Hannes Tschofenig
/
aes-gcm-test-program
Example program to test AES-GCM functionality. Used for a workshop
Embed:
(wiki syntax)
Show/hide line numbers
ssl_cli.c
00001 /* 00002 * SSLv3/TLSv1 client-side functions 00003 * 00004 * Copyright (C) 2006-2014, Brainspark B.V. 00005 * 00006 * This file is part of PolarSSL (http://www.polarssl.org) 00007 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org> 00008 * 00009 * All rights reserved. 00010 * 00011 * This program is free software; you can redistribute it and/or modify 00012 * it under the terms of the GNU General Public License as published by 00013 * the Free Software Foundation; either version 2 of the License, or 00014 * (at your option) any later version. 00015 * 00016 * This program is distributed in the hope that it will be useful, 00017 * but WITHOUT ANY WARRANTY; without even the implied warranty of 00018 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 00019 * GNU General Public License for more details. 00020 * 00021 * You should have received a copy of the GNU General Public License along 00022 * with this program; if not, write to the Free Software Foundation, Inc., 00023 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 00024 */ 00025 00026 #if !defined(POLARSSL_CONFIG_FILE) 00027 #include "polarssl/config.h" 00028 #else 00029 #include POLARSSL_CONFIG_FILE 00030 #endif 00031 00032 #if defined(POLARSSL_SSL_CLI_C) 00033 00034 #include "polarssl/debug.h" 00035 #include "polarssl/ssl.h" 00036 00037 #if defined(POLARSSL_PLATFORM_C) 00038 #include "polarssl/platform.h" 00039 #else 00040 #define polarssl_malloc malloc 00041 #define polarssl_free free 00042 #endif 00043 00044 #include <stdlib.h> 00045 #include <stdio.h> 00046 00047 #if defined(_MSC_VER) && !defined(EFIX64) && !defined(EFI32) 00048 #include <basetsd.h> 00049 typedef UINT32 uint32_t; 00050 #else 00051 #include <inttypes.h> 00052 #endif 00053 00054 #if defined(POLARSSL_HAVE_TIME) 00055 #include <time.h> 00056 #endif 00057 00058 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) 00059 static void ssl_write_hostname_ext( ssl_context *ssl, 00060 unsigned char *buf, 00061 size_t *olen ) 00062 { 00063 unsigned char *p = buf; 00064 00065 *olen = 0; 00066 00067 if ( ssl->hostname == NULL ) 00068 return; 00069 00070 SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s", 00071 ssl->hostname ) ); 00072 00073 /* 00074 * struct { 00075 * NameType name_type; 00076 * select (name_type) { 00077 * case host_name: HostName; 00078 * } name; 00079 * } ServerName; 00080 * 00081 * enum { 00082 * host_name(0), (255) 00083 * } NameType; 00084 * 00085 * opaque HostName<1..2^16-1>; 00086 * 00087 * struct { 00088 * ServerName server_name_list<1..2^16-1> 00089 * } ServerNameList; 00090 */ 00091 *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); 00092 *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME ) & 0xFF ); 00093 00094 *p++ = (unsigned char)( ( (ssl->hostname_len + 5) >> 8 ) & 0xFF ); 00095 *p++ = (unsigned char)( ( (ssl->hostname_len + 5) ) & 0xFF ); 00096 00097 *p++ = (unsigned char)( ( (ssl->hostname_len + 3) >> 8 ) & 0xFF ); 00098 *p++ = (unsigned char)( ( (ssl->hostname_len + 3) ) & 0xFF ); 00099 00100 *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF ); 00101 *p++ = (unsigned char)( ( ssl->hostname_len >> 8 ) & 0xFF ); 00102 *p++ = (unsigned char)( ( ssl->hostname_len ) & 0xFF ); 00103 00104 memcpy( p, ssl->hostname, ssl->hostname_len ); 00105 00106 *olen = ssl->hostname_len + 9; 00107 } 00108 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */ 00109 00110 static void ssl_write_renegotiation_ext( ssl_context *ssl, 00111 unsigned char *buf, 00112 size_t *olen ) 00113 { 00114 unsigned char *p = buf; 00115 00116 *olen = 0; 00117 00118 if( ssl->renegotiation != SSL_RENEGOTIATION ) 00119 return; 00120 00121 SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) ); 00122 00123 /* 00124 * Secure renegotiation 00125 */ 00126 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 00127 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 00128 00129 *p++ = 0x00; 00130 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF; 00131 *p++ = ssl->verify_data_len & 0xFF; 00132 00133 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 00134 00135 *olen = 5 + ssl->verify_data_len; 00136 } 00137 00138 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 00139 static void ssl_write_signature_algorithms_ext( ssl_context *ssl, 00140 unsigned char *buf, 00141 size_t *olen ) 00142 { 00143 unsigned char *p = buf; 00144 unsigned char *sig_alg_list = buf + 6; 00145 size_t sig_alg_len = 0; 00146 00147 *olen = 0; 00148 00149 if( ssl->max_minor_ver != SSL_MINOR_VERSION_3 ) 00150 return; 00151 00152 SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) ); 00153 00154 /* 00155 * Prepare signature_algorithms extension (TLS 1.2) 00156 */ 00157 #if defined(POLARSSL_RSA_C) 00158 #if defined(POLARSSL_SHA512_C) 00159 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512; 00160 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA; 00161 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384; 00162 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA; 00163 #endif 00164 #if defined(POLARSSL_SHA256_C) 00165 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256; 00166 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA; 00167 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224; 00168 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA; 00169 #endif 00170 #if defined(POLARSSL_SHA1_C) 00171 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1; 00172 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA; 00173 #endif 00174 #if defined(POLARSSL_MD5_C) 00175 sig_alg_list[sig_alg_len++] = SSL_HASH_MD5; 00176 sig_alg_list[sig_alg_len++] = SSL_SIG_RSA; 00177 #endif 00178 #endif /* POLARSSL_RSA_C */ 00179 #if defined(POLARSSL_ECDSA_C) 00180 #if defined(POLARSSL_SHA512_C) 00181 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512; 00182 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA; 00183 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384; 00184 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA; 00185 #endif 00186 #if defined(POLARSSL_SHA256_C) 00187 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256; 00188 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA; 00189 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224; 00190 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA; 00191 #endif 00192 #if defined(POLARSSL_SHA1_C) 00193 sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1; 00194 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA; 00195 #endif 00196 #if defined(POLARSSL_MD5_C) 00197 sig_alg_list[sig_alg_len++] = SSL_HASH_MD5; 00198 sig_alg_list[sig_alg_len++] = SSL_SIG_ECDSA; 00199 #endif 00200 #endif /* POLARSSL_ECDSA_C */ 00201 00202 /* 00203 * enum { 00204 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 00205 * sha512(6), (255) 00206 * } HashAlgorithm; 00207 * 00208 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 00209 * SignatureAlgorithm; 00210 * 00211 * struct { 00212 * HashAlgorithm hash; 00213 * SignatureAlgorithm signature; 00214 * } SignatureAndHashAlgorithm; 00215 * 00216 * SignatureAndHashAlgorithm 00217 * supported_signature_algorithms<2..2^16-2>; 00218 */ 00219 *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG >> 8 ) & 0xFF ); 00220 *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG ) & 0xFF ); 00221 00222 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF ); 00223 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF ); 00224 00225 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF ); 00226 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF ); 00227 00228 *olen = 6 + sig_alg_len; 00229 } 00230 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ 00231 00232 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) 00233 static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl, 00234 unsigned char *buf, 00235 size_t *olen ) 00236 { 00237 unsigned char *p = buf; 00238 unsigned char *elliptic_curve_list = p + 6; 00239 size_t elliptic_curve_len = 0; 00240 const ecp_curve_info *info; 00241 #if defined(POLARSSL_SSL_SET_CURVES) 00242 const ecp_group_id *grp_id; 00243 #else 00244 ((void) ssl); 00245 #endif 00246 00247 *olen = 0; 00248 00249 SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); 00250 00251 #if defined(POLARSSL_SSL_SET_CURVES) 00252 for( grp_id = ssl->curve_list; *grp_id != POLARSSL_ECP_DP_NONE; grp_id++ ) 00253 { 00254 info = ecp_curve_info_from_grp_id( *grp_id ); 00255 #else 00256 for( info = ecp_curve_list(); info->grp_id != POLARSSL_ECP_DP_NONE; info++ ) 00257 { 00258 #endif 00259 00260 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; 00261 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; 00262 } 00263 00264 if( elliptic_curve_len == 0 ) 00265 return; 00266 00267 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF ); 00268 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF ); 00269 00270 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF ); 00271 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF ); 00272 00273 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF ); 00274 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF ); 00275 00276 *olen = 6 + elliptic_curve_len; 00277 } 00278 00279 static void ssl_write_supported_point_formats_ext( ssl_context *ssl, 00280 unsigned char *buf, 00281 size_t *olen ) 00282 { 00283 unsigned char *p = buf; 00284 ((void) ssl); 00285 00286 *olen = 0; 00287 00288 SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) ); 00289 00290 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 00291 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 00292 00293 *p++ = 0x00; 00294 *p++ = 2; 00295 00296 *p++ = 1; 00297 *p++ = POLARSSL_ECP_PF_UNCOMPRESSED; 00298 00299 *olen = 6; 00300 } 00301 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */ 00302 00303 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) 00304 static void ssl_write_max_fragment_length_ext( ssl_context *ssl, 00305 unsigned char *buf, 00306 size_t *olen ) 00307 { 00308 unsigned char *p = buf; 00309 00310 if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ) { 00311 *olen = 0; 00312 return; 00313 } 00314 00315 SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) ); 00316 00317 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 00318 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 00319 00320 *p++ = 0x00; 00321 *p++ = 1; 00322 00323 *p++ = ssl->mfl_code; 00324 00325 *olen = 5; 00326 } 00327 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */ 00328 00329 #if defined(POLARSSL_SSL_TRUNCATED_HMAC) 00330 static void ssl_write_truncated_hmac_ext( ssl_context *ssl, 00331 unsigned char *buf, size_t *olen ) 00332 { 00333 unsigned char *p = buf; 00334 00335 if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED ) 00336 { 00337 *olen = 0; 00338 return; 00339 } 00340 00341 SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) ); 00342 00343 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 00344 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 00345 00346 *p++ = 0x00; 00347 *p++ = 0x00; 00348 00349 *olen = 4; 00350 } 00351 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */ 00352 00353 #if defined(POLARSSL_SSL_SESSION_TICKETS) 00354 static void ssl_write_session_ticket_ext( ssl_context *ssl, 00355 unsigned char *buf, size_t *olen ) 00356 { 00357 unsigned char *p = buf; 00358 size_t tlen = ssl->session_negotiate->ticket_len; 00359 00360 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED ) 00361 { 00362 *olen = 0; 00363 return; 00364 } 00365 00366 SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) ); 00367 00368 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 00369 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF ); 00370 00371 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 00372 *p++ = (unsigned char)( ( tlen ) & 0xFF ); 00373 00374 *olen = 4; 00375 00376 if( ssl->session_negotiate->ticket == NULL || 00377 ssl->session_negotiate->ticket_len == 0 ) 00378 { 00379 return; 00380 } 00381 00382 SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) ); 00383 00384 memcpy( p, ssl->session_negotiate->ticket, tlen ); 00385 00386 *olen += tlen; 00387 } 00388 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 00389 00390 #if defined(POLARSSL_SSL_ALPN) 00391 static void ssl_write_alpn_ext( ssl_context *ssl, 00392 unsigned char *buf, size_t *olen ) 00393 { 00394 unsigned char *p = buf; 00395 const char **cur; 00396 00397 if( ssl->alpn_list == NULL ) 00398 { 00399 *olen = 0; 00400 return; 00401 } 00402 00403 SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); 00404 00405 *p++ = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF ); 00406 *p++ = (unsigned char)( ( TLS_EXT_ALPN ) & 0xFF ); 00407 00408 /* 00409 * opaque ProtocolName<1..2^8-1>; 00410 * 00411 * struct { 00412 * ProtocolName protocol_name_list<2..2^16-1> 00413 * } ProtocolNameList; 00414 */ 00415 00416 /* Skip writing extension and list length for now */ 00417 p += 4; 00418 00419 for( cur = ssl->alpn_list; *cur != NULL; cur++ ) 00420 { 00421 *p = (unsigned char)( strlen( *cur ) & 0xFF ); 00422 memcpy( p + 1, *cur, *p ); 00423 p += 1 + *p; 00424 } 00425 00426 *olen = p - buf; 00427 00428 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */ 00429 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 00430 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 00431 00432 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */ 00433 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 00434 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 00435 } 00436 #endif /* POLARSSL_SSL_ALPN */ 00437 00438 static int ssl_write_client_hello( ssl_context *ssl ) 00439 { 00440 int ret; 00441 size_t i, n, olen, ext_len = 0; 00442 unsigned char *buf; 00443 unsigned char *p, *q; 00444 #if defined(POLARSSL_HAVE_TIME) 00445 time_t t; 00446 #endif 00447 const int *ciphersuites; 00448 const ssl_ciphersuite_t *ciphersuite_info; 00449 00450 SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); 00451 00452 if( ssl->f_rng == NULL ) 00453 { 00454 SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 00455 return( POLARSSL_ERR_SSL_NO_RNG ); 00456 } 00457 00458 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) 00459 { 00460 ssl->major_ver = ssl->min_major_ver; 00461 ssl->minor_ver = ssl->min_minor_ver; 00462 } 00463 00464 if( ssl->max_major_ver == 0 && ssl->max_minor_ver == 0 ) 00465 { 00466 ssl->max_major_ver = SSL_MAX_MAJOR_VERSION; 00467 ssl->max_minor_ver = SSL_MAX_MINOR_VERSION; 00468 } 00469 00470 /* 00471 * 0 . 0 handshake type 00472 * 1 . 3 handshake length 00473 * 4 . 5 highest version supported 00474 * 6 . 9 current UNIX time 00475 * 10 . 37 random bytes 00476 */ 00477 buf = ssl->out_msg; 00478 p = buf + 4; 00479 00480 *p++ = (unsigned char) ssl->max_major_ver; 00481 *p++ = (unsigned char) ssl->max_minor_ver; 00482 00483 SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]", 00484 buf[4], buf[5] ) ); 00485 00486 #if defined(POLARSSL_HAVE_TIME) 00487 t = time( NULL ); 00488 *p++ = (unsigned char)( t >> 24 ); 00489 *p++ = (unsigned char)( t >> 16 ); 00490 *p++ = (unsigned char)( t >> 8 ); 00491 *p++ = (unsigned char)( t ); 00492 00493 SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) ); 00494 #else 00495 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 ) 00496 return( ret ); 00497 00498 p += 4; 00499 #endif /* POLARSSL_HAVE_TIME */ 00500 00501 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 ) 00502 return( ret ); 00503 00504 p += 28; 00505 00506 memcpy( ssl->handshake->randbytes, buf + 6, 32 ); 00507 00508 SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 6, 32 ); 00509 00510 /* 00511 * 38 . 38 session id length 00512 * 39 . 39+n session id 00513 * 40+n . 41+n ciphersuitelist length 00514 * 42+n . .. ciphersuitelist 00515 * .. . .. compression methods length 00516 * .. . .. compression methods 00517 * .. . .. extensions length 00518 * .. . .. extensions 00519 */ 00520 n = ssl->session_negotiate->length; 00521 00522 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE || n < 16 || n > 32 || 00523 ssl->handshake->resume == 0 ) 00524 { 00525 n = 0; 00526 } 00527 00528 #if defined(POLARSSL_SSL_SESSION_TICKETS) 00529 /* 00530 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY 00531 * generate and include a Session ID in the TLS ClientHello." 00532 */ 00533 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE && 00534 ssl->session_negotiate->ticket != NULL && 00535 ssl->session_negotiate->ticket_len != 0 ) 00536 { 00537 ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 ); 00538 00539 if( ret != 0 ) 00540 return( ret ); 00541 00542 ssl->session_negotiate->length = n = 32; 00543 } 00544 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 00545 00546 *p++ = (unsigned char) n; 00547 00548 for( i = 0; i < n; i++ ) 00549 *p++ = ssl->session_negotiate->id[i]; 00550 00551 SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) ); 00552 SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); 00553 00554 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver]; 00555 n = 0; 00556 q = p; 00557 00558 // Skip writing ciphersuite length for now 00559 p += 2; 00560 00561 /* 00562 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV 00563 */ 00564 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) 00565 { 00566 *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 ); 00567 *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO ); 00568 n++; 00569 } 00570 00571 for( i = 0; ciphersuites[i] != 0; i++ ) 00572 { 00573 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] ); 00574 00575 if( ciphersuite_info == NULL ) 00576 continue; 00577 00578 if( ciphersuite_info->min_minor_ver > ssl->max_minor_ver || 00579 ciphersuite_info->max_minor_ver < ssl->min_minor_ver ) 00580 continue; 00581 00582 SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d", 00583 ciphersuites[i] ) ); 00584 00585 n++; 00586 *p++ = (unsigned char)( ciphersuites[i] >> 8 ); 00587 *p++ = (unsigned char)( ciphersuites[i] ); 00588 } 00589 00590 *q++ = (unsigned char)( n >> 7 ); 00591 *q++ = (unsigned char)( n << 1 ); 00592 00593 SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) ); 00594 00595 00596 #if defined(POLARSSL_ZLIB_SUPPORT) 00597 SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) ); 00598 SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d", 00599 SSL_COMPRESS_DEFLATE, SSL_COMPRESS_NULL ) ); 00600 00601 *p++ = 2; 00602 *p++ = SSL_COMPRESS_DEFLATE; 00603 *p++ = SSL_COMPRESS_NULL; 00604 #else 00605 SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) ); 00606 SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", SSL_COMPRESS_NULL ) ); 00607 00608 *p++ = 1; 00609 *p++ = SSL_COMPRESS_NULL; 00610 #endif /* POLARSSL_ZLIB_SUPPORT */ 00611 00612 // First write extensions, then the total length 00613 // 00614 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) 00615 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen ); 00616 ext_len += olen; 00617 #endif 00618 00619 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 00620 ext_len += olen; 00621 00622 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 00623 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen ); 00624 ext_len += olen; 00625 #endif 00626 00627 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) 00628 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen ); 00629 ext_len += olen; 00630 00631 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 00632 ext_len += olen; 00633 #endif 00634 00635 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) 00636 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 00637 ext_len += olen; 00638 #endif 00639 00640 #if defined(POLARSSL_SSL_TRUNCATED_HMAC) 00641 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 00642 ext_len += olen; 00643 #endif 00644 00645 #if defined(POLARSSL_SSL_SESSION_TICKETS) 00646 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 00647 ext_len += olen; 00648 #endif 00649 00650 #if defined(POLARSSL_SSL_ALPN) 00651 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 00652 ext_len += olen; 00653 #endif 00654 00655 SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d", 00656 ext_len ) ); 00657 00658 if( ext_len > 0 ) 00659 { 00660 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 00661 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 00662 p += ext_len; 00663 } 00664 00665 ssl->out_msglen = p - buf; 00666 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 00667 ssl->out_msg[0] = SSL_HS_CLIENT_HELLO; 00668 00669 ssl->state++; 00670 00671 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 00672 { 00673 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 00674 return( ret ); 00675 } 00676 00677 SSL_DEBUG_MSG( 2, ( "<= write client hello" ) ); 00678 00679 return( 0 ); 00680 } 00681 00682 static int ssl_parse_renegotiation_info( ssl_context *ssl, 00683 const unsigned char *buf, 00684 size_t len ) 00685 { 00686 int ret; 00687 00688 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) 00689 { 00690 if( len != 1 || buf[0] != 0x0 ) 00691 { 00692 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) ); 00693 00694 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 00695 return( ret ); 00696 00697 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00698 } 00699 00700 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION; 00701 } 00702 else 00703 { 00704 /* Check verify-data in constant-time. The length OTOH is no secret */ 00705 if( len != 1 + ssl->verify_data_len * 2 || 00706 buf[0] != ssl->verify_data_len * 2 || 00707 safer_memcmp( buf + 1, 00708 ssl->own_verify_data, ssl->verify_data_len ) != 0 || 00709 safer_memcmp( buf + 1 + ssl->verify_data_len, 00710 ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) 00711 { 00712 SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) ); 00713 00714 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 00715 return( ret ); 00716 00717 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00718 } 00719 } 00720 00721 return( 0 ); 00722 } 00723 00724 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) 00725 static int ssl_parse_max_fragment_length_ext( ssl_context *ssl, 00726 const unsigned char *buf, 00727 size_t len ) 00728 { 00729 /* 00730 * server should use the extension only if we did, 00731 * and if so the server's value should match ours (and len is always 1) 00732 */ 00733 if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE || 00734 len != 1 || 00735 buf[0] != ssl->mfl_code ) 00736 { 00737 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00738 } 00739 00740 return( 0 ); 00741 } 00742 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */ 00743 00744 #if defined(POLARSSL_SSL_TRUNCATED_HMAC) 00745 static int ssl_parse_truncated_hmac_ext( ssl_context *ssl, 00746 const unsigned char *buf, 00747 size_t len ) 00748 { 00749 if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED || 00750 len != 0 ) 00751 { 00752 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00753 } 00754 00755 ((void) buf); 00756 00757 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED; 00758 00759 return( 0 ); 00760 } 00761 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */ 00762 00763 #if defined(POLARSSL_SSL_SESSION_TICKETS) 00764 static int ssl_parse_session_ticket_ext( ssl_context *ssl, 00765 const unsigned char *buf, 00766 size_t len ) 00767 { 00768 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED || 00769 len != 0 ) 00770 { 00771 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00772 } 00773 00774 ((void) buf); 00775 00776 ssl->handshake->new_session_ticket = 1; 00777 00778 return( 0 ); 00779 } 00780 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 00781 00782 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) 00783 static int ssl_parse_supported_point_formats_ext( ssl_context *ssl, 00784 const unsigned char *buf, 00785 size_t len ) 00786 { 00787 size_t list_size; 00788 const unsigned char *p; 00789 00790 list_size = buf[0]; 00791 if( list_size + 1 != len ) 00792 { 00793 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 00794 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00795 } 00796 00797 p = buf + 2; 00798 while( list_size > 0 ) 00799 { 00800 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED || 00801 p[0] == POLARSSL_ECP_PF_COMPRESSED ) 00802 { 00803 ssl->handshake->ecdh_ctx.point_format = p[0]; 00804 SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 00805 return( 0 ); 00806 } 00807 00808 list_size--; 00809 p++; 00810 } 00811 00812 return( 0 ); 00813 } 00814 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */ 00815 00816 #if defined(POLARSSL_SSL_ALPN) 00817 static int ssl_parse_alpn_ext( ssl_context *ssl, 00818 const unsigned char *buf, size_t len ) 00819 { 00820 size_t list_len, name_len; 00821 const char **p; 00822 00823 /* If we didn't send it, the server shouldn't send it */ 00824 if( ssl->alpn_list == NULL ) 00825 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00826 00827 /* 00828 * opaque ProtocolName<1..2^8-1>; 00829 * 00830 * struct { 00831 * ProtocolName protocol_name_list<2..2^16-1> 00832 * } ProtocolNameList; 00833 * 00834 * the "ProtocolNameList" MUST contain exactly one "ProtocolName" 00835 */ 00836 00837 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 00838 if( len < 4 ) 00839 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00840 00841 list_len = ( buf[0] << 8 ) | buf[1]; 00842 if( list_len != len - 2 ) 00843 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00844 00845 name_len = buf[2]; 00846 if( name_len != list_len - 1 ) 00847 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00848 00849 /* Check that the server chosen protocol was in our list and save it */ 00850 for( p = ssl->alpn_list; *p != NULL; p++ ) 00851 { 00852 if( name_len == strlen( *p ) && 00853 memcmp( buf + 3, *p, name_len ) == 0 ) 00854 { 00855 ssl->alpn_chosen = *p; 00856 return( 0 ); 00857 } 00858 } 00859 00860 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00861 } 00862 #endif /* POLARSSL_SSL_ALPN */ 00863 00864 static int ssl_parse_server_hello( ssl_context *ssl ) 00865 { 00866 int ret, i, comp; 00867 size_t n; 00868 size_t ext_len = 0; 00869 unsigned char *buf, *ext; 00870 int renegotiation_info_seen = 0; 00871 int handshake_failure = 0; 00872 #if defined(POLARSSL_DEBUG_C) 00873 uint32_t t; 00874 #endif 00875 00876 SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) ); 00877 00878 /* 00879 * 0 . 0 handshake type 00880 * 1 . 3 handshake length 00881 * 4 . 5 protocol version 00882 * 6 . 9 UNIX time() 00883 * 10 . 37 random bytes 00884 */ 00885 buf = ssl->in_msg; 00886 00887 if( ( ret = ssl_read_record ( ssl ) ) != 0 ) 00888 { 00889 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 00890 return( ret ); 00891 } 00892 00893 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) 00894 { 00895 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 00896 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); 00897 } 00898 00899 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]", 00900 buf[4], buf[5] ) ); 00901 00902 if( ssl->in_hslen < 42 || 00903 buf[0] != SSL_HS_SERVER_HELLO || 00904 buf[4] != SSL_MAJOR_VERSION_3 ) 00905 { 00906 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 00907 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00908 } 00909 00910 if( buf[5] > ssl->max_minor_ver ) 00911 { 00912 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 00913 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00914 } 00915 00916 ssl->minor_ver = buf[5]; 00917 00918 if( ssl->minor_ver < ssl->min_minor_ver ) 00919 { 00920 SSL_DEBUG_MSG( 1, ( "server only supports ssl smaller than minimum" 00921 " [%d:%d] < [%d:%d]", ssl->major_ver, 00922 ssl->minor_ver, buf[4], buf[5] ) ); 00923 00924 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL, 00925 SSL_ALERT_MSG_PROTOCOL_VERSION ); 00926 00927 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 00928 } 00929 00930 #if defined(POLARSSL_DEBUG_C) 00931 t = ( (uint32_t) buf[6] << 24 ) 00932 | ( (uint32_t) buf[7] << 16 ) 00933 | ( (uint32_t) buf[8] << 8 ) 00934 | ( (uint32_t) buf[9] ); 00935 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); 00936 #endif 00937 00938 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 ); 00939 00940 n = buf[38]; 00941 00942 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 ); 00943 00944 if( n > 32 ) 00945 { 00946 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 00947 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00948 } 00949 00950 /* 00951 * 38 . 38 session id length 00952 * 39 . 38+n session id 00953 * 39+n . 40+n chosen ciphersuite 00954 * 41+n . 41+n chosen compression alg. 00955 * 42+n . 43+n extensions length 00956 * 44+n . 44+n+m extensions 00957 */ 00958 if( ssl->in_hslen > 42 + n ) 00959 { 00960 ext_len = ( ( buf[42 + n] << 8 ) 00961 | ( buf[43 + n] ) ); 00962 00963 if( ( ext_len > 0 && ext_len < 4 ) || 00964 ssl->in_hslen != 44 + n + ext_len ) 00965 { 00966 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 00967 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 00968 } 00969 } 00970 00971 i = ( buf[39 + n] << 8 ) | buf[40 + n]; 00972 comp = buf[41 + n]; 00973 00974 /* 00975 * Initialize update checksum functions 00976 */ 00977 ssl->transform_negotiate->ciphersuite_info = ssl_ciphersuite_from_id( i ); 00978 00979 if( ssl->transform_negotiate->ciphersuite_info == NULL ) 00980 { 00981 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) ); 00982 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 00983 } 00984 00985 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); 00986 00987 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 00988 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n ); 00989 00990 /* 00991 * Check if the session can be resumed 00992 */ 00993 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE || 00994 ssl->handshake->resume == 0 || n == 0 || 00995 ssl->session_negotiate->ciphersuite != i || 00996 ssl->session_negotiate->compression != comp || 00997 ssl->session_negotiate->length != n || 00998 memcmp( ssl->session_negotiate->id, buf + 39, n ) != 0 ) 00999 { 01000 ssl->state++; 01001 ssl->handshake->resume = 0; 01002 #if defined(POLARSSL_HAVE_TIME) 01003 ssl->session_negotiate->start = time( NULL ); 01004 #endif 01005 ssl->session_negotiate->ciphersuite = i; 01006 ssl->session_negotiate->compression = comp; 01007 ssl->session_negotiate->length = n; 01008 memcpy( ssl->session_negotiate->id, buf + 39, n ); 01009 } 01010 else 01011 { 01012 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC; 01013 01014 if( ( ret = ssl_derive_keys( ssl ) ) != 0 ) 01015 { 01016 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret ); 01017 return( ret ); 01018 } 01019 } 01020 01021 SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 01022 ssl->handshake->resume ? "a" : "no" ) ); 01023 01024 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) ); 01025 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) ); 01026 01027 i = 0; 01028 while( 1 ) 01029 { 01030 if( ssl->ciphersuite_list[ssl->minor_ver][i] == 0 ) 01031 { 01032 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01033 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 01034 } 01035 01036 if( ssl->ciphersuite_list[ssl->minor_ver][i++] == 01037 ssl->session_negotiate->ciphersuite ) 01038 { 01039 break; 01040 } 01041 } 01042 01043 if( comp != SSL_COMPRESS_NULL 01044 #if defined(POLARSSL_ZLIB_SUPPORT) 01045 && comp != SSL_COMPRESS_DEFLATE 01046 #endif 01047 ) 01048 { 01049 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01050 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 01051 } 01052 ssl->session_negotiate->compression = comp; 01053 01054 ext = buf + 44 + n; 01055 01056 SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) ); 01057 01058 while( ext_len ) 01059 { 01060 unsigned int ext_id = ( ( ext[0] << 8 ) 01061 | ( ext[1] ) ); 01062 unsigned int ext_size = ( ( ext[2] << 8 ) 01063 | ( ext[3] ) ); 01064 01065 if( ext_size + 4 > ext_len ) 01066 { 01067 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01068 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 01069 } 01070 01071 switch( ext_id ) 01072 { 01073 case TLS_EXT_RENEGOTIATION_INFO: 01074 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01075 renegotiation_info_seen = 1; 01076 01077 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, 01078 ext_size ) ) != 0 ) 01079 return( ret ); 01080 01081 break; 01082 01083 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) 01084 case TLS_EXT_MAX_FRAGMENT_LENGTH: 01085 SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) ); 01086 01087 if( ( ret = ssl_parse_max_fragment_length_ext( ssl, 01088 ext + 4, ext_size ) ) != 0 ) 01089 { 01090 return( ret ); 01091 } 01092 01093 break; 01094 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */ 01095 01096 #if defined(POLARSSL_SSL_TRUNCATED_HMAC) 01097 case TLS_EXT_TRUNCATED_HMAC: 01098 SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) ); 01099 01100 if( ( ret = ssl_parse_truncated_hmac_ext( ssl, 01101 ext + 4, ext_size ) ) != 0 ) 01102 { 01103 return( ret ); 01104 } 01105 01106 break; 01107 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */ 01108 01109 #if defined(POLARSSL_SSL_SESSION_TICKETS) 01110 case TLS_EXT_SESSION_TICKET: 01111 SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) ); 01112 01113 if( ( ret = ssl_parse_session_ticket_ext( ssl, 01114 ext + 4, ext_size ) ) != 0 ) 01115 { 01116 return( ret ); 01117 } 01118 01119 break; 01120 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 01121 01122 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) 01123 case TLS_EXT_SUPPORTED_POINT_FORMATS: 01124 SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) ); 01125 01126 if( ( ret = ssl_parse_supported_point_formats_ext( ssl, 01127 ext + 4, ext_size ) ) != 0 ) 01128 { 01129 return( ret ); 01130 } 01131 01132 break; 01133 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */ 01134 01135 #if defined(POLARSSL_SSL_ALPN) 01136 case TLS_EXT_ALPN: 01137 SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 01138 01139 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 ) 01140 return( ret ); 01141 01142 break; 01143 #endif /* POLARSSL_SSL_ALPN */ 01144 01145 default: 01146 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 01147 ext_id ) ); 01148 } 01149 01150 ext_len -= 4 + ext_size; 01151 ext += 4 + ext_size; 01152 01153 if( ext_len > 0 && ext_len < 4 ) 01154 { 01155 SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01156 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 01157 } 01158 } 01159 01160 /* 01161 * Renegotiation security checks 01162 */ 01163 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION && 01164 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE ) 01165 { 01166 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01167 handshake_failure = 1; 01168 } 01169 else if( ssl->renegotiation == SSL_RENEGOTIATION && 01170 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION && 01171 renegotiation_info_seen == 0 ) 01172 { 01173 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 01174 handshake_failure = 1; 01175 } 01176 else if( ssl->renegotiation == SSL_RENEGOTIATION && 01177 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION && 01178 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION ) 01179 { 01180 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 01181 handshake_failure = 1; 01182 } 01183 else if( ssl->renegotiation == SSL_RENEGOTIATION && 01184 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION && 01185 renegotiation_info_seen == 1 ) 01186 { 01187 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 01188 handshake_failure = 1; 01189 } 01190 01191 if( handshake_failure == 1 ) 01192 { 01193 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01194 return( ret ); 01195 01196 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); 01197 } 01198 01199 SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01200 01201 return( 0 ); 01202 } 01203 01204 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 01205 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) 01206 static int ssl_parse_server_dh_params( ssl_context *ssl, unsigned char **p, 01207 unsigned char *end ) 01208 { 01209 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; 01210 01211 /* 01212 * Ephemeral DH parameters: 01213 * 01214 * struct { 01215 * opaque dh_p<1..2^16-1>; 01216 * opaque dh_g<1..2^16-1>; 01217 * opaque dh_Ys<1..2^16-1>; 01218 * } ServerDHParams; 01219 */ 01220 if( ( ret = dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 ) 01221 { 01222 SSL_DEBUG_RET( 2, ( "dhm_read_params" ), ret ); 01223 return( ret ); 01224 } 01225 01226 if( ssl->handshake->dhm_ctx.len < 64 || 01227 ssl->handshake->dhm_ctx.len > 512 ) 01228 { 01229 SSL_DEBUG_MSG( 1, ( "bad server key exchange message (DHM length)" ) ); 01230 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01231 } 01232 01233 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 01234 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 01235 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 01236 01237 return( ret ); 01238 } 01239 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED || 01240 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */ 01241 01242 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01243 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 01244 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 01245 defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 01246 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 01247 static int ssl_check_server_ecdh_params( const ssl_context *ssl ) 01248 { 01249 const ecp_curve_info *curve_info; 01250 01251 curve_info = ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id ); 01252 if( curve_info == NULL ) 01253 { 01254 SSL_DEBUG_MSG( 1, ( "Should never happen" ) ); 01255 return( -1 ); 01256 } 01257 01258 SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); 01259 01260 #if defined(POLARSSL_SSL_ECP_SET_CURVES) 01261 if( ! ssl_curve_is_acceptable( ssl, ssl->handshake->ecdh_ctx.grp.id ) ) 01262 #else 01263 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || 01264 ssl->handshake->ecdh_ctx.grp.nbits > 521 ) 01265 #endif 01266 return( -1 ); 01267 01268 SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp ); 01269 01270 return( 0 ); 01271 } 01272 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 01273 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 01274 POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 01275 POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED || 01276 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 01277 01278 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01279 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 01280 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 01281 static int ssl_parse_server_ecdh_params( ssl_context *ssl, 01282 unsigned char **p, 01283 unsigned char *end ) 01284 { 01285 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; 01286 01287 /* 01288 * Ephemeral ECDH parameters: 01289 * 01290 * struct { 01291 * ECParameters curve_params; 01292 * ECPoint public; 01293 * } ServerECDHParams; 01294 */ 01295 if( ( ret = ecdh_read_params( &ssl->handshake->ecdh_ctx, 01296 (const unsigned char **) p, end ) ) != 0 ) 01297 { 01298 SSL_DEBUG_RET( 1, ( "ecdh_read_params" ), ret ); 01299 return( ret ); 01300 } 01301 01302 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 01303 { 01304 SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) ); 01305 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01306 } 01307 01308 return( ret ); 01309 } 01310 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 01311 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 01312 POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 01313 01314 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) 01315 static int ssl_parse_server_psk_hint( ssl_context *ssl, 01316 unsigned char **p, 01317 unsigned char *end ) 01318 { 01319 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; 01320 size_t len; 01321 ((void) ssl); 01322 01323 /* 01324 * PSK parameters: 01325 * 01326 * opaque psk_identity_hint<0..2^16-1>; 01327 */ 01328 len = (*p)[0] << 8 | (*p)[1]; 01329 *p += 2; 01330 01331 if( (*p) + len > end ) 01332 { 01333 SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) ); 01334 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01335 } 01336 01337 // TODO: Retrieve PSK identity hint and callback to app 01338 // 01339 *p += len; 01340 ret = 0; 01341 01342 return( ret ); 01343 } 01344 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */ 01345 01346 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \ 01347 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) 01348 /* 01349 * Generate a pre-master secret and encrypt it with the server's RSA key 01350 */ 01351 static int ssl_write_encrypted_pms( ssl_context *ssl, 01352 size_t offset, size_t *olen, 01353 size_t pms_offset ) 01354 { 01355 int ret; 01356 size_t len_bytes = ssl->minor_ver == SSL_MINOR_VERSION_0 ? 0 : 2; 01357 unsigned char *p = ssl->handshake->premaster + pms_offset; 01358 01359 /* 01360 * Generate (part of) the pre-master as 01361 * struct { 01362 * ProtocolVersion client_version; 01363 * opaque random[46]; 01364 * } PreMasterSecret; 01365 */ 01366 p[0] = (unsigned char) ssl->max_major_ver; 01367 p[1] = (unsigned char) ssl->max_minor_ver; 01368 01369 if( ( ret = ssl->f_rng( ssl->p_rng, p + 2, 46 ) ) != 0 ) 01370 { 01371 SSL_DEBUG_RET( 1, "f_rng", ret ); 01372 return( ret ); 01373 } 01374 01375 ssl->handshake->pmslen = 48; 01376 01377 /* 01378 * Now write it out, encrypted 01379 */ 01380 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, 01381 POLARSSL_PK_RSA ) ) 01382 { 01383 SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) ); 01384 return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH ); 01385 } 01386 01387 if( ( ret = pk_encrypt( &ssl->session_negotiate->peer_cert->pk, 01388 p, ssl->handshake->pmslen, 01389 ssl->out_msg + offset + len_bytes, olen, 01390 SSL_MAX_CONTENT_LEN - offset - len_bytes, 01391 ssl->f_rng, ssl->p_rng ) ) != 0 ) 01392 { 01393 SSL_DEBUG_RET( 1, "rsa_pkcs1_encrypt", ret ); 01394 return( ret ); 01395 } 01396 01397 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \ 01398 defined(POLARSSL_SSL_PROTO_TLS1_2) 01399 if( len_bytes == 2 ) 01400 { 01401 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 ); 01402 ssl->out_msg[offset+1] = (unsigned char)( *olen ); 01403 *olen += 2; 01404 } 01405 #endif 01406 01407 return( 0 ); 01408 } 01409 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED || 01410 POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */ 01411 01412 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 01413 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 01414 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01415 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 01416 static int ssl_parse_signature_algorithm( ssl_context *ssl, 01417 unsigned char **p, 01418 unsigned char *end, 01419 md_type_t *md_alg, 01420 pk_type_t *pk_alg ) 01421 { 01422 ((void) ssl); 01423 *md_alg = POLARSSL_MD_NONE; 01424 *pk_alg = POLARSSL_PK_NONE; 01425 01426 /* Only in TLS 1.2 */ 01427 if( ssl->minor_ver != SSL_MINOR_VERSION_3 ) 01428 { 01429 return( 0 ); 01430 } 01431 01432 if( (*p) + 2 > end ) 01433 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01434 01435 /* 01436 * Get hash algorithm 01437 */ 01438 if( ( *md_alg = ssl_md_alg_from_hash( (*p)[0] ) ) == POLARSSL_MD_NONE ) 01439 { 01440 SSL_DEBUG_MSG( 2, ( "Server used unsupported " 01441 "HashAlgorithm %d", *(p)[0] ) ); 01442 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01443 } 01444 01445 /* 01446 * Get signature algorithm 01447 */ 01448 if( ( *pk_alg = ssl_pk_alg_from_sig( (*p)[1] ) ) == POLARSSL_PK_NONE ) 01449 { 01450 SSL_DEBUG_MSG( 2, ( "server used unsupported " 01451 "SignatureAlgorithm %d", (*p)[1] ) ); 01452 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01453 } 01454 01455 SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) ); 01456 SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) ); 01457 *p += 2; 01458 01459 return( 0 ); 01460 } 01461 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED || 01462 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 01463 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 01464 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ 01465 01466 01467 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 01468 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 01469 static int ssl_get_ecdh_params_from_cert( ssl_context *ssl ) 01470 { 01471 int ret; 01472 const ecp_keypair *peer_key; 01473 01474 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, 01475 POLARSSL_PK_ECKEY ) ) 01476 { 01477 SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 01478 return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH ); 01479 } 01480 01481 peer_key = pk_ec( ssl->session_negotiate->peer_cert->pk ); 01482 01483 if( ( ret = ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key, 01484 POLARSSL_ECDH_THEIRS ) ) != 0 ) 01485 { 01486 SSL_DEBUG_RET( 1, ( "ecdh_get_params" ), ret ); 01487 return( ret ); 01488 } 01489 01490 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 01491 { 01492 SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) ); 01493 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE ); 01494 } 01495 01496 return( ret ); 01497 } 01498 #endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 01499 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 01500 01501 static int ssl_parse_server_key_exchange( ssl_context *ssl ) 01502 { 01503 int ret; 01504 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 01505 unsigned char *p, *end; 01506 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 01507 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01508 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 01509 size_t sig_len, params_len; 01510 unsigned char hash[64]; 01511 md_type_t md_alg = POLARSSL_MD_NONE; 01512 size_t hashlen; 01513 pk_type_t pk_alg = POLARSSL_PK_NONE; 01514 #endif 01515 01516 SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); 01517 01518 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) 01519 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ) 01520 { 01521 SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 01522 ssl->state++; 01523 return( 0 ); 01524 } 01525 ((void) p); 01526 ((void) end); 01527 #endif 01528 01529 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 01530 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 01531 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA || 01532 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA ) 01533 { 01534 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 ) 01535 { 01536 SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret ); 01537 return( ret ); 01538 } 01539 01540 SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 01541 ssl->state++; 01542 return( 0 ); 01543 } 01544 ((void) p); 01545 ((void) end); 01546 #endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED || 01547 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 01548 01549 if( ( ret = ssl_read_record ( ssl ) ) != 0 ) 01550 { 01551 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 01552 return( ret ); 01553 } 01554 01555 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) 01556 { 01557 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 01558 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); 01559 } 01560 01561 /* 01562 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server 01563 * doesn't use a psk_identity_hint 01564 */ 01565 if( ssl->in_msg[0] != SSL_HS_SERVER_KEY_EXCHANGE ) 01566 { 01567 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 01568 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) 01569 { 01570 ssl->record_read = 1; 01571 goto exit; 01572 } 01573 01574 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 01575 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); 01576 } 01577 01578 p = ssl->in_msg + 4; 01579 end = ssl->in_msg + ssl->in_hslen; 01580 SSL_DEBUG_BUF( 3, "server key exchange", p, ssl->in_hslen - 4 ); 01581 01582 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) 01583 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 01584 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || 01585 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK || 01586 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) 01587 { 01588 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 ) 01589 { 01590 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 01591 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01592 } 01593 } /* FALLTROUGH */ 01594 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */ 01595 01596 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \ 01597 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) 01598 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 01599 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) 01600 ; /* nothing more to do */ 01601 else 01602 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED || 01603 POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */ 01604 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 01605 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) 01606 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA || 01607 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ) 01608 { 01609 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 ) 01610 { 01611 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 01612 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01613 } 01614 } 01615 else 01616 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED || 01617 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */ 01618 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01619 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 01620 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 01621 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA || 01622 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK || 01623 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ) 01624 { 01625 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 ) 01626 { 01627 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 01628 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01629 } 01630 } 01631 else 01632 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 01633 POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 01634 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 01635 { 01636 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01637 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); 01638 } 01639 01640 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 01641 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01642 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 01643 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA || 01644 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA || 01645 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ) 01646 { 01647 params_len = p - ( ssl->in_msg + 4 ); 01648 01649 /* 01650 * Handle the digitally-signed structure 01651 */ 01652 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 01653 if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) 01654 { 01655 if( ssl_parse_signature_algorithm( ssl, &p, end, 01656 &md_alg, &pk_alg ) != 0 ) 01657 { 01658 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 01659 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01660 } 01661 01662 if( pk_alg != ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) ) 01663 { 01664 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 01665 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01666 } 01667 } 01668 else 01669 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ 01670 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \ 01671 defined(POLARSSL_SSL_PROTO_TLS1_1) 01672 if( ssl->minor_ver < SSL_MINOR_VERSION_3 ) 01673 { 01674 pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 01675 01676 /* Default hash for ECDSA is SHA-1 */ 01677 if( pk_alg == POLARSSL_PK_ECDSA && md_alg == POLARSSL_MD_NONE ) 01678 md_alg = POLARSSL_MD_SHA1; 01679 } 01680 else 01681 #endif 01682 { 01683 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01684 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); 01685 } 01686 01687 /* 01688 * Read signature 01689 */ 01690 sig_len = ( p[0] << 8 ) | p[1]; 01691 p += 2; 01692 01693 if( end != p + sig_len ) 01694 { 01695 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 01696 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01697 } 01698 01699 SSL_DEBUG_BUF( 3, "signature", p, sig_len ); 01700 01701 /* 01702 * Compute the hash that has been signed 01703 */ 01704 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \ 01705 defined(POLARSSL_SSL_PROTO_TLS1_1) 01706 if( md_alg == POLARSSL_MD_NONE ) 01707 { 01708 md5_context md5; 01709 sha1_context sha1; 01710 01711 hashlen = 36; 01712 01713 /* 01714 * digitally-signed struct { 01715 * opaque md5_hash[16]; 01716 * opaque sha_hash[20]; 01717 * }; 01718 * 01719 * md5_hash 01720 * MD5(ClientHello.random + ServerHello.random 01721 * + ServerParams); 01722 * sha_hash 01723 * SHA(ClientHello.random + ServerHello.random 01724 * + ServerParams); 01725 */ 01726 md5_starts( &md5 ); 01727 md5_update( &md5, ssl->handshake->randbytes, 64 ); 01728 md5_update( &md5, ssl->in_msg + 4, params_len ); 01729 md5_finish( &md5, hash ); 01730 01731 sha1_starts( &sha1 ); 01732 sha1_update( &sha1, ssl->handshake->randbytes, 64 ); 01733 sha1_update( &sha1, ssl->in_msg + 4, params_len ); 01734 sha1_finish( &sha1, hash + 16 ); 01735 } 01736 else 01737 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \ 01738 POLARSSL_SSL_PROTO_TLS1_1 */ 01739 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \ 01740 defined(POLARSSL_SSL_PROTO_TLS1_2) 01741 if( md_alg != POLARSSL_MD_NONE ) 01742 { 01743 md_context_t ctx; 01744 01745 /* Info from md_alg will be used instead */ 01746 hashlen = 0; 01747 01748 /* 01749 * digitally-signed struct { 01750 * opaque client_random[32]; 01751 * opaque server_random[32]; 01752 * ServerDHParams params; 01753 * }; 01754 */ 01755 if( ( ret = md_init_ctx( &ctx, 01756 md_info_from_type( md_alg ) ) ) != 0 ) 01757 { 01758 SSL_DEBUG_RET( 1, "md_init_ctx", ret ); 01759 return( ret ); 01760 } 01761 01762 md_starts( &ctx ); 01763 md_update( &ctx, ssl->handshake->randbytes, 64 ); 01764 md_update( &ctx, ssl->in_msg + 4, params_len ); 01765 md_finish( &ctx, hash ); 01766 md_free_ctx( &ctx ); 01767 } 01768 else 01769 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \ 01770 POLARSSL_SSL_PROTO_TLS1_2 */ 01771 { 01772 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01773 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); 01774 } 01775 01776 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : 01777 (unsigned int) ( md_info_from_type( md_alg ) )->size ); 01778 01779 /* 01780 * Verify signature 01781 */ 01782 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 01783 { 01784 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 01785 return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH ); 01786 } 01787 01788 if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk, 01789 md_alg, hash, hashlen, p, sig_len ) ) != 0 ) 01790 { 01791 SSL_DEBUG_RET( 1, "pk_verify", ret ); 01792 return( ret ); 01793 } 01794 } 01795 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED || 01796 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 01797 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 01798 01799 exit: 01800 ssl->state++; 01801 01802 SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) ); 01803 01804 return( 0 ); 01805 } 01806 01807 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \ 01808 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 01809 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 01810 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 01811 static int ssl_parse_certificate_request( ssl_context *ssl ) 01812 { 01813 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; 01814 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 01815 01816 SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 01817 01818 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 01819 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || 01820 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK || 01821 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) 01822 { 01823 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 01824 ssl->state++; 01825 return( 0 ); 01826 } 01827 01828 SSL_DEBUG_MSG( 1, ( "should not happen" ) ); 01829 return( ret ); 01830 } 01831 #else 01832 static int ssl_parse_certificate_request( ssl_context *ssl ) 01833 { 01834 int ret; 01835 unsigned char *buf, *p; 01836 size_t n = 0, m = 0; 01837 size_t cert_type_len = 0, dn_len = 0; 01838 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 01839 01840 SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 01841 01842 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 01843 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || 01844 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK || 01845 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) 01846 { 01847 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 01848 ssl->state++; 01849 return( 0 ); 01850 } 01851 01852 /* 01853 * 0 . 0 handshake type 01854 * 1 . 3 handshake length 01855 * 4 . 4 cert type count 01856 * 5 .. m-1 cert types 01857 * m .. m+1 sig alg length (TLS 1.2 only) 01858 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only) 01859 * n .. n+1 length of all DNs 01860 * n+2 .. n+3 length of DN 1 01861 * n+4 .. ... Distinguished Name #1 01862 * ... .. ... length of DN 2, etc. 01863 */ 01864 if( ssl->record_read == 0 ) 01865 { 01866 if( ( ret = ssl_read_record ( ssl ) ) != 0 ) 01867 { 01868 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 01869 return( ret ); 01870 } 01871 01872 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) 01873 { 01874 SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 01875 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); 01876 } 01877 01878 ssl->record_read = 1; 01879 } 01880 01881 ssl->client_auth = 0; 01882 ssl->state++; 01883 01884 if( ssl->in_msg[0] == SSL_HS_CERTIFICATE_REQUEST ) 01885 ssl->client_auth++; 01886 01887 SSL_DEBUG_MSG( 3, ( "got %s certificate request", 01888 ssl->client_auth ? "a" : "no" ) ); 01889 01890 if( ssl->client_auth == 0 ) 01891 goto exit; 01892 01893 ssl->record_read = 0; 01894 01895 // TODO: handshake_failure alert for an anonymous server to request 01896 // client authentication 01897 01898 buf = ssl->in_msg; 01899 01900 // Retrieve cert types 01901 // 01902 cert_type_len = buf[4]; 01903 n = cert_type_len; 01904 01905 if( ssl->in_hslen < 6 + n ) 01906 { 01907 SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 01908 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 01909 } 01910 01911 p = buf + 5; 01912 while( cert_type_len > 0 ) 01913 { 01914 #if defined(POLARSSL_RSA_C) 01915 if( *p == SSL_CERT_TYPE_RSA_SIGN && 01916 pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) ) 01917 { 01918 ssl->handshake->cert_type = SSL_CERT_TYPE_RSA_SIGN; 01919 break; 01920 } 01921 else 01922 #endif 01923 #if defined(POLARSSL_ECDSA_C) 01924 if( *p == SSL_CERT_TYPE_ECDSA_SIGN && 01925 pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECDSA ) ) 01926 { 01927 ssl->handshake->cert_type = SSL_CERT_TYPE_ECDSA_SIGN; 01928 break; 01929 } 01930 else 01931 #endif 01932 { 01933 ; /* Unsupported cert type, ignore */ 01934 } 01935 01936 cert_type_len--; 01937 p++; 01938 } 01939 01940 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 01941 if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) 01942 { 01943 /* Ignored, see comments about hash in write_certificate_verify */ 01944 // TODO: should check the signature part against our pk_key though 01945 size_t sig_alg_len = ( ( buf[5 + n] << 8 ) 01946 | ( buf[6 + n] ) ); 01947 01948 p = buf + 7 + n; 01949 m += 2; 01950 n += sig_alg_len; 01951 01952 if( ssl->in_hslen < 6 + n ) 01953 { 01954 SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 01955 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 01956 } 01957 } 01958 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ 01959 01960 /* Ignore certificate_authorities, we only have one cert anyway */ 01961 // TODO: should not send cert if no CA matches 01962 dn_len = ( ( buf[5 + m + n] << 8 ) 01963 | ( buf[6 + m + n] ) ); 01964 01965 n += dn_len; 01966 if( ssl->in_hslen != 7 + m + n ) 01967 { 01968 SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 01969 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 01970 } 01971 01972 exit: 01973 SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) ); 01974 01975 return( 0 ); 01976 } 01977 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED && 01978 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED && 01979 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 01980 !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 01981 01982 static int ssl_parse_server_hello_done( ssl_context *ssl ) 01983 { 01984 int ret; 01985 01986 SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) ); 01987 01988 if( ssl->record_read == 0 ) 01989 { 01990 if( ( ret = ssl_read_record ( ssl ) ) != 0 ) 01991 { 01992 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 01993 return( ret ); 01994 } 01995 01996 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) 01997 { 01998 SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 01999 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); 02000 } 02001 } 02002 ssl->record_read = 0; 02003 02004 if( ssl->in_hslen != 4 || 02005 ssl->in_msg[0] != SSL_HS_SERVER_HELLO_DONE ) 02006 { 02007 SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02008 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE ); 02009 } 02010 02011 ssl->state++; 02012 02013 SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) ); 02014 02015 return( 0 ); 02016 } 02017 02018 static int ssl_write_client_key_exchange( ssl_context *ssl ) 02019 { 02020 int ret; 02021 size_t i, n; 02022 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02023 02024 SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); 02025 02026 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) 02027 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ) 02028 { 02029 /* 02030 * DHM key exchange -- send G^X mod P 02031 */ 02032 n = ssl->handshake->dhm_ctx.len; 02033 02034 ssl->out_msg[4] = (unsigned char)( n >> 8 ); 02035 ssl->out_msg[5] = (unsigned char)( n ); 02036 i = 6; 02037 02038 ret = dhm_make_public( &ssl->handshake->dhm_ctx, 02039 (int) mpi_size( &ssl->handshake->dhm_ctx.P ), 02040 &ssl->out_msg[i], n, 02041 ssl->f_rng, ssl->p_rng ); 02042 if( ret != 0 ) 02043 { 02044 SSL_DEBUG_RET( 1, "dhm_make_public", ret ); 02045 return( ret ); 02046 } 02047 02048 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 02049 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 02050 02051 ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len; 02052 02053 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx, 02054 ssl->handshake->premaster, 02055 &ssl->handshake->pmslen, 02056 ssl->f_rng, ssl->p_rng ) ) != 0 ) 02057 { 02058 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret ); 02059 return( ret ); 02060 } 02061 02062 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 02063 } 02064 else 02065 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */ 02066 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02067 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02068 defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02069 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02070 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA || 02071 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA || 02072 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA || 02073 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA ) 02074 { 02075 /* 02076 * ECDH key exchange -- send client public value 02077 */ 02078 i = 4; 02079 02080 ret = ecdh_make_public( &ssl->handshake->ecdh_ctx, 02081 &n, 02082 &ssl->out_msg[i], 1000, 02083 ssl->f_rng, ssl->p_rng ); 02084 if( ret != 0 ) 02085 { 02086 SSL_DEBUG_RET( 1, "ecdh_make_public", ret ); 02087 return( ret ); 02088 } 02089 02090 SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02091 02092 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 02093 &ssl->handshake->pmslen, 02094 ssl->handshake->premaster, 02095 POLARSSL_MPI_MAX_SIZE, 02096 ssl->f_rng, ssl->p_rng ) ) != 0 ) 02097 { 02098 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret ); 02099 return( ret ); 02100 } 02101 02102 SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z ); 02103 } 02104 else 02105 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02106 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02107 POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02108 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02109 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) 02110 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 02111 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || 02112 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK || 02113 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) 02114 { 02115 /* 02116 * opaque psk_identity<0..2^16-1>; 02117 */ 02118 if( ssl->psk == NULL || ssl->psk_identity == NULL ) 02119 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02120 02121 i = 4; 02122 n = ssl->psk_identity_len; 02123 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02124 ssl->out_msg[i++] = (unsigned char)( n ); 02125 02126 memcpy( ssl->out_msg + i, ssl->psk_identity, ssl->psk_identity_len ); 02127 i += ssl->psk_identity_len; 02128 02129 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) 02130 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ) 02131 { 02132 n = 0; 02133 } 02134 else 02135 #endif 02136 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) 02137 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) 02138 { 02139 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 ) 02140 return( ret ); 02141 } 02142 else 02143 #endif 02144 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) 02145 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ) 02146 { 02147 /* 02148 * ClientDiffieHellmanPublic public (DHM send G^X mod P) 02149 */ 02150 n = ssl->handshake->dhm_ctx.len; 02151 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02152 ssl->out_msg[i++] = (unsigned char)( n ); 02153 02154 ret = dhm_make_public( &ssl->handshake->dhm_ctx, 02155 (int) mpi_size( &ssl->handshake->dhm_ctx.P ), 02156 &ssl->out_msg[i], n, 02157 ssl->f_rng, ssl->p_rng ); 02158 if( ret != 0 ) 02159 { 02160 SSL_DEBUG_RET( 1, "dhm_make_public", ret ); 02161 return( ret ); 02162 } 02163 } 02164 else 02165 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02166 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02167 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) 02168 { 02169 /* 02170 * ClientECDiffieHellmanPublic public; 02171 */ 02172 ret = ecdh_make_public( &ssl->handshake->ecdh_ctx, &n, 02173 &ssl->out_msg[i], SSL_MAX_CONTENT_LEN - i, 02174 ssl->f_rng, ssl->p_rng ); 02175 if( ret != 0 ) 02176 { 02177 SSL_DEBUG_RET( 1, "ecdh_make_public", ret ); 02178 return( ret ); 02179 } 02180 02181 SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02182 } 02183 else 02184 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02185 { 02186 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02187 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); 02188 } 02189 02190 if( ( ret = ssl_psk_derive_premaster( ssl, 02191 ciphersuite_info->key_exchange ) ) != 0 ) 02192 { 02193 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret ); 02194 return( ret ); 02195 } 02196 } 02197 else 02198 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02199 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) 02200 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ) 02201 { 02202 i = 4; 02203 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 ) 02204 return( ret ); 02205 } 02206 else 02207 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */ 02208 { 02209 ((void) ciphersuite_info); 02210 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02211 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); 02212 } 02213 02214 if( ( ret = ssl_derive_keys( ssl ) ) != 0 ) 02215 { 02216 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret ); 02217 return( ret ); 02218 } 02219 02220 ssl->out_msglen = i + n; 02221 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 02222 ssl->out_msg[0] = SSL_HS_CLIENT_KEY_EXCHANGE; 02223 02224 ssl->state++; 02225 02226 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 02227 { 02228 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 02229 return( ret ); 02230 } 02231 02232 SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) ); 02233 02234 return( 0 ); 02235 } 02236 02237 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \ 02238 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 02239 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 02240 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02241 static int ssl_write_certificate_verify( ssl_context *ssl ) 02242 { 02243 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; 02244 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02245 02246 SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 02247 02248 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 02249 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || 02250 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK || 02251 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ) 02252 { 02253 SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 02254 ssl->state++; 02255 return( 0 ); 02256 } 02257 02258 SSL_DEBUG_MSG( 1, ( "should not happen" ) ); 02259 return( ret ); 02260 } 02261 #else 02262 static int ssl_write_certificate_verify( ssl_context *ssl ) 02263 { 02264 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; 02265 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02266 size_t n = 0, offset = 0; 02267 unsigned char hash[48]; 02268 unsigned char *hash_start = hash; 02269 md_type_t md_alg = POLARSSL_MD_NONE; 02270 unsigned int hashlen; 02271 02272 SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 02273 02274 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 02275 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || 02276 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK || 02277 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ) 02278 { 02279 SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 02280 ssl->state++; 02281 return( 0 ); 02282 } 02283 02284 if( ssl->client_auth == 0 || ssl_own_cert( ssl ) == NULL ) 02285 { 02286 SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 02287 ssl->state++; 02288 return( 0 ); 02289 } 02290 02291 if( ssl_own_key( ssl ) == NULL ) 02292 { 02293 SSL_DEBUG_MSG( 1, ( "got no private key" ) ); 02294 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02295 } 02296 02297 /* 02298 * Make an RSA signature of the handshake digests 02299 */ 02300 ssl->handshake->calc_verify( ssl, hash ); 02301 02302 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \ 02303 defined(POLARSSL_SSL_PROTO_TLS1_1) 02304 if( ssl->minor_ver != SSL_MINOR_VERSION_3 ) 02305 { 02306 /* 02307 * digitally-signed struct { 02308 * opaque md5_hash[16]; 02309 * opaque sha_hash[20]; 02310 * }; 02311 * 02312 * md5_hash 02313 * MD5(handshake_messages); 02314 * 02315 * sha_hash 02316 * SHA(handshake_messages); 02317 */ 02318 hashlen = 36; 02319 md_alg = POLARSSL_MD_NONE; 02320 02321 /* 02322 * For ECDSA, default hash is SHA-1 only 02323 */ 02324 if( pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECDSA ) ) 02325 { 02326 hash_start += 16; 02327 hashlen -= 16; 02328 md_alg = POLARSSL_MD_SHA1; 02329 } 02330 } 02331 else 02332 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \ 02333 POLARSSL_SSL_PROTO_TLS1_1 */ 02334 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 02335 if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) 02336 { 02337 /* 02338 * digitally-signed struct { 02339 * opaque handshake_messages[handshake_messages_length]; 02340 * }; 02341 * 02342 * Taking shortcut here. We assume that the server always allows the 02343 * PRF Hash function and has sent it in the allowed signature 02344 * algorithms list received in the Certificate Request message. 02345 * 02346 * Until we encounter a server that does not, we will take this 02347 * shortcut. 02348 * 02349 * Reason: Otherwise we should have running hashes for SHA512 and SHA224 02350 * in order to satisfy 'weird' needs from the server side. 02351 */ 02352 if( ssl->transform_negotiate->ciphersuite_info->mac == 02353 POLARSSL_MD_SHA384 ) 02354 { 02355 md_alg = POLARSSL_MD_SHA384; 02356 ssl->out_msg[4] = SSL_HASH_SHA384; 02357 } 02358 else 02359 { 02360 md_alg = POLARSSL_MD_SHA256; 02361 ssl->out_msg[4] = SSL_HASH_SHA256; 02362 } 02363 ssl->out_msg[5] = ssl_sig_from_pk( ssl_own_key( ssl ) ); 02364 02365 /* Info from md_alg will be used instead */ 02366 hashlen = 0; 02367 offset = 2; 02368 } 02369 else 02370 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ 02371 { 02372 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02373 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); 02374 } 02375 02376 if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash_start, hashlen, 02377 ssl->out_msg + 6 + offset, &n, 02378 ssl->f_rng, ssl->p_rng ) ) != 0 ) 02379 { 02380 SSL_DEBUG_RET( 1, "pk_sign", ret ); 02381 return( ret ); 02382 } 02383 02384 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 ); 02385 ssl->out_msg[5 + offset] = (unsigned char)( n ); 02386 02387 ssl->out_msglen = 6 + n + offset; 02388 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 02389 ssl->out_msg[0] = SSL_HS_CERTIFICATE_VERIFY; 02390 02391 ssl->state++; 02392 02393 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 02394 { 02395 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 02396 return( ret ); 02397 } 02398 02399 SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) ); 02400 02401 return( ret ); 02402 } 02403 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED && 02404 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED && 02405 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */ 02406 02407 #if defined(POLARSSL_SSL_SESSION_TICKETS) 02408 static int ssl_parse_new_session_ticket( ssl_context *ssl ) 02409 { 02410 int ret; 02411 uint32_t lifetime; 02412 size_t ticket_len; 02413 unsigned char *ticket; 02414 02415 SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); 02416 02417 if( ( ret = ssl_read_record ( ssl ) ) != 0 ) 02418 { 02419 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 02420 return( ret ); 02421 } 02422 02423 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) 02424 { 02425 SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 02426 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); 02427 } 02428 02429 /* 02430 * struct { 02431 * uint32 ticket_lifetime_hint; 02432 * opaque ticket<0..2^16-1>; 02433 * } NewSessionTicket; 02434 * 02435 * 0 . 0 handshake message type 02436 * 1 . 3 handshake message length 02437 * 4 . 7 ticket_lifetime_hint 02438 * 8 . 9 ticket_len (n) 02439 * 10 . 9+n ticket content 02440 */ 02441 if( ssl->in_msg[0] != SSL_HS_NEW_SESSION_TICKET || 02442 ssl->in_hslen < 10 ) 02443 { 02444 SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 02445 return( POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 02446 } 02447 02448 lifetime = ( ssl->in_msg[4] << 24 ) | ( ssl->in_msg[5] << 16 ) | 02449 ( ssl->in_msg[6] << 8 ) | ( ssl->in_msg[7] ); 02450 02451 ticket_len = ( ssl->in_msg[8] << 8 ) | ( ssl->in_msg[9] ); 02452 02453 if( ticket_len + 10 != ssl->in_hslen ) 02454 { 02455 SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 02456 return( POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 02457 } 02458 02459 SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) ); 02460 02461 /* We're not waiting for a NewSessionTicket message any more */ 02462 ssl->handshake->new_session_ticket = 0; 02463 02464 /* 02465 * Zero-length ticket means the server changed his mind and doesn't want 02466 * to send a ticket after all, so just forget it 02467 */ 02468 if( ticket_len == 0) 02469 return( 0 ); 02470 02471 polarssl_free( ssl->session_negotiate->ticket ); 02472 ssl->session_negotiate->ticket = NULL; 02473 ssl->session_negotiate->ticket_len = 0; 02474 02475 if( ( ticket = polarssl_malloc( ticket_len ) ) == NULL ) 02476 { 02477 SSL_DEBUG_MSG( 1, ( "ticket malloc failed" ) ); 02478 return( POLARSSL_ERR_SSL_MALLOC_FAILED ); 02479 } 02480 02481 memcpy( ticket, ssl->in_msg + 10, ticket_len ); 02482 02483 ssl->session_negotiate->ticket = ticket; 02484 ssl->session_negotiate->ticket_len = ticket_len; 02485 ssl->session_negotiate->ticket_lifetime = lifetime; 02486 02487 /* 02488 * RFC 5077 section 3.4: 02489 * "If the client receives a session ticket from the server, then it 02490 * discards any Session ID that was sent in the ServerHello." 02491 */ 02492 SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) ); 02493 ssl->session_negotiate->length = 0; 02494 02495 SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) ); 02496 02497 return( 0 ); 02498 } 02499 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 02500 02501 /* 02502 * SSL handshake -- client side -- single step 02503 */ 02504 int ssl_handshake_client_step( ssl_context *ssl ) 02505 { 02506 int ret = 0; 02507 02508 if( ssl->state == SSL_HANDSHAKE_OVER ) 02509 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 02510 02511 SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) ); 02512 02513 if( ( ret = ssl_flush_output( ssl ) ) != 0 ) 02514 return( ret ); 02515 02516 switch( ssl->state ) 02517 { 02518 case SSL_HELLO_REQUEST: 02519 ssl->state = SSL_CLIENT_HELLO; 02520 break; 02521 02522 /* 02523 * ==> ClientHello 02524 */ 02525 case SSL_CLIENT_HELLO: 02526 ret = ssl_write_client_hello( ssl ); 02527 break; 02528 02529 /* 02530 * <== ServerHello 02531 * Certificate 02532 * ( ServerKeyExchange ) 02533 * ( CertificateRequest ) 02534 * ServerHelloDone 02535 */ 02536 case SSL_SERVER_HELLO: 02537 ret = ssl_parse_server_hello( ssl ); 02538 break; 02539 02540 case SSL_SERVER_CERTIFICATE: 02541 ret = ssl_parse_certificate( ssl ); 02542 break; 02543 02544 case SSL_SERVER_KEY_EXCHANGE: 02545 ret = ssl_parse_server_key_exchange( ssl ); 02546 break; 02547 02548 case SSL_CERTIFICATE_REQUEST: 02549 ret = ssl_parse_certificate_request( ssl ); 02550 break; 02551 02552 case SSL_SERVER_HELLO_DONE: 02553 ret = ssl_parse_server_hello_done( ssl ); 02554 break; 02555 02556 /* 02557 * ==> ( Certificate/Alert ) 02558 * ClientKeyExchange 02559 * ( CertificateVerify ) 02560 * ChangeCipherSpec 02561 * Finished 02562 */ 02563 case SSL_CLIENT_CERTIFICATE: 02564 ret = ssl_write_certificate( ssl ); 02565 break; 02566 02567 case SSL_CLIENT_KEY_EXCHANGE: 02568 ret = ssl_write_client_key_exchange( ssl ); 02569 break; 02570 02571 case SSL_CERTIFICATE_VERIFY: 02572 ret = ssl_write_certificate_verify( ssl ); 02573 break; 02574 02575 case SSL_CLIENT_CHANGE_CIPHER_SPEC: 02576 ret = ssl_write_change_cipher_spec( ssl ); 02577 break; 02578 02579 case SSL_CLIENT_FINISHED: 02580 ret = ssl_write_finished( ssl ); 02581 break; 02582 02583 /* 02584 * <== ( NewSessionTicket ) 02585 * ChangeCipherSpec 02586 * Finished 02587 */ 02588 case SSL_SERVER_CHANGE_CIPHER_SPEC: 02589 #if defined(POLARSSL_SSL_SESSION_TICKETS) 02590 if( ssl->handshake->new_session_ticket != 0 ) 02591 ret = ssl_parse_new_session_ticket( ssl ); 02592 else 02593 #endif 02594 ret = ssl_parse_change_cipher_spec( ssl ); 02595 break; 02596 02597 case SSL_SERVER_FINISHED: 02598 ret = ssl_parse_finished( ssl ); 02599 break; 02600 02601 case SSL_FLUSH_BUFFERS: 02602 SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 02603 ssl->state = SSL_HANDSHAKE_WRAPUP; 02604 break; 02605 02606 case SSL_HANDSHAKE_WRAPUP: 02607 ssl_handshake_wrapup( ssl ); 02608 break; 02609 02610 default: 02611 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 02612 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 02613 } 02614 02615 return( ret ); 02616 } 02617 #endif /* POLARSSL_SSL_CLI_C */ 02618 02619
Generated on Tue Jul 12 2022 19:40:20 by 1.7.2