Hannes Tschofenig
Example program to test AES-GCM functionality. Used for a workshop
Embed:
(wiki syntax)
Show/hide line numbers
ssl_srv.c
00001 /* 00002 * SSLv3/TLSv1 server-side functions 00003 * 00004 * Copyright (C) 2006-2014, Brainspark B.V. 00005 * 00006 * This file is part of PolarSSL (http://www.polarssl.org) 00007 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org> 00008 * 00009 * All rights reserved. 00010 * 00011 * This program is free software; you can redistribute it and/or modify 00012 * it under the terms of the GNU General Public License as published by 00013 * the Free Software Foundation; either version 2 of the License, or 00014 * (at your option) any later version. 00015 * 00016 * This program is distributed in the hope that it will be useful, 00017 * but WITHOUT ANY WARRANTY; without even the implied warranty of 00018 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 00019 * GNU General Public License for more details. 00020 * 00021 * You should have received a copy of the GNU General Public License along 00022 * with this program; if not, write to the Free Software Foundation, Inc., 00023 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 00024 */ 00025 00026 #if !defined(POLARSSL_CONFIG_FILE) 00027 #include "polarssl/config.h" 00028 #else 00029 #include POLARSSL_CONFIG_FILE 00030 #endif 00031 00032 #if defined(POLARSSL_SSL_SRV_C) 00033 00034 #include "polarssl/debug.h" 00035 #include "polarssl/ssl.h" 00036 #if defined(POLARSSL_ECP_C) 00037 #include "polarssl/ecp.h" 00038 #endif 00039 00040 #if defined(POLARSSL_PLATFORM_C) 00041 #include "polarssl/platform.h" 00042 #else 00043 #define polarssl_malloc malloc 00044 #define polarssl_free free 00045 #endif 00046 00047 #include <stdlib.h> 00048 #include <stdio.h> 00049 00050 #if defined(POLARSSL_HAVE_TIME) 00051 #include <time.h> 00052 #endif 00053 00054 #if defined(POLARSSL_SSL_SESSION_TICKETS) 00055 /* 00056 * Serialize a session in the following format: 00057 * 0 . n-1 session structure, n = sizeof(ssl_session) 00058 * n . n+2 peer_cert length = m (0 if no certificate) 00059 * n+3 . n+2+m peer cert ASN.1 00060 * 00061 * Assumes ticket is NULL (always true on server side). 00062 */ 00063 static int ssl_save_session( const ssl_session *session, 00064 unsigned char *buf, size_t buf_len, 00065 size_t *olen ) 00066 { 00067 unsigned char *p = buf; 00068 size_t left = buf_len; 00069 #if defined(POLARSSL_X509_CRT_PARSE_C) 00070 size_t cert_len; 00071 #endif /* POLARSSL_X509_CRT_PARSE_C */ 00072 00073 if( left < sizeof( ssl_session ) ) 00074 return( -1 ); 00075 00076 memcpy( p, session, sizeof( ssl_session ) ); 00077 p += sizeof( ssl_session ); 00078 left -= sizeof( ssl_session ); 00079 00080 #if defined(POLARSSL_X509_CRT_PARSE_C) 00081 if( session->peer_cert == NULL ) 00082 cert_len = 0; 00083 else 00084 cert_len = session->peer_cert->raw.len; 00085 00086 if( left < 3 + cert_len ) 00087 return( -1 ); 00088 00089 *p++ = (unsigned char)( cert_len >> 16 & 0xFF ); 00090 *p++ = (unsigned char)( cert_len >> 8 & 0xFF ); 00091 *p++ = (unsigned char)( cert_len & 0xFF ); 00092 00093 if( session->peer_cert != NULL ) 00094 memcpy( p, session->peer_cert->raw.p, cert_len ); 00095 00096 p += cert_len; 00097 #endif /* POLARSSL_X509_CRT_PARSE_C */ 00098 00099 *olen = p - buf; 00100 00101 return( 0 ); 00102 } 00103 00104 /* 00105 * Unserialise session, see ssl_save_session() 00106 */ 00107 static int ssl_load_session( ssl_session *session, 00108 const unsigned char *buf, size_t len ) 00109 { 00110 const unsigned char *p = buf; 00111 const unsigned char * const end = buf + len; 00112 #if defined(POLARSSL_X509_CRT_PARSE_C) 00113 size_t cert_len; 00114 #endif /* POLARSSL_X509_CRT_PARSE_C */ 00115 00116 if( p + sizeof( ssl_session ) > end ) 00117 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 00118 00119 memcpy( session, p, sizeof( ssl_session ) ); 00120 p += sizeof( ssl_session ); 00121 00122 #if defined(POLARSSL_X509_CRT_PARSE_C) 00123 if( p + 3 > end ) 00124 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 00125 00126 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2]; 00127 p += 3; 00128 00129 if( cert_len == 0 ) 00130 { 00131 session->peer_cert = NULL; 00132 } 00133 else 00134 { 00135 int ret; 00136 00137 if( p + cert_len > end ) 00138 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 00139 00140 session->peer_cert = polarssl_malloc( sizeof( x509_crt ) ); 00141 00142 if( session->peer_cert == NULL ) 00143 return( POLARSSL_ERR_SSL_MALLOC_FAILED ); 00144 00145 x509_crt_init( session->peer_cert ); 00146 00147 if( ( ret = x509_crt_parse( session->peer_cert, p, cert_len ) ) != 0 ) 00148 { 00149 x509_crt_free( session->peer_cert ); 00150 polarssl_free( session->peer_cert ); 00151 session->peer_cert = NULL; 00152 return( ret ); 00153 } 00154 00155 p += cert_len; 00156 } 00157 #endif /* POLARSSL_X509_CRT_PARSE_C */ 00158 00159 if( p != end ) 00160 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 00161 00162 return( 0 ); 00163 } 00164 00165 /* 00166 * Create session ticket, secured as recommended in RFC 5077 section 4: 00167 * 00168 * struct { 00169 * opaque key_name[16]; 00170 * opaque iv[16]; 00171 * opaque encrypted_state<0..2^16-1>; 00172 * opaque mac[32]; 00173 * } ticket; 00174 * 00175 * (the internal state structure differs, however). 00176 */ 00177 static int ssl_write_ticket( ssl_context *ssl, size_t *tlen ) 00178 { 00179 int ret; 00180 unsigned char * const start = ssl->out_msg + 10; 00181 unsigned char *p = start; 00182 unsigned char *state; 00183 unsigned char iv[16]; 00184 size_t clear_len, enc_len, pad_len, i; 00185 00186 *tlen = 0; 00187 00188 if( ssl->ticket_keys == NULL ) 00189 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 00190 00191 /* Write key name */ 00192 memcpy( p, ssl->ticket_keys->key_name, 16 ); 00193 p += 16; 00194 00195 /* Generate and write IV (with a copy for aes_crypt) */ 00196 if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 ) 00197 return( ret ); 00198 memcpy( iv, p, 16 ); 00199 p += 16; 00200 00201 /* 00202 * Dump session state 00203 * 00204 * After the session state itself, we still need room for 16 bytes of 00205 * padding and 32 bytes of MAC, so there's only so much room left 00206 */ 00207 state = p + 2; 00208 if( ssl_save_session( ssl->session_negotiate, state, 00209 SSL_MAX_CONTENT_LEN - (state - ssl->out_ctr) - 48, 00210 &clear_len ) != 0 ) 00211 { 00212 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE ); 00213 } 00214 SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len ); 00215 00216 /* Apply PKCS padding */ 00217 pad_len = 16 - clear_len % 16; 00218 enc_len = clear_len + pad_len; 00219 for( i = clear_len; i < enc_len; i++ ) 00220 state[i] = (unsigned char) pad_len; 00221 00222 /* Encrypt */ 00223 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT, 00224 enc_len, iv, state, state ) ) != 0 ) 00225 { 00226 return( ret ); 00227 } 00228 00229 /* Write length */ 00230 *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF ); 00231 *p++ = (unsigned char)( ( enc_len ) & 0xFF ); 00232 p = state + enc_len; 00233 00234 /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */ 00235 sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 ); 00236 p += 32; 00237 00238 *tlen = p - start; 00239 00240 SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen ); 00241 00242 return( 0 ); 00243 } 00244 00245 /* 00246 * Load session ticket (see ssl_write_ticket for structure) 00247 */ 00248 static int ssl_parse_ticket( ssl_context *ssl, 00249 unsigned char *buf, 00250 size_t len ) 00251 { 00252 int ret; 00253 ssl_session session; 00254 unsigned char *key_name = buf; 00255 unsigned char *iv = buf + 16; 00256 unsigned char *enc_len_p = iv + 16; 00257 unsigned char *ticket = enc_len_p + 2; 00258 unsigned char *mac; 00259 unsigned char computed_mac[32]; 00260 size_t enc_len, clear_len, i; 00261 unsigned char pad_len, diff; 00262 00263 SSL_DEBUG_BUF( 3, "session ticket structure", buf, len ); 00264 00265 if( len < 34 || ssl->ticket_keys == NULL ) 00266 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 00267 00268 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1]; 00269 mac = ticket + enc_len; 00270 00271 if( len != enc_len + 66 ) 00272 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 00273 00274 /* Check name, in constant time though it's not a big secret */ 00275 diff = 0; 00276 for( i = 0; i < 16; i++ ) 00277 diff |= key_name[i] ^ ssl->ticket_keys->key_name[i]; 00278 /* don't return yet, check the MAC anyway */ 00279 00280 /* Check mac, with constant-time buffer comparison */ 00281 sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32, 00282 computed_mac, 0 ); 00283 00284 for( i = 0; i < 32; i++ ) 00285 diff |= mac[i] ^ computed_mac[i]; 00286 00287 /* Now return if ticket is not authentic, since we want to avoid 00288 * decrypting arbitrary attacker-chosen data */ 00289 if( diff != 0 ) 00290 return( POLARSSL_ERR_SSL_INVALID_MAC ); 00291 00292 /* Decrypt */ 00293 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT, 00294 enc_len, iv, ticket, ticket ) ) != 0 ) 00295 { 00296 return( ret ); 00297 } 00298 00299 /* Check PKCS padding */ 00300 pad_len = ticket[enc_len - 1]; 00301 00302 ret = 0; 00303 for( i = 2; i < pad_len; i++ ) 00304 if( ticket[enc_len - i] != pad_len ) 00305 ret = POLARSSL_ERR_SSL_BAD_INPUT_DATA; 00306 if( ret != 0 ) 00307 return( ret ); 00308 00309 clear_len = enc_len - pad_len; 00310 00311 SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len ); 00312 00313 /* Actually load session */ 00314 if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 ) 00315 { 00316 SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) ); 00317 ssl_session_free( &session ); 00318 return( ret ); 00319 } 00320 00321 #if defined(POLARSSL_HAVE_TIME) 00322 /* Check if still valid */ 00323 if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime ) 00324 { 00325 SSL_DEBUG_MSG( 1, ( "session ticket expired" ) ); 00326 ssl_session_free( &session ); 00327 return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED ); 00328 } 00329 #endif 00330 00331 /* 00332 * Keep the session ID sent by the client, since we MUST send it back to 00333 * inform him we're accepting the ticket (RFC 5077 section 3.4) 00334 */ 00335 session.length = ssl->session_negotiate->length; 00336 memcpy( &session.id, ssl->session_negotiate->id, session.length ); 00337 00338 ssl_session_free( ssl->session_negotiate ); 00339 memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) ); 00340 memset( &session, 0, sizeof( ssl_session ) ); 00341 00342 return( 0 ); 00343 } 00344 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 00345 00346 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) 00347 /* 00348 * Wrapper around f_sni, allowing use of ssl_set_own_cert() but 00349 * making it act on ssl->hanshake->sni_key_cert instead. 00350 */ 00351 static int ssl_sni_wrapper( ssl_context *ssl, 00352 const unsigned char* name, size_t len ) 00353 { 00354 int ret; 00355 ssl_key_cert *key_cert_ori = ssl->key_cert; 00356 00357 ssl->key_cert = NULL; 00358 ret = ssl->f_sni( ssl->p_sni, ssl, name, len ); 00359 ssl->handshake->sni_key_cert = ssl->key_cert; 00360 00361 ssl->key_cert = key_cert_ori; 00362 00363 return( ret ); 00364 } 00365 00366 static int ssl_parse_servername_ext( ssl_context *ssl, 00367 const unsigned char *buf, 00368 size_t len ) 00369 { 00370 int ret; 00371 size_t servername_list_size, hostname_len; 00372 const unsigned char *p; 00373 00374 SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) ); 00375 00376 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00377 if( servername_list_size + 2 != len ) 00378 { 00379 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00380 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00381 } 00382 00383 p = buf + 2; 00384 while( servername_list_size > 0 ) 00385 { 00386 hostname_len = ( ( p[1] << 8 ) | p[2] ); 00387 if( hostname_len + 3 > servername_list_size ) 00388 { 00389 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00390 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00391 } 00392 00393 if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME ) 00394 { 00395 ret = ssl_sni_wrapper( ssl, p + 3, hostname_len ); 00396 if( ret != 0 ) 00397 { 00398 SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret ); 00399 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL, 00400 SSL_ALERT_MSG_UNRECOGNIZED_NAME ); 00401 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00402 } 00403 return( 0 ); 00404 } 00405 00406 servername_list_size -= hostname_len + 3; 00407 p += hostname_len + 3; 00408 } 00409 00410 if( servername_list_size != 0 ) 00411 { 00412 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00413 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00414 } 00415 00416 return( 0 ); 00417 } 00418 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */ 00419 00420 static int ssl_parse_renegotiation_info( ssl_context *ssl, 00421 const unsigned char *buf, 00422 size_t len ) 00423 { 00424 int ret; 00425 00426 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) 00427 { 00428 if( len != 1 || buf[0] != 0x0 ) 00429 { 00430 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) ); 00431 00432 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 00433 return( ret ); 00434 00435 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00436 } 00437 00438 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION; 00439 } 00440 else 00441 { 00442 /* Check verify-data in constant-time. The length OTOH is no secret */ 00443 if( len != 1 + ssl->verify_data_len || 00444 buf[0] != ssl->verify_data_len || 00445 safer_memcmp( buf + 1, ssl->peer_verify_data, 00446 ssl->verify_data_len ) != 0 ) 00447 { 00448 SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) ); 00449 00450 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 00451 return( ret ); 00452 00453 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00454 } 00455 } 00456 00457 return( 0 ); 00458 } 00459 00460 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 00461 static int ssl_parse_signature_algorithms_ext( ssl_context *ssl, 00462 const unsigned char *buf, 00463 size_t len ) 00464 { 00465 size_t sig_alg_list_size; 00466 const unsigned char *p; 00467 00468 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00469 if( sig_alg_list_size + 2 != len || 00470 sig_alg_list_size %2 != 0 ) 00471 { 00472 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00473 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00474 } 00475 00476 p = buf + 2; 00477 while( sig_alg_list_size > 0 ) 00478 { 00479 /* 00480 * For now, just ignore signature algorithm and rely on offered 00481 * ciphersuites only. To be fixed later. 00482 */ 00483 #if defined(POLARSSL_SHA512_C) 00484 if( p[0] == SSL_HASH_SHA512 ) 00485 { 00486 ssl->handshake->sig_alg = SSL_HASH_SHA512; 00487 break; 00488 } 00489 if( p[0] == SSL_HASH_SHA384 ) 00490 { 00491 ssl->handshake->sig_alg = SSL_HASH_SHA384; 00492 break; 00493 } 00494 #endif /* POLARSSL_SHA512_C */ 00495 #if defined(POLARSSL_SHA256_C) 00496 if( p[0] == SSL_HASH_SHA256 ) 00497 { 00498 ssl->handshake->sig_alg = SSL_HASH_SHA256; 00499 break; 00500 } 00501 if( p[0] == SSL_HASH_SHA224 ) 00502 { 00503 ssl->handshake->sig_alg = SSL_HASH_SHA224; 00504 break; 00505 } 00506 #endif /* POLARSSL_SHA256_C */ 00507 if( p[0] == SSL_HASH_SHA1 ) 00508 { 00509 ssl->handshake->sig_alg = SSL_HASH_SHA1; 00510 break; 00511 } 00512 if( p[0] == SSL_HASH_MD5 ) 00513 { 00514 ssl->handshake->sig_alg = SSL_HASH_MD5; 00515 break; 00516 } 00517 00518 sig_alg_list_size -= 2; 00519 p += 2; 00520 } 00521 00522 SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d", 00523 ssl->handshake->sig_alg ) ); 00524 00525 return( 0 ); 00526 } 00527 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ 00528 00529 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) 00530 static int ssl_parse_supported_elliptic_curves( ssl_context *ssl, 00531 const unsigned char *buf, 00532 size_t len ) 00533 { 00534 size_t list_size, our_size; 00535 const unsigned char *p; 00536 const ecp_curve_info *curve_info, **curves; 00537 00538 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00539 if( list_size + 2 != len || 00540 list_size % 2 != 0 ) 00541 { 00542 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00543 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00544 } 00545 00546 /* Don't allow our peer to make us allocate too much memory, 00547 * and leave room for a final 0 */ 00548 our_size = list_size / 2 + 1; 00549 if( our_size > POLARSSL_ECP_DP_MAX ) 00550 our_size = POLARSSL_ECP_DP_MAX; 00551 00552 if( ( curves = polarssl_malloc( our_size * sizeof( *curves ) ) ) == NULL ) 00553 return( POLARSSL_ERR_SSL_MALLOC_FAILED ); 00554 00555 /* explicit void pointer cast for buggy MS compiler */ 00556 memset( (void *) curves, 0, our_size * sizeof( *curves ) ); 00557 ssl->handshake->curves = curves; 00558 00559 p = buf + 2; 00560 while( list_size > 0 && our_size > 1 ) 00561 { 00562 curve_info = ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] ); 00563 00564 if( curve_info != NULL ) 00565 { 00566 *curves++ = curve_info; 00567 our_size--; 00568 } 00569 00570 list_size -= 2; 00571 p += 2; 00572 } 00573 00574 return( 0 ); 00575 } 00576 00577 static int ssl_parse_supported_point_formats( ssl_context *ssl, 00578 const unsigned char *buf, 00579 size_t len ) 00580 { 00581 size_t list_size; 00582 const unsigned char *p; 00583 00584 list_size = buf[0]; 00585 if( list_size + 1 != len ) 00586 { 00587 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00588 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00589 } 00590 00591 p = buf + 2; 00592 while( list_size > 0 ) 00593 { 00594 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED || 00595 p[0] == POLARSSL_ECP_PF_COMPRESSED ) 00596 { 00597 ssl->handshake->ecdh_ctx.point_format = p[0]; 00598 SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 00599 return( 0 ); 00600 } 00601 00602 list_size--; 00603 p++; 00604 } 00605 00606 return( 0 ); 00607 } 00608 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */ 00609 00610 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) 00611 static int ssl_parse_max_fragment_length_ext( ssl_context *ssl, 00612 const unsigned char *buf, 00613 size_t len ) 00614 { 00615 if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID ) 00616 { 00617 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00618 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00619 } 00620 00621 ssl->session_negotiate->mfl_code = buf[0]; 00622 00623 return( 0 ); 00624 } 00625 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */ 00626 00627 #if defined(POLARSSL_SSL_TRUNCATED_HMAC) 00628 static int ssl_parse_truncated_hmac_ext( ssl_context *ssl, 00629 const unsigned char *buf, 00630 size_t len ) 00631 { 00632 if( len != 0 ) 00633 { 00634 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00635 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00636 } 00637 00638 ((void) buf); 00639 00640 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED; 00641 00642 return( 0 ); 00643 } 00644 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */ 00645 00646 #if defined(POLARSSL_SSL_SESSION_TICKETS) 00647 static int ssl_parse_session_ticket_ext( ssl_context *ssl, 00648 unsigned char *buf, 00649 size_t len ) 00650 { 00651 int ret; 00652 00653 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED ) 00654 return( 0 ); 00655 00656 /* Remember the client asked us to send a new ticket */ 00657 ssl->handshake->new_session_ticket = 1; 00658 00659 SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) ); 00660 00661 if( len == 0 ) 00662 return( 0 ); 00663 00664 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) 00665 { 00666 SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) ); 00667 return( 0 ); 00668 } 00669 00670 /* 00671 * Failures are ok: just ignore the ticket and proceed. 00672 */ 00673 if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 ) 00674 { 00675 SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret ); 00676 return( 0 ); 00677 } 00678 00679 SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) ); 00680 00681 ssl->handshake->resume = 1; 00682 00683 /* Don't send a new ticket after all, this one is OK */ 00684 ssl->handshake->new_session_ticket = 0; 00685 00686 return( 0 ); 00687 } 00688 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 00689 00690 #if defined(POLARSSL_SSL_ALPN) 00691 static int ssl_parse_alpn_ext( ssl_context *ssl, 00692 unsigned char *buf, size_t len ) 00693 { 00694 size_t list_len, cur_len; 00695 const unsigned char *theirs, *start, *end; 00696 const char **ours; 00697 00698 /* If ALPN not configured, just ignore the extension */ 00699 if( ssl->alpn_list == NULL ) 00700 return( 0 ); 00701 00702 /* 00703 * opaque ProtocolName<1..2^8-1>; 00704 * 00705 * struct { 00706 * ProtocolName protocol_name_list<2..2^16-1> 00707 * } ProtocolNameList; 00708 */ 00709 00710 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 00711 if( len < 4 ) 00712 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00713 00714 list_len = ( buf[0] << 8 ) | buf[1]; 00715 if( list_len != len - 2 ) 00716 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00717 00718 /* 00719 * Use our order of preference 00720 */ 00721 start = buf + 2; 00722 end = buf + len; 00723 for( ours = ssl->alpn_list; *ours != NULL; ours++ ) 00724 { 00725 for( theirs = start; theirs != end; theirs += cur_len ) 00726 { 00727 /* If the list is well formed, we should get equality first */ 00728 if( theirs > end ) 00729 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00730 00731 cur_len = *theirs++; 00732 00733 /* Empty strings MUST NOT be included */ 00734 if( cur_len == 0 ) 00735 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00736 00737 if( cur_len == strlen( *ours ) && 00738 memcmp( theirs, *ours, cur_len ) == 0 ) 00739 { 00740 ssl->alpn_chosen = *ours; 00741 return( 0 ); 00742 } 00743 } 00744 } 00745 00746 /* If we get there, no match was found */ 00747 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL, 00748 SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL ); 00749 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00750 } 00751 #endif /* POLARSSL_SSL_ALPN */ 00752 00753 /* 00754 * Auxiliary functions for ServerHello parsing and related actions 00755 */ 00756 00757 #if defined(POLARSSL_X509_CRT_PARSE_C) 00758 /* 00759 * Return 1 if the given EC key uses the given curve, 0 otherwise 00760 */ 00761 #if defined(POLARSSL_ECDSA_C) 00762 static int ssl_key_matches_curves( pk_context *pk, 00763 const ecp_curve_info **curves ) 00764 { 00765 const ecp_curve_info **crv = curves; 00766 ecp_group_id grp_id = pk_ec( *pk )->grp.id; 00767 00768 while( *crv != NULL ) 00769 { 00770 if( (*crv)->grp_id == grp_id ) 00771 return( 1 ); 00772 crv++; 00773 } 00774 00775 return( 0 ); 00776 } 00777 #endif /* POLARSSL_ECDSA_C */ 00778 00779 /* 00780 * Try picking a certificate for this ciphersuite, 00781 * return 0 on success and -1 on failure. 00782 */ 00783 static int ssl_pick_cert( ssl_context *ssl, 00784 const ssl_ciphersuite_t * ciphersuite_info ) 00785 { 00786 ssl_key_cert *cur, *list; 00787 pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 00788 00789 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) 00790 if( ssl->handshake->sni_key_cert != NULL ) 00791 list = ssl->handshake->sni_key_cert; 00792 else 00793 #endif 00794 list = ssl->handshake->key_cert; 00795 00796 if( pk_alg == POLARSSL_PK_NONE ) 00797 return( 0 ); 00798 00799 for( cur = list; cur != NULL; cur = cur->next ) 00800 { 00801 if( ! pk_can_do( cur->key, pk_alg ) ) 00802 continue; 00803 00804 /* 00805 * This avoids sending the client a cert it'll reject based on 00806 * keyUsage or other extensions. 00807 * 00808 * It also allows the user to provision different certificates for 00809 * different uses based on keyUsage, eg if they want to avoid signing 00810 * and decrypting with the same RSA key. 00811 */ 00812 if( ssl_check_cert_usage( cur->cert, ciphersuite_info, 00813 SSL_IS_SERVER ) != 0 ) 00814 { 00815 continue; 00816 } 00817 00818 #if defined(POLARSSL_ECDSA_C) 00819 if( pk_alg == POLARSSL_PK_ECDSA ) 00820 { 00821 if( ssl_key_matches_curves( cur->key, ssl->handshake->curves ) ) 00822 break; 00823 } 00824 else 00825 #endif 00826 break; 00827 } 00828 00829 if( cur == NULL ) 00830 return( -1 ); 00831 00832 ssl->handshake->key_cert = cur; 00833 return( 0 ); 00834 } 00835 #endif /* POLARSSL_X509_CRT_PARSE_C */ 00836 00837 /* 00838 * Check if a given ciphersuite is suitable for use with our config/keys/etc 00839 * Sets ciphersuite_info only if the suite matches. 00840 */ 00841 static int ssl_ciphersuite_match( ssl_context *ssl, int suite_id, 00842 const ssl_ciphersuite_t **ciphersuite_info ) 00843 { 00844 const ssl_ciphersuite_t *suite_info; 00845 00846 suite_info = ssl_ciphersuite_from_id( suite_id ); 00847 if( suite_info == NULL ) 00848 { 00849 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", suite_id ) ); 00850 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 00851 } 00852 00853 if( suite_info->min_minor_ver > ssl->minor_ver || 00854 suite_info->max_minor_ver < ssl->minor_ver ) 00855 return( 0 ); 00856 00857 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) 00858 if( ssl_ciphersuite_uses_ec( suite_info ) && 00859 ( ssl->handshake->curves == NULL || 00860 ssl->handshake->curves[0] == NULL ) ) 00861 return( 0 ); 00862 #endif 00863 00864 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) 00865 /* If the ciphersuite requires a pre-shared key and we don't 00866 * have one, skip it now rather than failing later */ 00867 if( ssl_ciphersuite_uses_psk( suite_info ) && 00868 ssl->f_psk == NULL && 00869 ( ssl->psk == NULL || ssl->psk_identity == NULL || 00870 ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) ) 00871 return( 0 ); 00872 #endif 00873 00874 #if defined(POLARSSL_X509_CRT_PARSE_C) 00875 /* 00876 * Final check: if ciphersuite requires us to have a 00877 * certificate/key of a particular type: 00878 * - select the appropriate certificate if we have one, or 00879 * - try the next ciphersuite if we don't 00880 * This must be done last since we modify the key_cert list. 00881 */ 00882 if( ssl_pick_cert( ssl, suite_info ) != 0 ) 00883 return( 0 ); 00884 #endif 00885 00886 *ciphersuite_info = suite_info; 00887 return( 0 ); 00888 } 00889 00890 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) 00891 static int ssl_parse_client_hello_v2( ssl_context *ssl ) 00892 { 00893 int ret; 00894 unsigned int i, j; 00895 size_t n; 00896 unsigned int ciph_len, sess_len, chal_len; 00897 unsigned char *buf, *p; 00898 const int *ciphersuites; 00899 const ssl_ciphersuite_t *ciphersuite_info; 00900 00901 SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) ); 00902 00903 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) 00904 { 00905 SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) ); 00906 00907 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 00908 return( ret ); 00909 00910 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00911 } 00912 00913 buf = ssl->in_hdr; 00914 00915 SSL_DEBUG_BUF( 4, "record header", buf, 5 ); 00916 00917 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d", 00918 buf[2] ) ); 00919 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d", 00920 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) ); 00921 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]", 00922 buf[3], buf[4] ) ); 00923 00924 /* 00925 * SSLv2 Client Hello 00926 * 00927 * Record layer: 00928 * 0 . 1 message length 00929 * 00930 * SSL layer: 00931 * 2 . 2 message type 00932 * 3 . 4 protocol version 00933 */ 00934 if( buf[2] != SSL_HS_CLIENT_HELLO || 00935 buf[3] != SSL_MAJOR_VERSION_3 ) 00936 { 00937 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00938 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00939 } 00940 00941 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF; 00942 00943 if( n < 17 || n > 512 ) 00944 { 00945 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00946 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00947 } 00948 00949 ssl->major_ver = SSL_MAJOR_VERSION_3; 00950 ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver ) 00951 ? buf[4] : ssl->max_minor_ver; 00952 00953 if( ssl->minor_ver < ssl->min_minor_ver ) 00954 { 00955 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" 00956 " [%d:%d] < [%d:%d]", 00957 ssl->major_ver, ssl->minor_ver, 00958 ssl->min_major_ver, ssl->min_minor_ver ) ); 00959 00960 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL, 00961 SSL_ALERT_MSG_PROTOCOL_VERSION ); 00962 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 00963 } 00964 00965 ssl->handshake->max_major_ver = buf[3]; 00966 ssl->handshake->max_minor_ver = buf[4]; 00967 00968 if( ( ret = ssl_fetch_input ( ssl, 2 + n ) ) != 0 ) 00969 { 00970 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); 00971 return( ret ); 00972 } 00973 00974 ssl->handshake->update_checksum( ssl, buf + 2, n ); 00975 00976 buf = ssl->in_msg; 00977 n = ssl->in_left - 5; 00978 00979 /* 00980 * 0 . 1 ciphersuitelist length 00981 * 2 . 3 session id length 00982 * 4 . 5 challenge length 00983 * 6 . .. ciphersuitelist 00984 * .. . .. session id 00985 * .. . .. challenge 00986 */ 00987 SSL_DEBUG_BUF( 4, "record contents", buf, n ); 00988 00989 ciph_len = ( buf[0] << 8 ) | buf[1]; 00990 sess_len = ( buf[2] << 8 ) | buf[3]; 00991 chal_len = ( buf[4] << 8 ) | buf[5]; 00992 00993 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d", 00994 ciph_len, sess_len, chal_len ) ); 00995 00996 /* 00997 * Make sure each parameter length is valid 00998 */ 00999 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 ) 01000 { 01001 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01002 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01003 } 01004 01005 if( sess_len > 32 ) 01006 { 01007 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01008 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01009 } 01010 01011 if( chal_len < 8 || chal_len > 32 ) 01012 { 01013 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01014 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01015 } 01016 01017 if( n != 6 + ciph_len + sess_len + chal_len ) 01018 { 01019 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01020 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01021 } 01022 01023 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", 01024 buf + 6, ciph_len ); 01025 SSL_DEBUG_BUF( 3, "client hello, session id", 01026 buf + 6 + ciph_len, sess_len ); 01027 SSL_DEBUG_BUF( 3, "client hello, challenge", 01028 buf + 6 + ciph_len + sess_len, chal_len ); 01029 01030 p = buf + 6 + ciph_len; 01031 ssl->session_negotiate->length = sess_len; 01032 memset( ssl->session_negotiate->id, 0, 01033 sizeof( ssl->session_negotiate->id ) ); 01034 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length ); 01035 01036 p += sess_len; 01037 memset( ssl->handshake->randbytes, 0, 64 ); 01038 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len ); 01039 01040 /* 01041 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV 01042 */ 01043 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) 01044 { 01045 if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO ) 01046 { 01047 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); 01048 if( ssl->renegotiation == SSL_RENEGOTIATION ) 01049 { 01050 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) ); 01051 01052 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01053 return( ret ); 01054 01055 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01056 } 01057 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION; 01058 break; 01059 } 01060 } 01061 01062 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver]; 01063 ciphersuite_info = NULL; 01064 #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE) 01065 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) 01066 { 01067 for( i = 0; ciphersuites[i] != 0; i++ ) 01068 #else 01069 for( i = 0; ciphersuites[i] != 0; i++ ) 01070 { 01071 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) 01072 #endif 01073 { 01074 if( p[0] != 0 || 01075 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || 01076 p[2] != ( ( ciphersuites[i] ) & 0xFF ) ) 01077 continue; 01078 01079 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], 01080 &ciphersuite_info ) ) != 0 ) 01081 return( ret ); 01082 01083 if( ciphersuite_info != NULL ) 01084 goto have_ciphersuite_v2; 01085 } 01086 } 01087 01088 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); 01089 01090 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN ); 01091 01092 have_ciphersuite_v2: 01093 ssl->session_negotiate->ciphersuite = ciphersuites[i]; 01094 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info; 01095 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); 01096 01097 /* 01098 * SSLv2 Client Hello relevant renegotiation security checks 01099 */ 01100 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION && 01101 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE ) 01102 { 01103 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01104 01105 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01106 return( ret ); 01107 01108 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01109 } 01110 01111 ssl->in_left = 0; 01112 ssl->state++; 01113 01114 SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) ); 01115 01116 return( 0 ); 01117 } 01118 #endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */ 01119 01120 static int ssl_parse_client_hello( ssl_context *ssl ) 01121 { 01122 int ret; 01123 unsigned int i, j; 01124 size_t n; 01125 unsigned int ciph_len, sess_len; 01126 unsigned int comp_len; 01127 unsigned int ext_len = 0; 01128 unsigned char *buf, *p, *ext; 01129 int renegotiation_info_seen = 0; 01130 int handshake_failure = 0; 01131 const int *ciphersuites; 01132 const ssl_ciphersuite_t *ciphersuite_info; 01133 01134 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); 01135 01136 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE && 01137 ( ret = ssl_fetch_input ( ssl, 5 ) ) != 0 ) 01138 { 01139 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); 01140 return( ret ); 01141 } 01142 01143 buf = ssl->in_hdr; 01144 01145 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) 01146 if( ( buf[0] & 0x80 ) != 0 ) 01147 return ssl_parse_client_hello_v2( ssl ); 01148 #endif 01149 01150 SSL_DEBUG_BUF( 4, "record header", buf, 5 ); 01151 01152 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d", 01153 buf[0] ) ); 01154 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d", 01155 ( buf[3] << 8 ) | buf[4] ) ); 01156 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]", 01157 buf[1], buf[2] ) ); 01158 01159 /* 01160 * SSLv3/TLS Client Hello 01161 * 01162 * Record layer: 01163 * 0 . 0 message type 01164 * 1 . 2 protocol version 01165 * 3 . 4 message length 01166 */ 01167 01168 /* According to RFC 5246 Appendix E.1, the version here is typically 01169 * "{03,00}, the lowest version number supported by the client, [or] the 01170 * value of ClientHello.client_version", so the only meaningful check here 01171 * is the major version shouldn't be less than 3 */ 01172 if( buf[0] != SSL_MSG_HANDSHAKE || 01173 buf[1] < SSL_MAJOR_VERSION_3 ) 01174 { 01175 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01176 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01177 } 01178 01179 n = ( buf[3] << 8 ) | buf[4]; 01180 01181 if( n < 45 || n > SSL_MAX_CONTENT_LEN ) 01182 { 01183 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01184 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01185 } 01186 01187 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE && 01188 ( ret = ssl_fetch_input ( ssl, 5 + n ) ) != 0 ) 01189 { 01190 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); 01191 return( ret ); 01192 } 01193 01194 buf = ssl->in_msg; 01195 if( !ssl->renegotiation ) 01196 n = ssl->in_left - 5; 01197 else 01198 n = ssl->in_msglen; 01199 01200 ssl->handshake->update_checksum( ssl, buf, n ); 01201 01202 /* 01203 * SSL layer: 01204 * 0 . 0 handshake type 01205 * 1 . 3 handshake length 01206 * 4 . 5 protocol version 01207 * 6 . 9 UNIX time() 01208 * 10 . 37 random bytes 01209 * 38 . 38 session id length 01210 * 39 . 38+x session id 01211 * 39+x . 40+x ciphersuitelist length 01212 * 41+x . .. ciphersuitelist 01213 * .. . .. compression alg. 01214 * .. . .. extensions 01215 */ 01216 SSL_DEBUG_BUF( 4, "record contents", buf, n ); 01217 01218 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", 01219 buf[0] ) ); 01220 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d", 01221 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) ); 01222 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]", 01223 buf[4], buf[5] ) ); 01224 01225 /* 01226 * Check the handshake type and protocol version 01227 */ 01228 if( buf[0] != SSL_HS_CLIENT_HELLO ) 01229 { 01230 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01231 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01232 } 01233 01234 ssl->major_ver = buf[4]; 01235 ssl->minor_ver = buf[5]; 01236 01237 ssl->handshake->max_major_ver = ssl->major_ver; 01238 ssl->handshake->max_minor_ver = ssl->minor_ver; 01239 01240 if( ssl->major_ver < ssl->min_major_ver || 01241 ssl->minor_ver < ssl->min_minor_ver ) 01242 { 01243 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" 01244 " [%d:%d] < [%d:%d]", 01245 ssl->major_ver, ssl->minor_ver, 01246 ssl->min_major_ver, ssl->min_minor_ver ) ); 01247 01248 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL, 01249 SSL_ALERT_MSG_PROTOCOL_VERSION ); 01250 01251 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01252 } 01253 01254 if( ssl->major_ver > ssl->max_major_ver ) 01255 { 01256 ssl->major_ver = ssl->max_major_ver; 01257 ssl->minor_ver = ssl->max_minor_ver; 01258 } 01259 else if( ssl->minor_ver > ssl->max_minor_ver ) 01260 ssl->minor_ver = ssl->max_minor_ver; 01261 01262 memcpy( ssl->handshake->randbytes, buf + 6, 32 ); 01263 01264 /* 01265 * Check the handshake message length 01266 */ 01267 if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) ) 01268 { 01269 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01270 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01271 } 01272 01273 /* 01274 * Check the session length 01275 */ 01276 sess_len = buf[38]; 01277 01278 if( sess_len > 32 ) 01279 { 01280 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01281 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01282 } 01283 01284 ssl->session_negotiate->length = sess_len; 01285 memset( ssl->session_negotiate->id, 0, 01286 sizeof( ssl->session_negotiate->id ) ); 01287 memcpy( ssl->session_negotiate->id, buf + 39, 01288 ssl->session_negotiate->length ); 01289 01290 /* 01291 * Check the ciphersuitelist length 01292 */ 01293 ciph_len = ( buf[39 + sess_len] << 8 ) 01294 | ( buf[40 + sess_len] ); 01295 01296 if( ciph_len < 2 || ( ciph_len % 2 ) != 0 ) 01297 { 01298 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01299 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01300 } 01301 01302 /* 01303 * Check the compression algorithms length 01304 */ 01305 comp_len = buf[41 + sess_len + ciph_len]; 01306 01307 if( comp_len < 1 || comp_len > 16 ) 01308 { 01309 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01310 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01311 } 01312 01313 /* 01314 * Check the extension length 01315 */ 01316 if( n > 42 + sess_len + ciph_len + comp_len ) 01317 { 01318 ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 ) 01319 | ( buf[43 + sess_len + ciph_len + comp_len] ); 01320 01321 if( ( ext_len > 0 && ext_len < 4 ) || 01322 n != 44 + sess_len + ciph_len + comp_len + ext_len ) 01323 { 01324 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01325 SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len); 01326 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01327 } 01328 } 01329 01330 ssl->session_negotiate->compression = SSL_COMPRESS_NULL; 01331 #if defined(POLARSSL_ZLIB_SUPPORT) 01332 for( i = 0; i < comp_len; ++i ) 01333 { 01334 if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE ) 01335 { 01336 ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE; 01337 break; 01338 } 01339 } 01340 #endif 01341 01342 SSL_DEBUG_BUF( 3, "client hello, random bytes", 01343 buf + 6, 32 ); 01344 SSL_DEBUG_BUF( 3, "client hello, session id", 01345 buf + 38, sess_len ); 01346 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", 01347 buf + 41 + sess_len, ciph_len ); 01348 SSL_DEBUG_BUF( 3, "client hello, compression", 01349 buf + 42 + sess_len + ciph_len, comp_len ); 01350 01351 /* 01352 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV 01353 */ 01354 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 ) 01355 { 01356 if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO ) 01357 { 01358 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); 01359 if( ssl->renegotiation == SSL_RENEGOTIATION ) 01360 { 01361 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) ); 01362 01363 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01364 return( ret ); 01365 01366 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01367 } 01368 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION; 01369 break; 01370 } 01371 } 01372 01373 ext = buf + 44 + sess_len + ciph_len + comp_len; 01374 01375 while( ext_len ) 01376 { 01377 unsigned int ext_id = ( ( ext[0] << 8 ) 01378 | ( ext[1] ) ); 01379 unsigned int ext_size = ( ( ext[2] << 8 ) 01380 | ( ext[3] ) ); 01381 01382 if( ext_size + 4 > ext_len ) 01383 { 01384 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01385 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01386 } 01387 switch( ext_id ) 01388 { 01389 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) 01390 case TLS_EXT_SERVERNAME: 01391 SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) ); 01392 if( ssl->f_sni == NULL ) 01393 break; 01394 01395 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size ); 01396 if( ret != 0 ) 01397 return( ret ); 01398 break; 01399 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */ 01400 01401 case TLS_EXT_RENEGOTIATION_INFO: 01402 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01403 renegotiation_info_seen = 1; 01404 01405 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ); 01406 if( ret != 0 ) 01407 return( ret ); 01408 break; 01409 01410 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 01411 case TLS_EXT_SIG_ALG: 01412 SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); 01413 if( ssl->renegotiation == SSL_RENEGOTIATION ) 01414 break; 01415 01416 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size ); 01417 if( ret != 0 ) 01418 return( ret ); 01419 break; 01420 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ 01421 01422 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) 01423 case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES: 01424 SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) ); 01425 01426 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size ); 01427 if( ret != 0 ) 01428 return( ret ); 01429 break; 01430 01431 case TLS_EXT_SUPPORTED_POINT_FORMATS: 01432 SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) ); 01433 ssl->handshake->cli_exts |= TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT; 01434 01435 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size ); 01436 if( ret != 0 ) 01437 return( ret ); 01438 break; 01439 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */ 01440 01441 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) 01442 case TLS_EXT_MAX_FRAGMENT_LENGTH: 01443 SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) ); 01444 01445 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size ); 01446 if( ret != 0 ) 01447 return( ret ); 01448 break; 01449 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */ 01450 01451 #if defined(POLARSSL_SSL_TRUNCATED_HMAC) 01452 case TLS_EXT_TRUNCATED_HMAC: 01453 SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) ); 01454 01455 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size ); 01456 if( ret != 0 ) 01457 return( ret ); 01458 break; 01459 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */ 01460 01461 #if defined(POLARSSL_SSL_SESSION_TICKETS) 01462 case TLS_EXT_SESSION_TICKET: 01463 SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) ); 01464 01465 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size ); 01466 if( ret != 0 ) 01467 return( ret ); 01468 break; 01469 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 01470 01471 #if defined(POLARSSL_SSL_ALPN) 01472 case TLS_EXT_ALPN: 01473 SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 01474 01475 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ); 01476 if( ret != 0 ) 01477 return( ret ); 01478 break; 01479 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 01480 01481 default: 01482 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 01483 ext_id ) ); 01484 } 01485 01486 ext_len -= 4 + ext_size; 01487 ext += 4 + ext_size; 01488 01489 if( ext_len > 0 && ext_len < 4 ) 01490 { 01491 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01492 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01493 } 01494 } 01495 01496 /* 01497 * Renegotiation security checks 01498 */ 01499 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION && 01500 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE ) 01501 { 01502 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01503 handshake_failure = 1; 01504 } 01505 else if( ssl->renegotiation == SSL_RENEGOTIATION && 01506 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION && 01507 renegotiation_info_seen == 0 ) 01508 { 01509 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 01510 handshake_failure = 1; 01511 } 01512 else if( ssl->renegotiation == SSL_RENEGOTIATION && 01513 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION && 01514 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION ) 01515 { 01516 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 01517 handshake_failure = 1; 01518 } 01519 else if( ssl->renegotiation == SSL_RENEGOTIATION && 01520 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION && 01521 renegotiation_info_seen == 1 ) 01522 { 01523 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 01524 handshake_failure = 1; 01525 } 01526 01527 if( handshake_failure == 1 ) 01528 { 01529 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01530 return( ret ); 01531 01532 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01533 } 01534 01535 /* 01536 * Search for a matching ciphersuite 01537 * (At the end because we need information from the EC-based extensions 01538 * and certificate from the SNI callback triggered by the SNI extension.) 01539 */ 01540 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver]; 01541 ciphersuite_info = NULL; 01542 #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE) 01543 for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 ) 01544 { 01545 for( i = 0; ciphersuites[i] != 0; i++ ) 01546 #else 01547 for( i = 0; ciphersuites[i] != 0; i++ ) 01548 { 01549 for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 ) 01550 #endif 01551 { 01552 if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || 01553 p[1] != ( ( ciphersuites[i] ) & 0xFF ) ) 01554 continue; 01555 01556 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], 01557 &ciphersuite_info ) ) != 0 ) 01558 return( ret ); 01559 01560 if( ciphersuite_info != NULL ) 01561 goto have_ciphersuite; 01562 } 01563 } 01564 01565 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); 01566 01567 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01568 return( ret ); 01569 01570 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN ); 01571 01572 have_ciphersuite: 01573 ssl->session_negotiate->ciphersuite = ciphersuites[i]; 01574 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info; 01575 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); 01576 01577 ssl->in_left = 0; 01578 ssl->state++; 01579 01580 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) ); 01581 01582 return( 0 ); 01583 } 01584 01585 #if defined(POLARSSL_SSL_TRUNCATED_HMAC) 01586 static void ssl_write_truncated_hmac_ext( ssl_context *ssl, 01587 unsigned char *buf, 01588 size_t *olen ) 01589 { 01590 unsigned char *p = buf; 01591 01592 if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED ) 01593 { 01594 *olen = 0; 01595 return; 01596 } 01597 01598 SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) ); 01599 01600 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 01601 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 01602 01603 *p++ = 0x00; 01604 *p++ = 0x00; 01605 01606 *olen = 4; 01607 } 01608 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */ 01609 01610 #if defined(POLARSSL_SSL_SESSION_TICKETS) 01611 static void ssl_write_session_ticket_ext( ssl_context *ssl, 01612 unsigned char *buf, 01613 size_t *olen ) 01614 { 01615 unsigned char *p = buf; 01616 01617 if( ssl->handshake->new_session_ticket == 0 ) 01618 { 01619 *olen = 0; 01620 return; 01621 } 01622 01623 SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) ); 01624 01625 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 01626 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF ); 01627 01628 *p++ = 0x00; 01629 *p++ = 0x00; 01630 01631 *olen = 4; 01632 } 01633 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 01634 01635 static void ssl_write_renegotiation_ext( ssl_context *ssl, 01636 unsigned char *buf, 01637 size_t *olen ) 01638 { 01639 unsigned char *p = buf; 01640 01641 if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION ) 01642 { 01643 *olen = 0; 01644 return; 01645 } 01646 01647 SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) ); 01648 01649 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 01650 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 01651 01652 *p++ = 0x00; 01653 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF; 01654 *p++ = ssl->verify_data_len * 2 & 0xFF; 01655 01656 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len ); 01657 p += ssl->verify_data_len; 01658 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 01659 p += ssl->verify_data_len; 01660 01661 *olen = 5 + ssl->verify_data_len * 2; 01662 } 01663 01664 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) 01665 static void ssl_write_max_fragment_length_ext( ssl_context *ssl, 01666 unsigned char *buf, 01667 size_t *olen ) 01668 { 01669 unsigned char *p = buf; 01670 01671 if( ssl->session_negotiate->mfl_code == SSL_MAX_FRAG_LEN_NONE ) 01672 { 01673 *olen = 0; 01674 return; 01675 } 01676 01677 SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) ); 01678 01679 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 01680 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 01681 01682 *p++ = 0x00; 01683 *p++ = 1; 01684 01685 *p++ = ssl->session_negotiate->mfl_code; 01686 01687 *olen = 5; 01688 } 01689 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */ 01690 01691 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) 01692 static void ssl_write_supported_point_formats_ext( ssl_context *ssl, 01693 unsigned char *buf, 01694 size_t *olen ) 01695 { 01696 unsigned char *p = buf; 01697 ((void) ssl); 01698 01699 if( ( ssl->handshake->cli_exts & 01700 TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 ) 01701 { 01702 *olen = 0; 01703 return; 01704 } 01705 01706 SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) ); 01707 01708 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 01709 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 01710 01711 *p++ = 0x00; 01712 *p++ = 2; 01713 01714 *p++ = 1; 01715 *p++ = POLARSSL_ECP_PF_UNCOMPRESSED; 01716 01717 *olen = 6; 01718 } 01719 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */ 01720 01721 #if defined(POLARSSL_SSL_ALPN ) 01722 static void ssl_write_alpn_ext( ssl_context *ssl, 01723 unsigned char *buf, size_t *olen ) 01724 { 01725 if( ssl->alpn_chosen == NULL ) 01726 { 01727 *olen = 0; 01728 return; 01729 } 01730 01731 SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) ); 01732 01733 /* 01734 * 0 . 1 ext identifier 01735 * 2 . 3 ext length 01736 * 4 . 5 protocol list length 01737 * 6 . 6 protocol name length 01738 * 7 . 7+n protocol name 01739 */ 01740 buf[0] = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF ); 01741 buf[1] = (unsigned char)( ( TLS_EXT_ALPN ) & 0xFF ); 01742 01743 *olen = 7 + strlen( ssl->alpn_chosen ); 01744 01745 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 01746 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 01747 01748 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 01749 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 01750 01751 buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF ); 01752 01753 memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 ); 01754 } 01755 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */ 01756 01757 static int ssl_write_server_hello( ssl_context *ssl ) 01758 { 01759 #if defined(POLARSSL_HAVE_TIME) 01760 time_t t; 01761 #endif 01762 int ret; 01763 size_t olen, ext_len = 0, n; 01764 unsigned char *buf, *p; 01765 01766 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); 01767 01768 if( ssl->f_rng == NULL ) 01769 { 01770 SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 01771 return( POLARSSL_ERR_SSL_NO_RNG ); 01772 } 01773 01774 /* 01775 * 0 . 0 handshake type 01776 * 1 . 3 handshake length 01777 * 4 . 5 protocol version 01778 * 6 . 9 UNIX time() 01779 * 10 . 37 random bytes 01780 */ 01781 buf = ssl->out_msg; 01782 p = buf + 4; 01783 01784 *p++ = (unsigned char) ssl->major_ver; 01785 *p++ = (unsigned char) ssl->minor_ver; 01786 01787 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]", 01788 buf[4], buf[5] ) ); 01789 01790 #if defined(POLARSSL_HAVE_TIME) 01791 t = time( NULL ); 01792 *p++ = (unsigned char)( t >> 24 ); 01793 *p++ = (unsigned char)( t >> 16 ); 01794 *p++ = (unsigned char)( t >> 8 ); 01795 *p++ = (unsigned char)( t ); 01796 01797 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); 01798 #else 01799 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 ) 01800 return( ret ); 01801 01802 p += 4; 01803 #endif /* POLARSSL_HAVE_TIME */ 01804 01805 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 ) 01806 return( ret ); 01807 01808 p += 28; 01809 01810 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 ); 01811 01812 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 ); 01813 01814 /* 01815 * Resume is 0 by default, see ssl_handshake_init(). 01816 * It may be already set to 1 by ssl_parse_session_ticket_ext(). 01817 * If not, try looking up session ID in our cache. 01818 */ 01819 if( ssl->handshake->resume == 0 && 01820 ssl->renegotiation == SSL_INITIAL_HANDSHAKE && 01821 ssl->session_negotiate->length != 0 && 01822 ssl->f_get_cache != NULL && 01823 ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 ) 01824 { 01825 SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) ); 01826 ssl->handshake->resume = 1; 01827 } 01828 01829 if( ssl->handshake->resume == 0 ) 01830 { 01831 /* 01832 * New session, create a new session id, 01833 * unless we're about to issue a session ticket 01834 */ 01835 ssl->state++; 01836 01837 #if defined(POLARSSL_HAVE_TIME) 01838 ssl->session_negotiate->start = time( NULL ); 01839 #endif 01840 01841 #if defined(POLARSSL_SSL_SESSION_TICKETS) 01842 if( ssl->handshake->new_session_ticket != 0 ) 01843 { 01844 ssl->session_negotiate->length = n = 0; 01845 memset( ssl->session_negotiate->id, 0, 32 ); 01846 } 01847 else 01848 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 01849 { 01850 ssl->session_negotiate->length = n = 32; 01851 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 01852 n ) ) != 0 ) 01853 return( ret ); 01854 } 01855 } 01856 else 01857 { 01858 /* 01859 * Resuming a session 01860 */ 01861 n = ssl->session_negotiate->length; 01862 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC; 01863 01864 if( ( ret = ssl_derive_keys( ssl ) ) != 0 ) 01865 { 01866 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret ); 01867 return( ret ); 01868 } 01869 } 01870 01871 /* 01872 * 38 . 38 session id length 01873 * 39 . 38+n session id 01874 * 39+n . 40+n chosen ciphersuite 01875 * 41+n . 41+n chosen compression alg. 01876 * 42+n . 43+n extensions length 01877 * 44+n . 43+n+m extensions 01878 */ 01879 *p++ = (unsigned char) ssl->session_negotiate->length; 01880 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length ); 01881 p += ssl->session_negotiate->length; 01882 01883 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 01884 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n ); 01885 SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 01886 ssl->handshake->resume ? "a" : "no" ) ); 01887 01888 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 ); 01889 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite ); 01890 *p++ = (unsigned char)( ssl->session_negotiate->compression ); 01891 01892 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", 01893 ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) ); 01894 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X", 01895 ssl->session_negotiate->compression ) ); 01896 01897 /* 01898 * First write extensions, then the total length 01899 */ 01900 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 01901 ext_len += olen; 01902 01903 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) 01904 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 01905 ext_len += olen; 01906 #endif 01907 01908 #if defined(POLARSSL_SSL_TRUNCATED_HMAC) 01909 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 01910 ext_len += olen; 01911 #endif 01912 01913 #if defined(POLARSSL_SSL_SESSION_TICKETS) 01914 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 01915 ext_len += olen; 01916 #endif 01917 01918 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) 01919 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 01920 ext_len += olen; 01921 #endif 01922 01923 #if defined(POLARSSL_SSL_ALPN) 01924 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 01925 ext_len += olen; 01926 #endif 01927 01928 SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) ); 01929 01930 if( ext_len > 0 ) 01931 { 01932 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 01933 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 01934 p += ext_len; 01935 } 01936 01937 ssl->out_msglen = p - buf; 01938 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 01939 ssl->out_msg[0] = SSL_HS_SERVER_HELLO; 01940 01941 ret = ssl_write_record( ssl ); 01942 01943 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); 01944 01945 return( ret ); 01946 } 01947 01948 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \ 01949 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 01950 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 01951 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 01952 static int ssl_write_certificate_request( ssl_context *ssl ) 01953 { 01954 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; 01955 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 01956 01957 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); 01958 01959 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 01960 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || 01961 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK || 01962 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) 01963 { 01964 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); 01965 ssl->state++; 01966 return( 0 ); 01967 } 01968 01969 SSL_DEBUG_MSG( 1, ( "should not happen" ) ); 01970 return( ret ); 01971 } 01972 #else 01973 static int ssl_write_certificate_request( ssl_context *ssl ) 01974 { 01975 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; 01976 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 01977 size_t dn_size, total_dn_size; /* excluding length bytes */ 01978 size_t ct_len, sa_len; /* including length bytes */ 01979 unsigned char *buf, *p; 01980 const x509_crt *crt; 01981 01982 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); 01983 01984 ssl->state++; 01985 01986 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 01987 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || 01988 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK || 01989 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK || 01990 ssl->authmode == SSL_VERIFY_NONE ) 01991 { 01992 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); 01993 return( 0 ); 01994 } 01995 01996 /* 01997 * 0 . 0 handshake type 01998 * 1 . 3 handshake length 01999 * 4 . 4 cert type count 02000 * 5 .. m-1 cert types 02001 * m .. m+1 sig alg length (TLS 1.2 only) 02002 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only) 02003 * n .. n+1 length of all DNs 02004 * n+2 .. n+3 length of DN 1 02005 * n+4 .. ... Distinguished Name #1 02006 * ... .. ... length of DN 2, etc. 02007 */ 02008 buf = ssl->out_msg; 02009 p = buf + 4; 02010 02011 /* 02012 * Supported certificate types 02013 * 02014 * ClientCertificateType certificate_types<1..2^8-1>; 02015 * enum { (255) } ClientCertificateType; 02016 */ 02017 ct_len = 0; 02018 02019 #if defined(POLARSSL_RSA_C) 02020 p[1 + ct_len++] = SSL_CERT_TYPE_RSA_SIGN; 02021 #endif 02022 #if defined(POLARSSL_ECDSA_C) 02023 p[1 + ct_len++] = SSL_CERT_TYPE_ECDSA_SIGN; 02024 #endif 02025 02026 p[0] = (unsigned char) ct_len++; 02027 p += ct_len; 02028 02029 sa_len = 0; 02030 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 02031 /* 02032 * Add signature_algorithms for verify (TLS 1.2) 02033 * 02034 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>; 02035 * 02036 * struct { 02037 * HashAlgorithm hash; 02038 * SignatureAlgorithm signature; 02039 * } SignatureAndHashAlgorithm; 02040 * 02041 * enum { (255) } HashAlgorithm; 02042 * enum { (255) } SignatureAlgorithm; 02043 */ 02044 if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) 02045 { 02046 /* 02047 * Only use current running hash algorithm that is already required 02048 * for requested ciphersuite. 02049 */ 02050 ssl->handshake->verify_sig_alg = SSL_HASH_SHA256; 02051 02052 if( ssl->transform_negotiate->ciphersuite_info->mac == 02053 POLARSSL_MD_SHA384 ) 02054 { 02055 ssl->handshake->verify_sig_alg = SSL_HASH_SHA384; 02056 } 02057 02058 /* 02059 * Supported signature algorithms 02060 */ 02061 #if defined(POLARSSL_RSA_C) 02062 p[2 + sa_len++] = ssl->handshake->verify_sig_alg; 02063 p[2 + sa_len++] = SSL_SIG_RSA; 02064 #endif 02065 #if defined(POLARSSL_ECDSA_C) 02066 p[2 + sa_len++] = ssl->handshake->verify_sig_alg; 02067 p[2 + sa_len++] = SSL_SIG_ECDSA; 02068 #endif 02069 02070 p[0] = (unsigned char)( sa_len >> 8 ); 02071 p[1] = (unsigned char)( sa_len ); 02072 sa_len += 2; 02073 p += sa_len; 02074 } 02075 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ 02076 02077 /* 02078 * DistinguishedName certificate_authorities<0..2^16-1>; 02079 * opaque DistinguishedName<1..2^16-1>; 02080 */ 02081 p += 2; 02082 crt = ssl->ca_chain; 02083 02084 total_dn_size = 0; 02085 while( crt != NULL && crt->version != 0 ) 02086 { 02087 if( p - buf > 4096 ) 02088 break; 02089 02090 dn_size = crt->subject_raw.len; 02091 *p++ = (unsigned char)( dn_size >> 8 ); 02092 *p++ = (unsigned char)( dn_size ); 02093 memcpy( p, crt->subject_raw.p, dn_size ); 02094 p += dn_size; 02095 02096 SSL_DEBUG_BUF( 3, "requested DN", p, dn_size ); 02097 02098 total_dn_size += 2 + dn_size; 02099 crt = crt->next; 02100 } 02101 02102 ssl->out_msglen = p - buf; 02103 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 02104 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST; 02105 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 ); 02106 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size ); 02107 02108 ret = ssl_write_record( ssl ); 02109 02110 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) ); 02111 02112 return( ret ); 02113 } 02114 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED && 02115 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED && 02116 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 02117 !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02118 02119 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02120 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02121 static int ssl_get_ecdh_params_from_cert( ssl_context *ssl ) 02122 { 02123 int ret; 02124 02125 if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECKEY ) ) 02126 { 02127 SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 02128 return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH ); 02129 } 02130 02131 if( ( ret = ecdh_get_params( &ssl->handshake->ecdh_ctx, 02132 pk_ec( *ssl_own_key( ssl ) ), 02133 POLARSSL_ECDH_OURS ) ) != 0 ) 02134 { 02135 SSL_DEBUG_RET( 1, ( "ecdh_get_params" ), ret ); 02136 return( ret ); 02137 } 02138 02139 return( 0 ); 02140 } 02141 #endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 02142 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02143 02144 static int ssl_write_server_key_exchange( ssl_context *ssl ) 02145 { 02146 int ret; 02147 size_t n = 0; 02148 const ssl_ciphersuite_t *ciphersuite_info = 02149 ssl->transform_negotiate->ciphersuite_info; 02150 02151 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02152 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ 02153 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02154 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 02155 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02156 unsigned char *p = ssl->out_msg + 4; 02157 unsigned char *dig_signed = p; 02158 size_t dig_signed_len = 0, len; 02159 ((void) dig_signed); 02160 ((void) dig_signed_len); 02161 #endif 02162 02163 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) ); 02164 02165 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \ 02166 defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \ 02167 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) 02168 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA || 02169 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 02170 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) 02171 { 02172 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); 02173 ssl->state++; 02174 return( 0 ); 02175 } 02176 #endif 02177 02178 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02179 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02180 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA || 02181 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA ) 02182 { 02183 ssl_get_ecdh_params_from_cert( ssl ); 02184 02185 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); 02186 ssl->state++; 02187 return( 0 ); 02188 } 02189 #endif 02190 02191 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ 02192 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02193 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK || 02194 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) 02195 { 02196 /* TODO: Support identity hints */ 02197 *(p++) = 0x00; 02198 *(p++) = 0x00; 02199 02200 n += 2; 02201 } 02202 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED || 02203 POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02204 02205 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02206 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) 02207 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA || 02208 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ) 02209 { 02210 /* 02211 * Ephemeral DH parameters: 02212 * 02213 * struct { 02214 * opaque dh_p<1..2^16-1>; 02215 * opaque dh_g<1..2^16-1>; 02216 * opaque dh_Ys<1..2^16-1>; 02217 * } ServerDHParams; 02218 */ 02219 if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 || 02220 ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 ) 02221 { 02222 SSL_DEBUG_RET( 1, "mpi_copy", ret ); 02223 return( ret ); 02224 } 02225 02226 if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx, 02227 (int) mpi_size( &ssl->handshake->dhm_ctx.P ), 02228 p, &len, ssl->f_rng, ssl->p_rng ) ) != 0 ) 02229 { 02230 SSL_DEBUG_RET( 1, "dhm_make_params", ret ); 02231 return( ret ); 02232 } 02233 02234 dig_signed = p; 02235 dig_signed_len = len; 02236 02237 p += len; 02238 n += len; 02239 02240 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 02241 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 02242 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 02243 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 02244 } 02245 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED || 02246 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02247 02248 #if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED) 02249 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA || 02250 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA || 02251 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) 02252 { 02253 /* 02254 * Ephemeral ECDH parameters: 02255 * 02256 * struct { 02257 * ECParameters curve_params; 02258 * ECPoint public; 02259 * } ServerECDHParams; 02260 */ 02261 const ecp_curve_info **curve = NULL; 02262 #if defined(POLARSSL_SSL_SET_CURVES) 02263 const ecp_group_id *gid; 02264 02265 /* Match our preference list against the offered curves */ 02266 for( gid = ssl->curve_list; *gid != POLARSSL_ECP_DP_NONE; gid++ ) 02267 for( curve = ssl->handshake->curves; *curve != NULL; curve++ ) 02268 if( (*curve)->grp_id == *gid ) 02269 goto curve_matching_done; 02270 02271 curve_matching_done: 02272 #else 02273 curve = ssl->handshake->curves; 02274 #endif 02275 02276 if( *curve == NULL ) 02277 { 02278 SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) ); 02279 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN ); 02280 } 02281 02282 SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) ); 02283 02284 if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp, 02285 (*curve)->grp_id ) ) != 0 ) 02286 { 02287 SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret ); 02288 return( ret ); 02289 } 02290 02291 if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx, &len, 02292 p, SSL_MAX_CONTENT_LEN - n, 02293 ssl->f_rng, ssl->p_rng ) ) != 0 ) 02294 { 02295 SSL_DEBUG_RET( 1, "ecdh_make_params", ret ); 02296 return( ret ); 02297 } 02298 02299 dig_signed = p; 02300 dig_signed_len = len; 02301 02302 p += len; 02303 n += len; 02304 02305 SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q ); 02306 } 02307 #endif /* POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED */ 02308 02309 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02310 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02311 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02312 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA || 02313 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA || 02314 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ) 02315 { 02316 size_t signature_len = 0; 02317 unsigned int hashlen = 0; 02318 unsigned char hash[64]; 02319 md_type_t md_alg = POLARSSL_MD_NONE; 02320 02321 /* 02322 * Choose hash algorithm. NONE means MD5 + SHA1 here. 02323 */ 02324 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 02325 if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) 02326 { 02327 md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg ); 02328 02329 if( md_alg == POLARSSL_MD_NONE ) 02330 { 02331 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02332 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); 02333 } 02334 } 02335 else 02336 #endif 02337 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \ 02338 defined(POLARSSL_SSL_PROTO_TLS1_1) 02339 if ( ciphersuite_info->key_exchange == 02340 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ) 02341 { 02342 md_alg = POLARSSL_MD_SHA1; 02343 } 02344 else 02345 #endif 02346 { 02347 md_alg = POLARSSL_MD_NONE; 02348 } 02349 02350 /* 02351 * Compute the hash to be signed 02352 */ 02353 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \ 02354 defined(POLARSSL_SSL_PROTO_TLS1_1) 02355 if( md_alg == POLARSSL_MD_NONE ) 02356 { 02357 md5_context md5; 02358 sha1_context sha1; 02359 02360 /* 02361 * digitally-signed struct { 02362 * opaque md5_hash[16]; 02363 * opaque sha_hash[20]; 02364 * }; 02365 * 02366 * md5_hash 02367 * MD5(ClientHello.random + ServerHello.random 02368 * + ServerParams); 02369 * sha_hash 02370 * SHA(ClientHello.random + ServerHello.random 02371 * + ServerParams); 02372 */ 02373 md5_starts( &md5 ); 02374 md5_update( &md5, ssl->handshake->randbytes, 64 ); 02375 md5_update( &md5, dig_signed, dig_signed_len ); 02376 md5_finish( &md5, hash ); 02377 02378 sha1_starts( &sha1 ); 02379 sha1_update( &sha1, ssl->handshake->randbytes, 64 ); 02380 sha1_update( &sha1, dig_signed, dig_signed_len ); 02381 sha1_finish( &sha1, hash + 16 ); 02382 02383 hashlen = 36; 02384 } 02385 else 02386 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \ 02387 POLARSSL_SSL_PROTO_TLS1_1 */ 02388 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \ 02389 defined(POLARSSL_SSL_PROTO_TLS1_2) 02390 if( md_alg != POLARSSL_MD_NONE ) 02391 { 02392 md_context_t ctx; 02393 02394 /* Info from md_alg will be used instead */ 02395 hashlen = 0; 02396 02397 /* 02398 * digitally-signed struct { 02399 * opaque client_random[32]; 02400 * opaque server_random[32]; 02401 * ServerDHParams params; 02402 * }; 02403 */ 02404 if( ( ret = md_init_ctx( &ctx, md_info_from_type(md_alg) ) ) != 0 ) 02405 { 02406 SSL_DEBUG_RET( 1, "md_init_ctx", ret ); 02407 return( ret ); 02408 } 02409 02410 md_starts( &ctx ); 02411 md_update( &ctx, ssl->handshake->randbytes, 64 ); 02412 md_update( &ctx, dig_signed, dig_signed_len ); 02413 md_finish( &ctx, hash ); 02414 02415 if( ( ret = md_free_ctx( &ctx ) ) != 0 ) 02416 { 02417 SSL_DEBUG_RET( 1, "md_free_ctx", ret ); 02418 return( ret ); 02419 } 02420 02421 } 02422 else 02423 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \ 02424 POLARSSL_SSL_PROTO_TLS1_2 */ 02425 { 02426 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02427 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); 02428 } 02429 02430 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : 02431 (unsigned int) ( md_info_from_type( md_alg ) )->size ); 02432 02433 /* 02434 * Make the signature 02435 */ 02436 if( ssl_own_key( ssl ) == NULL ) 02437 { 02438 SSL_DEBUG_MSG( 1, ( "got no private key" ) ); 02439 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02440 } 02441 02442 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 02443 if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) 02444 { 02445 *(p++) = ssl->handshake->sig_alg; 02446 *(p++) = ssl_sig_from_pk( ssl_own_key( ssl ) ); 02447 02448 n += 2; 02449 } 02450 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ 02451 02452 if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash, hashlen, 02453 p + 2 , &signature_len, 02454 ssl->f_rng, ssl->p_rng ) ) != 0 ) 02455 { 02456 SSL_DEBUG_RET( 1, "pk_sign", ret ); 02457 return( ret ); 02458 } 02459 02460 *(p++) = (unsigned char)( signature_len >> 8 ); 02461 *(p++) = (unsigned char)( signature_len ); 02462 n += 2; 02463 02464 SSL_DEBUG_BUF( 3, "my signature", p, signature_len ); 02465 02466 p += signature_len; 02467 n += signature_len; 02468 } 02469 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || 02470 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02471 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02472 02473 ssl->out_msglen = 4 + n; 02474 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 02475 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE; 02476 02477 ssl->state++; 02478 02479 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 02480 { 02481 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 02482 return( ret ); 02483 } 02484 02485 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) ); 02486 02487 return( 0 ); 02488 } 02489 02490 static int ssl_write_server_hello_done( ssl_context *ssl ) 02491 { 02492 int ret; 02493 02494 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) ); 02495 02496 ssl->out_msglen = 4; 02497 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 02498 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE; 02499 02500 ssl->state++; 02501 02502 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 02503 { 02504 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 02505 return( ret ); 02506 } 02507 02508 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) ); 02509 02510 return( 0 ); 02511 } 02512 02513 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02514 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) 02515 static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p, 02516 const unsigned char *end ) 02517 { 02518 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; 02519 size_t n; 02520 02521 /* 02522 * Receive G^Y mod P, premaster = (G^Y)^X mod P 02523 */ 02524 if( *p + 2 > end ) 02525 { 02526 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 02527 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 02528 } 02529 02530 n = ( (*p)[0] << 8 ) | (*p)[1]; 02531 *p += 2; 02532 02533 if( *p + n > end ) 02534 { 02535 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 02536 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 02537 } 02538 02539 if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 ) 02540 { 02541 SSL_DEBUG_RET( 1, "dhm_read_public", ret ); 02542 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 02543 } 02544 02545 *p += n; 02546 02547 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 02548 02549 return( ret ); 02550 } 02551 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED || 02552 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02553 02554 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \ 02555 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) 02556 static int ssl_parse_encrypted_pms( ssl_context *ssl, 02557 const unsigned char *p, 02558 const unsigned char *end, 02559 size_t pms_offset ) 02560 { 02561 int ret; 02562 size_t len = pk_get_len( ssl_own_key( ssl ) ); 02563 unsigned char *pms = ssl->handshake->premaster + pms_offset; 02564 02565 if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) ) 02566 { 02567 SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) ); 02568 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02569 } 02570 02571 /* 02572 * Decrypt the premaster using own private RSA key 02573 */ 02574 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \ 02575 defined(POLARSSL_SSL_PROTO_TLS1_2) 02576 if( ssl->minor_ver != SSL_MINOR_VERSION_0 ) 02577 { 02578 if( *p++ != ( ( len >> 8 ) & 0xFF ) || 02579 *p++ != ( ( len ) & 0xFF ) ) 02580 { 02581 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 02582 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 02583 } 02584 } 02585 #endif 02586 02587 if( p + len != end ) 02588 { 02589 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 02590 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 02591 } 02592 02593 ret = pk_decrypt( ssl_own_key( ssl ), p, len, 02594 pms, &ssl->handshake->pmslen, 02595 sizeof( ssl->handshake->premaster ) - pms_offset, 02596 ssl->f_rng, ssl->p_rng ); 02597 02598 if( ret != 0 || ssl->handshake->pmslen != 48 || 02599 pms[0] != ssl->handshake->max_major_ver || 02600 pms[1] != ssl->handshake->max_minor_ver ) 02601 { 02602 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 02603 02604 /* 02605 * Protection against Bleichenbacher's attack: 02606 * invalid PKCS#1 v1.5 padding must not cause 02607 * the connection to end immediately; instead, 02608 * send a bad_record_mac later in the handshake. 02609 */ 02610 ssl->handshake->pmslen = 48; 02611 02612 ret = ssl->f_rng( ssl->p_rng, pms, ssl->handshake->pmslen ); 02613 if( ret != 0 ) 02614 return( ret ); 02615 } 02616 02617 return( ret ); 02618 } 02619 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED || 02620 POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02621 02622 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) 02623 static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p, 02624 const unsigned char *end ) 02625 { 02626 int ret = 0; 02627 size_t n; 02628 02629 if( ssl->f_psk == NULL && 02630 ( ssl->psk == NULL || ssl->psk_identity == NULL || 02631 ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) ) 02632 { 02633 SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) ); 02634 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02635 } 02636 02637 /* 02638 * Receive client pre-shared key identity name 02639 */ 02640 if( *p + 2 > end ) 02641 { 02642 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 02643 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 02644 } 02645 02646 n = ( (*p)[0] << 8 ) | (*p)[1]; 02647 *p += 2; 02648 02649 if( n < 1 || n > 65535 || *p + n > end ) 02650 { 02651 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 02652 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 02653 } 02654 02655 if( ssl->f_psk != NULL ) 02656 { 02657 if( ( ret != ssl->f_psk( ssl->p_psk, ssl, *p, n ) ) != 0 ) 02658 ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY; 02659 } 02660 02661 if( ret == 0 ) 02662 { 02663 /* Identity is not a big secret since clients send it in the clear, 02664 * but treat it carefully anyway, just in case */ 02665 if( n != ssl->psk_identity_len || 02666 safer_memcmp( ssl->psk_identity, *p, n ) != 0 ) 02667 { 02668 ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY; 02669 } 02670 } 02671 02672 if( ret == POLARSSL_ERR_SSL_UNKNOWN_IDENTITY ) 02673 { 02674 SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n ); 02675 if( ( ret = ssl_send_alert_message( ssl, 02676 SSL_ALERT_LEVEL_FATAL, 02677 SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 ) 02678 { 02679 return( ret ); 02680 } 02681 02682 return( POLARSSL_ERR_SSL_UNKNOWN_IDENTITY ); 02683 } 02684 02685 *p += n; 02686 ret = 0; 02687 02688 return( ret ); 02689 } 02690 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02691 02692 static int ssl_parse_client_key_exchange( ssl_context *ssl ) 02693 { 02694 int ret; 02695 const ssl_ciphersuite_t *ciphersuite_info; 02696 02697 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02698 02699 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) ); 02700 02701 if( ( ret = ssl_read_record ( ssl ) ) != 0 ) 02702 { 02703 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 02704 return( ret ); 02705 } 02706 02707 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) 02708 { 02709 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 02710 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 02711 } 02712 02713 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE ) 02714 { 02715 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 02716 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 02717 } 02718 02719 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) 02720 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ) 02721 { 02722 unsigned char *p = ssl->in_msg + 4; 02723 unsigned char *end = ssl->in_msg + ssl->in_hslen; 02724 02725 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) 02726 { 02727 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); 02728 return( ret ); 02729 } 02730 02731 if( p != end ) 02732 { 02733 SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 02734 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 02735 } 02736 02737 ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len; 02738 02739 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx, 02740 ssl->handshake->premaster, 02741 &ssl->handshake->pmslen, 02742 ssl->f_rng, ssl->p_rng ) ) != 0 ) 02743 { 02744 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret ); 02745 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); 02746 } 02747 02748 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 02749 } 02750 else 02751 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */ 02752 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02753 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02754 defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02755 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02756 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA || 02757 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA || 02758 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA || 02759 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA ) 02760 { 02761 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx, 02762 ssl->in_msg + 4, ssl->in_hslen - 4 ) ) != 0 ) 02763 { 02764 SSL_DEBUG_RET( 1, "ecdh_read_public", ret ); 02765 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 02766 } 02767 02768 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp ); 02769 02770 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 02771 &ssl->handshake->pmslen, 02772 ssl->handshake->premaster, 02773 POLARSSL_MPI_MAX_SIZE, 02774 ssl->f_rng, ssl->p_rng ) ) != 0 ) 02775 { 02776 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret ); 02777 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); 02778 } 02779 02780 SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z ); 02781 } 02782 else 02783 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02784 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02785 POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02786 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02787 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) 02788 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ) 02789 { 02790 unsigned char *p = ssl->in_msg + 4; 02791 unsigned char *end = ssl->in_msg + ssl->in_hslen; 02792 02793 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 02794 { 02795 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 02796 return( ret ); 02797 } 02798 02799 if( p != end ) 02800 { 02801 SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 02802 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 02803 } 02804 02805 if( ( ret = ssl_psk_derive_premaster( ssl, 02806 ciphersuite_info->key_exchange ) ) != 0 ) 02807 { 02808 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret ); 02809 return( ret ); 02810 } 02811 } 02812 else 02813 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */ 02814 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) 02815 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) 02816 { 02817 unsigned char *p = ssl->in_msg + 4; 02818 unsigned char *end = ssl->in_msg + ssl->in_hslen; 02819 02820 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 02821 { 02822 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 02823 return( ret ); 02824 } 02825 02826 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 ) 02827 { 02828 SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret ); 02829 return( ret ); 02830 } 02831 02832 if( ( ret = ssl_psk_derive_premaster( ssl, 02833 ciphersuite_info->key_exchange ) ) != 0 ) 02834 { 02835 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret ); 02836 return( ret ); 02837 } 02838 } 02839 else 02840 #endif /* POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02841 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) 02842 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ) 02843 { 02844 unsigned char *p = ssl->in_msg + 4; 02845 unsigned char *end = ssl->in_msg + ssl->in_hslen; 02846 02847 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 02848 { 02849 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 02850 return( ret ); 02851 } 02852 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) 02853 { 02854 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); 02855 return( ret ); 02856 } 02857 02858 if( p != end ) 02859 { 02860 SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 02861 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 02862 } 02863 02864 if( ( ret = ssl_psk_derive_premaster( ssl, 02865 ciphersuite_info->key_exchange ) ) != 0 ) 02866 { 02867 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret ); 02868 return( ret ); 02869 } 02870 } 02871 else 02872 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02873 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02874 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) 02875 { 02876 unsigned char *p = ssl->in_msg + 4; 02877 unsigned char *end = ssl->in_msg + ssl->in_hslen; 02878 02879 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 02880 { 02881 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 02882 return( ret ); 02883 } 02884 02885 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx, 02886 p, end - p ) ) != 0 ) 02887 { 02888 SSL_DEBUG_RET( 1, "ecdh_read_public", ret ); 02889 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 02890 } 02891 02892 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp ); 02893 02894 if( ( ret = ssl_psk_derive_premaster( ssl, 02895 ciphersuite_info->key_exchange ) ) != 0 ) 02896 { 02897 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret ); 02898 return( ret ); 02899 } 02900 } 02901 else 02902 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02903 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) 02904 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ) 02905 { 02906 if( ( ret = ssl_parse_encrypted_pms( ssl, 02907 ssl->in_msg + 4, 02908 ssl->in_msg + ssl->in_hslen, 02909 0 ) ) != 0 ) 02910 { 02911 SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret ); 02912 return( ret ); 02913 } 02914 } 02915 else 02916 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */ 02917 { 02918 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02919 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); 02920 } 02921 02922 if( ( ret = ssl_derive_keys( ssl ) ) != 0 ) 02923 { 02924 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret ); 02925 return( ret ); 02926 } 02927 02928 ssl->state++; 02929 02930 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) ); 02931 02932 return( 0 ); 02933 } 02934 02935 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \ 02936 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 02937 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 02938 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02939 static int ssl_parse_certificate_verify( ssl_context *ssl ) 02940 { 02941 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; 02942 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02943 02944 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); 02945 02946 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 02947 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || 02948 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK || 02949 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ) 02950 { 02951 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 02952 ssl->state++; 02953 return( 0 ); 02954 } 02955 02956 SSL_DEBUG_MSG( 1, ( "should not happen" ) ); 02957 return( ret ); 02958 } 02959 #else 02960 static int ssl_parse_certificate_verify( ssl_context *ssl ) 02961 { 02962 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; 02963 size_t sa_len, sig_len; 02964 unsigned char hash[48]; 02965 unsigned char *hash_start = hash; 02966 size_t hashlen; 02967 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 02968 pk_type_t pk_alg; 02969 #endif 02970 md_type_t md_alg; 02971 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02972 02973 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); 02974 02975 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 02976 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || 02977 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK || 02978 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ) 02979 { 02980 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 02981 ssl->state++; 02982 return( 0 ); 02983 } 02984 02985 if( ssl->session_negotiate->peer_cert == NULL ) 02986 { 02987 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 02988 ssl->state++; 02989 return( 0 ); 02990 } 02991 02992 ssl->handshake->calc_verify( ssl, hash ); 02993 02994 if( ( ret = ssl_read_record ( ssl ) ) != 0 ) 02995 { 02996 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 02997 return( ret ); 02998 } 02999 03000 ssl->state++; 03001 03002 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) 03003 { 03004 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03005 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03006 } 03007 03008 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY ) 03009 { 03010 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03011 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03012 } 03013 03014 /* 03015 * 0 . 0 handshake type 03016 * 1 . 3 handshake length 03017 * 4 . 5 sig alg (TLS 1.2 only) 03018 * 4+n . 5+n signature length (n = sa_len) 03019 * 6+n . 6+n+m signature (m = sig_len) 03020 */ 03021 03022 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \ 03023 defined(POLARSSL_SSL_PROTO_TLS1_1) 03024 if( ssl->minor_ver != SSL_MINOR_VERSION_3 ) 03025 { 03026 sa_len = 0; 03027 03028 md_alg = POLARSSL_MD_NONE; 03029 hashlen = 36; 03030 03031 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */ 03032 if( pk_can_do( &ssl->session_negotiate->peer_cert->pk, 03033 POLARSSL_PK_ECDSA ) ) 03034 { 03035 hash_start += 16; 03036 hashlen -= 16; 03037 md_alg = POLARSSL_MD_SHA1; 03038 } 03039 } 03040 else 03041 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || 03042 POLARSSL_SSL_PROTO_TLS1_1 */ 03043 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 03044 if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) 03045 { 03046 sa_len = 2; 03047 03048 /* 03049 * Hash 03050 */ 03051 if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg ) 03052 { 03053 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" 03054 " for verify message" ) ); 03055 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03056 } 03057 03058 md_alg = ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg ); 03059 03060 /* Info from md_alg will be used instead */ 03061 hashlen = 0; 03062 03063 /* 03064 * Signature 03065 */ 03066 if( ( pk_alg = ssl_pk_alg_from_sig( ssl->in_msg[5] ) ) 03067 == POLARSSL_PK_NONE ) 03068 { 03069 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" 03070 " for verify message" ) ); 03071 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03072 } 03073 03074 /* 03075 * Check the certificate's key type matches the signature alg 03076 */ 03077 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 03078 { 03079 SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) ); 03080 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03081 } 03082 } 03083 else 03084 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ 03085 { 03086 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03087 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); 03088 } 03089 03090 sig_len = ( ssl->in_msg[4 + sa_len] << 8 ) | ssl->in_msg[5 + sa_len]; 03091 03092 if( sa_len + sig_len + 6 != ssl->in_hslen ) 03093 { 03094 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03095 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03096 } 03097 03098 if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk, 03099 md_alg, hash_start, hashlen, 03100 ssl->in_msg + 6 + sa_len, sig_len ) ) != 0 ) 03101 { 03102 SSL_DEBUG_RET( 1, "pk_verify", ret ); 03103 return( ret ); 03104 } 03105 03106 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) ); 03107 03108 return( ret ); 03109 } 03110 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED && 03111 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED && 03112 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */ 03113 03114 #if defined(POLARSSL_SSL_SESSION_TICKETS) 03115 static int ssl_write_new_session_ticket( ssl_context *ssl ) 03116 { 03117 int ret; 03118 size_t tlen; 03119 uint32_t lifetime = (uint32_t) ssl->ticket_lifetime; 03120 03121 SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) ); 03122 03123 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 03124 ssl->out_msg[0] = SSL_HS_NEW_SESSION_TICKET; 03125 03126 /* 03127 * struct { 03128 * uint32 ticket_lifetime_hint; 03129 * opaque ticket<0..2^16-1>; 03130 * } NewSessionTicket; 03131 * 03132 * 4 . 7 ticket_lifetime_hint (0 = unspecified) 03133 * 8 . 9 ticket_len (n) 03134 * 10 . 9+n ticket content 03135 */ 03136 03137 ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF; 03138 ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF; 03139 ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF; 03140 ssl->out_msg[7] = ( lifetime ) & 0xFF; 03141 03142 if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 ) 03143 { 03144 SSL_DEBUG_RET( 1, "ssl_write_ticket", ret ); 03145 tlen = 0; 03146 } 03147 03148 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 03149 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF ); 03150 03151 ssl->out_msglen = 10 + tlen; 03152 03153 /* 03154 * Morally equivalent to updating ssl->state, but NewSessionTicket and 03155 * ChangeCipherSpec share the same state. 03156 */ 03157 ssl->handshake->new_session_ticket = 0; 03158 03159 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 03160 { 03161 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 03162 return( ret ); 03163 } 03164 03165 SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) ); 03166 03167 return( 0 ); 03168 } 03169 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 03170 03171 /* 03172 * SSL handshake -- server side -- single step 03173 */ 03174 int ssl_handshake_server_step( ssl_context *ssl ) 03175 { 03176 int ret = 0; 03177 03178 if( ssl->state == SSL_HANDSHAKE_OVER ) 03179 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 03180 03181 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) ); 03182 03183 if( ( ret = ssl_flush_output( ssl ) ) != 0 ) 03184 return( ret ); 03185 03186 switch( ssl->state ) 03187 { 03188 case SSL_HELLO_REQUEST: 03189 ssl->state = SSL_CLIENT_HELLO; 03190 break; 03191 03192 /* 03193 * <== ClientHello 03194 */ 03195 case SSL_CLIENT_HELLO: 03196 ret = ssl_parse_client_hello( ssl ); 03197 break; 03198 03199 /* 03200 * ==> ServerHello 03201 * Certificate 03202 * ( ServerKeyExchange ) 03203 * ( CertificateRequest ) 03204 * ServerHelloDone 03205 */ 03206 case SSL_SERVER_HELLO: 03207 ret = ssl_write_server_hello( ssl ); 03208 break; 03209 03210 case SSL_SERVER_CERTIFICATE: 03211 ret = ssl_write_certificate( ssl ); 03212 break; 03213 03214 case SSL_SERVER_KEY_EXCHANGE: 03215 ret = ssl_write_server_key_exchange( ssl ); 03216 break; 03217 03218 case SSL_CERTIFICATE_REQUEST: 03219 ret = ssl_write_certificate_request( ssl ); 03220 break; 03221 03222 case SSL_SERVER_HELLO_DONE: 03223 ret = ssl_write_server_hello_done( ssl ); 03224 break; 03225 03226 /* 03227 * <== ( Certificate/Alert ) 03228 * ClientKeyExchange 03229 * ( CertificateVerify ) 03230 * ChangeCipherSpec 03231 * Finished 03232 */ 03233 case SSL_CLIENT_CERTIFICATE: 03234 ret = ssl_parse_certificate( ssl ); 03235 break; 03236 03237 case SSL_CLIENT_KEY_EXCHANGE: 03238 ret = ssl_parse_client_key_exchange( ssl ); 03239 break; 03240 03241 case SSL_CERTIFICATE_VERIFY: 03242 ret = ssl_parse_certificate_verify( ssl ); 03243 break; 03244 03245 case SSL_CLIENT_CHANGE_CIPHER_SPEC: 03246 ret = ssl_parse_change_cipher_spec( ssl ); 03247 break; 03248 03249 case SSL_CLIENT_FINISHED: 03250 ret = ssl_parse_finished( ssl ); 03251 break; 03252 03253 /* 03254 * ==> ( NewSessionTicket ) 03255 * ChangeCipherSpec 03256 * Finished 03257 */ 03258 case SSL_SERVER_CHANGE_CIPHER_SPEC: 03259 #if defined(POLARSSL_SSL_SESSION_TICKETS) 03260 if( ssl->handshake->new_session_ticket != 0 ) 03261 ret = ssl_write_new_session_ticket( ssl ); 03262 else 03263 #endif 03264 ret = ssl_write_change_cipher_spec( ssl ); 03265 break; 03266 03267 case SSL_SERVER_FINISHED: 03268 ret = ssl_write_finished( ssl ); 03269 break; 03270 03271 case SSL_FLUSH_BUFFERS: 03272 SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 03273 ssl->state = SSL_HANDSHAKE_WRAPUP; 03274 break; 03275 03276 case SSL_HANDSHAKE_WRAPUP: 03277 ssl_handshake_wrapup( ssl ); 03278 break; 03279 03280 default: 03281 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 03282 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 03283 } 03284 03285 return( ret ); 03286 } 03287 #endif /* POLARSSL_SSL_SRV_C */ 03288 03289
Generated on Tue Jul 12 2022 19:40:21 by
1.7.2