PolarSSL v1.2.11
ssl_cli.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 client-side functions
3  *
4  * Copyright (C) 2006-2012, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 #include "polarssl/config.h"
27 
28 #if defined(POLARSSL_SSL_CLI_C)
29 
30 #include "polarssl/debug.h"
31 #include "polarssl/ssl.h"
32 
33 #include <stdlib.h>
34 #include <stdio.h>
35 #include <time.h>
36 
37 #if defined(POLARSSL_SHA4_C)
38 #include "polarssl/sha4.h"
39 #endif
40 
41 static int ssl_write_client_hello( ssl_context *ssl )
42 {
43  int ret;
44  size_t i, n, ext_len = 0;
45  unsigned char *buf;
46  unsigned char *p;
47  time_t t;
48  unsigned char sig_alg_list[20];
49  size_t sig_alg_len = 0;
50 
51  SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
52 
53  if( ssl->f_rng == NULL )
54  {
55  SSL_DEBUG_MSG( 1, ( "no RNG provided") );
56  return( POLARSSL_ERR_SSL_NO_RNG );
57  }
58 
60  {
61  ssl->major_ver = ssl->min_major_ver;
62  ssl->minor_ver = ssl->min_minor_ver;
63  }
64 
65  if( ssl->max_major_ver == 0 && ssl->max_minor_ver == 0 )
66  {
69  }
70 
71  /*
72  * 0 . 0 handshake type
73  * 1 . 3 handshake length
74  * 4 . 5 highest version supported
75  * 6 . 9 current UNIX time
76  * 10 . 37 random bytes
77  */
78  buf = ssl->out_msg;
79  p = buf + 4;
80 
81  *p++ = (unsigned char) ssl->max_major_ver;
82  *p++ = (unsigned char) ssl->max_minor_ver;
83 
84  SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
85  buf[4], buf[5] ) );
86 
87  t = time( NULL );
88  *p++ = (unsigned char)( t >> 24 );
89  *p++ = (unsigned char)( t >> 16 );
90  *p++ = (unsigned char)( t >> 8 );
91  *p++ = (unsigned char)( t );
92 
93  SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
94 
95  if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
96  return( ret );
97 
98  p += 28;
99 
100  memcpy( ssl->handshake->randbytes, buf + 6, 32 );
101 
102  SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 6, 32 );
103 
104  /*
105  * 38 . 38 session id length
106  * 39 . 39+n session id
107  * 40+n . 41+n ciphersuitelist length
108  * 42+n . .. ciphersuitelist
109  * .. . .. compression methods length
110  * .. . .. compression methods
111  * .. . .. extensions length
112  * .. . .. extensions
113  */
114  n = ssl->session_negotiate->length;
115 
116  if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE || n < 16 || n > 32 ||
117  ssl->handshake->resume == 0 )
118  n = 0;
119 
120  *p++ = (unsigned char) n;
121 
122  for( i = 0; i < n; i++ )
123  *p++ = ssl->session_negotiate->id[i];
124 
125  SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
126  SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
127 
128  for( n = 0; ssl->ciphersuites[ssl->minor_ver][n] != 0; n++ );
129  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) n++;
130  *p++ = (unsigned char)( n >> 7 );
131  *p++ = (unsigned char)( n << 1 );
132 
133  /*
134  * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
135  */
137  {
138  *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
139  *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO );
140  n--;
141  }
142 
143  SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
144 
145  for( i = 0; i < n; i++ )
146  {
147  SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
148  ssl->ciphersuites[ssl->minor_ver][i] ) );
149 
150  *p++ = (unsigned char)( ssl->ciphersuites[ssl->minor_ver][i] >> 8 );
151  *p++ = (unsigned char)( ssl->ciphersuites[ssl->minor_ver][i] );
152  }
153 
154 #if defined(POLARSSL_ZLIB_SUPPORT)
155  SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
156  SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
158 
159  *p++ = 2;
160  *p++ = SSL_COMPRESS_DEFLATE;
161  *p++ = SSL_COMPRESS_NULL;
162 #else
163  SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
164  SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", SSL_COMPRESS_NULL ) );
165 
166  *p++ = 1;
167  *p++ = SSL_COMPRESS_NULL;
168 #endif
169 
170  if ( ssl->hostname != NULL )
171  {
172  SSL_DEBUG_MSG( 3, ( "client hello, prepping for server name extension: %s",
173  ssl->hostname ) );
174 
175  ext_len += ssl->hostname_len + 9;
176  }
177 
178  if( ssl->renegotiation == SSL_RENEGOTIATION )
179  {
180  SSL_DEBUG_MSG( 3, ( "client hello, prepping for renegotiation extension" ) );
181  ext_len += 5 + ssl->verify_data_len;
182  }
183 
184  /*
185  * Prepare signature_algorithms extension (TLS 1.2)
186  */
187  if( ssl->max_minor_ver == SSL_MINOR_VERSION_3 )
188  {
189 #if defined(POLARSSL_SHA4_C)
190  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
191  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
192  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
193  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
194 #endif
195 #if defined(POLARSSL_SHA2_C)
196  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
197  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
198  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
199  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
200 #endif
201 #if defined(POLARSSL_SHA1_C)
202  sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
203  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
204 #endif
205 #if defined(POLARSSL_MD5_C)
206  sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
207  sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
208 #endif
209  ext_len += 6 + sig_alg_len;
210  }
211 
212  SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
213  ext_len ) );
214 
215  if( ext_len > 0 )
216  {
217  *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
218  *p++ = (unsigned char)( ( ext_len ) & 0xFF );
219  }
220 
221  if ( ssl->hostname != NULL )
222  {
223  /*
224  * struct {
225  * NameType name_type;
226  * select (name_type) {
227  * case host_name: HostName;
228  * } name;
229  * } ServerName;
230  *
231  * enum {
232  * host_name(0), (255)
233  * } NameType;
234  *
235  * opaque HostName<1..2^16-1>;
236  *
237  * struct {
238  * ServerName server_name_list<1..2^16-1>
239  * } ServerNameList;
240  */
241  SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
242  ssl->hostname ) );
243 
244  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
245  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME ) & 0xFF );
246 
247  *p++ = (unsigned char)( ( (ssl->hostname_len + 5) >> 8 ) & 0xFF );
248  *p++ = (unsigned char)( ( (ssl->hostname_len + 5) ) & 0xFF );
249 
250  *p++ = (unsigned char)( ( (ssl->hostname_len + 3) >> 8 ) & 0xFF );
251  *p++ = (unsigned char)( ( (ssl->hostname_len + 3) ) & 0xFF );
252 
253  *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
254  *p++ = (unsigned char)( ( ssl->hostname_len >> 8 ) & 0xFF );
255  *p++ = (unsigned char)( ( ssl->hostname_len ) & 0xFF );
256 
257  memcpy( p, ssl->hostname, ssl->hostname_len );
258  p += ssl->hostname_len;
259  }
260 
261  if( ssl->renegotiation == SSL_RENEGOTIATION )
262  {
263  /*
264  * Secure renegotiation
265  */
266  SSL_DEBUG_MSG( 3, ( "client hello, renegotiation info extension" ) );
267 
268  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
269  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
270 
271  *p++ = 0x00;
272  *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
273  *p++ = ssl->verify_data_len & 0xFF;
274 
275  memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
276  p += ssl->verify_data_len;
277  }
278 
279  if( ssl->max_minor_ver == SSL_MINOR_VERSION_3 )
280  {
281  /*
282  * enum {
283  * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
284  * sha512(6), (255)
285  * } HashAlgorithm;
286  *
287  * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
288  * SignatureAlgorithm;
289  *
290  * struct {
291  * HashAlgorithm hash;
292  * SignatureAlgorithm signature;
293  * } SignatureAndHashAlgorithm;
294  *
295  * SignatureAndHashAlgorithm
296  * supported_signature_algorithms<2..2^16-2>;
297  */
298  SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
299 
300  *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
301  *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG ) & 0xFF );
302 
303  *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
304  *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
305 
306  *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
307  *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
308 
309  memcpy( p, sig_alg_list, sig_alg_len );
310 
311  p += sig_alg_len;
312  }
313 
314  ssl->out_msglen = p - buf;
316  ssl->out_msg[0] = SSL_HS_CLIENT_HELLO;
317 
318  ssl->state++;
319 
320  if( ( ret = ssl_write_record( ssl ) ) != 0 )
321  {
322  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
323  return( ret );
324  }
325 
326  SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
327 
328  return( 0 );
329 }
330 
331 static int ssl_parse_renegotiation_info( ssl_context *ssl,
332  unsigned char *buf,
333  size_t len )
334 {
335  int ret;
336 
338  {
339  if( len != 1 || buf[0] != 0x0 )
340  {
341  SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
342 
343  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
344  return( ret );
345 
347  }
348 
350  }
351  else
352  {
353  /* Check verify-data in constant-time. The length OTOH is no secret */
354  if( len != 1 + ssl->verify_data_len * 2 ||
355  buf[0] != ssl->verify_data_len * 2 ||
356  safer_memcmp( buf + 1,
357  ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
358  safer_memcmp( buf + 1 + ssl->verify_data_len,
359  ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
360  {
361  SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
362 
363  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
364  return( ret );
365 
367  }
368  }
369 
370  return( 0 );
371 }
372 
373 static int ssl_parse_server_hello( ssl_context *ssl )
374 {
375 #if defined(POLARSSL_DEBUG_C)
376  time_t t;
377 #endif
378  int ret, i, comp;
379  size_t n;
380  size_t ext_len = 0;
381  unsigned char *buf, *ext;
382  int renegotiation_info_seen = 0;
383  int handshake_failure = 0;
384 
385  SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
386 
387  /*
388  * 0 . 0 handshake type
389  * 1 . 3 handshake length
390  * 4 . 5 protocol version
391  * 6 . 9 UNIX time()
392  * 10 . 37 random bytes
393  */
394  buf = ssl->in_msg;
395 
396  if( ( ret = ssl_read_record( ssl ) ) != 0 )
397  {
398  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
399  return( ret );
400  }
401 
402  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
403  {
404  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
406  }
407 
408  SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
409  buf[4], buf[5] ) );
410 
411  if( ssl->in_hslen < 42 ||
412  buf[0] != SSL_HS_SERVER_HELLO ||
413  buf[4] != SSL_MAJOR_VERSION_3 )
414  {
415  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
417  }
418 
419  if( buf[5] > ssl->max_minor_ver )
420  {
421  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
423  }
424 
425  ssl->minor_ver = buf[5];
426 
427  if( ssl->minor_ver < ssl->min_minor_ver )
428  {
429  SSL_DEBUG_MSG( 1, ( "server only supports ssl smaller than minimum"
430  " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
431  buf[4], buf[5] ) );
432 
435 
437  }
438 
439 #if defined(POLARSSL_DEBUG_C)
440  t = ( (time_t) buf[6] << 24 )
441  | ( (time_t) buf[7] << 16 )
442  | ( (time_t) buf[8] << 8 )
443  | ( (time_t) buf[9] );
444 #endif
445 
446  memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
447 
448  n = buf[38];
449 
450  SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
451  SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
452 
453  if( n > 32 )
454  {
455  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
457  }
458 
459  /*
460  * 38 . 38 session id length
461  * 39 . 38+n session id
462  * 39+n . 40+n chosen ciphersuite
463  * 41+n . 41+n chosen compression alg.
464  * 42+n . 43+n extensions length
465  * 44+n . 44+n+m extensions
466  */
467  if( ssl->in_hslen > 42 + n )
468  {
469  ext_len = ( ( buf[42 + n] << 8 )
470  | ( buf[43 + n] ) );
471 
472  if( ( ext_len > 0 && ext_len < 4 ) ||
473  ssl->in_hslen != 44 + n + ext_len )
474  {
475  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
477  }
478  }
479 
480  i = ( buf[39 + n] << 8 ) | buf[40 + n];
481  comp = buf[41 + n];
482 
483  /*
484  * Initialize update checksum functions
485  */
486  ssl_optimize_checksum( ssl, i );
487 
488  SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
489  SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
490 
491  /*
492  * Check if the session can be resumed
493  */
494  if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
495  ssl->handshake->resume == 0 || n == 0 ||
496  ssl->session_negotiate->ciphersuite != i ||
497  ssl->session_negotiate->compression != comp ||
498  ssl->session_negotiate->length != n ||
499  memcmp( ssl->session_negotiate->id, buf + 39, n ) != 0 )
500  {
501  ssl->state++;
502  ssl->handshake->resume = 0;
503  ssl->session_negotiate->start = time( NULL );
504  ssl->session_negotiate->ciphersuite = i;
505  ssl->session_negotiate->compression = comp;
506  ssl->session_negotiate->length = n;
507  memcpy( ssl->session_negotiate->id, buf + 39, n );
508  }
509  else
510  {
512 
513  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
514  {
515  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
516  return( ret );
517  }
518  }
519 
520  SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
521  ssl->handshake->resume ? "a" : "no" ) );
522 
523  SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) );
524  SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) );
525 
526  i = 0;
527  while( 1 )
528  {
529  if( ssl->ciphersuites[ssl->minor_ver][i] == 0 )
530  {
531  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
533  }
534 
535  if( ssl->ciphersuites[ssl->minor_ver][i++] == ssl->session_negotiate->ciphersuite )
536  break;
537  }
538 
539  if( comp != SSL_COMPRESS_NULL
540 #if defined(POLARSSL_ZLIB_SUPPORT)
541  && comp != SSL_COMPRESS_DEFLATE
542 #endif
543  )
544  {
545  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
547  }
548  ssl->session_negotiate->compression = comp;
549 
550  ext = buf + 44 + n;
551 
552  while( ext_len )
553  {
554  unsigned int ext_id = ( ( ext[0] << 8 )
555  | ( ext[1] ) );
556  unsigned int ext_size = ( ( ext[2] << 8 )
557  | ( ext[3] ) );
558 
559  if( ext_size + 4 > ext_len )
560  {
561  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
563  }
564 
565  switch( ext_id )
566  {
568  SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
569  renegotiation_info_seen = 1;
570 
571  if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ) ) != 0 )
572  return( ret );
573 
574  break;
575 
576  default:
577  SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
578  ext_id ) );
579  }
580 
581  ext_len -= 4 + ext_size;
582  ext += 4 + ext_size;
583 
584  if( ext_len > 0 && ext_len < 4 )
585  {
586  SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
588  }
589  }
590 
591  /*
592  * Renegotiation security checks
593  */
596  {
597  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
598  handshake_failure = 1;
599  }
600  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
602  renegotiation_info_seen == 0 )
603  {
604  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
605  handshake_failure = 1;
606  }
607  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
610  {
611  SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
612  handshake_failure = 1;
613  }
614  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
616  renegotiation_info_seen == 1 )
617  {
618  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
619  handshake_failure = 1;
620  }
621 
622  if( handshake_failure == 1 )
623  {
624  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
625  return( ret );
626 
628  }
629 
630  SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
631 
632  return( 0 );
633 }
634 
635 static int ssl_parse_server_key_exchange( ssl_context *ssl )
636 {
637 #if defined(POLARSSL_DHM_C)
638  int ret;
639  size_t n;
640  unsigned char *p, *end;
641  unsigned char hash[64];
644  int hash_id = SIG_RSA_RAW;
645  unsigned int hashlen = 0;
646 #endif
647 
648  SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
649 
662  {
663  SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
664  ssl->state++;
665  return( 0 );
666  }
667 
668 #if !defined(POLARSSL_DHM_C)
669  SSL_DEBUG_MSG( 1, ( "support for dhm in not available" ) );
671 #else
672  if( ( ret = ssl_read_record( ssl ) ) != 0 )
673  {
674  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
675  return( ret );
676  }
677 
678  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
679  {
680  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
682  }
683 
684  if( ssl->in_msg[0] != SSL_HS_SERVER_KEY_EXCHANGE )
685  {
686  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
688  }
689 
690  SSL_DEBUG_BUF( 3, "server key exchange", ssl->in_msg + 4, ssl->in_hslen - 4 );
691 
692  /*
693  * Ephemeral DH parameters:
694  *
695  * struct {
696  * opaque dh_p<1..2^16-1>;
697  * opaque dh_g<1..2^16-1>;
698  * opaque dh_Ys<1..2^16-1>;
699  * } ServerDHParams;
700  */
701  p = ssl->in_msg + 4;
702  end = ssl->in_msg + ssl->in_hslen;
703 
704  if( ( ret = dhm_read_params( &ssl->handshake->dhm_ctx, &p, end ) ) != 0 )
705  {
706  SSL_DEBUG_MSG( 2, ( "DHM Read Params returned -0x%x", -ret ) );
707  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
709  }
710 
711  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
712  {
713  if( p[1] != SSL_SIG_RSA )
714  {
715  SSL_DEBUG_MSG( 2, ( "server used unsupported SignatureAlgorithm %d", p[1] ) );
716  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
718  }
719 
720  switch( p[0] )
721  {
722 #if defined(POLARSSL_MD5_C)
723  case SSL_HASH_MD5:
724  hash_id = SIG_RSA_MD5;
725  break;
726 #endif
727 #if defined(POLARSSL_SHA1_C)
728  case SSL_HASH_SHA1:
729  hash_id = SIG_RSA_SHA1;
730  break;
731 #endif
732 #if defined(POLARSSL_SHA2_C)
733  case SSL_HASH_SHA224:
734  hash_id = SIG_RSA_SHA224;
735  break;
736  case SSL_HASH_SHA256:
737  hash_id = SIG_RSA_SHA256;
738  break;
739 #endif
740 #if defined(POLARSSL_SHA4_C)
741  case SSL_HASH_SHA384:
742  hash_id = SIG_RSA_SHA384;
743  break;
744  case SSL_HASH_SHA512:
745  hash_id = SIG_RSA_SHA512;
746  break;
747 #endif
748  default:
749  SSL_DEBUG_MSG( 2, ( "Server used unsupported HashAlgorithm %d", p[0] ) );
750  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
752  }
753 
754  SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", p[1] ) );
755  SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", p[0] ) );
756  p += 2;
757  }
758 
759  n = ( p[0] << 8 ) | p[1];
760  p += 2;
761 
762  if( end != p + n )
763  {
764  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
766  }
767 
768  if( (unsigned int)( end - p ) !=
770  {
771  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
773  }
774 
775  if( ssl->handshake->dhm_ctx.len < 64 || ssl->handshake->dhm_ctx.len > 512 )
776  {
777  SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
779  }
780 
781  SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
782  SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
783  SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
784 
785  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
786  {
787  /*
788  * digitally-signed struct {
789  * opaque md5_hash[16];
790  * opaque sha_hash[20];
791  * };
792  *
793  * md5_hash
794  * MD5(ClientHello.random + ServerHello.random
795  * + ServerParams);
796  * sha_hash
797  * SHA(ClientHello.random + ServerHello.random
798  * + ServerParams);
799  */
800  n = ssl->in_hslen - ( end - p ) - 6;
801 
802  md5_starts( &md5 );
803  md5_update( &md5, ssl->handshake->randbytes, 64 );
804  md5_update( &md5, ssl->in_msg + 4, n );
805  md5_finish( &md5, hash );
806 
807  sha1_starts( &sha1 );
808  sha1_update( &sha1, ssl->handshake->randbytes, 64 );
809  sha1_update( &sha1, ssl->in_msg + 4, n );
810  sha1_finish( &sha1, hash + 16 );
811 
812  hash_id = SIG_RSA_RAW;
813  hashlen = 36;
814  }
815  else
816  {
818 #if defined(POLARSSL_SHA4_C)
820 #endif
821 
822  n = ssl->in_hslen - ( end - p ) - 8;
823 
824  /*
825  * digitally-signed struct {
826  * opaque client_random[32];
827  * opaque server_random[32];
828  * ServerDHParams params;
829  * };
830  */
831  switch( hash_id )
832  {
833 #if defined(POLARSSL_MD5_C)
834  case SIG_RSA_MD5:
835  md5_starts( &md5 );
836  md5_update( &md5, ssl->handshake->randbytes, 64 );
837  md5_update( &md5, ssl->in_msg + 4, n );
838  md5_finish( &md5, hash );
839  hashlen = 16;
840  break;
841 #endif
842 #if defined(POLARSSL_SHA1_C)
843  case SIG_RSA_SHA1:
844  sha1_starts( &sha1 );
845  sha1_update( &sha1, ssl->handshake->randbytes, 64 );
846  sha1_update( &sha1, ssl->in_msg + 4, n );
847  sha1_finish( &sha1, hash );
848  hashlen = 20;
849  break;
850 #endif
851 #if defined(POLARSSL_SHA2_C)
852  case SIG_RSA_SHA224:
853  sha2_starts( &sha2, 1 );
854  sha2_update( &sha2, ssl->handshake->randbytes, 64 );
855  sha2_update( &sha2, ssl->in_msg + 4, n );
856  sha2_finish( &sha2, hash );
857  hashlen = 28;
858  break;
859  case SIG_RSA_SHA256:
860  sha2_starts( &sha2, 0 );
861  sha2_update( &sha2, ssl->handshake->randbytes, 64 );
862  sha2_update( &sha2, ssl->in_msg + 4, n );
863  sha2_finish( &sha2, hash );
864  hashlen = 32;
865  break;
866 #endif
867 #if defined(POLARSSL_SHA4_C)
868  case SIG_RSA_SHA384:
869  sha4_starts( &sha4, 1 );
870  sha4_update( &sha4, ssl->handshake->randbytes, 64 );
871  sha4_update( &sha4, ssl->in_msg + 4, n );
872  sha4_finish( &sha4, hash );
873  hashlen = 48;
874  break;
875  case SIG_RSA_SHA512:
876  sha4_starts( &sha4, 0 );
877  sha4_update( &sha4, ssl->handshake->randbytes, 64 );
878  sha4_update( &sha4, ssl->in_msg + 4, n );
879  sha4_finish( &sha4, hash );
880  hashlen = 64;
881  break;
882 #endif
883  }
884  }
885 
886  SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
887 
888  if( ( ret = rsa_pkcs1_verify( &ssl->session_negotiate->peer_cert->rsa,
889  NULL, NULL, RSA_PUBLIC,
890  hash_id, hashlen, hash, p ) ) != 0 )
891  {
892  SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
893  return( ret );
894  }
895 
896  ssl->state++;
897 
898  SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
899 
900  return( 0 );
901 #endif
902 }
903 
904 static int ssl_parse_certificate_request( ssl_context *ssl )
905 {
906  int ret;
907  unsigned char *buf, *p;
908  size_t n = 0, m = 0;
909  size_t cert_type_len = 0, sig_alg_len = 0, dn_len = 0;
910 
911  SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
912 
913  /*
914  * 0 . 0 handshake type
915  * 1 . 3 handshake length
916  * 4 . 4 cert type count
917  * 5 .. m-1 cert types
918  * m .. m+1 sig alg length (TLS 1.2 only)
919  * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
920  * n .. n+1 length of all DNs
921  * n+2 .. n+3 length of DN 1
922  * n+4 .. ... Distinguished Name #1
923  * ... .. ... length of DN 2, etc.
924  */
925  if( ( ret = ssl_read_record( ssl ) ) != 0 )
926  {
927  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
928  return( ret );
929  }
930 
931  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
932  {
933  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
935  }
936 
937  ssl->client_auth = 0;
938  ssl->state++;
939 
940  if( ssl->in_msg[0] == SSL_HS_CERTIFICATE_REQUEST )
941  ssl->client_auth++;
942 
943  SSL_DEBUG_MSG( 3, ( "got %s certificate request",
944  ssl->client_auth ? "a" : "no" ) );
945 
946  if( ssl->client_auth == 0 )
947  goto exit;
948 
949  // TODO: handshake_failure alert for an anonymous server to request
950  // client authentication
951 
952  buf = ssl->in_msg;
953 
954  // Retrieve cert types
955  //
956  cert_type_len = buf[4];
957  n = cert_type_len;
958 
959  if( ssl->in_hslen < 6 + n )
960  {
961  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
963  }
964 
965  p = buf + 5;
966  while( cert_type_len > 0 )
967  {
968  if( *p == SSL_CERT_TYPE_RSA_SIGN )
969  {
971  break;
972  }
973 
974  cert_type_len--;
975  p++;
976  }
977 
978  if( ssl->handshake->cert_type == 0 )
979  {
980  SSL_DEBUG_MSG( 1, ( "no known cert_type provided" ) );
982  }
983 
984  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
985  {
986  sig_alg_len = ( ( buf[5 + n] << 8 )
987  | ( buf[6 + n] ) );
988 
989  p = buf + 7 + n;
990  m += 2;
991  n += sig_alg_len;
992 
993  if( ssl->in_hslen < 6 + n )
994  {
995  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
997  }
998  }
999 
1000  dn_len = ( ( buf[5 + m + n] << 8 )
1001  | ( buf[6 + m + n] ) );
1002 
1003  n += dn_len;
1004  if( ssl->in_hslen != 7 + m + n )
1005  {
1006  SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
1008  }
1009 
1010 exit:
1011  SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
1012 
1013  return( 0 );
1014 }
1015 
1016 static int ssl_parse_server_hello_done( ssl_context *ssl )
1017 {
1018  int ret;
1019 
1020  SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
1021 
1022  if( ssl->client_auth != 0 )
1023  {
1024  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1025  {
1026  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1027  return( ret );
1028  }
1029 
1030  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1031  {
1032  SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
1034  }
1035  }
1036 
1037  if( ssl->in_hslen != 4 ||
1038  ssl->in_msg[0] != SSL_HS_SERVER_HELLO_DONE )
1039  {
1040  SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
1042  }
1043 
1044  ssl->state++;
1045 
1046  SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
1047 
1048  return( 0 );
1049 }
1050 
1051 static int ssl_write_client_key_exchange( ssl_context *ssl )
1052 {
1053  int ret;
1054  size_t i, n;
1055 
1056  SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
1057 
1070  {
1071 #if !defined(POLARSSL_DHM_C)
1072  SSL_DEBUG_MSG( 1, ( "support for dhm in not available" ) );
1074 #else
1075  /*
1076  * DHM key exchange -- send G^X mod P
1077  */
1078  n = ssl->handshake->dhm_ctx.len;
1079 
1080  ssl->out_msg[4] = (unsigned char)( n >> 8 );
1081  ssl->out_msg[5] = (unsigned char)( n );
1082  i = 6;
1083 
1084  ret = dhm_make_public( &ssl->handshake->dhm_ctx,
1085  (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
1086  &ssl->out_msg[i], n,
1087  ssl->f_rng, ssl->p_rng );
1088  if( ret != 0 )
1089  {
1090  SSL_DEBUG_RET( 1, "dhm_make_public", ret );
1091  return( ret );
1092  }
1093 
1094  SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
1095  SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
1096 
1097  ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
1098 
1099  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
1100  ssl->handshake->premaster,
1101  &ssl->handshake->pmslen ) ) != 0 )
1102  {
1103  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
1104  return( ret );
1105  }
1106 
1107  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
1108 #endif
1109  }
1110  else
1111  {
1112  /*
1113  * RSA key exchange -- send rsa_public(pkcs1 v1.5(premaster))
1114  */
1115  ssl->handshake->premaster[0] = (unsigned char) ssl->max_major_ver;
1116  ssl->handshake->premaster[1] = (unsigned char) ssl->max_minor_ver;
1117  ssl->handshake->pmslen = 48;
1118 
1119  ret = ssl->f_rng( ssl->p_rng, ssl->handshake->premaster + 2,
1120  ssl->handshake->pmslen - 2 );
1121  if( ret != 0 )
1122  return( ret );
1123 
1124  i = 4;
1125  n = ssl->session_negotiate->peer_cert->rsa.len;
1126 
1127  if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
1128  {
1129  i += 2;
1130  ssl->out_msg[4] = (unsigned char)( n >> 8 );
1131  ssl->out_msg[5] = (unsigned char)( n );
1132  }
1133 
1135  ssl->f_rng, ssl->p_rng,
1136  RSA_PUBLIC,
1137  ssl->handshake->pmslen,
1138  ssl->handshake->premaster,
1139  ssl->out_msg + i );
1140  if( ret != 0 )
1141  {
1142  SSL_DEBUG_RET( 1, "rsa_pkcs1_encrypt", ret );
1143  return( ret );
1144  }
1145  }
1146 
1147  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1148  {
1149  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1150  return( ret );
1151  }
1152 
1153  ssl->out_msglen = i + n;
1156 
1157  ssl->state++;
1158 
1159  if( ( ret = ssl_write_record( ssl ) ) != 0 )
1160  {
1161  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1162  return( ret );
1163  }
1164 
1165  SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
1166 
1167  return( 0 );
1168 }
1169 
1170 static int ssl_write_certificate_verify( ssl_context *ssl )
1171 {
1172  int ret = 0;
1173  size_t n = 0, offset = 0;
1174  unsigned char hash[48];
1175  int hash_id = SIG_RSA_RAW;
1176  unsigned int hashlen = 36;
1177 
1178  SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
1179 
1180  if( ssl->client_auth == 0 || ssl->own_cert == NULL )
1181  {
1182  SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
1183  ssl->state++;
1184  return( 0 );
1185  }
1186 
1187  if( ssl->rsa_key == NULL )
1188  {
1189  SSL_DEBUG_MSG( 1, ( "got no private key" ) );
1191  }
1192 
1193  /*
1194  * Make an RSA signature of the handshake digests
1195  */
1196  ssl->handshake->calc_verify( ssl, hash );
1197 
1198  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
1199  {
1200  /*
1201  * digitally-signed struct {
1202  * opaque md5_hash[16];
1203  * opaque sha_hash[20];
1204  * };
1205  *
1206  * md5_hash
1207  * MD5(handshake_messages);
1208  *
1209  * sha_hash
1210  * SHA(handshake_messages);
1211  */
1212  hashlen = 36;
1213  hash_id = SIG_RSA_RAW;
1214  }
1215  else
1216  {
1217  /*
1218  * digitally-signed struct {
1219  * opaque handshake_messages[handshake_messages_length];
1220  * };
1221  *
1222  * Taking shortcut here. We assume that the server always allows the
1223  * PRF Hash function and has sent it in the allowed signature
1224  * algorithms list received in the Certificate Request message.
1225  *
1226  * Until we encounter a server that does not, we will take this
1227  * shortcut.
1228  *
1229  * Reason: Otherwise we should have running hashes for SHA512 and SHA224
1230  * in order to satisfy 'weird' needs from the server side.
1231  */
1234  {
1235  hash_id = SIG_RSA_SHA384;
1236  hashlen = 48;
1237  ssl->out_msg[4] = SSL_HASH_SHA384;
1238  ssl->out_msg[5] = SSL_SIG_RSA;
1239  }
1240  else
1241  {
1242  hash_id = SIG_RSA_SHA256;
1243  hashlen = 32;
1244  ssl->out_msg[4] = SSL_HASH_SHA256;
1245  ssl->out_msg[5] = SSL_SIG_RSA;
1246  }
1247 
1248  offset = 2;
1249  }
1250 
1251  if ( ssl->rsa_key )
1252  n = ssl->rsa_key_len ( ssl->rsa_key );
1253 
1254  ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
1255  ssl->out_msg[5 + offset] = (unsigned char)( n );
1256 
1257  if( ssl->rsa_key )
1258  {
1259  ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
1260  RSA_PRIVATE, hash_id,
1261  hashlen, hash, ssl->out_msg + 6 + offset );
1262  }
1263 
1264  if (ret != 0)
1265  {
1266  SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
1267  return( ret );
1268  }
1269 
1270  ssl->out_msglen = 6 + n + offset;
1273 
1274  ssl->state++;
1275 
1276  if( ( ret = ssl_write_record( ssl ) ) != 0 )
1277  {
1278  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1279  return( ret );
1280  }
1281 
1282  SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
1283 
1284  return( 0 );
1285 }
1286 
1287 /*
1288  * SSL handshake -- client side -- single step
1289  */
1291 {
1292  int ret = 0;
1293 
1294  if( ssl->state == SSL_HANDSHAKE_OVER )
1296 
1297  SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
1298 
1299  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1300  return( ret );
1301 
1302  switch( ssl->state )
1303  {
1304  case SSL_HELLO_REQUEST:
1305  ssl->state = SSL_CLIENT_HELLO;
1306  break;
1307 
1308  /*
1309  * ==> ClientHello
1310  */
1311  case SSL_CLIENT_HELLO:
1312  ret = ssl_write_client_hello( ssl );
1313  break;
1314 
1315  /*
1316  * <== ServerHello
1317  * Certificate
1318  * ( ServerKeyExchange )
1319  * ( CertificateRequest )
1320  * ServerHelloDone
1321  */
1322  case SSL_SERVER_HELLO:
1323  ret = ssl_parse_server_hello( ssl );
1324  break;
1325 
1327  ret = ssl_parse_certificate( ssl );
1328  break;
1329 
1331  ret = ssl_parse_server_key_exchange( ssl );
1332  break;
1333 
1335  ret = ssl_parse_certificate_request( ssl );
1336  break;
1337 
1338  case SSL_SERVER_HELLO_DONE:
1339  ret = ssl_parse_server_hello_done( ssl );
1340  break;
1341 
1342  /*
1343  * ==> ( Certificate/Alert )
1344  * ClientKeyExchange
1345  * ( CertificateVerify )
1346  * ChangeCipherSpec
1347  * Finished
1348  */
1350  ret = ssl_write_certificate( ssl );
1351  break;
1352 
1354  ret = ssl_write_client_key_exchange( ssl );
1355  break;
1356 
1358  ret = ssl_write_certificate_verify( ssl );
1359  break;
1360 
1362  ret = ssl_write_change_cipher_spec( ssl );
1363  break;
1364 
1365  case SSL_CLIENT_FINISHED:
1366  ret = ssl_write_finished( ssl );
1367  break;
1368 
1369  /*
1370  * <== ChangeCipherSpec
1371  * Finished
1372  */
1374  ret = ssl_parse_change_cipher_spec( ssl );
1375  break;
1376 
1377  case SSL_SERVER_FINISHED:
1378  ret = ssl_parse_finished( ssl );
1379  break;
1380 
1381  case SSL_FLUSH_BUFFERS:
1382  SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
1383  ssl->state = SSL_HANDSHAKE_WRAPUP;
1384  break;
1385 
1386  case SSL_HANDSHAKE_WRAPUP:
1387  ssl_handshake_wrapup( ssl );
1388  break;
1389 
1390  default:
1391  SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
1393  }
1394 
1395  return( ret );
1396 }
1397 #endif
#define SSL_HS_CLIENT_KEY_EXCHANGE
Definition: ssl.h:256
unsigned char * hostname
Definition: ssl.h:516
#define SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:219
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS 1.2.
Definition: ssl.h:174
size_t length
Definition: ssl.h:323
#define SIG_RSA_MD5
Definition: rsa.h:51
int ciphersuite
Definition: ssl.h:321
mpi P
Definition: dhm.h:139
size_t in_hslen
Definition: ssl.h:470
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:420
#define TLS_EXT_SERVERNAME_HOSTNAME
Definition: ssl.h:263
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE
Processing of the ServerKeyExchange handshake message failed.
Definition: ssl.h:81
SHA-256 context structure.
Definition: sha2.h:50
int major_ver
Definition: ssl.h:409
#define SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:38
SHA-1 context structure.
Definition: sha1.h:50
int compression
Definition: ssl.h:322
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE
Processing of the ServerHelloDone handshake message failed.
Definition: ssl.h:82
const int ** ciphersuites
Definition: ssl.h:506
int state
Definition: ssl.h:406
char peer_verify_data[36]
Definition: ssl.h:526
#define SSL_HS_CLIENT_HELLO
Definition: ssl.h:249
Debug functions.
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
void(* calc_verify)(ssl_context *, unsigned char *)
Definition: ssl.h:386
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
#define SSL_HS_SERVER_KEY_EXCHANGE
Definition: ssl.h:252
x509_cert * peer_cert
Definition: ssl.h:326
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO
Processing of the ServerHello handshake message failed.
Definition: ssl.h:78
#define SSL_HASH_SHA1
Definition: ssl.h:197
ssl_session * session_negotiate
Definition: ssl.h:445
int ssl_parse_certificate(ssl_context *ssl)
size_t out_msglen
Definition: ssl.h:481
mpi GX
Definition: dhm.h:142
#define SSL_SIG_RSA
Definition: ssl.h:203
int ssl_parse_finished(ssl_context *ssl)
void * p_rng
Definition: ssl.h:429
rsa_sign_func rsa_sign
Definition: ssl.h:489
#define RSA_PUBLIC
Definition: rsa.h:58
#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
TLS 1.2.
Definition: ssl.h:181
#define SSL_RENEGOTIATION
Definition: ssl.h:115
int ssl_write_finished(ssl_context *ssl)
Configuration options (set of defines)
#define SSL_DEBUG_MSG(level, args)
Definition: debug.h:35
mpi X
Definition: dhm.h:141
void ssl_handshake_wrapup(ssl_context *ssl)
char own_verify_data[36]
Definition: ssl.h:525
#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Definition: ssl.h:188
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
int secure_renegotiation
Definition: ssl.h:522
time_t start
Definition: ssl.h:320
#define SSL_HASH_MD5
Definition: ssl.h:196
#define SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:123
#define SSL_MAJOR_VERSION_3
Definition: ssl.h:99
#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Definition: ssl.h:165
unsigned char id[32]
Definition: ssl.h:324
size_t len
Definition: dhm.h:138
int max_major_ver
Definition: ssl.h:412
size_t len
Definition: rsa.h:138
#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Definition: ssl.h:187
int max_minor_ver
Definition: ssl.h:413
int dhm_read_params(dhm_context *ctx, unsigned char **p, const unsigned char *end)
Parse the ServerKeyExchange parameters.
unsigned char premaster[POLARSSL_MPI_MAX_SIZE]
Definition: ssl.h:395
void sha4_starts(sha4_context *ctx, int is384)
SHA-512 context setup.
#define TLS_EXT_SIG_ALG
Definition: ssl.h:265
#define SSL_CERT_TYPE_RSA_SIGN
Definition: ssl.h:208
#define SSL_HS_CERTIFICATE_REQUEST
Definition: ssl.h:253
#define TLS_RSA_WITH_AES_256_GCM_SHA384
Definition: ssl.h:186
ssl_handshake_params * handshake
Definition: ssl.h:447
#define SSL_MSG_HANDSHAKE
Definition: ssl.h:215
int ssl_write_certificate(ssl_context *ssl)
#define SSL_ALERT_MSG_PROTOCOL_VERSION
Definition: ssl.h:240
#define POLARSSL_ERR_SSL_NO_RNG
No RNG was provided to the SSL module.
Definition: ssl.h:67
int rsa_pkcs1_encrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t ilen, const unsigned char *input, unsigned char *output)
Generic wrapper to perform a PKCS#1 encryption using the mode from the context.
#define SIG_RSA_SHA512
Definition: rsa.h:56
SHA-384 and SHA-512 cryptographic hash function.
rsa_key_len_func rsa_key_len
Definition: ssl.h:490
int in_msgtype
Definition: ssl.h:466
#define RSA_PRIVATE
Definition: rsa.h:59
size_t verify_data_len
Definition: ssl.h:524
#define SIG_RSA_SHA1
Definition: rsa.h:52
mpi G
Definition: dhm.h:140
int min_minor_ver
Definition: ssl.h:415
unsigned char * out_msg
Definition: ssl.h:478
#define SSL_MINOR_VERSION_0
Definition: ssl.h:100
int client_auth
Definition: ssl.h:502
#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION
Handshake protocol not within min/max boundaries.
Definition: ssl.h:93
#define SSL_HS_SERVER_HELLO_DONE
Definition: ssl.h:254
#define TLS_DHE_RSA_WITH_DES_CBC_SHA
Weak! Not in TLS 1.2.
Definition: ssl.h:159
int ssl_handshake_client_step(ssl_context *ssl)
void sha4_update(sha4_context *ctx, const unsigned char *input, size_t ilen)
SHA-512 process buffer.
#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE
An unexpected message was received from our peer.
Definition: ssl.h:73
#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
Definition: ssl.h:177
mpi GY
Definition: dhm.h:143
void md5_starts(md5_context *ctx)
MD5 context setup.
int ssl_flush_output(ssl_context *ssl)
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Definition: ssl.h:170
#define SSL_HS_SERVER_HELLO
Definition: ssl.h:250
#define SSL_COMPRESS_DEFLATE
Definition: ssl.h:108
unsigned char * in_msg
Definition: ssl.h:463
#define SSL_MINOR_VERSION_3
Definition: ssl.h:103
mpi K
Definition: dhm.h:144
MD5 context structure.
Definition: md5.h:50
#define TLS_EXT_RENEGOTIATION_INFO
Definition: ssl.h:267
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST
Processing of the CertificateRequest handshake message failed.
Definition: ssl.h:80
int ssl_parse_change_cipher_spec(ssl_context *ssl)
size_t hostname_len
Definition: ssl.h:517
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
int minor_ver
Definition: ssl.h:410
#define SSL_EMPTY_RENEGOTIATION_INFO
renegotiation info ext
Definition: ssl.h:190
#define SSL_HASH_SHA256
Definition: ssl.h:199
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS 1.2.
Definition: ssl.h:173
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:41
#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED
The own private key is not set, but needed.
Definition: ssl.h:71
#define SSL_INITIAL_HANDSHAKE
Definition: ssl.h:114
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
Definition: ssl.h:179
void sha2_update(sha2_context *ctx, const unsigned char *input, size_t ilen)
SHA-256 process buffer.
int allow_legacy_renegotiation
Definition: ssl.h:505
#define SSL_COMPRESS_NULL
Definition: ssl.h:107
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen)
Derive and export the shared secret (G^Y)^X mod P.
int ssl_read_record(ssl_context *ssl)
void sha4(const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = SHA-512( input buffer )
int out_msgtype
Definition: ssl.h:480
#define SIG_RSA_SHA224
Definition: rsa.h:53
#define SSL_HS_CERTIFICATE_VERIFY
Definition: ssl.h:255
#define TLS_EXT_SERVERNAME
Definition: ssl.h:262
int dhm_make_public(dhm_context *ctx, int x_size, unsigned char *output, size_t olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Create own private value X and export G^X.
#define SSL_DEBUG_MPI(level, text, X)
Definition: debug.h:44
size_t mpi_size(const mpi *X)
Return the total size in bytes.
#define SSL_LEGACY_BREAK_HANDSHAKE
Definition: ssl.h:125
x509_cert * own_cert
Definition: ssl.h:492
int min_major_ver
Definition: ssl.h:414
SHA-512 context structure.
Definition: sha4.h:51
#define SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:117
#define SSL_HASH_SHA224
Definition: ssl.h:198
#define SSL_SECURE_RENEGOTIATION
Definition: ssl.h:118
#define SIG_RSA_SHA256
Definition: rsa.h:54
SSL/TLS functions.
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Definition: ssl.h:168
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
int ssl_write_change_cipher_spec(ssl_context *ssl)
void sha2(const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = SHA-256( input buffer )
void * rsa_key
Definition: ssl.h:487
int ssl_derive_keys(ssl_context *ssl)
void sha4_finish(sha4_context *ctx, unsigned char output[64])
SHA-512 final digest.
#define SIG_RSA_SHA384
Definition: rsa.h:55
int renegotiation
Definition: ssl.h:407
dhm_context dhm_ctx
Definition: ssl.h:374
static int safer_memcmp(const void *a, const void *b, size_t n)
Definition: ssl.h:1147
#define SIG_RSA_RAW
Definition: rsa.h:48
void ssl_optimize_checksum(ssl_context *ssl, int ciphersuite)
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
void sha2_starts(sha2_context *ctx, int is224)
SHA-256 context setup.
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
TLS 1.2.
Definition: ssl.h:183
rsa_context rsa
Container for the RSA context.
Definition: x509.h:310
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition: ssl.h:60
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition: ssl.h:61
#define SSL_HASH_SHA512
Definition: ssl.h:201
#define SSL_HASH_SHA384
Definition: ssl.h:200
int ssl_write_record(ssl_context *ssl)
int rsa_pkcs1_verify(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Generic wrapper to perform a PKCS#1 verification using the mode from the context. ...
unsigned char randbytes[64]
Definition: ssl.h:394
void sha2_finish(sha2_context *ctx, unsigned char output[32])
SHA-256 final digest.