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
    729. 

  729.                             SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
    730. 

  730.     return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    731. 

  731. }
    732. 

  732. #endif /* POLARSSL_SSL_ALPN */
    733. 

  733. 

  734. /*
    735. 

  735.  * Auxiliary functions for ServerHello parsing and related actions
    736. 

  736.  */
    737. 

  737. 

  738. #if defined(POLARSSL_X509_CRT_PARSE_C)
    739. 

  739. /*
    740. 

  740.  * Return 1 if the given EC key uses the given curve, 0 otherwise
    741. 

  741.  */
    742. 

  742. #if defined(POLARSSL_ECDSA_C)
    743. 

  743. static int ssl_key_matches_curves( pk_context *pk,
    744. 

  744.                                    const ecp_curve_info **curves )
    745. 

  745. {
    746. 

  746.     const ecp_curve_info **crv = curves;
    747. 

  747.     ecp_group_id grp_id = pk_ec( *pk )->grp.id;
    748. 

  748. 

  749.     while( *crv != NULL )
    750. 

  750.     {
    751. 

  751.         if( (*crv)->grp_id == grp_id )
    752. 

  752.             return( 1 );
    753. 

  753.         crv++;
    754. 

  754.     }
    755. 

  755. 

  756.     return( 0 );
    757. 

  757. }
    758. 

  758. #endif /* POLARSSL_ECDSA_C */
    759. 

  759. 

  760. /*
    761. 

  761.  * Try picking a certificate for this ciphersuite,
    762. 

  762.  * return 0 on success and -1 on failure.
    763. 

  763.  */
    764. 

  764. static int ssl_pick_cert( ssl_context *ssl,
    765. 

  765.                           const ssl_ciphersuite_t * ciphersuite_info )
    766. 

  766. {
    767. 

  767.     ssl_key_cert *cur, *list;
    768. 

  768.     pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
    769. 

  769. 

  770. #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
    771. 

  771.     if( ssl->handshake->sni_key_cert != NULL )
    772. 

  772.         list = ssl->handshake->sni_key_cert;
    773. 

  773.     else
    774. 

  774. #endif
    775. 

  775.         list = ssl->handshake->key_cert;
    776. 

  776. 

  777.     if( pk_alg == POLARSSL_PK_NONE )
    778. 

  778.         return( 0 );
    779. 

  779. 

  780.     for( cur = list; cur != NULL; cur = cur->next )
    781. 

  781.     {
    782. 

  782.         if( ! pk_can_do( cur->key, pk_alg ) )
    783. 

  783.             continue;
    784. 

  784. 

  785.         /*
    786. 

  786.          * This avoids sending the client a cert it'll reject based on
    787. 

  787.          * keyUsage or other extensions.
    788. 

  788.          *
    789. 

  789.          * It also allows the user to provision different certificates for
    790. 

  790.          * different uses based on keyUsage, eg if they want to avoid signing
    791. 

  791.          * and decrypting with the same RSA key.
    792. 

  792.          */
    793. 

  793.         if( ssl_check_cert_usage( cur->cert, ciphersuite_info,
    794. 

  794.                                   SSL_IS_SERVER ) != 0 )
    795. 

  795.         {
    796. 

  796.             continue;
    797. 

  797.         }
    798. 

  798. 

  799. #if defined(POLARSSL_ECDSA_C)
    800. 

  800.         if( pk_alg == POLARSSL_PK_ECDSA )
    801. 

  801.         {
    802. 

  802.             if( ssl_key_matches_curves( cur->key, ssl->handshake->curves ) )
    803. 

  803.                 break;
    804. 

  804.         }
    805. 

  805.         else
    806. 

  806. #endif
    807. 

  807.             break;
    808. 

  808.     }
    809. 

  809. 

  810.     if( cur == NULL )
    811. 

  811.         return( -1 );
    812. 

  812. 

  813.     ssl->handshake->key_cert = cur;
    814. 

  814.     return( 0 );
    815. 

  815. }
    816. 

  816. #endif /* POLARSSL_X509_CRT_PARSE_C */
    817. 

  817. 

  818. /*
    819. 

  819.  * Check if a given ciphersuite is suitable for use with our config/keys/etc
    820. 

  820.  * Sets ciphersuite_info only if the suite matches.
    821. 

  821.  */
    822. 

  822. static int ssl_ciphersuite_match( ssl_context *ssl, int suite_id,
    823. 

  823.                                   const ssl_ciphersuite_t **ciphersuite_info )
    824. 

  824. {
    825. 

  825.     const ssl_ciphersuite_t *suite_info;
    826. 

  826. 

  827.     suite_info = ssl_ciphersuite_from_id( suite_id );
    828. 

  828.     if( suite_info == NULL )
    829. 

  829.     {
    830. 

  830.         SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", suite_id ) );
    831. 

  831.         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
    832. 

  832.     }
    833. 

  833. 

  834.     if( suite_info->min_minor_ver > ssl->minor_ver ||
    835. 

  835.         suite_info->max_minor_ver < ssl->minor_ver )
    836. 

  836.         return( 0 );
    837. 

  837. 

  838. #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
    839. 

  839.     if( ssl_ciphersuite_uses_ec( suite_info ) &&
    840. 

  840.         ( ssl->handshake->curves == NULL ||
    841. 

  841.           ssl->handshake->curves[0] == NULL ) )
    842. 

  842.         return( 0 );
    843. 

  843. #endif
    844. 

  844. 

  845. #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
    846. 

  846.     /* If the ciphersuite requires a pre-shared key and we don't
    847. 

  847.      * have one, skip it now rather than failing later */
    848. 

  848.     if( ssl_ciphersuite_uses_psk( suite_info ) &&
    849. 

  849.         ssl->f_psk == NULL &&
    850. 

  850.         ( ssl->psk == NULL || ssl->psk_identity == NULL ||
    851. 

  851.           ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
    852. 

  852.         return( 0 );
    853. 

  853. #endif
    854. 

  854. 

  855. #if defined(POLARSSL_X509_CRT_PARSE_C)
    856. 

  856.     /*
    857. 

  857.      * Final check: if ciphersuite requires us to have a
    858. 

  858.      * certificate/key of a particular type:
    859. 

  859.      * - select the appropriate certificate if we have one, or
    860. 

  860.      * - try the next ciphersuite if we don't
    861. 

  861.      * This must be done last since we modify the key_cert list.
    862. 

  862.      */
    863. 

  863.     if( ssl_pick_cert( ssl, suite_info ) != 0 )
    864. 

  864.         return( 0 );
    865. 

  865. #endif
    866. 

  866. 

  867.     *ciphersuite_info = suite_info;
    868. 

  868.     return( 0 );
    869. 

  869. }
    870. 

  870. 

  871. #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
    872. 

  872. static int ssl_parse_client_hello_v2( ssl_context *ssl )
    873. 

  873. {
    874. 

  874.     int ret;
    875. 

  875.     unsigned int i, j;
    876. 

  876.     size_t n;
    877. 

  877.     unsigned int ciph_len, sess_len, chal_len;
    878. 

  878.     unsigned char *buf, *p;
    879. 

  879.     const int *ciphersuites;
    880. 

  880.     const ssl_ciphersuite_t *ciphersuite_info;
    881. 

  881. 

  882.     SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
    883. 

  883. 

  884.     if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
    885. 

  885.     {
    886. 

  886.         SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
    887. 

  887. 

  888.         if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
    889. 

  889.             return( ret );
    890. 

  890. 

  891.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    892. 

  892.     }
    893. 

  893. 

  894.     buf = ssl->in_hdr;
    895. 

  895. 

  896.     SSL_DEBUG_BUF( 4, "record header", buf, 5 );
    897. 

  897. 

  898.     SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
    899. 

  899.                    buf[2] ) );
    900. 

  900.     SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
    901. 

  901.                    ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
    902. 

  902.     SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
    903. 

  903.                    buf[3], buf[4] ) );
    904. 

  904. 

  905.     /*
    906. 

  906.      * SSLv2 Client Hello
    907. 

  907.      *
    908. 

  908.      * Record layer:
    909. 

  909.      *     0  .   1   message length
    910. 

  910.      *
    911. 

  911.      * SSL layer:
    912. 

  912.      *     2  .   2   message type
    913. 

  913.      *     3  .   4   protocol version
    914. 

  914.      */
    915. 

  915.     if( buf[2] != SSL_HS_CLIENT_HELLO ||
    916. 

  916.         buf[3] != SSL_MAJOR_VERSION_3 )
    917. 

  917.     {
    918. 

  918.         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    919. 

  919.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    920. 

  920.     }
    921. 

  921. 

  922.     n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
    923. 

  923. 

  924.     if( n < 17 || n > 512 )
    925. 

  925.     {
    926. 

  926.         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    927. 

  927.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    928. 

  928.     }
    929. 

  929. 

  930.     ssl->major_ver = SSL_MAJOR_VERSION_3;
    931. 

  931.     ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
    932. 

  932.                      ? buf[4]  : ssl->max_minor_ver;
    933. 

  933. 

  934.     if( ssl->minor_ver < ssl->min_minor_ver )
    935. 

  935.     {
    936. 

  936.         SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
    937. 

  937.                             " [%d:%d] < [%d:%d]",
    938. 

  938.                             ssl->major_ver, ssl->minor_ver,
    939. 

  939.                             ssl->min_major_ver, ssl->min_minor_ver ) );
    940. 

  940. 

  941.         ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
    942. 

  942.                                      SSL_ALERT_MSG_PROTOCOL_VERSION );
    943. 

  943.         return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
    944. 

  944.     }
    945. 

  945. 

  946.     ssl->handshake->max_major_ver = buf[3];
    947. 

  947.     ssl->handshake->max_minor_ver = buf[4];
    948. 

  948. 

  949.     if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
    950. 

  950.     {
    951. 

  951.         SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
    952. 

  952.         return( ret );
    953. 

  953.     }
    954. 

  954. 

  955.     ssl->handshake->update_checksum( ssl, buf + 2, n );
    956. 

  956. 

  957.     buf = ssl->in_msg;
    958. 

  958.     n = ssl->in_left - 5;
    959. 

  959. 

  960.     /*
    961. 

  961.      *    0  .   1   ciphersuitelist length
    962. 

  962.      *    2  .   3   session id length
    963. 

  963.      *    4  .   5   challenge length
    964. 

  964.      *    6  .  ..   ciphersuitelist
    965. 

  965.      *   ..  .  ..   session id
    966. 

  966.      *   ..  .  ..   challenge
    967. 

  967.      */
    968. 

  968.     SSL_DEBUG_BUF( 4, "record contents", buf, n );
    969. 

  969. 

  970.     ciph_len = ( buf[0] << 8 ) | buf[1];
    971. 

  971.     sess_len = ( buf[2] << 8 ) | buf[3];
    972. 

  972.     chal_len = ( buf[4] << 8 ) | buf[5];
    973. 

  973. 

  974.     SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
    975. 

  975.                    ciph_len, sess_len, chal_len ) );
    976. 

  976. 

  977.     /*
    978. 

  978.      * Make sure each parameter length is valid
    979. 

  979.      */
    980. 

  980.     if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
    981. 

  981.     {
    982. 

  982.         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    983. 

  983.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    984. 

  984.     }
    985. 

  985. 

  986.     if( sess_len > 32 )
    987. 

  987.     {
    988. 

  988.         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    989. 

  989.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    990. 

  990.     }
    991. 

  991. 

  992.     if( chal_len < 8 || chal_len > 32 )
    993. 

  993.     {
    994. 

  994.         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    995. 

  995.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    996. 

  996.     }
    997. 

  997. 

  998.     if( n != 6 + ciph_len + sess_len + chal_len )
    999. 

  999.     {
    1000. 

  1000.         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    1001. 

  1001.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    1002. 

  1002.     }
    1003. 

  1003. 

  1004.     SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
    1005. 

  1005.                    buf + 6, ciph_len );
    1006. 

  1006.     SSL_DEBUG_BUF( 3, "client hello, session id",
    1007. 

  1007.                    buf + 6 + ciph_len, sess_len );
    1008. 

  1008.     SSL_DEBUG_BUF( 3, "client hello, challenge",
    1009. 

  1009.                    buf + 6 + ciph_len + sess_len, chal_len );
    1010. 

  1010. 

  1011.     p = buf + 6 + ciph_len;
    1012. 

  1012.     ssl->session_negotiate->length = sess_len;
    1013. 

  1013.     memset( ssl->session_negotiate->id, 0,
    1014. 

  1014.             sizeof( ssl->session_negotiate->id ) );
    1015. 

  1015.     memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
    1016. 

  1016. 

  1017.     p += sess_len;
    1018. 

  1018.     memset( ssl->handshake->randbytes, 0, 64 );
    1019. 

  1019.     memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
    1020. 

  1020. 

  1021.     /*
    1022. 

  1022.      * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
    1023. 

  1023.      */
    1024. 

  1024.     for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
    1025. 

  1025.     {
    1026. 

  1026.         if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
    1027. 

  1027.         {
    1028. 

  1028.             SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
    1029. 

  1029.             if( ssl->renegotiation == SSL_RENEGOTIATION )
    1030. 

  1030.             {
    1031. 

  1031.                 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
    1032. 

  1032. 

  1033.                 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
    1034. 

  1034.                     return( ret );
    1035. 

  1035. 

  1036.                 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    1037. 

  1037.             }
    1038. 

  1038.             ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
    1039. 

  1039.             break;
    1040. 

  1040.         }
    1041. 

  1041.     }
    1042. 

  1042. 

  1043.     ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
    1044. 

  1044.     ciphersuite_info = NULL;
    1045. 

  1045. #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
    1046. 

  1046.     for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
    1047. 

  1047.     {
    1048. 

  1048.         for( i = 0; ciphersuites[i] != 0; i++ )
    1049. 

  1049. #else
    1050. 

  1050.     for( i = 0; ciphersuites[i] != 0; i++ )
    1051. 

  1051.     {
    1052. 

  1052.         for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
    1053. 

  1053. #endif
    1054. 

  1054.         {
    1055. 

  1055.             if( p[0] != 0 ||
    1056. 

  1056.                 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
    1057. 

  1057.                 p[2] != ( ( ciphersuites[i]      ) & 0xFF ) )
    1058. 

  1058.                 continue;
    1059. 

  1059. 

  1060.             if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
    1061. 

  1061.                                                &ciphersuite_info ) ) != 0 )
    1062. 

  1062.                 return( ret );
    1063. 

  1063. 

  1064.             if( ciphersuite_info != NULL )
    1065. 

  1065.                 goto have_ciphersuite_v2;
    1066. 

  1066.         }
    1067. 

  1067.     }
    1068. 

  1068. 

  1069.     SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
    1070. 

  1070. 

  1071.     return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
    1072. 

  1072. 

  1073. have_ciphersuite_v2:
    1074. 

  1074.     ssl->session_negotiate->ciphersuite = ciphersuites[i];
    1075. 

  1075.     ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
    1076. 

  1076.     ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
    1077. 

  1077. 

  1078.     /*
    1079. 

  1079.      * SSLv2 Client Hello relevant renegotiation security checks
    1080. 

  1080.      */
    1081. 

  1081.     if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
    1082. 

  1082.         ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
    1083. 

  1083.     {
    1084. 

  1084.         SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
    1085. 

  1085. 

  1086.         if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
    1087. 

  1087.             return( ret );
    1088. 

  1088. 

  1089.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    1090. 

  1090.     }
    1091. 

  1091. 

  1092.     ssl->in_left = 0;
    1093. 

  1093.     ssl->state++;
    1094. 

  1094. 

  1095.     SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
    1096. 

  1096. 

  1097.     return( 0 );
    1098. 

  1098. }
    1099. 

  1099. #endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
    1100. 

  1100. 

  1101. static int ssl_parse_client_hello( ssl_context *ssl )
    1102. 

  1102. {
    1103. 

  1103.     int ret;
    1104. 

  1104.     unsigned int i, j;
    1105. 

  1105.     size_t n;
    1106. 

  1106.     unsigned int ciph_len, sess_len;
    1107. 

  1107.     unsigned int comp_len;
    1108. 

  1108.     unsigned int ext_len = 0;
    1109. 

  1109.     unsigned char *buf, *p, *ext;
    1110. 

  1110.     int renegotiation_info_seen = 0;
    1111. 

  1111.     int handshake_failure = 0;
    1112. 

  1112.     const int *ciphersuites;
    1113. 

  1113.     const ssl_ciphersuite_t *ciphersuite_info;
    1114. 

  1114. 

  1115.     SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
    1116. 

  1116. 

  1117.     if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
    1118. 

  1118.         ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
    1119. 

  1119.     {
    1120. 

  1120.         SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
    1121. 

  1121.         return( ret );
    1122. 

  1122.     }
    1123. 

  1123. 

  1124.     buf = ssl->in_hdr;
    1125. 

  1125. 

  1126. #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
    1127. 

  1127.     if( ( buf[0] & 0x80 ) != 0 )
    1128. 

  1128.         return ssl_parse_client_hello_v2( ssl );
    1129. 

  1129. #endif
    1130. 

  1130. 

  1131.     SSL_DEBUG_BUF( 4, "record header", buf, 5 );
    1132. 

  1132. 

  1133.     SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
    1134. 

  1134.                    buf[0] ) );
    1135. 

  1135.     SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
    1136. 

  1136.                    ( buf[3] << 8 ) | buf[4] ) );
    1137. 

  1137.     SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
    1138. 

  1138.                    buf[1], buf[2] ) );
    1139. 

  1139. 

  1140.     /*
    1141. 

  1141.      * SSLv3/TLS Client Hello
    1142. 

  1142.      *
    1143. 

  1143.      * Record layer:
    1144. 

  1144.      *     0  .   0   message type
    1145. 

  1145.      *     1  .   2   protocol version
    1146. 

  1146.      *     3  .   4   message length
    1147. 

  1147.      */
    1148. 

  1148. 

  1149.     /* According to RFC 5246 Appendix E.1, the version here is typically
    1150. 

  1150.      * "{03,00}, the lowest version number supported by the client, [or] the
    1151. 

  1151.      * value of ClientHello.client_version", so the only meaningful check here
    1152. 

  1152.      * is the major version shouldn't be less than 3 */
    1153. 

  1153.     if( buf[0] != SSL_MSG_HANDSHAKE ||
    1154. 

  1154.         buf[1] < SSL_MAJOR_VERSION_3 )
    1155. 

  1155.     {
    1156. 

  1156.         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    1157. 

  1157.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    1158. 

  1158.     }
    1159. 

  1159. 

  1160.     n = ( buf[3] << 8 ) | buf[4];
    1161. 

  1161. 

  1162.     if( n < 45 || n > SSL_MAX_CONTENT_LEN )
    1163. 

  1163.     {
    1164. 

  1164.         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    1165. 

  1165.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    1166. 

  1166.     }
    1167. 

  1167. 

  1168.     if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
    1169. 

  1169.         ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
    1170. 

  1170.     {
    1171. 

  1171.         SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
    1172. 

  1172.         return( ret );
    1173. 

  1173.     }
    1174. 

  1174. 

  1175.     buf = ssl->in_msg;
    1176. 

  1176.     if( !ssl->renegotiation )
    1177. 

  1177.         n = ssl->in_left - 5;
    1178. 

  1178.     else
    1179. 

  1179.         n = ssl->in_msglen;
    1180. 

  1180. 

  1181.     ssl->handshake->update_checksum( ssl, buf, n );
    1182. 

  1182. 

  1183.     /*
    1184. 

  1184.      * SSL layer:
    1185. 

  1185.      *     0  .   0   handshake type
    1186. 

  1186.      *     1  .   3   handshake length
    1187. 

  1187.      *     4  .   5   protocol version
    1188. 

  1188.      *     6  .   9   UNIX time()
    1189. 

  1189.      *    10  .  37   random bytes
    1190. 

  1190.      *    38  .  38   session id length
    1191. 

  1191.      *    39  . 38+x  session id
    1192. 

  1192.      *   39+x . 40+x  ciphersuitelist length
    1193. 

  1193.      *   41+x . 40+y  ciphersuitelist
    1194. 

  1194.      *   41+y . 41+y  compression alg length
    1195. 

  1195.      *   42+y . 41+z  compression algs
    1196. 

  1196.      *    ..  .  ..   extensions
    1197. 

  1197.      */
    1198. 

  1198.     SSL_DEBUG_BUF( 4, "record contents", buf, n );
    1199. 

  1199. 

  1200.     SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
    1201. 

  1201.                    buf[0] ) );
    1202. 

  1202.     SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
    1203. 

  1203.                    ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
    1204. 

  1204.     SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
    1205. 

  1205.                    buf[4], buf[5] ) );
    1206. 

  1206. 

  1207.     /*
    1208. 

  1208.      * Check the handshake type and protocol version
    1209. 

  1209.      */
    1210. 

  1210.     if( buf[0] != SSL_HS_CLIENT_HELLO )
    1211. 

  1211.     {
    1212. 

  1212.         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    1213. 

  1213.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    1214. 

  1214.     }
    1215. 

  1215. 

  1216.     ssl->major_ver = buf[4];
    1217. 

  1217.     ssl->minor_ver = buf[5];
    1218. 

  1218. 

  1219.     ssl->handshake->max_major_ver = ssl->major_ver;
    1220. 

  1220.     ssl->handshake->max_minor_ver = ssl->minor_ver;
    1221. 

  1221. 

  1222.     if( ssl->major_ver < ssl->min_major_ver ||
    1223. 

  1223.         ssl->minor_ver < ssl->min_minor_ver )
    1224. 

  1224.     {
    1225. 

  1225.         SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
    1226. 

  1226.                             " [%d:%d] < [%d:%d]",
    1227. 

  1227.                             ssl->major_ver, ssl->minor_ver,
    1228. 

  1228.                             ssl->min_major_ver, ssl->min_minor_ver ) );
    1229. 

  1229. 

  1230.         ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
    1231. 

  1231.                                      SSL_ALERT_MSG_PROTOCOL_VERSION );
    1232. 

  1232. 

  1233.         return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
    1234. 

  1234.     }
    1235. 

  1235. 

  1236.     if( ssl->major_ver > ssl->max_major_ver )
    1237. 

  1237.     {
    1238. 

  1238.         ssl->major_ver = ssl->max_major_ver;
    1239. 

  1239.         ssl->minor_ver = ssl->max_minor_ver;
    1240. 

  1240.     }
    1241. 

  1241.     else if( ssl->minor_ver > ssl->max_minor_ver )
    1242. 

  1242.         ssl->minor_ver = ssl->max_minor_ver;
    1243. 

  1243. 

  1244.     memcpy( ssl->handshake->randbytes, buf + 6, 32 );
    1245. 

  1245. 

  1246.     /*
    1247. 

  1247.      * Check the handshake message length
    1248. 

  1248.      */
    1249. 

  1249.     if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
    1250. 

  1250.     {
    1251. 

  1251.         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    1252. 

  1252.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    1253. 

  1253.     }
    1254. 

  1254. 

  1255.     /*
    1256. 

  1256.      * Check the session length
    1257. 

  1257.      */
    1258. 

  1258.     sess_len = buf[38];
    1259. 

  1259. 

  1260.     if( sess_len > 32 || sess_len > n - 42 )
    1261. 

  1261.     {
    1262. 

  1262.         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    1263. 

  1263.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    1264. 

  1264.     }
    1265. 

  1265. 

  1266.     ssl->session_negotiate->length = sess_len;
    1267. 

  1267.     memset( ssl->session_negotiate->id, 0,
    1268. 

  1268.             sizeof( ssl->session_negotiate->id ) );
    1269. 

  1269.     memcpy( ssl->session_negotiate->id, buf + 39,
    1270. 

  1270.             ssl->session_negotiate->length );
    1271. 

  1271. 

  1272.     /*
    1273. 

  1273.      * Check the ciphersuitelist length
    1274. 

  1274.      */
    1275. 

  1275.     ciph_len = ( buf[39 + sess_len] << 8 )
    1276. 

  1276.              | ( buf[40 + sess_len]      );
    1277. 

  1277. 

  1278.     if( ciph_len < 2 || ( ciph_len % 2 ) != 0 || ciph_len > n - 42 - sess_len )
    1279. 

  1279.     {
    1280. 

  1280.         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    1281. 

  1281.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    1282. 

  1282.     }
    1283. 

  1283. 

  1284.     /*
    1285. 

  1285.      * Check the compression algorithms length
    1286. 

  1286.      */
    1287. 

  1287.     comp_len = buf[41 + sess_len + ciph_len];
    1288. 

  1288. 

  1289.     if( comp_len < 1 || comp_len > 16 ||
    1290. 

  1290.         comp_len > n - 42 - sess_len - ciph_len )
    1291. 

  1291.     {
    1292. 

  1292.         SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    1293. 

  1293.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    1294. 

  1294.     }
    1295. 

  1295. 

  1296.     /*
    1297. 

  1297.      * Check the extension length
    1298. 

  1298.      */
    1299. 

  1299.     if( n > 42 + sess_len + ciph_len + comp_len )
    1300. 

  1300.     {
    1301. 

  1301.         ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
    1302. 

  1302.                 | ( buf[43 + sess_len + ciph_len + comp_len]      );
    1303. 

  1303. 

  1304.         if( ( ext_len > 0 && ext_len < 4 ) ||
    1305. 

  1305.             n != 44 + sess_len + ciph_len + comp_len + ext_len )
    1306. 

  1306.         {
    1307. 

  1307.             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    1308. 

  1308.             SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
    1309. 

  1309.             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    1310. 

  1310.         }
    1311. 

  1311.     }
    1312. 

  1312. 

  1313.     ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
    1314. 

  1314. #if defined(POLARSSL_ZLIB_SUPPORT)
    1315. 

  1315.     for( i = 0; i < comp_len; ++i )
    1316. 

  1316.     {
    1317. 

  1317.         if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
    1318. 

  1318.         {
    1319. 

  1319.             ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE;
    1320. 

  1320.             break;
    1321. 

  1321.         }
    1322. 

  1322.     }
    1323. 

  1323. #endif
    1324. 

  1324. 

  1325.     SSL_DEBUG_BUF( 3, "client hello, random bytes",
    1326. 

  1326.                    buf +  6,  32 );
    1327. 

  1327.     SSL_DEBUG_BUF( 3, "client hello, session id",
    1328. 

  1328.                    buf + 38,  sess_len );
    1329. 

  1329.     SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
    1330. 

  1330.                    buf + 41 + sess_len,  ciph_len );
    1331. 

  1331.     SSL_DEBUG_BUF( 3, "client hello, compression",
    1332. 

  1332.                    buf + 42 + sess_len + ciph_len, comp_len );
    1333. 

  1333. 

  1334.     /*
    1335. 

  1335.      * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
    1336. 

  1336.      */
    1337. 

  1337.     for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
    1338. 

  1338.     {
    1339. 

  1339.         if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
    1340. 

  1340.         {
    1341. 

  1341.             SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
    1342. 

  1342.             if( ssl->renegotiation == SSL_RENEGOTIATION )
    1343. 

  1343.             {
    1344. 

  1344.                 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
    1345. 

  1345. 

  1346.                 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
    1347. 

  1347.                     return( ret );
    1348. 

  1348. 

  1349.                 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    1350. 

  1350.             }
    1351. 

  1351.             ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
    1352. 

  1352.             break;
    1353. 

  1353.         }
    1354. 

  1354.     }
    1355. 

  1355. 

  1356.     ext = buf + 44 + sess_len + ciph_len + comp_len;
    1357. 

  1357. 

  1358.     while( ext_len )
    1359. 

  1359.     {
    1360. 

  1360.         unsigned int ext_id   = ( ( ext[0] <<  8 )
    1361. 

  1361.                                 | ( ext[1]       ) );
    1362. 

  1362.         unsigned int ext_size = ( ( ext[2] <<  8 )
    1363. 

  1363.                                 | ( ext[3]       ) );
    1364. 

  1364. 

  1365.         if( ext_size + 4 > ext_len )
    1366. 

  1366.         {
    1367. 

  1367.             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    1368. 

  1368.             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    1369. 

  1369.         }
    1370. 

  1370.         switch( ext_id )
    1371. 

  1371.         {
    1372. 

  1372. #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
    1373. 

  1373.         case TLS_EXT_SERVERNAME:
    1374. 

  1374.             SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
    1375. 

  1375.             if( ssl->f_sni == NULL )
    1376. 

  1376.                 break;
    1377. 

  1377. 

  1378.             ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
    1379. 

  1379.             if( ret != 0 )
    1380. 

  1380.                 return( ret );
    1381. 

  1381.             break;
    1382. 

  1382. #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
    1383. 

  1383. 

  1384.         case TLS_EXT_RENEGOTIATION_INFO:
    1385. 

  1385.             SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
    1386. 

  1386.             renegotiation_info_seen = 1;
    1387. 

  1387. 

  1388.             ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
    1389. 

  1389.             if( ret != 0 )
    1390. 

  1390.                 return( ret );
    1391. 

  1391.             break;
    1392. 

  1392. 

  1393. #if defined(POLARSSL_SSL_PROTO_TLS1_2)
    1394. 

  1394.         case TLS_EXT_SIG_ALG:
    1395. 

  1395.             SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
    1396. 

  1396.             if( ssl->renegotiation == SSL_RENEGOTIATION )
    1397. 

  1397.                 break;
    1398. 

  1398. 

  1399.             ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
    1400. 

  1400.             if( ret != 0 )
    1401. 

  1401.                 return( ret );
    1402. 

  1402.             break;
    1403. 

  1403. #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
    1404. 

  1404. 

  1405. #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
    1406. 

  1406.         case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
    1407. 

  1407.             SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
    1408. 

  1408. 

  1409.             ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
    1410. 

  1410.             if( ret != 0 )
    1411. 

  1411.                 return( ret );
    1412. 

  1412.             break;
    1413. 

  1413. 

  1414.         case TLS_EXT_SUPPORTED_POINT_FORMATS:
    1415. 

  1415.             SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
    1416. 

  1416.             ssl->handshake->cli_exts |= TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
    1417. 

  1417. 

  1418.             ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
    1419. 

  1419.             if( ret != 0 )
    1420. 

  1420.                 return( ret );
    1421. 

  1421.             break;
    1422. 

  1422. #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
    1423. 

  1423. 

  1424. #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
    1425. 

  1425.         case TLS_EXT_MAX_FRAGMENT_LENGTH:
    1426. 

  1426.             SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
    1427. 

  1427. 

  1428.             ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
    1429. 

  1429.             if( ret != 0 )
    1430. 

  1430.                 return( ret );
    1431. 

  1431.             break;
    1432. 

  1432. #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
    1433. 

  1433. 

  1434. #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
    1435. 

  1435.         case TLS_EXT_TRUNCATED_HMAC:
    1436. 

  1436.             SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
    1437. 

  1437. 

  1438.             ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
    1439. 

  1439.             if( ret != 0 )
    1440. 

  1440.                 return( ret );
    1441. 

  1441.             break;
    1442. 

  1442. #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
    1443. 

  1443. 

  1444. #if defined(POLARSSL_SSL_SESSION_TICKETS)
    1445. 

  1445.         case TLS_EXT_SESSION_TICKET:
    1446. 

  1446.             SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
    1447. 

  1447. 

  1448.             ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
    1449. 

  1449.             if( ret != 0 )
    1450. 

  1450.                 return( ret );
    1451. 

  1451.             break;
    1452. 

  1452. #endif /* POLARSSL_SSL_SESSION_TICKETS */
    1453. 

  1453. 

  1454. #if defined(POLARSSL_SSL_ALPN)
    1455. 

  1455.         case TLS_EXT_ALPN:
    1456. 

  1456.             SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
    1457. 

  1457. 

  1458.             ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
    1459. 

  1459.             if( ret != 0 )
    1460. 

  1460.                 return( ret );
    1461. 

  1461.             break;
    1462. 

  1462. #endif /* POLARSSL_SSL_SESSION_TICKETS */
    1463. 

  1463. 

  1464.         default:
    1465. 

  1465.             SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
    1466. 

  1466.                            ext_id ) );
    1467. 

  1467.         }
    1468. 

  1468. 

  1469.         ext_len -= 4 + ext_size;
    1470. 

  1470.         ext += 4 + ext_size;
    1471. 

  1471. 

  1472.         if( ext_len > 0 && ext_len < 4 )
    1473. 

  1473.         {
    1474. 

  1474.             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
    1475. 

  1475.             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    1476. 

  1476.         }
    1477. 

  1477.     }
    1478. 

  1478. 

  1479.     /*
    1480. 

  1480.      * Renegotiation security checks
    1481. 

  1481.      */
    1482. 

  1482.     if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
    1483. 

  1483.         ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
    1484. 

  1484.     {
    1485. 

  1485.         SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
    1486. 

  1486.         handshake_failure = 1;
    1487. 

  1487.     }
    1488. 

  1488.     else if( ssl->renegotiation == SSL_RENEGOTIATION &&
    1489. 

  1489.              ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
    1490. 

  1490.              renegotiation_info_seen == 0 )
    1491. 

  1491.     {
    1492. 

  1492.         SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
    1493. 

  1493.         handshake_failure = 1;
    1494. 

  1494.     }
    1495. 

  1495.     else if( ssl->renegotiation == SSL_RENEGOTIATION &&
    1496. 

  1496.              ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
    1497. 

  1497.              ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
    1498. 

  1498.     {
    1499. 

  1499.         SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
    1500. 

  1500.         handshake_failure = 1;
    1501. 

  1501.     }
    1502. 

  1502.     else if( ssl->renegotiation == SSL_RENEGOTIATION &&
    1503. 

  1503.              ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
    1504. 

  1504.              renegotiation_info_seen == 1 )
    1505. 

  1505.     {
    1506. 

  1506.         SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
    1507. 

  1507.         handshake_failure = 1;
    1508. 

  1508.     }
    1509. 

  1509. 

  1510.     if( handshake_failure == 1 )
    1511. 

  1511.     {
    1512. 

  1512.         if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
    1513. 

  1513.             return( ret );
    1514. 

  1514. 

  1515.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    1516. 

  1516.     }
    1517. 

  1517. 

  1518.     /*
    1519. 

  1519.      * Search for a matching ciphersuite
    1520. 

  1520.      * (At the end because we need information from the EC-based extensions
    1521. 

  1521.      * and certificate from the SNI callback triggered by the SNI extension.)
    1522. 

  1522.      */
    1523. 

  1523.     ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
    1524. 

  1524.     ciphersuite_info = NULL;
    1525. 

  1525. #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
    1526. 

  1526.     for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 )
    1527. 

  1527.     {
    1528. 

  1528.         for( i = 0; ciphersuites[i] != 0; i++ )
    1529. 

  1529. #else
    1530. 

  1530.     for( i = 0; ciphersuites[i] != 0; i++ )
    1531. 

  1531.     {
    1532. 

  1532.         for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 )
    1533. 

  1533. #endif
    1534. 

  1534.         {
    1535. 

  1535.             if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
    1536. 

  1536.                 p[1] != ( ( ciphersuites[i]      ) & 0xFF ) )
    1537. 

  1537.                 continue;
    1538. 

  1538. 

  1539.             if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
    1540. 

  1540.                                                &ciphersuite_info ) ) != 0 )
    1541. 

  1541.                 return( ret );
    1542. 

  1542. 

  1543.             if( ciphersuite_info != NULL )
    1544. 

  1544.                 goto have_ciphersuite;
    1545. 

  1545.         }
    1546. 

  1546.     }
    1547. 

  1547. 

  1548.     SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
    1549. 

  1549. 

  1550.     if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
    1551. 

  1551.         return( ret );
    1552. 

  1552. 

  1553.     return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
    1554. 

  1554. 

  1555. have_ciphersuite:
    1556. 

  1556.     ssl->session_negotiate->ciphersuite = ciphersuites[i];
    1557. 

  1557.     ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
    1558. 

  1558.     ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
    1559. 

  1559. 

  1560.     ssl->in_left = 0;
    1561. 

  1561.     ssl->state++;
    1562. 

  1562. 

  1563.     SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
    1564. 

  1564. 

  1565.     return( 0 );
    1566. 

  1566. }
    1567. 

  1567. 

  1568. #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
    1569. 

  1569. static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
    1570. 

  1570.                                           unsigned char *buf,
    1571. 

  1571.                                           size_t *olen )
    1572. 

  1572. {
    1573. 

  1573.     unsigned char *p = buf;
    1574. 

  1574. 

  1575.     if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
    1576. 

  1576.     {
    1577. 

  1577.         *olen = 0;
    1578. 

  1578.         return;
    1579. 

  1579.     }
    1580. 

  1580. 

  1581.     SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
    1582. 

  1582. 

  1583.     *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
    1584. 

  1584.     *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC      ) & 0xFF );
    1585. 

  1585. 

  1586.     *p++ = 0x00;
    1587. 

  1587.     *p++ = 0x00;
    1588. 

  1588. 

  1589.     *olen = 4;
    1590. 

  1590. }
    1591. 

  1591. #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
    1592. 

  1592. 

  1593. #if defined(POLARSSL_SSL_SESSION_TICKETS)
    1594. 

  1594. static void ssl_write_session_ticket_ext( ssl_context *ssl,
    1595. 

  1595.                                           unsigned char *buf,
    1596. 

  1596.                                           size_t *olen )
    1597. 

  1597. {
    1598. 

  1598.     unsigned char *p = buf;
    1599. 

  1599. 

  1600.     if( ssl->handshake->new_session_ticket == 0 )
    1601. 

  1601.     {
    1602. 

  1602.         *olen = 0;
    1603. 

  1603.         return;
    1604. 

  1604.     }
    1605. 

  1605. 

  1606.     SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
    1607. 

  1607. 

  1608.     *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
    1609. 

  1609.     *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET      ) & 0xFF );
    1610. 

  1610. 

  1611.     *p++ = 0x00;
    1612. 

  1612.     *p++ = 0x00;
    1613. 

  1613. 

  1614.     *olen = 4;
    1615. 

  1615. }
    1616. 

  1616. #endif /* POLARSSL_SSL_SESSION_TICKETS */
    1617. 

  1617. 

  1618. static void ssl_write_renegotiation_ext( ssl_context *ssl,
    1619. 

  1619.                                          unsigned char *buf,
    1620. 

  1620.                                          size_t *olen )
    1621. 

  1621. {
    1622. 

  1622.     unsigned char *p = buf;
    1623. 

  1623. 

  1624.     if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION )
    1625. 

  1625.     {
    1626. 

  1626.         *olen = 0;
    1627. 

  1627.         return;
    1628. 

  1628.     }
    1629. 

  1629. 

  1630.     SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
    1631. 

  1631. 

  1632.     *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
    1633. 

  1633.     *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO      ) & 0xFF );
    1634. 

  1634. 

  1635.     *p++ = 0x00;
    1636. 

  1636.     *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
    1637. 

  1637.     *p++ = ssl->verify_data_len * 2 & 0xFF;
    1638. 

  1638. 

  1639.     memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
    1640. 

  1640.     p += ssl->verify_data_len;
    1641. 

  1641.     memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
    1642. 

  1642.     p += ssl->verify_data_len;
    1643. 

  1643. 

  1644.     *olen = 5 + ssl->verify_data_len * 2;
    1645. 

  1645. }
    1646. 

  1646. 

  1647. #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
    1648. 

  1648. static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
    1649. 

  1649.                                                unsigned char *buf,
    1650. 

  1650.                                                size_t *olen )
    1651. 

  1651. {
    1652. 

  1652.     unsigned char *p = buf;
    1653. 

  1653. 

  1654.     if( ssl->session_negotiate->mfl_code == SSL_MAX_FRAG_LEN_NONE )
    1655. 

  1655.     {
    1656. 

  1656.         *olen = 0;
    1657. 

  1657.         return;
    1658. 

  1658.     }
    1659. 

  1659. 

  1660.     SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
    1661. 

  1661. 

  1662.     *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
    1663. 

  1663.     *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH      ) & 0xFF );
    1664. 

  1664. 

  1665.     *p++ = 0x00;
    1666. 

  1666.     *p++ = 1;
    1667. 

  1667. 

  1668.     *p++ = ssl->session_negotiate->mfl_code;
    1669. 

  1669. 

  1670.     *olen = 5;
    1671. 

  1671. }
    1672. 

  1672. #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
    1673. 

  1673. 

  1674. #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
    1675. 

  1675. static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
    1676. 

  1676.                                                    unsigned char *buf,
    1677. 

  1677.                                                    size_t *olen )
    1678. 

  1678. {
    1679. 

  1679.     unsigned char *p = buf;
    1680. 

  1680.     ((void) ssl);
    1681. 

  1681. 

  1682.     if( ( ssl->handshake->cli_exts &
    1683. 

  1683.           TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
    1684. 

  1684.     {
    1685. 

  1685.         *olen = 0;
    1686. 

  1686.         return;
    1687. 

  1687.     }
    1688. 

  1688. 

  1689.     SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
    1690. 

  1690. 

  1691.     *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
    1692. 

  1692.     *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS      ) & 0xFF );
    1693. 

  1693. 

  1694.     *p++ = 0x00;
    1695. 

  1695.     *p++ = 2;
    1696. 

  1696. 

  1697.     *p++ = 1;
    1698. 

  1698.     *p++ = POLARSSL_ECP_PF_UNCOMPRESSED;
    1699. 

  1699. 

  1700.     *olen = 6;
    1701. 

  1701. }
    1702. 

  1702. #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
    1703. 

  1703. 

  1704. #if defined(POLARSSL_SSL_ALPN )
    1705. 

  1705. static void ssl_write_alpn_ext( ssl_context *ssl,
    1706. 

  1706.                                 unsigned char *buf, size_t *olen )
    1707. 

  1707. {
    1708. 

  1708.     if( ssl->alpn_chosen == NULL )
    1709. 

  1709.     {
    1710. 

  1710.         *olen = 0;
    1711. 

  1711.         return;
    1712. 

  1712.     }
    1713. 

  1713. 

  1714.     SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
    1715. 

  1715. 

  1716.     /*
    1717. 

  1717.      * 0 . 1    ext identifier
    1718. 

  1718.      * 2 . 3    ext length
    1719. 

  1719.      * 4 . 5    protocol list length
    1720. 

  1720.      * 6 . 6    protocol name length
    1721. 

  1721.      * 7 . 7+n  protocol name
    1722. 

  1722.      */
    1723. 

  1723.     buf[0] = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF );
    1724. 

  1724.     buf[1] = (unsigned char)( ( TLS_EXT_ALPN      ) & 0xFF );
    1725. 

  1725. 

  1726.     *olen = 7 + strlen( ssl->alpn_chosen );
    1727. 

  1727. 

  1728.     buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
    1729. 

  1729.     buf[3] = (unsigned char)( ( ( *olen - 4 )      ) & 0xFF );
    1730. 

  1730. 

  1731.     buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
    1732. 

  1732.     buf[5] = (unsigned char)( ( ( *olen - 6 )      ) & 0xFF );
    1733. 

  1733. 

  1734.     buf[6] = (unsigned char)( ( ( *olen - 7 )      ) & 0xFF );
    1735. 

  1735. 

  1736.     memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
    1737. 

  1737. }
    1738. 

  1738. #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
    1739. 

  1739. 

  1740. static int ssl_write_server_hello( ssl_context *ssl )
    1741. 

  1741. {
    1742. 

  1742. #if defined(POLARSSL_HAVE_TIME)
    1743. 

  1743.     time_t t;
    1744. 

  1744. #endif
    1745. 

  1745.     int ret;
    1746. 

  1746.     size_t olen, ext_len = 0, n;
    1747. 

  1747.     unsigned char *buf, *p;
    1748. 

  1748. 

  1749.     SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
    1750. 

  1750. 

  1751.     if( ssl->f_rng == NULL )
    1752. 

  1752.     {
    1753. 

  1753.         SSL_DEBUG_MSG( 1, ( "no RNG provided") );
    1754. 

  1754.         return( POLARSSL_ERR_SSL_NO_RNG );
    1755. 

  1755.     }
    1756. 

  1756. 

  1757.     /*
    1758. 

  1758.      *     0  .   0   handshake type
    1759. 

  1759.      *     1  .   3   handshake length
    1760. 

  1760.      *     4  .   5   protocol version
    1761. 

  1761.      *     6  .   9   UNIX time()
    1762. 

  1762.      *    10  .  37   random bytes
    1763. 

  1763.      */
    1764. 

  1764.     buf = ssl->out_msg;
    1765. 

  1765.     p = buf + 4;
    1766. 

  1766. 

  1767.     *p++ = (unsigned char) ssl->major_ver;
    1768. 

  1768.     *p++ = (unsigned char) ssl->minor_ver;
    1769. 

  1769. 

  1770.     SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
    1771. 

  1771.                    buf[4], buf[5] ) );
    1772. 

  1772. 

  1773. #if defined(POLARSSL_HAVE_TIME)
    1774. 

  1774.     t = time( NULL );
    1775. 

  1775.     *p++ = (unsigned char)( t >> 24 );
    1776. 

  1776.     *p++ = (unsigned char)( t >> 16 );
    1777. 

  1777.     *p++ = (unsigned char)( t >>  8 );
    1778. 

  1778.     *p++ = (unsigned char)( t       );
    1779. 

  1779. 

  1780.     SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
    1781. 

  1781. #else
    1782. 

  1782.     if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
    1783. 

  1783.         return( ret );
    1784. 

  1784. 

  1785.     p += 4;
    1786. 

  1786. #endif /* POLARSSL_HAVE_TIME */
    1787. 

  1787. 

  1788.     if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
    1789. 

  1789.         return( ret );
    1790. 

  1790. 

  1791.     p += 28;
    1792. 

  1792. 

  1793.     memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
    1794. 

  1794. 

  1795.     SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
    1796. 

  1796. 

  1797.     /*
    1798. 

  1798.      * Resume is 0  by default, see ssl_handshake_init().
    1799. 

  1799.      * It may be already set to 1 by ssl_parse_session_ticket_ext().
    1800. 

  1800.      * If not, try looking up session ID in our cache.
    1801. 

  1801.      */
    1802. 

  1802.     if( ssl->handshake->resume == 0 &&
    1803. 

  1803.         ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
    1804. 

  1804.         ssl->session_negotiate->length != 0 &&
    1805. 

  1805.         ssl->f_get_cache != NULL &&
    1806. 

  1806.         ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
    1807. 

  1807.     {
    1808. 

  1808.         SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
    1809. 

  1809.         ssl->handshake->resume = 1;
    1810. 

  1810.     }
    1811. 

  1811. 

  1812.     if( ssl->handshake->resume == 0 )
    1813. 

  1813.     {
    1814. 

  1814.         /*
    1815. 

  1815.          * New session, create a new session id,
    1816. 

  1816.          * unless we're about to issue a session ticket
    1817. 

  1817.          */
    1818. 

  1818.         ssl->state++;
    1819. 

  1819. 

  1820. #if defined(POLARSSL_HAVE_TIME)
    1821. 

  1821.         ssl->session_negotiate->start = time( NULL );
    1822. 

  1822. #endif
    1823. 

  1823. 

  1824. #if defined(POLARSSL_SSL_SESSION_TICKETS)
    1825. 

  1825.         if( ssl->handshake->new_session_ticket != 0 )
    1826. 

  1826.         {
    1827. 

  1827.             ssl->session_negotiate->length = n = 0;
    1828. 

  1828.             memset( ssl->session_negotiate->id, 0, 32 );
    1829. 

  1829.         }
    1830. 

  1830.         else
    1831. 

  1831. #endif /* POLARSSL_SSL_SESSION_TICKETS */
    1832. 

  1832.         {
    1833. 

  1833.             ssl->session_negotiate->length = n = 32;
    1834. 

  1834.             if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
    1835. 

  1835.                                     n ) ) != 0 )
    1836. 

  1836.                 return( ret );
    1837. 

  1837.         }
    1838. 

  1838.     }
    1839. 

  1839.     else
    1840. 

  1840.     {
    1841. 

  1841.         /*
    1842. 

  1842.          * Resuming a session
    1843. 

  1843.          */
    1844. 

  1844.         n = ssl->session_negotiate->length;
    1845. 

  1845.         ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
    1846. 

  1846. 

  1847.         if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
    1848. 

  1848.         {
    1849. 

  1849.             SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
    1850. 

  1850.             return( ret );
    1851. 

  1851.         }
    1852. 

  1852.     }
    1853. 

  1853. 

  1854.     /*
    1855. 

  1855.      *    38  .  38     session id length
    1856. 

  1856.      *    39  . 38+n    session id
    1857. 

  1857.      *   39+n . 40+n    chosen ciphersuite
    1858. 

  1858.      *   41+n . 41+n    chosen compression alg.
    1859. 

  1859.      *   42+n . 43+n    extensions length
    1860. 

  1860.      *   44+n . 43+n+m  extensions
    1861. 

  1861.      */
    1862. 

  1862.     *p++ = (unsigned char) ssl->session_negotiate->length;
    1863. 

  1863.     memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
    1864. 

  1864.     p += ssl->session_negotiate->length;
    1865. 

  1865. 

  1866.     SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
    1867. 

  1867.     SSL_DEBUG_BUF( 3,   "server hello, session id", buf + 39, n );
    1868. 

  1868.     SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
    1869. 

  1869.                    ssl->handshake->resume ? "a" : "no" ) );
    1870. 

  1870. 

  1871.     *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
    1872. 

  1872.     *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite      );
    1873. 

  1873.     *p++ = (unsigned char)( ssl->session_negotiate->compression      );
    1874. 

  1874. 

  1875.     SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
    1876. 

  1876.            ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
    1877. 

  1877.     SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
    1878. 

  1878.                    ssl->session_negotiate->compression ) );
    1879. 

  1879. 

  1880.     /*
    1881. 

  1881.      *  First write extensions, then the total length
    1882. 

  1882.      */
    1883. 

  1883.     ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
    1884. 

  1884.     ext_len += olen;
    1885. 

  1885. 

  1886. #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
    1887. 

  1887.     ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
    1888. 

  1888.     ext_len += olen;
    1889. 

  1889. #endif
    1890. 

  1890. 

  1891. #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
    1892. 

  1892.     ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
    1893. 

  1893.     ext_len += olen;
    1894. 

  1894. #endif
    1895. 

  1895. 

  1896. #if defined(POLARSSL_SSL_SESSION_TICKETS)
    1897. 

  1897.     ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
    1898. 

  1898.     ext_len += olen;
    1899. 

  1899. #endif
    1900. 

  1900. 

  1901. #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
    1902. 

  1902.     ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
    1903. 

  1903.     ext_len += olen;
    1904. 

  1904. #endif
    1905. 

  1905. 

  1906. #if defined(POLARSSL_SSL_ALPN)
    1907. 

  1907.     ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
    1908. 

  1908.     ext_len += olen;
    1909. 

  1909. #endif
    1910. 

  1910. 

  1911.     SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
    1912. 

  1912. 

  1913.     if( ext_len > 0 )
    1914. 

  1914.     {
    1915. 

  1915.         *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
    1916. 

  1916.         *p++ = (unsigned char)( ( ext_len      ) & 0xFF );
    1917. 

  1917.         p += ext_len;
    1918. 

  1918.     }
    1919. 

  1919. 

  1920.     ssl->out_msglen  = p - buf;
    1921. 

  1921.     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
    1922. 

  1922.     ssl->out_msg[0]  = SSL_HS_SERVER_HELLO;
    1923. 

  1923. 

  1924.     ret = ssl_write_record( ssl );
    1925. 

  1925. 

  1926.     SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
    1927. 

  1927. 

  1928.     return( ret );
    1929. 

  1929. }
    1930. 

  1930. 

  1931. #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)       && \
    1932. 

  1932.     !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
    1933. 

  1933.     !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
    1934. 

  1934.     !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
    1935. 

  1935. static int ssl_write_certificate_request( ssl_context *ssl )
    1936. 

  1936. {
    1937. 

  1937.     const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
    1938. 

  1938. 

  1939.     SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
    1940. 

  1940. 

  1941.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
    1942. 

  1942.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
    1943. 

  1943.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
    1944. 

  1944.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
    1945. 

  1945.     {
    1946. 

  1946.         SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
    1947. 

  1947.         ssl->state++;
    1948. 

  1948.         return( 0 );
    1949. 

  1949.     }
    1950. 

  1950. 

  1951.     SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    1952. 

  1952.     return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
    1953. 

  1953. }
    1954. 

  1954. #else
    1955. 

  1955. static int ssl_write_certificate_request( ssl_context *ssl )
    1956. 

  1956. {
    1957. 

  1957.     int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
    1958. 

  1958.     const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
    1959. 

  1959.     size_t dn_size, total_dn_size; /* excluding length bytes */
    1960. 

  1960.     size_t ct_len, sa_len; /* including length bytes */
    1961. 

  1961.     unsigned char *buf, *p;
    1962. 

  1962.     const x509_crt *crt;
    1963. 

  1963. 

  1964.     SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
    1965. 

  1965. 

  1966.     ssl->state++;
    1967. 

  1967. 

  1968.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
    1969. 

  1969.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
    1970. 

  1970.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
    1971. 

  1971.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
    1972. 

  1972.         ssl->authmode == SSL_VERIFY_NONE )
    1973. 

  1973.     {
    1974. 

  1974.         SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
    1975. 

  1975.         return( 0 );
    1976. 

  1976.     }
    1977. 

  1977. 

  1978.     /*
    1979. 

  1979.      *     0  .   0   handshake type
    1980. 

  1980.      *     1  .   3   handshake length
    1981. 

  1981.      *     4  .   4   cert type count
    1982. 

  1982.      *     5  .. m-1  cert types
    1983. 

  1983.      *     m  .. m+1  sig alg length (TLS 1.2 only)
    1984. 

  1984.      *    m+1 .. n-1  SignatureAndHashAlgorithms (TLS 1.2 only)
    1985. 

  1985.      *     n  .. n+1  length of all DNs
    1986. 

  1986.      *    n+2 .. n+3  length of DN 1
    1987. 

  1987.      *    n+4 .. ...  Distinguished Name #1
    1988. 

  1988.      *    ... .. ...  length of DN 2, etc.
    1989. 

  1989.      */
    1990. 

  1990.     buf = ssl->out_msg;
    1991. 

  1991.     p = buf + 4;
    1992. 

  1992. 

  1993.     /*
    1994. 

  1994.      * Supported certificate types
    1995. 

  1995.      *
    1996. 

  1996.      *     ClientCertificateType certificate_types<1..2^8-1>;
    1997. 

  1997.      *     enum { (255) } ClientCertificateType;
    1998. 

  1998.      */
    1999. 

  1999.     ct_len = 0;
    2000. 

  2000. 

  2001. #if defined(POLARSSL_RSA_C)
    2002. 

  2002.     p[1 + ct_len++] = SSL_CERT_TYPE_RSA_SIGN;
    2003. 

  2003. #endif
    2004. 

  2004. #if defined(POLARSSL_ECDSA_C)
    2005. 

  2005.     p[1 + ct_len++] = SSL_CERT_TYPE_ECDSA_SIGN;
    2006. 

  2006. #endif
    2007. 

  2007. 

  2008.     p[0] = (unsigned char) ct_len++;
    2009. 

  2009.     p += ct_len;
    2010. 

  2010. 

  2011.     sa_len = 0;
    2012. 

  2012. #if defined(POLARSSL_SSL_PROTO_TLS1_2)
    2013. 

  2013.     /*
    2014. 

  2014.      * Add signature_algorithms for verify (TLS 1.2)
    2015. 

  2015.      *
    2016. 

  2016.      *     SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
    2017. 

  2017.      *
    2018. 

  2018.      *     struct {
    2019. 

  2019.      *           HashAlgorithm hash;
    2020. 

  2020.      *           SignatureAlgorithm signature;
    2021. 

  2021.      *     } SignatureAndHashAlgorithm;
    2022. 

  2022.      *
    2023. 

  2023.      *     enum { (255) } HashAlgorithm;
    2024. 

  2024.      *     enum { (255) } SignatureAlgorithm;
    2025. 

  2025.      */
    2026. 

  2026.     if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
    2027. 

  2027.     {
    2028. 

  2028.         /*
    2029. 

  2029.          * Only use current running hash algorithm that is already required
    2030. 

  2030.          * for requested ciphersuite.
    2031. 

  2031.          */
    2032. 

  2032.         ssl->handshake->verify_sig_alg = SSL_HASH_SHA256;
    2033. 

  2033. 

  2034.         if( ssl->transform_negotiate->ciphersuite_info->mac ==
    2035. 

  2035.             POLARSSL_MD_SHA384 )
    2036. 

  2036.         {
    2037. 

  2037.             ssl->handshake->verify_sig_alg = SSL_HASH_SHA384;
    2038. 

  2038.         }
    2039. 

  2039. 

  2040.         /*
    2041. 

  2041.          * Supported signature algorithms
    2042. 

  2042.          */
    2043. 

  2043. #if defined(POLARSSL_RSA_C)
    2044. 

  2044.         p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
    2045. 

  2045.         p[2 + sa_len++] = SSL_SIG_RSA;
    2046. 

  2046. #endif
    2047. 

  2047. #if defined(POLARSSL_ECDSA_C)
    2048. 

  2048.         p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
    2049. 

  2049.         p[2 + sa_len++] = SSL_SIG_ECDSA;
    2050. 

  2050. #endif
    2051. 

  2051. 

  2052.         p[0] = (unsigned char)( sa_len >> 8 );
    2053. 

  2053.         p[1] = (unsigned char)( sa_len      );
    2054. 

  2054.         sa_len += 2;
    2055. 

  2055.         p += sa_len;
    2056. 

  2056.     }
    2057. 

  2057. #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
    2058. 

  2058. 

  2059.     /*
    2060. 

  2060.      * DistinguishedName certificate_authorities<0..2^16-1>;
    2061. 

  2061.      * opaque DistinguishedName<1..2^16-1>;
    2062. 

  2062.      */
    2063. 

  2063.     p += 2;
    2064. 

  2064.     crt = ssl->ca_chain;
    2065. 

  2065. 

  2066.     total_dn_size = 0;
    2067. 

  2067.     while( crt != NULL && crt->version != 0 )
    2068. 

  2068.     {
    2069. 

  2069.         if( p - buf > 4096 )
    2070. 

  2070.             break;
    2071. 

  2071. 

  2072.         dn_size = crt->subject_raw.len;
    2073. 

  2073.         *p++ = (unsigned char)( dn_size >> 8 );
    2074. 

  2074.         *p++ = (unsigned char)( dn_size      );
    2075. 

  2075.         memcpy( p, crt->subject_raw.p, dn_size );
    2076. 

  2076.         p += dn_size;
    2077. 

  2077. 

  2078.         SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
    2079. 

  2079. 

  2080.         total_dn_size += 2 + dn_size;
    2081. 

  2081.         crt = crt->next;
    2082. 

  2082.     }
    2083. 

  2083. 

  2084.     ssl->out_msglen  = p - buf;
    2085. 

  2085.     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
    2086. 

  2086.     ssl->out_msg[0]  = SSL_HS_CERTIFICATE_REQUEST;
    2087. 

  2087.     ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size  >> 8 );
    2088. 

  2088.     ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size       );
    2089. 

  2089. 

  2090.     ret = ssl_write_record( ssl );
    2091. 

  2091. 

  2092.     SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
    2093. 

  2093. 

  2094.     return( ret );
    2095. 

  2095. }
    2096. 

  2096. #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
    2097. 

  2097.           !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
    2098. 

  2098.           !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
    2099. 

  2099.           !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
    2100. 

  2100. 

  2101. #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
    2102. 

  2102.     defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
    2103. 

  2103. static int ssl_get_ecdh_params_from_cert( ssl_context *ssl )
    2104. 

  2104. {
    2105. 

  2105.     int ret;
    2106. 

  2106. 

  2107.     if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECKEY ) )
    2108. 

  2108.     {
    2109. 

  2109.         SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
    2110. 

  2110.         return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH );
    2111. 

  2111.     }
    2112. 

  2112. 

  2113.     if( ( ret = ecdh_get_params( &ssl->handshake->ecdh_ctx,
    2114. 

  2114.                                  pk_ec( *ssl_own_key( ssl ) ),
    2115. 

  2115.                                  POLARSSL_ECDH_OURS ) ) != 0 )
    2116. 

  2116.     {
    2117. 

  2117.         SSL_DEBUG_RET( 1, ( "ecdh_get_params" ), ret );
    2118. 

  2118.         return( ret );
    2119. 

  2119.     }
    2120. 

  2120. 

  2121.     return( 0 );
    2122. 

  2122. }
    2123. 

  2123. #endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
    2124. 

  2124.           POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
    2125. 

  2125. 

  2126. static int ssl_write_server_key_exchange( ssl_context *ssl )
    2127. 

  2127. {
    2128. 

  2128.     int ret;
    2129. 

  2129.     size_t n = 0;
    2130. 

  2130.     const ssl_ciphersuite_t *ciphersuite_info =
    2131. 

  2131.                             ssl->transform_negotiate->ciphersuite_info;
    2132. 

  2132. 

  2133. #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
    2134. 

  2134.     defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) ||                       \
    2135. 

  2135.     defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
    2136. 

  2136.     defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                     \
    2137. 

  2137.     defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
    2138. 

  2138.     unsigned char *p = ssl->out_msg + 4;
    2139. 

  2139.     unsigned char *dig_signed = p;
    2140. 

  2140.     size_t dig_signed_len = 0, len;
    2141. 

  2141.     ((void) dig_signed);
    2142. 

  2142.     ((void) dig_signed_len);
    2143. 

  2143. #endif
    2144. 

  2144. 

  2145.     SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
    2146. 

  2146. 

  2147. #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) ||                           \
    2148. 

  2148.     defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) ||                           \
    2149. 

  2149.     defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
    2150. 

  2150.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ||
    2151. 

  2151.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
    2152. 

  2152.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
    2153. 

  2153.     {
    2154. 

  2154.         SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
    2155. 

  2155.         ssl->state++;
    2156. 

  2156.         return( 0 );
    2157. 

  2157.     }
    2158. 

  2158. #endif
    2159. 

  2159. 

  2160. #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
    2161. 

  2161.     defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
    2162. 

  2162.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
    2163. 

  2163.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
    2164. 

  2164.     {
    2165. 

  2165.         ssl_get_ecdh_params_from_cert( ssl );
    2166. 

  2166. 

  2167.         SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
    2168. 

  2168.         ssl->state++;
    2169. 

  2169.         return( 0 );
    2170. 

  2170.     }
    2171. 

  2171. #endif
    2172. 

  2172. 

  2173. #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) ||                       \
    2174. 

  2174.     defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
    2175. 

  2175.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
    2176. 

  2176.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
    2177. 

  2177.     {
    2178. 

  2178.         /* TODO: Support identity hints */
    2179. 

  2179.         *(p++) = 0x00;
    2180. 

  2180.         *(p++) = 0x00;
    2181. 

  2181. 

  2182.         n += 2;
    2183. 

  2183.     }
    2184. 

  2184. #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED ||
    2185. 

  2185.           POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
    2186. 

  2186. 

  2187. #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
    2188. 

  2188.     defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
    2189. 

  2189.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
    2190. 

  2190.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
    2191. 

  2191.     {
    2192. 

  2192.         /*
    2193. 

  2193.          * Ephemeral DH parameters:
    2194. 

  2194.          *
    2195. 

  2195.          * struct {
    2196. 

  2196.          *     opaque dh_p<1..2^16-1>;
    2197. 

  2197.          *     opaque dh_g<1..2^16-1>;
    2198. 

  2198.          *     opaque dh_Ys<1..2^16-1>;
    2199. 

  2199.          * } ServerDHParams;
    2200. 

  2200.          */
    2201. 

  2201.         if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
    2202. 

  2202.             ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
    2203. 

  2203.         {
    2204. 

  2204.             SSL_DEBUG_RET( 1, "mpi_copy", ret );
    2205. 

  2205.             return( ret );
    2206. 

  2206.         }
    2207. 

  2207. 

  2208.         if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
    2209. 

  2209.                         (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
    2210. 

  2210.                         p, &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
    2211. 

  2211.         {
    2212. 

  2212.             SSL_DEBUG_RET( 1, "dhm_make_params", ret );
    2213. 

  2213.             return( ret );
    2214. 

  2214.         }
    2215. 

  2215. 

  2216.         dig_signed = p;
    2217. 

  2217.         dig_signed_len = len;
    2218. 

  2218. 

  2219.         p += len;
    2220. 

  2220.         n += len;
    2221. 

  2221. 

  2222.         SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X  );
    2223. 

  2223.         SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P  );
    2224. 

  2224.         SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G  );
    2225. 

  2225.         SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
    2226. 

  2226.     }
    2227. 

  2227. #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
    2228. 

  2228.           POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
    2229. 

  2229. 

  2230. #if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
    2231. 

  2231.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
    2232. 

  2232.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
    2233. 

  2233.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
    2234. 

  2234.     {
    2235. 

  2235.         /*
    2236. 

  2236.          * Ephemeral ECDH parameters:
    2237. 

  2237.          *
    2238. 

  2238.          * struct {
    2239. 

  2239.          *     ECParameters curve_params;
    2240. 

  2240.          *     ECPoint      public;
    2241. 

  2241.          * } ServerECDHParams;
    2242. 

  2242.          */
    2243. 

  2243.         const ecp_curve_info **curve = NULL;
    2244. 

  2244. #if defined(POLARSSL_SSL_SET_CURVES)
    2245. 

  2245.         const ecp_group_id *gid;
    2246. 

  2246. 

  2247.         /* Match our preference list against the offered curves */
    2248. 

  2248.         for( gid = ssl->curve_list; *gid != POLARSSL_ECP_DP_NONE; gid++ )
    2249. 

  2249.             for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
    2250. 

  2250.                 if( (*curve)->grp_id == *gid )
    2251. 

  2251.                     goto curve_matching_done;
    2252. 

  2252. 

  2253. curve_matching_done:
    2254. 

  2254. #else
    2255. 

  2255.         curve = ssl->handshake->curves;
    2256. 

  2256. #endif
    2257. 

  2257. 

  2258.         if( *curve == NULL )
    2259. 

  2259.         {
    2260. 

  2260.             SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
    2261. 

  2261.             return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
    2262. 

  2262.         }
    2263. 

  2263. 

  2264.         SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
    2265. 

  2265. 

  2266.         if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
    2267. 

  2267.                                        (*curve)->grp_id ) ) != 0 )
    2268. 

  2268.         {
    2269. 

  2269.             SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
    2270. 

  2270.             return( ret );
    2271. 

  2271.         }
    2272. 

  2272. 

  2273.         if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
    2274. 

  2274.                                       p, SSL_MAX_CONTENT_LEN - n,
    2275. 

  2275.                                       ssl->f_rng, ssl->p_rng ) ) != 0 )
    2276. 

  2276.         {
    2277. 

  2277.             SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
    2278. 

  2278.             return( ret );
    2279. 

  2279.         }
    2280. 

  2280. 

  2281.         dig_signed = p;
    2282. 

  2282.         dig_signed_len = len;
    2283. 

  2283. 

  2284.         p += len;
    2285. 

  2285.         n += len;
    2286. 

  2286. 

  2287.         SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
    2288. 

  2288.     }
    2289. 

  2289. #endif /* POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
    2290. 

  2290. 

  2291. #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
    2292. 

  2292.     defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
    2293. 

  2293.     defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
    2294. 

  2294.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
    2295. 

  2295.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
    2296. 

  2296.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
    2297. 

  2297.     {
    2298. 

  2298.         size_t signature_len = 0;
    2299. 

  2299.         unsigned int hashlen = 0;
    2300. 

  2300.         unsigned char hash[64];
    2301. 

  2301.         md_type_t md_alg = POLARSSL_MD_NONE;
    2302. 

  2302. 

  2303.         /*
    2304. 

  2304.          * Choose hash algorithm. NONE means MD5 + SHA1 here.
    2305. 

  2305.          */
    2306. 

  2306. #if defined(POLARSSL_SSL_PROTO_TLS1_2)
    2307. 

  2307.         if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
    2308. 

  2308.         {
    2309. 

  2309.             md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg );
    2310. 

  2310. 

  2311.             if( md_alg == POLARSSL_MD_NONE )
    2312. 

  2312.             {
    2313. 

  2313.                 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    2314. 

  2314.                 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
    2315. 

  2315.             }
    2316. 

  2316.         }
    2317. 

  2317.         else
    2318. 

  2318. #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
    2319. 

  2319. #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
    2320. 

  2320.     defined(POLARSSL_SSL_PROTO_TLS1_1)
    2321. 

  2321.         if( ciphersuite_info->key_exchange ==
    2322. 

  2322.                   POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
    2323. 

  2323.         {
    2324. 

  2324.             md_alg = POLARSSL_MD_SHA1;
    2325. 

  2325.         }
    2326. 

  2326.         else
    2327. 

  2327. #endif
    2328. 

  2328.         {
    2329. 

  2329.             md_alg = POLARSSL_MD_NONE;
    2330. 

  2330.         }
    2331. 

  2331. 

  2332.         /*
    2333. 

  2333.          * Compute the hash to be signed
    2334. 

  2334.          */
    2335. 

  2335. #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
    2336. 

  2336.     defined(POLARSSL_SSL_PROTO_TLS1_1)
    2337. 

  2337.         if( md_alg == POLARSSL_MD_NONE )
    2338. 

  2338.         {
    2339. 

  2339.             md5_context md5;
    2340. 

  2340.             sha1_context sha1;
    2341. 

  2341. 

  2342.             md5_init(  &md5  );
    2343. 

  2343.             sha1_init( &sha1 );
    2344. 

  2344. 

  2345.             /*
    2346. 

  2346.              * digitally-signed struct {
    2347. 

  2347.              *     opaque md5_hash[16];
    2348. 

  2348.              *     opaque sha_hash[20];
    2349. 

  2349.              * };
    2350. 

  2350.              *
    2351. 

  2351.              * md5_hash
    2352. 

  2352.              *     MD5(ClientHello.random + ServerHello.random
    2353. 

  2353.              *                            + ServerParams);
    2354. 

  2354.              * sha_hash
    2355. 

  2355.              *     SHA(ClientHello.random + ServerHello.random
    2356. 

  2356.              *                            + ServerParams);
    2357. 

  2357.              */
    2358. 

  2358.             md5_starts( &md5 );
    2359. 

  2359.             md5_update( &md5, ssl->handshake->randbytes,  64 );
    2360. 

  2360.             md5_update( &md5, dig_signed, dig_signed_len );
    2361. 

  2361.             md5_finish( &md5, hash );
    2362. 

  2362. 

  2363.             sha1_starts( &sha1 );
    2364. 

  2364.             sha1_update( &sha1, ssl->handshake->randbytes,  64 );
    2365. 

  2365.             sha1_update( &sha1, dig_signed, dig_signed_len );
    2366. 

  2366.             sha1_finish( &sha1, hash + 16 );
    2367. 

  2367. 

  2368.             hashlen = 36;
    2369. 

  2369. 

  2370.             md5_free(  &md5  );
    2371. 

  2371.             sha1_free( &sha1 );
    2372. 

  2372.         }
    2373. 

  2373.         else
    2374. 

  2374. #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
    2375. 

  2375.           POLARSSL_SSL_PROTO_TLS1_1 */
    2376. 

  2376. #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
    2377. 

  2377.     defined(POLARSSL_SSL_PROTO_TLS1_2)
    2378. 

  2378.         if( md_alg != POLARSSL_MD_NONE )
    2379. 

  2379.         {
    2380. 

  2380.             md_context_t ctx;
    2381. 

  2381.             const md_info_t *md_info = md_info_from_type( md_alg );
    2382. 

  2382. 

  2383.             md_init( &ctx );
    2384. 

  2384. 

  2385.             /* Info from md_alg will be used instead */
    2386. 

  2386.             hashlen = 0;
    2387. 

  2387. 

  2388.             /*
    2389. 

  2389.              * digitally-signed struct {
    2390. 

  2390.              *     opaque client_random[32];
    2391. 

  2391.              *     opaque server_random[32];
    2392. 

  2392.              *     ServerDHParams params;
    2393. 

  2393.              * };
    2394. 

  2394.              */
    2395. 

  2395.             if( ( ret = md_init_ctx( &ctx, md_info ) ) != 0 )
    2396. 

  2396.             {
    2397. 

  2397.                 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
    2398. 

  2398.                 return( ret );
    2399. 

  2399.             }
    2400. 

  2400. 

  2401.             md_starts( &ctx );
    2402. 

  2402.             md_update( &ctx, ssl->handshake->randbytes, 64 );
    2403. 

  2403.             md_update( &ctx, dig_signed, dig_signed_len );
    2404. 

  2404.             md_finish( &ctx, hash );
    2405. 

  2405.             md_free( &ctx );
    2406. 

  2406.         }
    2407. 

  2407.         else
    2408. 

  2408. #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
    2409. 

  2409.           POLARSSL_SSL_PROTO_TLS1_2 */
    2410. 

  2410.         {
    2411. 

  2411.             SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    2412. 

  2412.             return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
    2413. 

  2413.         }
    2414. 

  2414. 

  2415.         SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
    2416. 

  2416.                 (unsigned int) ( md_info_from_type( md_alg ) )->size );
    2417. 

  2417. 

  2418.         /*
    2419. 

  2419.          * Make the signature
    2420. 

  2420.          */
    2421. 

  2421.         if( ssl_own_key( ssl ) == NULL )
    2422. 

  2422.         {
    2423. 

  2423.             SSL_DEBUG_MSG( 1, ( "got no private key" ) );
    2424. 

  2424.             return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
    2425. 

  2425.         }
    2426. 

  2426. 

  2427. #if defined(POLARSSL_SSL_PROTO_TLS1_2)
    2428. 

  2428.         if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
    2429. 

  2429.         {
    2430. 

  2430.             *(p++) = ssl->handshake->sig_alg;
    2431. 

  2431.             *(p++) = ssl_sig_from_pk( ssl_own_key( ssl ) );
    2432. 

  2432. 

  2433.             n += 2;
    2434. 

  2434.         }
    2435. 

  2435. #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
    2436. 

  2436. 

  2437.         if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash, hashlen,
    2438. 

  2438.                         p + 2 , &signature_len,
    2439. 

  2439.                         ssl->f_rng, ssl->p_rng ) ) != 0 )
    2440. 

  2440.         {
    2441. 

  2441.             SSL_DEBUG_RET( 1, "pk_sign", ret );
    2442. 

  2442.             return( ret );
    2443. 

  2443.         }
    2444. 

  2444. 

  2445.         *(p++) = (unsigned char)( signature_len >> 8 );
    2446. 

  2446.         *(p++) = (unsigned char)( signature_len      );
    2447. 

  2447.         n += 2;
    2448. 

  2448. 

  2449.         SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
    2450. 

  2450. 

  2451.         p += signature_len;
    2452. 

  2452.         n += signature_len;
    2453. 

  2453.     }
    2454. 

  2454. #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
    2455. 

  2455.           POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
    2456. 

  2456.           POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
    2457. 

  2457. 

  2458.     ssl->out_msglen  = 4 + n;
    2459. 

  2459.     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
    2460. 

  2460.     ssl->out_msg[0]  = SSL_HS_SERVER_KEY_EXCHANGE;
    2461. 

  2461. 

  2462.     ssl->state++;
    2463. 

  2463. 

  2464.     if( ( ret = ssl_write_record( ssl ) ) != 0 )
    2465. 

  2465.     {
    2466. 

  2466.         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
    2467. 

  2467.         return( ret );
    2468. 

  2468.     }
    2469. 

  2469. 

  2470.     SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
    2471. 

  2471. 

  2472.     return( 0 );
    2473. 

  2473. }
    2474. 

  2474. 

  2475. static int ssl_write_server_hello_done( ssl_context *ssl )
    2476. 

  2476. {
    2477. 

  2477.     int ret;
    2478. 

  2478. 

  2479.     SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
    2480. 

  2480. 

  2481.     ssl->out_msglen  = 4;
    2482. 

  2482.     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
    2483. 

  2483.     ssl->out_msg[0]  = SSL_HS_SERVER_HELLO_DONE;
    2484. 

  2484. 

  2485.     ssl->state++;
    2486. 

  2486. 

  2487.     if( ( ret = ssl_write_record( ssl ) ) != 0 )
    2488. 

  2488.     {
    2489. 

  2489.         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
    2490. 

  2490.         return( ret );
    2491. 

  2491.     }
    2492. 

  2492. 

  2493.     SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
    2494. 

  2494. 

  2495.     return( 0 );
    2496. 

  2496. }
    2497. 

  2497. 

  2498. #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
    2499. 

  2499.     defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
    2500. 

  2500. static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
    2501. 

  2501.                                        const unsigned char *end )
    2502. 

  2502. {
    2503. 

  2503.     int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
    2504. 

  2504.     size_t n;
    2505. 

  2505. 

  2506.     /*
    2507. 

  2507.      * Receive G^Y mod P, premaster = (G^Y)^X mod P
    2508. 

  2508.      */
    2509. 

  2509.     if( *p + 2 > end )
    2510. 

  2510.     {
    2511. 

  2511.         SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
    2512. 

  2512.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
    2513. 

  2513.     }
    2514. 

  2514. 

  2515.     n = ( (*p)[0] << 8 ) | (*p)[1];
    2516. 

  2516.     *p += 2;
    2517. 

  2517. 

  2518.     if( *p + n > end )
    2519. 

  2519.     {
    2520. 

  2520.         SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
    2521. 

  2521.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
    2522. 

  2522.     }
    2523. 

  2523. 

  2524.     if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
    2525. 

  2525.     {
    2526. 

  2526.         SSL_DEBUG_RET( 1, "dhm_read_public", ret );
    2527. 

  2527.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
    2528. 

  2528.     }
    2529. 

  2529. 

  2530.     *p += n;
    2531. 

  2531. 

  2532.     SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
    2533. 

  2533. 

  2534.     return( ret );
    2535. 

  2535. }
    2536. 

  2536. #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
    2537. 

  2537.           POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
    2538. 

  2538. 

  2539. #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) ||                           \
    2540. 

  2540.     defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
    2541. 

  2541. static int ssl_parse_encrypted_pms( ssl_context *ssl,
    2542. 

  2542.                                     const unsigned char *p,
    2543. 

  2543.                                     const unsigned char *end,
    2544. 

  2544.                                     size_t pms_offset )
    2545. 

  2545. {
    2546. 

  2546.     int ret;
    2547. 

  2547.     size_t len = pk_get_len( ssl_own_key( ssl ) );
    2548. 

  2548.     unsigned char *pms = ssl->handshake->premaster + pms_offset;
    2549. 

  2549. 

  2550.     if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) )
    2551. 

  2551.     {
    2552. 

  2552.         SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
    2553. 

  2553.         return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
    2554. 

  2554.     }
    2555. 

  2555. 

  2556.     /*
    2557. 

  2557.      * Decrypt the premaster using own private RSA key
    2558. 

  2558.      */
    2559. 

  2559. #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
    2560. 

  2560.     defined(POLARSSL_SSL_PROTO_TLS1_2)
    2561. 

  2561.     if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
    2562. 

  2562.     {
    2563. 

  2563.         if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
    2564. 

  2564.             *p++ != ( ( len      ) & 0xFF ) )
    2565. 

  2565.         {
    2566. 

  2566.             SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
    2567. 

  2567.             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
    2568. 

  2568.         }
    2569. 

  2569.     }
    2570. 

  2570. #endif
    2571. 

  2571. 

  2572.     if( p + len != end )
    2573. 

  2573.     {
    2574. 

  2574.         SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
    2575. 

  2575.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
    2576. 

  2576.     }
    2577. 

  2577. 

  2578.     ret = pk_decrypt( ssl_own_key( ssl ), p, len,
    2579. 

  2579.                       pms, &ssl->handshake->pmslen,
    2580. 

  2580.                       sizeof( ssl->handshake->premaster ) - pms_offset,
    2581. 

  2581.                       ssl->f_rng, ssl->p_rng );
    2582. 

  2582. 

  2583.     if( ret != 0 || ssl->handshake->pmslen != 48 ||
    2584. 

  2584.         pms[0] != ssl->handshake->max_major_ver ||
    2585. 

  2585.         pms[1] != ssl->handshake->max_minor_ver )
    2586. 

  2586.     {
    2587. 

  2587.         SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
    2588. 

  2588. 

  2589.         /*
    2590. 

  2590.          * Protection against Bleichenbacher's attack:
    2591. 

  2591.          * invalid PKCS#1 v1.5 padding must not cause
    2592. 

  2592.          * the connection to end immediately; instead,
    2593. 

  2593.          * send a bad_record_mac later in the handshake.
    2594. 

  2594.          */
    2595. 

  2595.         ssl->handshake->pmslen = 48;
    2596. 

  2596. 

  2597.         ret = ssl->f_rng( ssl->p_rng, pms, ssl->handshake->pmslen );
    2598. 

  2598.         if( ret != 0 )
    2599. 

  2599.             return( ret );
    2600. 

  2600.     }
    2601. 

  2601. 

  2602.     return( ret );
    2603. 

  2603. }
    2604. 

  2604. #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED ||
    2605. 

  2605.           POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
    2606. 

  2606. 

  2607. #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
    2608. 

  2608. static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
    2609. 

  2609.                                           const unsigned char *end )
    2610. 

  2610. {
    2611. 

  2611.     int ret = 0;
    2612. 

  2612.     size_t n;
    2613. 

  2613. 

  2614.     if( ssl->f_psk == NULL &&
    2615. 

  2615.         ( ssl->psk == NULL || ssl->psk_identity == NULL ||
    2616. 

  2616.           ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
    2617. 

  2617.     {
    2618. 

  2618.         SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
    2619. 

  2619.         return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
    2620. 

  2620.     }
    2621. 

  2621. 

  2622.     /*
    2623. 

  2623.      * Receive client pre-shared key identity name
    2624. 

  2624.      */
    2625. 

  2625.     if( *p + 2 > end )
    2626. 

  2626.     {
    2627. 

  2627.         SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
    2628. 

  2628.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
    2629. 

  2629.     }
    2630. 

  2630. 

  2631.     n = ( (*p)[0] << 8 ) | (*p)[1];
    2632. 

  2632.     *p += 2;
    2633. 

  2633. 

  2634.     if( n < 1 || n > 65535 || *p + n > end )
    2635. 

  2635.     {
    2636. 

  2636.         SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
    2637. 

  2637.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
    2638. 

  2638.     }
    2639. 

  2639. 

  2640.     if( ssl->f_psk != NULL )
    2641. 

  2641.     {
    2642. 

  2642.         if( ssl->f_psk( ssl->p_psk, ssl, *p, n ) != 0 )
    2643. 

  2643.             ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
    2644. 

  2644.     }
    2645. 

  2645.     else
    2646. 

  2646.     {
    2647. 

  2647.         /* Identity is not a big secret since clients send it in the clear,
    2648. 

  2648.          * but treat it carefully anyway, just in case */
    2649. 

  2649.         if( n != ssl->psk_identity_len ||
    2650. 

  2650.             safer_memcmp( ssl->psk_identity, *p, n ) != 0 )
    2651. 

  2651.         {
    2652. 

  2652.             ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
    2653. 

  2653.         }
    2654. 

  2654.     }
    2655. 

  2655. 

  2656.     if( ret == POLARSSL_ERR_SSL_UNKNOWN_IDENTITY )
    2657. 

  2657.     {
    2658. 

  2658.         SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
    2659. 

  2659.         if( ( ret = ssl_send_alert_message( ssl,
    2660. 

  2660.                               SSL_ALERT_LEVEL_FATAL,
    2661. 

  2661.                               SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 )
    2662. 

  2662.         {
    2663. 

  2663.             return( ret );
    2664. 

  2664.         }
    2665. 

  2665. 

  2666.         return( POLARSSL_ERR_SSL_UNKNOWN_IDENTITY );
    2667. 

  2667.     }
    2668. 

  2668. 

  2669.     *p += n;
    2670. 

  2670. 

  2671.     return( 0 );
    2672. 

  2672. }
    2673. 

  2673. #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
    2674. 

  2674. 

  2675. static int ssl_parse_client_key_exchange( ssl_context *ssl )
    2676. 

  2676. {
    2677. 

  2677.     int ret;
    2678. 

  2678.     const ssl_ciphersuite_t *ciphersuite_info;
    2679. 

  2679. 

  2680.     ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
    2681. 

  2681. 

  2682.     SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
    2683. 

  2683. 

  2684.     if( ( ret = ssl_read_record( ssl ) ) != 0 )
    2685. 

  2685.     {
    2686. 

  2686.         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
    2687. 

  2687.         return( ret );
    2688. 

  2688.     }
    2689. 

  2689. 

  2690.     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
    2691. 

  2691.     {
    2692. 

  2692.         SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
    2693. 

  2693.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
    2694. 

  2694.     }
    2695. 

  2695. 

  2696.     if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
    2697. 

  2697.     {
    2698. 

  2698.         SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
    2699. 

  2699.         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
    2700. 

  2700.     }
    2701. 

  2701. 

  2702. #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
    2703. 

  2703.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
    2704. 

  2704.     {
    2705. 

  2705.         unsigned char *p = ssl->in_msg + 4;
    2706. 

  2706.         unsigned char *end = ssl->in_msg + ssl->in_hslen;
    2707. 

  2707. 

  2708.         if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
    2709. 

  2709.         {
    2710. 

  2710.             SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
    2711. 

  2711.             return( ret );
    2712. 

  2712.         }
    2713. 

  2713. 

  2714.         if( p != end )
    2715. 

  2715.         {
    2716. 

  2716.             SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
    2717. 

  2717.             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
    2718. 

  2718.         }
    2719. 

  2719. 

  2720.         ssl->handshake->pmslen = POLARSSL_PREMASTER_SIZE;
    2721. 

  2721. 

  2722.         if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
    2723. 

  2723.                                       ssl->handshake->premaster,
    2724. 

  2724.                                      &ssl->handshake->pmslen,
    2725. 

  2725.                                       ssl->f_rng, ssl->p_rng ) ) != 0 )
    2726. 

  2726.         {
    2727. 

  2727.             SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
    2728. 

  2728.             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
    2729. 

  2729.         }
    2730. 

  2730. 

  2731.         SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
    2732. 

  2732.     }
    2733. 

  2733.     else
    2734. 

  2734. #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
    2735. 

  2735. #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
    2736. 

  2736.     defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
    2737. 

  2737.     defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
    2738. 

  2738.     defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
    2739. 

  2739.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
    2740. 

  2740.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
    2741. 

  2741.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
    2742. 

  2742.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
    2743. 

  2743.     {
    2744. 

  2744.         if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
    2745. 

  2745.                         ssl->in_msg + 4, ssl->in_hslen - 4 ) ) != 0 )
    2746. 

  2746.         {
    2747. 

  2747.             SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
    2748. 

  2748.             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
    2749. 

  2749.         }
    2750. 

  2750. 

  2751.         SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
    2752. 

  2752. 

  2753.         if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
    2754. 

  2754.                                       &ssl->handshake->pmslen,
    2755. 

  2755.                                        ssl->handshake->premaster,
    2756. 

  2756.                                        POLARSSL_MPI_MAX_SIZE,
    2757. 

  2757.                                        ssl->f_rng, ssl->p_rng ) ) != 0 )
    2758. 

  2758.         {
    2759. 

  2759.             SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
    2760. 

  2760.             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
    2761. 

  2761.         }
    2762. 

  2762. 

  2763.         SSL_DEBUG_MPI( 3, "ECDH: z  ", &ssl->handshake->ecdh_ctx.z );
    2764. 

  2764.     }
    2765. 

  2765.     else
    2766. 

  2766. #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
    2767. 

  2767.           POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
    2768. 

  2768.           POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
    2769. 

  2769.           POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
    2770. 

  2770. #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
    2771. 

  2771.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
    2772. 

  2772.     {
    2773. 

  2773.         unsigned char *p = ssl->in_msg + 4;
    2774. 

  2774.         unsigned char *end = ssl->in_msg + ssl->in_hslen;
    2775. 

  2775. 

  2776.         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
    2777. 

  2777.         {
    2778. 

  2778.             SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
    2779. 

  2779.             return( ret );
    2780. 

  2780.         }
    2781. 

  2781. 

  2782.         if( p != end )
    2783. 

  2783.         {
    2784. 

  2784.             SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
    2785. 

  2785.             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
    2786. 

  2786.         }
    2787. 

  2787. 

  2788.         if( ( ret = ssl_psk_derive_premaster( ssl,
    2789. 

  2789.                         ciphersuite_info->key_exchange ) ) != 0 )
    2790. 

  2790.         {
    2791. 

  2791.             SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
    2792. 

  2792.             return( ret );
    2793. 

  2793.         }
    2794. 

  2794.     }
    2795. 

  2795.     else
    2796. 

  2796. #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
    2797. 

  2797. #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
    2798. 

  2798.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
    2799. 

  2799.     {
    2800. 

  2800.         unsigned char *p = ssl->in_msg + 4;
    2801. 

  2801.         unsigned char *end = ssl->in_msg + ssl->in_hslen;
    2802. 

  2802. 

  2803.         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
    2804. 

  2804.         {
    2805. 

  2805.             SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
    2806. 

  2806.             return( ret );
    2807. 

  2807.         }
    2808. 

  2808. 

  2809.         if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
    2810. 

  2810.         {
    2811. 

  2811.             SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
    2812. 

  2812.             return( ret );
    2813. 

  2813.         }
    2814. 

  2814. 

  2815.         if( ( ret = ssl_psk_derive_premaster( ssl,
    2816. 

  2816.                         ciphersuite_info->key_exchange ) ) != 0 )
    2817. 

  2817.         {
    2818. 

  2818.             SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
    2819. 

  2819.             return( ret );
    2820. 

  2820.         }
    2821. 

  2821.     }
    2822. 

  2822.     else
    2823. 

  2823. #endif /* POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
    2824. 

  2824. #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
    2825. 

  2825.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
    2826. 

  2826.     {
    2827. 

  2827.         unsigned char *p = ssl->in_msg + 4;
    2828. 

  2828.         unsigned char *end = ssl->in_msg + ssl->in_hslen;
    2829. 

  2829. 

  2830.         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
    2831. 

  2831.         {
    2832. 

  2832.             SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
    2833. 

  2833.             return( ret );
    2834. 

  2834.         }
    2835. 

  2835.         if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
    2836. 

  2836.         {
    2837. 

  2837.             SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
    2838. 

  2838.             return( ret );
    2839. 

  2839.         }
    2840. 

  2840. 

  2841.         if( p != end )
    2842. 

  2842.         {
    2843. 

  2843.             SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
    2844. 

  2844.             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
    2845. 

  2845.         }
    2846. 

  2846. 

  2847.         if( ( ret = ssl_psk_derive_premaster( ssl,
    2848. 

  2848.                         ciphersuite_info->key_exchange ) ) != 0 )
    2849. 

  2849.         {
    2850. 

  2850.             SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
    2851. 

  2851.             return( ret );
    2852. 

  2852.         }
    2853. 

  2853.     }
    2854. 

  2854.     else
    2855. 

  2855. #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
    2856. 

  2856. #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
    2857. 

  2857.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
    2858. 

  2858.     {
    2859. 

  2859.         unsigned char *p = ssl->in_msg + 4;
    2860. 

  2860.         unsigned char *end = ssl->in_msg + ssl->in_hslen;
    2861. 

  2861. 

  2862.         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
    2863. 

  2863.         {
    2864. 

  2864.             SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
    2865. 

  2865.             return( ret );
    2866. 

  2866.         }
    2867. 

  2867. 

  2868.         if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
    2869. 

  2869.                                        p, end - p ) ) != 0 )
    2870. 

  2870.         {
    2871. 

  2871.             SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
    2872. 

  2872.             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
    2873. 

  2873.         }
    2874. 

  2874. 

  2875.         SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
    2876. 

  2876. 

  2877.         if( ( ret = ssl_psk_derive_premaster( ssl,
    2878. 

  2878.                         ciphersuite_info->key_exchange ) ) != 0 )
    2879. 

  2879.         {
    2880. 

  2880.             SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
    2881. 

  2881.             return( ret );
    2882. 

  2882.         }
    2883. 

  2883.     }
    2884. 

  2884.     else
    2885. 

  2885. #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
    2886. 

  2886. #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
    2887. 

  2887.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
    2888. 

  2888.     {
    2889. 

  2889.         if( ( ret = ssl_parse_encrypted_pms( ssl,
    2890. 

  2890.                                              ssl->in_msg + 4,
    2891. 

  2891.                                              ssl->in_msg + ssl->in_hslen,
    2892. 

  2892.                                              0 ) ) != 0 )
    2893. 

  2893.         {
    2894. 

  2894.             SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
    2895. 

  2895.             return( ret );
    2896. 

  2896.         }
    2897. 

  2897.     }
    2898. 

  2898.     else
    2899. 

  2899. #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
    2900. 

  2900.     {
    2901. 

  2901.         SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    2902. 

  2902.         return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
    2903. 

  2903.     }
    2904. 

  2904. 

  2905.     if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
    2906. 

  2906.     {
    2907. 

  2907.         SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
    2908. 

  2908.         return( ret );
    2909. 

  2909.     }
    2910. 

  2910. 

  2911.     ssl->state++;
    2912. 

  2912. 

  2913.     SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
    2914. 

  2914. 

  2915.     return( 0 );
    2916. 

  2916. }
    2917. 

  2917. 

  2918. #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)       && \
    2919. 

  2919.     !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
    2920. 

  2920.     !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
    2921. 

  2921.     !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
    2922. 

  2922. static int ssl_parse_certificate_verify( ssl_context *ssl )
    2923. 

  2923. {
    2924. 

  2924.     const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
    2925. 

  2925. 

  2926.     SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
    2927. 

  2927. 

  2928.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
    2929. 

  2929.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
    2930. 

  2930.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
    2931. 

  2931.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
    2932. 

  2932.     {
    2933. 

  2933.         SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
    2934. 

  2934.         ssl->state++;
    2935. 

  2935.         return( 0 );
    2936. 

  2936.     }
    2937. 

  2937. 

  2938.     SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    2939. 

  2939.     return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
    2940. 

  2940. }
    2941. 

  2941. #else
    2942. 

  2942. static int ssl_parse_certificate_verify( ssl_context *ssl )
    2943. 

  2943. {
    2944. 

  2944.     int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
    2945. 

  2945.     size_t sa_len, sig_len;
    2946. 

  2946.     unsigned char hash[48];
    2947. 

  2947.     unsigned char *hash_start = hash;
    2948. 

  2948.     size_t hashlen;
    2949. 

  2949. #if defined(POLARSSL_SSL_PROTO_TLS1_2)
    2950. 

  2950.     pk_type_t pk_alg;
    2951. 

  2951. #endif
    2952. 

  2952.     md_type_t md_alg;
    2953. 

  2953.     const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
    2954. 

  2954. 

  2955.     SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
    2956. 

  2956. 

  2957.     if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
    2958. 

  2958.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
    2959. 

  2959.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
    2960. 

  2960.         ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
    2961. 

  2961.     {
    2962. 

  2962.         SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
    2963. 

  2963.         ssl->state++;
    2964. 

  2964.         return( 0 );
    2965. 

  2965.     }
    2966. 

  2966. 

  2967.     if( ssl->session_negotiate->peer_cert == NULL )
    2968. 

  2968.     {
    2969. 

  2969.         SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
    2970. 

  2970.         ssl->state++;
    2971. 

  2971.         return( 0 );
    2972. 

  2972.     }
    2973. 

  2973. 

  2974.     ssl->handshake->calc_verify( ssl, hash );
    2975. 

  2975. 

  2976.     if( ( ret = ssl_read_record( ssl ) ) != 0 )
    2977. 

  2977.     {
    2978. 

  2978.         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
    2979. 

  2979.         return( ret );
    2980. 

  2980.     }
    2981. 

  2981. 

  2982.     ssl->state++;
    2983. 

  2983. 

  2984.     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
    2985. 

  2985.     {
    2986. 

  2986.         SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
    2987. 

  2987.         return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
    2988. 

  2988.     }
    2989. 

  2989. 

  2990.     if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
    2991. 

  2991.     {
    2992. 

  2992.         SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
    2993. 

  2993.         return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
    2994. 

  2994.     }
    2995. 

  2995. 

  2996.     /*
    2997. 

  2997.      *     0  .   0   handshake type
    2998. 

  2998.      *     1  .   3   handshake length
    2999. 

  2999.      *     4  .   5   sig alg (TLS 1.2 only)
    3000. 

  3000.      *    4+n .  5+n  signature length (n = sa_len)
    3001. 

  3001.      *    6+n . 6+n+m signature (m = sig_len)
    3002. 

  3002.      */
    3003. 

  3003. 

  3004. #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
    3005. 

  3005.     defined(POLARSSL_SSL_PROTO_TLS1_1)
    3006. 

  3006.     if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
    3007. 

  3007.     {
    3008. 

  3008.         sa_len = 0;
    3009. 

  3009. 

  3010.         md_alg = POLARSSL_MD_NONE;
    3011. 

  3011.         hashlen = 36;
    3012. 

  3012. 

  3013.         /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
    3014. 

  3014.         if( pk_can_do( &ssl->session_negotiate->peer_cert->pk,
    3015. 

  3015.                         POLARSSL_PK_ECDSA ) )
    3016. 

  3016.         {
    3017. 

  3017.             hash_start += 16;
    3018. 

  3018.             hashlen -= 16;
    3019. 

  3019.             md_alg = POLARSSL_MD_SHA1;
    3020. 

  3020.         }
    3021. 

  3021.     }
    3022. 

  3022.     else
    3023. 

  3023. #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 ||
    3024. 

  3024.           POLARSSL_SSL_PROTO_TLS1_1 */
    3025. 

  3025. #if defined(POLARSSL_SSL_PROTO_TLS1_2)
    3026. 

  3026.     if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
    3027. 

  3027.     {
    3028. 

  3028.         sa_len = 2;
    3029. 

  3029. 

  3030.         /*
    3031. 

  3031.          * Hash
    3032. 

  3032.          */
    3033. 

  3033.         if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg )
    3034. 

  3034.         {
    3035. 

  3035.             SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
    3036. 

  3036.                                 " for verify message" ) );
    3037. 

  3037.             return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
    3038. 

  3038.         }
    3039. 

  3039. 

  3040.         md_alg = ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg );
    3041. 

  3041. 

  3042.         /* Info from md_alg will be used instead */
    3043. 

  3043.         hashlen = 0;
    3044. 

  3044. 

  3045.         /*
    3046. 

  3046.          * Signature
    3047. 

  3047.          */
    3048. 

  3048.         if( ( pk_alg = ssl_pk_alg_from_sig( ssl->in_msg[5] ) )
    3049. 

  3049.                         == POLARSSL_PK_NONE )
    3050. 

  3050.         {
    3051. 

  3051.             SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
    3052. 

  3052.                                 " for verify message" ) );
    3053. 

  3053.             return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
    3054. 

  3054.         }
    3055. 

  3055. 

  3056.         /*
    3057. 

  3057.          * Check the certificate's key type matches the signature alg
    3058. 

  3058.          */
    3059. 

  3059.         if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
    3060. 

  3060.         {
    3061. 

  3061.             SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
    3062. 

  3062.             return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
    3063. 

  3063.         }
    3064. 

  3064.     }
    3065. 

  3065.     else
    3066. 

  3066. #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
    3067. 

  3067.     {
    3068. 

  3068.         SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    3069. 

  3069.         return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
    3070. 

  3070.     }
    3071. 

  3071. 

  3072.     sig_len = ( ssl->in_msg[4 + sa_len] << 8 ) | ssl->in_msg[5 + sa_len];
    3073. 

  3073. 

  3074.     if( sa_len + sig_len + 6 != ssl->in_hslen )
    3075. 

  3075.     {
    3076. 

  3076.         SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
    3077. 

  3077.         return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
    3078. 

  3078.     }
    3079. 

  3079. 

  3080.     if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
    3081. 

  3081.                            md_alg, hash_start, hashlen,
    3082. 

  3082.                            ssl->in_msg + 6 + sa_len, sig_len ) ) != 0 )
    3083. 

  3083.     {
    3084. 

  3084.         SSL_DEBUG_RET( 1, "pk_verify", ret );
    3085. 

  3085.         return( ret );
    3086. 

  3086.     }
    3087. 

  3087. 

  3088.     SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
    3089. 

  3089. 

  3090.     return( ret );
    3091. 

  3091. }
    3092. 

  3092. #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
    3093. 

  3093.           !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
    3094. 

  3094.           !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
    3095. 

  3095. 

  3096. #if defined(POLARSSL_SSL_SESSION_TICKETS)
    3097. 

  3097. static int ssl_write_new_session_ticket( ssl_context *ssl )
    3098. 

  3098. {
    3099. 

  3099.     int ret;
    3100. 

  3100.     size_t tlen;
    3101. 

  3101.     uint32_t lifetime = (uint32_t) ssl->ticket_lifetime;
    3102. 

  3102. 

  3103.     SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
    3104. 

  3104. 

  3105.     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
    3106. 

  3106.     ssl->out_msg[0]  = SSL_HS_NEW_SESSION_TICKET;
    3107. 

  3107. 

  3108.     /*
    3109. 

  3109.      * struct {
    3110. 

  3110.      *     uint32 ticket_lifetime_hint;
    3111. 

  3111.      *     opaque ticket<0..2^16-1>;
    3112. 

  3112.      * } NewSessionTicket;
    3113. 

  3113.      *
    3114. 

  3114.      * 4  .  7   ticket_lifetime_hint (0 = unspecified)
    3115. 

  3115.      * 8  .  9   ticket_len (n)
    3116. 

  3116.      * 10 .  9+n ticket content
    3117. 

  3117.      */
    3118. 

  3118. 

  3119.     ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
    3120. 

  3120.     ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
    3121. 

  3121.     ssl->out_msg[6] = ( lifetime >>  8 ) & 0xFF;
    3122. 

  3122.     ssl->out_msg[7] = ( lifetime       ) & 0xFF;
    3123. 

  3123. 

  3124.     if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
    3125. 

  3125.     {
    3126. 

  3126.         SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
    3127. 

  3127.         tlen = 0;
    3128. 

  3128.     }
    3129. 

  3129. 

  3130.     ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
    3131. 

  3131.     ssl->out_msg[9] = (unsigned char)( ( tlen      ) & 0xFF );
    3132. 

  3132. 

  3133.     ssl->out_msglen = 10 + tlen;
    3134. 

  3134. 

  3135.     /*
    3136. 

  3136.      * Morally equivalent to updating ssl->state, but NewSessionTicket and
    3137. 

  3137.      * ChangeCipherSpec share the same state.
    3138. 

  3138.      */
    3139. 

  3139.     ssl->handshake->new_session_ticket = 0;
    3140. 

  3140. 

  3141.     if( ( ret = ssl_write_record( ssl ) ) != 0 )
    3142. 

  3142.     {
    3143. 

  3143.         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
    3144. 

  3144.         return( ret );
    3145. 

  3145.     }
    3146. 

  3146. 

  3147.     SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
    3148. 

  3148. 

  3149.     return( 0 );
    3150. 

  3150. }
    3151. 

  3151. #endif /* POLARSSL_SSL_SESSION_TICKETS */
    3152. 

  3152. 

  3153. /*
    3154. 

  3154.  * SSL handshake -- server side -- single step
    3155. 

  3155.  */
    3156. 

  3156. int ssl_handshake_server_step( ssl_context *ssl )
    3157. 

  3157. {
    3158. 

  3158.     int ret = 0;
    3159. 

  3159. 

  3160.     if( ssl->state == SSL_HANDSHAKE_OVER )
    3161. 

  3161.         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
    3162. 

  3162. 

  3163.     SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
    3164. 

  3164. 

  3165.     if( ( ret = ssl_flush_output( ssl ) ) != 0 )
    3166. 

  3166.         return( ret );
    3167. 

  3167. 

  3168.     switch( ssl->state )
    3169. 

  3169.     {
    3170. 

  3170.         case SSL_HELLO_REQUEST:
    3171. 

  3171.             ssl->state = SSL_CLIENT_HELLO;
    3172. 

  3172.             break;
    3173. 

  3173. 

  3174.         /*
    3175. 

  3175.          *  <==   ClientHello
    3176. 

  3176.          */
    3177. 

  3177.         case SSL_CLIENT_HELLO:
    3178. 

  3178.             ret = ssl_parse_client_hello( ssl );
    3179. 

  3179.             break;
    3180. 

  3180. 

  3181.         /*
    3182. 

  3182.          *  ==>   ServerHello
    3183. 

  3183.          *        Certificate
    3184. 

  3184.          *      ( ServerKeyExchange  )
    3185. 

  3185.          *      ( CertificateRequest )
    3186. 

  3186.          *        ServerHelloDone
    3187. 

  3187.          */
    3188. 

  3188.         case SSL_SERVER_HELLO:
    3189. 

  3189.             ret = ssl_write_server_hello( ssl );
    3190. 

  3190.             break;
    3191. 

  3191. 

  3192.         case SSL_SERVER_CERTIFICATE:
    3193. 

  3193.             ret = ssl_write_certificate( ssl );
    3194. 

  3194.             break;
    3195. 

  3195. 

  3196.         case SSL_SERVER_KEY_EXCHANGE:
    3197. 

  3197.             ret = ssl_write_server_key_exchange( ssl );
    3198. 

  3198.             break;
    3199. 

  3199. 

  3200.         case SSL_CERTIFICATE_REQUEST:
    3201. 

  3201.             ret = ssl_write_certificate_request( ssl );
    3202. 

  3202.             break;
    3203. 

  3203. 

  3204.         case SSL_SERVER_HELLO_DONE:
    3205. 

  3205.             ret = ssl_write_server_hello_done( ssl );
    3206. 

  3206.             break;
    3207. 

  3207. 

  3208.         /*
    3209. 

  3209.          *  <== ( Certificate/Alert  )
    3210. 

  3210.          *        ClientKeyExchange
    3211. 

  3211.          *      ( CertificateVerify  )
    3212. 

  3212.          *        ChangeCipherSpec
    3213. 

  3213.          *        Finished
    3214. 

  3214.          */
    3215. 

  3215.         case SSL_CLIENT_CERTIFICATE:
    3216. 

  3216.             ret = ssl_parse_certificate( ssl );
    3217. 

  3217.             break;
    3218. 

  3218. 

  3219.         case SSL_CLIENT_KEY_EXCHANGE:
    3220. 

  3220.             ret = ssl_parse_client_key_exchange( ssl );
    3221. 

  3221.             break;
    3222. 

  3222. 

  3223.         case SSL_CERTIFICATE_VERIFY:
    3224. 

  3224.             ret = ssl_parse_certificate_verify( ssl );
    3225. 

  3225.             break;
    3226. 

  3226. 

  3227.         case SSL_CLIENT_CHANGE_CIPHER_SPEC:
    3228. 

  3228.             ret = ssl_parse_change_cipher_spec( ssl );
    3229. 

  3229.             break;
    3230. 

  3230. 

  3231.         case SSL_CLIENT_FINISHED:
    3232. 

  3232.             ret = ssl_parse_finished( ssl );
    3233. 

  3233.             break;
    3234. 

  3234. 

  3235.         /*
    3236. 

  3236.          *  ==> ( NewSessionTicket )
    3237. 

  3237.          *        ChangeCipherSpec
    3238. 

  3238.          *        Finished
    3239. 

  3239.          */
    3240. 

  3240.         case SSL_SERVER_CHANGE_CIPHER_SPEC:
    3241. 

  3241. #if defined(POLARSSL_SSL_SESSION_TICKETS)
    3242. 

  3242.             if( ssl->handshake->new_session_ticket != 0 )
    3243. 

  3243.                 ret = ssl_write_new_session_ticket( ssl );
    3244. 

  3244.             else
    3245. 

  3245. #endif
    3246. 

  3246.                 ret = ssl_write_change_cipher_spec( ssl );
    3247. 

  3247.             break;
    3248. 

  3248. 

  3249.         case SSL_SERVER_FINISHED:
    3250. 

  3250.             ret = ssl_write_finished( ssl );
    3251. 

  3251.             break;
    3252. 

  3252. 

  3253.         case SSL_FLUSH_BUFFERS:
    3254. 

  3254.             SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
    3255. 

  3255.             ssl->state = SSL_HANDSHAKE_WRAPUP;
    3256. 

  3256.             break;
    3257. 

  3257. 

  3258.         case SSL_HANDSHAKE_WRAPUP:
    3259. 

  3259.             ssl_handshake_wrapup( ssl );
    3260. 

  3260.             break;
    3261. 

  3261. 

  3262.         default:
    3263. 

  3263.             SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
    3264. 

  3264.             return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
    3265. 

  3265.     }
    3266. 

  3266. 

  3267.     return( ret );
    3268. 

  3268. }
    3269. 

  3269. #endif /* POLARSSL_SSL_SRV_C */
    3270. 

  3270.