Doug Anson
mbed TLS library
Dependents: HTTPClient-SSL WS_SERVER
Embed:
(wiki syntax)
Show/hide line numbers
ssl_srv.c
00001 /* 00002 * SSLv3/TLSv1 server-side functions 00003 * 00004 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved 00005 * 00006 * This file is part of mbed TLS (https://tls.mbed.org) 00007 * 00008 * This program is free software; you can redistribute it and/or modify 00009 * it under the terms of the GNU General Public License as published by 00010 * the Free Software Foundation; either version 2 of the License, or 00011 * (at your option) any later version. 00012 * 00013 * This program is distributed in the hope that it will be useful, 00014 * but WITHOUT ANY WARRANTY; without even the implied warranty of 00015 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 00016 * GNU General Public License for more details. 00017 * 00018 * You should have received a copy of the GNU General Public License along 00019 * with this program; if not, write to the Free Software Foundation, Inc., 00020 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 00021 */ 00022 00023 #if !defined(POLARSSL_CONFIG_FILE) 00024 #include "polarssl/config.h" 00025 #else 00026 #include POLARSSL_CONFIG_FILE 00027 #endif 00028 00029 #if defined(POLARSSL_SSL_SRV_C) 00030 00031 #include "polarssl/debug.h" 00032 #include "polarssl/ssl.h" 00033 00034 #include <string.h> 00035 00036 #if defined(POLARSSL_ECP_C) 00037 #include "polarssl/ecp.h" 00038 #endif 00039 00040 #if defined(POLARSSL_PLATFORM_C) 00041 #include "polarssl/platform.h" 00042 #else 00043 #include <stdlib.h> 00044 #define polarssl_malloc malloc 00045 #define polarssl_free free 00046 #endif 00047 00048 #if defined(POLARSSL_HAVE_TIME) 00049 #include <time.h> 00050 #endif 00051 00052 #if defined(POLARSSL_SSL_SESSION_TICKETS) 00053 /* Implementation that should never be optimized out by the compiler */ 00054 static void polarssl_zeroize( void *v, size_t n ) { 00055 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 00056 } 00057 00058 /* 00059 * Serialize a session in the following format: 00060 * 0 . n-1 session structure, n = sizeof(ssl_session) 00061 * n . n+2 peer_cert length = m (0 if no certificate) 00062 * n+3 . n+2+m peer cert ASN.1 00063 * 00064 * Assumes ticket is NULL (always true on server side). 00065 */ 00066 static int ssl_save_session( const ssl_session *session, 00067 unsigned char *buf, size_t buf_len, 00068 size_t *olen ) 00069 { 00070 unsigned char *p = buf; 00071 size_t left = buf_len; 00072 #if defined(POLARSSL_X509_CRT_PARSE_C) 00073 size_t cert_len; 00074 #endif /* POLARSSL_X509_CRT_PARSE_C */ 00075 00076 if( left < sizeof( ssl_session ) ) 00077 return( -1 ); 00078 00079 memcpy( p, session, sizeof( ssl_session ) ); 00080 p += sizeof( ssl_session ); 00081 left -= sizeof( ssl_session ); 00082 00083 #if defined(POLARSSL_X509_CRT_PARSE_C) 00084 if( session->peer_cert == NULL ) 00085 cert_len = 0; 00086 else 00087 cert_len = session->peer_cert->raw.len; 00088 00089 if( left < 3 + cert_len ) 00090 return( -1 ); 00091 00092 *p++ = (unsigned char)( cert_len >> 16 & 0xFF ); 00093 *p++ = (unsigned char)( cert_len >> 8 & 0xFF ); 00094 *p++ = (unsigned char)( cert_len & 0xFF ); 00095 00096 if( session->peer_cert != NULL ) 00097 memcpy( p, session->peer_cert->raw.p, cert_len ); 00098 00099 p += cert_len; 00100 #endif /* POLARSSL_X509_CRT_PARSE_C */ 00101 00102 *olen = p - buf; 00103 00104 return( 0 ); 00105 } 00106 00107 /* 00108 * Unserialise session, see ssl_save_session() 00109 */ 00110 static int ssl_load_session( ssl_session *session, 00111 const unsigned char *buf, size_t len ) 00112 { 00113 const unsigned char *p = buf; 00114 const unsigned char * const end = buf + len; 00115 #if defined(POLARSSL_X509_CRT_PARSE_C) 00116 size_t cert_len; 00117 #endif /* POLARSSL_X509_CRT_PARSE_C */ 00118 00119 if( p + sizeof( ssl_session ) > end ) 00120 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 00121 00122 memcpy( session, p, sizeof( ssl_session ) ); 00123 p += sizeof( ssl_session ); 00124 00125 #if defined(POLARSSL_X509_CRT_PARSE_C) 00126 if( p + 3 > end ) 00127 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 00128 00129 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2]; 00130 p += 3; 00131 00132 if( cert_len == 0 ) 00133 { 00134 session->peer_cert = NULL; 00135 } 00136 else 00137 { 00138 int ret; 00139 00140 if( p + cert_len > end ) 00141 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 00142 00143 session->peer_cert = polarssl_malloc( sizeof( x509_crt ) ); 00144 00145 if( session->peer_cert == NULL ) 00146 return( POLARSSL_ERR_SSL_MALLOC_FAILED ); 00147 00148 x509_crt_init( session->peer_cert ); 00149 00150 if( ( ret = x509_crt_parse_der( session->peer_cert, 00151 p, cert_len ) ) != 0 ) 00152 { 00153 x509_crt_free( session->peer_cert ); 00154 polarssl_free( session->peer_cert ); 00155 session->peer_cert = NULL; 00156 return( ret ); 00157 } 00158 00159 p += cert_len; 00160 } 00161 #endif /* POLARSSL_X509_CRT_PARSE_C */ 00162 00163 if( p != end ) 00164 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 00165 00166 return( 0 ); 00167 } 00168 00169 /* 00170 * Create session ticket, secured as recommended in RFC 5077 section 4: 00171 * 00172 * struct { 00173 * opaque key_name[16]; 00174 * opaque iv[16]; 00175 * opaque encrypted_state<0..2^16-1>; 00176 * opaque mac[32]; 00177 * } ticket; 00178 * 00179 * (the internal state structure differs, however). 00180 */ 00181 static int ssl_write_ticket( ssl_context *ssl, size_t *tlen ) 00182 { 00183 int ret; 00184 unsigned char * const start = ssl->out_msg + 10; 00185 unsigned char *p = start; 00186 unsigned char *state; 00187 unsigned char iv[16]; 00188 size_t clear_len, enc_len, pad_len, i; 00189 00190 *tlen = 0; 00191 00192 if( ssl->ticket_keys == NULL ) 00193 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 00194 00195 /* Write key name */ 00196 memcpy( p, ssl->ticket_keys->key_name, 16 ); 00197 p += 16; 00198 00199 /* Generate and write IV (with a copy for aes_crypt) */ 00200 if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 ) 00201 return( ret ); 00202 memcpy( iv, p, 16 ); 00203 p += 16; 00204 00205 /* 00206 * Dump session state 00207 * 00208 * After the session state itself, we still need room for 16 bytes of 00209 * padding and 32 bytes of MAC, so there's only so much room left 00210 */ 00211 state = p + 2; 00212 if( ssl_save_session( ssl->session_negotiate, state, 00213 SSL_MAX_CONTENT_LEN - ( state - ssl->out_ctr ) - 48, 00214 &clear_len ) != 0 ) 00215 { 00216 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE ); 00217 } 00218 SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len ); 00219 00220 /* Apply PKCS padding */ 00221 pad_len = 16 - clear_len % 16; 00222 enc_len = clear_len + pad_len; 00223 for( i = clear_len; i < enc_len; i++ ) 00224 state[i] = (unsigned char) pad_len; 00225 00226 /* Encrypt */ 00227 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT, 00228 enc_len, iv, state, state ) ) != 0 ) 00229 { 00230 return( ret ); 00231 } 00232 00233 /* Write length */ 00234 *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF ); 00235 *p++ = (unsigned char)( ( enc_len ) & 0xFF ); 00236 p = state + enc_len; 00237 00238 /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */ 00239 sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 ); 00240 p += 32; 00241 00242 *tlen = p - start; 00243 00244 SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen ); 00245 00246 return( 0 ); 00247 } 00248 00249 /* 00250 * Load session ticket (see ssl_write_ticket for structure) 00251 */ 00252 static int ssl_parse_ticket( ssl_context *ssl, 00253 unsigned char *buf, 00254 size_t len ) 00255 { 00256 int ret; 00257 ssl_session session; 00258 unsigned char *key_name = buf; 00259 unsigned char *iv = buf + 16; 00260 unsigned char *enc_len_p = iv + 16; 00261 unsigned char *ticket = enc_len_p + 2; 00262 unsigned char *mac; 00263 unsigned char computed_mac[32]; 00264 size_t enc_len, clear_len, i; 00265 unsigned char pad_len, diff; 00266 00267 SSL_DEBUG_BUF( 3, "session ticket structure", buf, len ); 00268 00269 if( len < 34 || ssl->ticket_keys == NULL ) 00270 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 00271 00272 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1]; 00273 mac = ticket + enc_len; 00274 00275 if( len != enc_len + 66 ) 00276 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 00277 00278 /* Check name, in constant time though it's not a big secret */ 00279 diff = 0; 00280 for( i = 0; i < 16; i++ ) 00281 diff |= key_name[i] ^ ssl->ticket_keys->key_name[i]; 00282 /* don't return yet, check the MAC anyway */ 00283 00284 /* Check mac, with constant-time buffer comparison */ 00285 sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32, 00286 computed_mac, 0 ); 00287 00288 for( i = 0; i < 32; i++ ) 00289 diff |= mac[i] ^ computed_mac[i]; 00290 00291 /* Now return if ticket is not authentic, since we want to avoid 00292 * decrypting arbitrary attacker-chosen data */ 00293 if( diff != 0 ) 00294 return( POLARSSL_ERR_SSL_INVALID_MAC ); 00295 00296 /* Decrypt */ 00297 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT, 00298 enc_len, iv, ticket, ticket ) ) != 0 ) 00299 { 00300 return( ret ); 00301 } 00302 00303 /* Check PKCS padding */ 00304 pad_len = ticket[enc_len - 1]; 00305 00306 ret = 0; 00307 for( i = 2; i < pad_len; i++ ) 00308 if( ticket[enc_len - i] != pad_len ) 00309 ret = POLARSSL_ERR_SSL_BAD_INPUT_DATA; 00310 if( ret != 0 ) 00311 return( ret ); 00312 00313 clear_len = enc_len - pad_len; 00314 00315 SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len ); 00316 00317 /* Actually load session */ 00318 if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 ) 00319 { 00320 SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) ); 00321 ssl_session_free( &session ); 00322 return( ret ); 00323 } 00324 00325 #if defined(POLARSSL_HAVE_TIME) 00326 /* Check if still valid */ 00327 if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime ) 00328 { 00329 SSL_DEBUG_MSG( 1, ( "session ticket expired" ) ); 00330 ssl_session_free( &session ); 00331 return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED ); 00332 } 00333 #endif 00334 00335 /* 00336 * Keep the session ID sent by the client, since we MUST send it back to 00337 * inform him we're accepting the ticket (RFC 5077 section 3.4) 00338 */ 00339 session.length = ssl->session_negotiate->length; 00340 memcpy( &session.id, ssl->session_negotiate->id, session.length ); 00341 00342 ssl_session_free( ssl->session_negotiate ); 00343 memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) ); 00344 00345 /* Zeroize instead of free as we copied the content */ 00346 polarssl_zeroize( &session, sizeof( ssl_session ) ); 00347 00348 return( 0 ); 00349 } 00350 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 00351 00352 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) 00353 /* 00354 * Wrapper around f_sni, allowing use of ssl_set_own_cert() but 00355 * making it act on ssl->hanshake->sni_key_cert instead. 00356 */ 00357 static int ssl_sni_wrapper( ssl_context *ssl, 00358 const unsigned char* name, size_t len ) 00359 { 00360 int ret; 00361 ssl_key_cert *key_cert_ori = ssl->key_cert; 00362 00363 ssl->key_cert = NULL; 00364 ret = ssl->f_sni( ssl->p_sni, ssl, name, len ); 00365 ssl->handshake->sni_key_cert = ssl->key_cert; 00366 00367 ssl->key_cert = key_cert_ori; 00368 00369 return( ret ); 00370 } 00371 00372 static int ssl_parse_servername_ext( ssl_context *ssl, 00373 const unsigned char *buf, 00374 size_t len ) 00375 { 00376 int ret; 00377 size_t servername_list_size, hostname_len; 00378 const unsigned char *p; 00379 00380 SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) ); 00381 00382 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00383 if( servername_list_size + 2 != len ) 00384 { 00385 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00386 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00387 } 00388 00389 p = buf + 2; 00390 while( servername_list_size > 0 ) 00391 { 00392 hostname_len = ( ( p[1] << 8 ) | p[2] ); 00393 if( hostname_len + 3 > servername_list_size ) 00394 { 00395 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00396 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00397 } 00398 00399 if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME ) 00400 { 00401 ret = ssl_sni_wrapper( ssl, p + 3, hostname_len ); 00402 if( ret != 0 ) 00403 { 00404 SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret ); 00405 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL, 00406 SSL_ALERT_MSG_UNRECOGNIZED_NAME ); 00407 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00408 } 00409 return( 0 ); 00410 } 00411 00412 servername_list_size -= hostname_len + 3; 00413 p += hostname_len + 3; 00414 } 00415 00416 if( servername_list_size != 0 ) 00417 { 00418 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00419 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00420 } 00421 00422 return( 0 ); 00423 } 00424 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */ 00425 00426 static int ssl_parse_renegotiation_info( ssl_context *ssl, 00427 const unsigned char *buf, 00428 size_t len ) 00429 { 00430 int ret; 00431 00432 #if defined(POLARSSL_SSL_RENEGOTIATION) 00433 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) 00434 { 00435 /* Check verify-data in constant-time. The length OTOH is no secret */ 00436 if( len != 1 + ssl->verify_data_len || 00437 buf[0] != ssl->verify_data_len || 00438 safer_memcmp( buf + 1, ssl->peer_verify_data, 00439 ssl->verify_data_len ) != 0 ) 00440 { 00441 SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 00442 00443 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 00444 return( ret ); 00445 00446 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00447 } 00448 } 00449 else 00450 #endif /* POLARSSL_SSL_RENEGOTIATION */ 00451 { 00452 if( len != 1 || buf[0] != 0x0 ) 00453 { 00454 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 00455 00456 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 00457 return( ret ); 00458 00459 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00460 } 00461 00462 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION; 00463 } 00464 00465 return( 0 ); 00466 } 00467 00468 #if defined(POLARSSL_SSL_PROTO_TLS1_2) && \ 00469 defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED) 00470 static int ssl_parse_signature_algorithms_ext( ssl_context *ssl, 00471 const unsigned char *buf, 00472 size_t len ) 00473 { 00474 size_t sig_alg_list_size; 00475 const unsigned char *p; 00476 const unsigned char *end = buf + len; 00477 const int *md_cur; 00478 00479 00480 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00481 if( sig_alg_list_size + 2 != len || 00482 sig_alg_list_size % 2 != 0 ) 00483 { 00484 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00485 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00486 } 00487 00488 /* 00489 * For now, ignore the SignatureAlgorithm part and rely on offered 00490 * ciphersuites only for that part. To be fixed later. 00491 * 00492 * So, just look at the HashAlgorithm part. 00493 */ 00494 for( md_cur = md_list(); *md_cur != POLARSSL_MD_NONE; md_cur++ ) { 00495 for( p = buf + 2; p < end; p += 2 ) { 00496 if( *md_cur == (int) ssl_md_alg_from_hash( p[0] ) ) { 00497 ssl->handshake->sig_alg = p[0]; 00498 goto have_sig_alg; 00499 } 00500 } 00501 } 00502 00503 /* Some key echanges do not need signatures at all */ 00504 SSL_DEBUG_MSG( 3, ( "no signature_algorithm in common" ) ); 00505 return( 0 ); 00506 00507 have_sig_alg: 00508 SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d", 00509 ssl->handshake->sig_alg ) ); 00510 00511 return( 0 ); 00512 } 00513 #endif /* POLARSSL_SSL_PROTO_TLS1_2 && 00514 POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00515 00516 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) 00517 static int ssl_parse_supported_elliptic_curves( ssl_context *ssl, 00518 const unsigned char *buf, 00519 size_t len ) 00520 { 00521 size_t list_size, our_size; 00522 const unsigned char *p; 00523 const ecp_curve_info *curve_info, **curves; 00524 00525 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00526 if( list_size + 2 != len || 00527 list_size % 2 != 0 ) 00528 { 00529 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00530 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00531 } 00532 00533 /* Should never happen unless client duplicates the extension */ 00534 if( ssl->handshake->curves != NULL ) 00535 { 00536 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00537 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00538 } 00539 00540 /* Don't allow our peer to make us allocate too much memory, 00541 * and leave room for a final 0 */ 00542 our_size = list_size / 2 + 1; 00543 if( our_size > POLARSSL_ECP_DP_MAX ) 00544 our_size = POLARSSL_ECP_DP_MAX; 00545 00546 if( ( curves = polarssl_malloc( our_size * sizeof( *curves ) ) ) == NULL ) 00547 return( POLARSSL_ERR_SSL_MALLOC_FAILED ); 00548 00549 /* explicit void pointer cast for buggy MS compiler */ 00550 memset( (void *) curves, 0, our_size * sizeof( *curves ) ); 00551 ssl->handshake->curves = curves; 00552 00553 p = buf + 2; 00554 while( list_size > 0 && our_size > 1 ) 00555 { 00556 curve_info = ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] ); 00557 00558 if( curve_info != NULL ) 00559 { 00560 *curves++ = curve_info; 00561 our_size--; 00562 } 00563 00564 list_size -= 2; 00565 p += 2; 00566 } 00567 00568 return( 0 ); 00569 } 00570 00571 static int ssl_parse_supported_point_formats( ssl_context *ssl, 00572 const unsigned char *buf, 00573 size_t len ) 00574 { 00575 size_t list_size; 00576 const unsigned char *p; 00577 00578 list_size = buf[0]; 00579 if( list_size + 1 != len ) 00580 { 00581 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00582 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00583 } 00584 00585 p = buf + 2; 00586 while( list_size > 0 ) 00587 { 00588 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED || 00589 p[0] == POLARSSL_ECP_PF_COMPRESSED ) 00590 { 00591 ssl->handshake->ecdh_ctx.point_format = p[0]; 00592 SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 00593 return( 0 ); 00594 } 00595 00596 list_size--; 00597 p++; 00598 } 00599 00600 return( 0 ); 00601 } 00602 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */ 00603 00604 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) 00605 static int ssl_parse_max_fragment_length_ext( ssl_context *ssl, 00606 const unsigned char *buf, 00607 size_t len ) 00608 { 00609 if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID ) 00610 { 00611 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00612 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00613 } 00614 00615 ssl->session_negotiate->mfl_code = buf[0]; 00616 00617 return( 0 ); 00618 } 00619 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */ 00620 00621 #if defined(POLARSSL_SSL_TRUNCATED_HMAC) 00622 static int ssl_parse_truncated_hmac_ext( ssl_context *ssl, 00623 const unsigned char *buf, 00624 size_t len ) 00625 { 00626 if( len != 0 ) 00627 { 00628 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00629 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00630 } 00631 00632 ((void) buf); 00633 00634 if( ssl->trunc_hmac == SSL_TRUNC_HMAC_ENABLED ) 00635 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED; 00636 00637 return( 0 ); 00638 } 00639 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */ 00640 00641 #if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC) 00642 static int ssl_parse_encrypt_then_mac_ext( ssl_context *ssl, 00643 const unsigned char *buf, 00644 size_t len ) 00645 { 00646 if( len != 0 ) 00647 { 00648 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00649 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00650 } 00651 00652 ((void) buf); 00653 00654 if( ssl->encrypt_then_mac == SSL_ETM_ENABLED && 00655 ssl->minor_ver != SSL_MINOR_VERSION_0 ) 00656 { 00657 ssl->session_negotiate->encrypt_then_mac = SSL_ETM_ENABLED; 00658 } 00659 00660 return( 0 ); 00661 } 00662 #endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */ 00663 00664 #if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET) 00665 static int ssl_parse_extended_ms_ext( ssl_context *ssl, 00666 const unsigned char *buf, 00667 size_t len ) 00668 { 00669 if( len != 0 ) 00670 { 00671 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00672 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00673 } 00674 00675 ((void) buf); 00676 00677 if( ssl->extended_ms == SSL_EXTENDED_MS_ENABLED && 00678 ssl->minor_ver != SSL_MINOR_VERSION_0 ) 00679 { 00680 ssl->handshake->extended_ms = SSL_EXTENDED_MS_ENABLED; 00681 } 00682 00683 return( 0 ); 00684 } 00685 #endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */ 00686 00687 #if defined(POLARSSL_SSL_SESSION_TICKETS) 00688 static int ssl_parse_session_ticket_ext( ssl_context *ssl, 00689 unsigned char *buf, 00690 size_t len ) 00691 { 00692 int ret; 00693 00694 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED ) 00695 return( 0 ); 00696 00697 /* Remember the client asked us to send a new ticket */ 00698 ssl->handshake->new_session_ticket = 1; 00699 00700 SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) ); 00701 00702 if( len == 0 ) 00703 return( 0 ); 00704 00705 #if defined(POLARSSL_SSL_RENEGOTIATION) 00706 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) 00707 { 00708 SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) ); 00709 return( 0 ); 00710 } 00711 #endif /* POLARSSL_SSL_RENEGOTIATION */ 00712 00713 /* 00714 * Failures are ok: just ignore the ticket and proceed. 00715 */ 00716 if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 ) 00717 { 00718 SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret ); 00719 return( 0 ); 00720 } 00721 00722 SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) ); 00723 00724 ssl->handshake->resume = 1; 00725 00726 /* Don't send a new ticket after all, this one is OK */ 00727 ssl->handshake->new_session_ticket = 0; 00728 00729 return( 0 ); 00730 } 00731 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 00732 00733 #if defined(POLARSSL_SSL_ALPN) 00734 static int ssl_parse_alpn_ext( ssl_context *ssl, 00735 const unsigned char *buf, size_t len ) 00736 { 00737 size_t list_len, cur_len, ours_len; 00738 const unsigned char *theirs, *start, *end; 00739 const char **ours; 00740 00741 /* If ALPN not configured, just ignore the extension */ 00742 if( ssl->alpn_list == NULL ) 00743 return( 0 ); 00744 00745 /* 00746 * opaque ProtocolName<1..2^8-1>; 00747 * 00748 * struct { 00749 * ProtocolName protocol_name_list<2..2^16-1> 00750 * } ProtocolNameList; 00751 */ 00752 00753 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 00754 if( len < 4 ) 00755 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00756 00757 list_len = ( buf[0] << 8 ) | buf[1]; 00758 if( list_len != len - 2 ) 00759 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00760 00761 /* 00762 * Use our order of preference 00763 */ 00764 start = buf + 2; 00765 end = buf + len; 00766 for( ours = ssl->alpn_list; *ours != NULL; ours++ ) 00767 { 00768 ours_len = strlen( *ours ); 00769 for( theirs = start; theirs != end; theirs += cur_len ) 00770 { 00771 /* If the list is well formed, we should get equality first */ 00772 if( theirs > end ) 00773 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00774 00775 cur_len = *theirs++; 00776 00777 /* Empty strings MUST NOT be included */ 00778 if( cur_len == 0 ) 00779 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00780 00781 if( cur_len == ours_len && 00782 memcmp( theirs, *ours, cur_len ) == 0 ) 00783 { 00784 ssl->alpn_chosen = *ours; 00785 return( 0 ); 00786 } 00787 } 00788 } 00789 00790 /* If we get there, no match was found */ 00791 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL, 00792 SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL ); 00793 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00794 } 00795 #endif /* POLARSSL_SSL_ALPN */ 00796 00797 /* 00798 * Auxiliary functions for ServerHello parsing and related actions 00799 */ 00800 00801 #if defined(POLARSSL_X509_CRT_PARSE_C) 00802 /* 00803 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise 00804 */ 00805 #if defined(POLARSSL_ECDSA_C) 00806 static int ssl_check_key_curve( pk_context *pk, 00807 const ecp_curve_info **curves ) 00808 { 00809 const ecp_curve_info **crv = curves; 00810 ecp_group_id grp_id = pk_ec( *pk )->grp.id; 00811 00812 while( *crv != NULL ) 00813 { 00814 if( (*crv)->grp_id == grp_id ) 00815 return( 0 ); 00816 crv++; 00817 } 00818 00819 return( -1 ); 00820 } 00821 #endif /* POLARSSL_ECDSA_C */ 00822 00823 /* 00824 * Try picking a certificate for this ciphersuite, 00825 * return 0 on success and -1 on failure. 00826 */ 00827 static int ssl_pick_cert( ssl_context *ssl, 00828 const ssl_ciphersuite_t * ciphersuite_info ) 00829 { 00830 ssl_key_cert *cur, *list, *fallback = NULL; 00831 pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 00832 int flags; 00833 00834 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) 00835 if( ssl->handshake->sni_key_cert != NULL ) 00836 list = ssl->handshake->sni_key_cert; 00837 else 00838 #endif 00839 list = ssl->handshake->key_cert; 00840 00841 if( pk_alg == POLARSSL_PK_NONE ) 00842 return( 0 ); 00843 00844 SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) ); 00845 00846 for( cur = list; cur != NULL; cur = cur->next ) 00847 { 00848 SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate", 00849 cur->cert ); 00850 00851 if( ! pk_can_do( cur->key, pk_alg ) ) 00852 { 00853 SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) ); 00854 continue; 00855 } 00856 00857 /* 00858 * This avoids sending the client a cert it'll reject based on 00859 * keyUsage or other extensions. 00860 * 00861 * It also allows the user to provision different certificates for 00862 * different uses based on keyUsage, eg if they want to avoid signing 00863 * and decrypting with the same RSA key. 00864 */ 00865 if( ssl_check_cert_usage( cur->cert, ciphersuite_info, 00866 SSL_IS_SERVER, &flags ) != 0 ) 00867 { 00868 SSL_DEBUG_MSG( 3, ( "certificate mismatch: " 00869 "(extended) key usage extension" ) ); 00870 continue; 00871 } 00872 00873 #if defined(POLARSSL_ECDSA_C) 00874 if( pk_alg == POLARSSL_PK_ECDSA && 00875 ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 ) 00876 { 00877 SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) ); 00878 continue; 00879 } 00880 #endif 00881 00882 /* 00883 * Try to select a SHA-1 certificate for pre-1.2 clients, but still 00884 * present them a SHA-higher cert rather than failing if it's the only 00885 * one we got that satisfies the other conditions. 00886 */ 00887 if( ssl->minor_ver < SSL_MINOR_VERSION_3 && 00888 cur->cert->sig_md != POLARSSL_MD_SHA1 ) 00889 { 00890 if( fallback == NULL ) 00891 fallback = cur; 00892 { 00893 SSL_DEBUG_MSG( 3, ( "certificate not preferred: " 00894 "sha-2 with pre-TLS 1.2 client" ) ); 00895 continue; 00896 } 00897 } 00898 00899 /* If we get there, we got a winner */ 00900 break; 00901 } 00902 00903 if( cur == NULL ) 00904 cur = fallback; 00905 00906 00907 /* Do not update ssl->handshake->key_cert unless the is a match */ 00908 if( cur != NULL ) 00909 { 00910 ssl->handshake->key_cert = cur; 00911 SSL_DEBUG_CRT( 3, "selected certificate chain, certificate", 00912 ssl->handshake->key_cert->cert ); 00913 return( 0 ); 00914 } 00915 00916 return( -1 ); 00917 } 00918 #endif /* POLARSSL_X509_CRT_PARSE_C */ 00919 00920 /* 00921 * Check if a given ciphersuite is suitable for use with our config/keys/etc 00922 * Sets ciphersuite_info only if the suite matches. 00923 */ 00924 static int ssl_ciphersuite_match( ssl_context *ssl, int suite_id, 00925 const ssl_ciphersuite_t **ciphersuite_info ) 00926 { 00927 const ssl_ciphersuite_t *suite_info; 00928 00929 suite_info = ssl_ciphersuite_from_id( suite_id ); 00930 if( suite_info == NULL ) 00931 { 00932 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00933 return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); 00934 } 00935 00936 SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) ); 00937 00938 if( suite_info->min_minor_ver > ssl->minor_ver || 00939 suite_info->max_minor_ver < ssl->minor_ver ) 00940 { 00941 SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) ); 00942 return( 0 ); 00943 } 00944 00945 if( ssl->arc4_disabled == SSL_ARC4_DISABLED && 00946 suite_info->cipher == POLARSSL_CIPHER_ARC4_128 ) 00947 { 00948 SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) ); 00949 return( 0 ); 00950 } 00951 00952 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) 00953 if( ssl_ciphersuite_uses_ec( suite_info ) && 00954 ( ssl->handshake->curves == NULL || 00955 ssl->handshake->curves[0] == NULL ) ) 00956 { 00957 SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " 00958 "no common elliptic curve" ) ); 00959 return( 0 ); 00960 } 00961 #endif 00962 00963 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) 00964 /* If the ciphersuite requires a pre-shared key and we don't 00965 * have one, skip it now rather than failing later */ 00966 if( ssl_ciphersuite_uses_psk( suite_info ) && 00967 ssl->f_psk == NULL && 00968 ( ssl->psk == NULL || ssl->psk_identity == NULL || 00969 ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) ) 00970 { 00971 SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) ); 00972 return( 0 ); 00973 } 00974 #endif 00975 00976 #if defined(POLARSSL_X509_CRT_PARSE_C) 00977 /* 00978 * Final check: if ciphersuite requires us to have a 00979 * certificate/key of a particular type: 00980 * - select the appropriate certificate if we have one, or 00981 * - try the next ciphersuite if we don't 00982 * This must be done last since we modify the key_cert list. 00983 */ 00984 if( ssl_pick_cert( ssl, suite_info ) != 0 ) 00985 { 00986 SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " 00987 "no suitable certificate" ) ); 00988 return( 0 ); 00989 } 00990 #endif 00991 00992 *ciphersuite_info = suite_info; 00993 return( 0 ); 00994 } 00995 00996 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) 00997 static int ssl_parse_client_hello_v2( ssl_context *ssl ) 00998 { 00999 int ret, got_common_suite; 01000 unsigned int i, j; 01001 size_t n; 01002 unsigned int ciph_len, sess_len, chal_len; 01003 unsigned char *buf, *p; 01004 const int *ciphersuites; 01005 const ssl_ciphersuite_t *ciphersuite_info; 01006 01007 SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) ); 01008 01009 #if defined(POLARSSL_SSL_RENEGOTIATION) 01010 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) 01011 { 01012 SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) ); 01013 01014 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01015 return( ret ); 01016 01017 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01018 } 01019 #endif /* POLARSSL_SSL_RENEGOTIATION */ 01020 01021 buf = ssl->in_hdr; 01022 01023 SSL_DEBUG_BUF( 4, "record header", buf, 5 ); 01024 01025 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d", 01026 buf[2] ) ); 01027 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d", 01028 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) ); 01029 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]", 01030 buf[3], buf[4] ) ); 01031 01032 /* 01033 * SSLv2 Client Hello 01034 * 01035 * Record layer: 01036 * 0 . 1 message length 01037 * 01038 * SSL layer: 01039 * 2 . 2 message type 01040 * 3 . 4 protocol version 01041 */ 01042 if( buf[2] != SSL_HS_CLIENT_HELLO || 01043 buf[3] != SSL_MAJOR_VERSION_3 ) 01044 { 01045 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01046 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01047 } 01048 01049 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF; 01050 01051 if( n < 17 || n > 512 ) 01052 { 01053 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01054 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01055 } 01056 01057 ssl->major_ver = SSL_MAJOR_VERSION_3; 01058 ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver ) 01059 ? buf[4] : ssl->max_minor_ver; 01060 01061 if( ssl->minor_ver < ssl->min_minor_ver ) 01062 { 01063 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" 01064 " [%d:%d] < [%d:%d]", 01065 ssl->major_ver, ssl->minor_ver, 01066 ssl->min_major_ver, ssl->min_minor_ver ) ); 01067 01068 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL, 01069 SSL_ALERT_MSG_PROTOCOL_VERSION ); 01070 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01071 } 01072 01073 ssl->handshake->max_major_ver = buf[3]; 01074 ssl->handshake->max_minor_ver = buf[4]; 01075 01076 if( ( ret = ssl_fetch_input ( ssl, 2 + n ) ) != 0 ) 01077 { 01078 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); 01079 return( ret ); 01080 } 01081 01082 ssl->handshake->update_checksum( ssl, buf + 2, n ); 01083 01084 buf = ssl->in_msg; 01085 n = ssl->in_left - 5; 01086 01087 /* 01088 * 0 . 1 ciphersuitelist length 01089 * 2 . 3 session id length 01090 * 4 . 5 challenge length 01091 * 6 . .. ciphersuitelist 01092 * .. . .. session id 01093 * .. . .. challenge 01094 */ 01095 SSL_DEBUG_BUF( 4, "record contents", buf, n ); 01096 01097 ciph_len = ( buf[0] << 8 ) | buf[1]; 01098 sess_len = ( buf[2] << 8 ) | buf[3]; 01099 chal_len = ( buf[4] << 8 ) | buf[5]; 01100 01101 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d", 01102 ciph_len, sess_len, chal_len ) ); 01103 01104 /* 01105 * Make sure each parameter length is valid 01106 */ 01107 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 ) 01108 { 01109 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01110 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01111 } 01112 01113 if( sess_len > 32 ) 01114 { 01115 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01116 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01117 } 01118 01119 if( chal_len < 8 || chal_len > 32 ) 01120 { 01121 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01122 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01123 } 01124 01125 if( n != 6 + ciph_len + sess_len + chal_len ) 01126 { 01127 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01128 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01129 } 01130 01131 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", 01132 buf + 6, ciph_len ); 01133 SSL_DEBUG_BUF( 3, "client hello, session id", 01134 buf + 6 + ciph_len, sess_len ); 01135 SSL_DEBUG_BUF( 3, "client hello, challenge", 01136 buf + 6 + ciph_len + sess_len, chal_len ); 01137 01138 p = buf + 6 + ciph_len; 01139 ssl->session_negotiate->length = sess_len; 01140 memset( ssl->session_negotiate->id, 0, 01141 sizeof( ssl->session_negotiate->id ) ); 01142 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length ); 01143 01144 p += sess_len; 01145 memset( ssl->handshake->randbytes, 0, 64 ); 01146 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len ); 01147 01148 /* 01149 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV 01150 */ 01151 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) 01152 { 01153 if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO ) 01154 { 01155 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); 01156 #if defined(POLARSSL_SSL_RENEGOTIATION) 01157 if( ssl->renegotiation == SSL_RENEGOTIATION ) 01158 { 01159 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV " 01160 "during renegotiation" ) ); 01161 01162 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01163 return( ret ); 01164 01165 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01166 } 01167 #endif /* POLARSSL_SSL_RENEGOTIATION */ 01168 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION; 01169 break; 01170 } 01171 } 01172 01173 #if defined(POLARSSL_SSL_FALLBACK_SCSV) 01174 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) 01175 { 01176 if( p[0] == 0 && 01177 p[1] == (unsigned char)( ( SSL_FALLBACK_SCSV >> 8 ) & 0xff ) && 01178 p[2] == (unsigned char)( ( SSL_FALLBACK_SCSV ) & 0xff ) ) 01179 { 01180 SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) ); 01181 01182 if( ssl->minor_ver < ssl->max_minor_ver ) 01183 { 01184 SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); 01185 01186 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL, 01187 SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); 01188 01189 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01190 } 01191 01192 break; 01193 } 01194 } 01195 #endif /* POLARSSL_SSL_FALLBACK_SCSV */ 01196 01197 got_common_suite = 0; 01198 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver]; 01199 ciphersuite_info = NULL; 01200 #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE) 01201 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) 01202 { 01203 for( i = 0; ciphersuites[i] != 0; i++ ) 01204 #else 01205 for( i = 0; ciphersuites[i] != 0; i++ ) 01206 { 01207 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) 01208 #endif 01209 { 01210 if( p[0] != 0 || 01211 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || 01212 p[2] != ( ( ciphersuites[i] ) & 0xFF ) ) 01213 continue; 01214 01215 got_common_suite = 1; 01216 01217 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], 01218 &ciphersuite_info ) ) != 0 ) 01219 return( ret ); 01220 01221 if( ciphersuite_info != NULL ) 01222 goto have_ciphersuite_v2; 01223 } 01224 } 01225 01226 if( got_common_suite ) 01227 { 01228 SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " 01229 "but none of them usable" ) ); 01230 return( POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE ); 01231 } 01232 else 01233 { 01234 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); 01235 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN ); 01236 } 01237 01238 have_ciphersuite_v2: 01239 SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); 01240 01241 ssl->session_negotiate->ciphersuite = ciphersuites[i]; 01242 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info; 01243 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); 01244 01245 /* 01246 * SSLv2 Client Hello relevant renegotiation security checks 01247 */ 01248 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION && 01249 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE ) 01250 { 01251 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01252 01253 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01254 return( ret ); 01255 01256 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01257 } 01258 01259 ssl->in_left = 0; 01260 ssl->state++; 01261 01262 SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) ); 01263 01264 return( 0 ); 01265 } 01266 #endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */ 01267 01268 static int ssl_parse_client_hello( ssl_context *ssl ) 01269 { 01270 int ret, got_common_suite; 01271 unsigned int i, j; 01272 size_t n; 01273 unsigned int ciph_len, sess_len; 01274 unsigned int comp_len; 01275 unsigned int ext_len = 0; 01276 unsigned char *buf, *p, *ext; 01277 #if defined(POLARSSL_SSL_RENEGOTIATION) 01278 int renegotiation_info_seen = 0; 01279 #endif 01280 int handshake_failure = 0; 01281 const int *ciphersuites; 01282 const ssl_ciphersuite_t *ciphersuite_info; 01283 01284 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); 01285 01286 #if defined(POLARSSL_SSL_RENEGOTIATION) 01287 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) 01288 #endif 01289 { 01290 if( ( ret = ssl_fetch_input ( ssl, 5 ) ) != 0 ) 01291 { 01292 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); 01293 return( ret ); 01294 } 01295 } 01296 01297 buf = ssl->in_hdr; 01298 01299 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) 01300 if( ( buf[0] & 0x80 ) != 0 ) 01301 return ssl_parse_client_hello_v2( ssl ); 01302 #endif 01303 01304 SSL_DEBUG_BUF( 4, "record header", buf, 5 ); 01305 01306 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d", 01307 buf[0] ) ); 01308 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d", 01309 ( buf[3] << 8 ) | buf[4] ) ); 01310 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]", 01311 buf[1], buf[2] ) ); 01312 01313 /* 01314 * SSLv3/TLS Client Hello 01315 * 01316 * Record layer: 01317 * 0 . 0 message type 01318 * 1 . 2 protocol version 01319 * 3 . 4 message length 01320 */ 01321 01322 /* According to RFC 5246 Appendix E.1, the version here is typically 01323 * "{03,00}, the lowest version number supported by the client, [or] the 01324 * value of ClientHello.client_version", so the only meaningful check here 01325 * is the major version shouldn't be less than 3 */ 01326 if( buf[0] != SSL_MSG_HANDSHAKE || 01327 buf[1] < SSL_MAJOR_VERSION_3 ) 01328 { 01329 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01330 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01331 } 01332 01333 n = ( buf[3] << 8 ) | buf[4]; 01334 01335 if( n < 45 || n > SSL_MAX_CONTENT_LEN ) 01336 { 01337 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01338 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01339 } 01340 01341 #if defined(POLARSSL_SSL_RENEGOTIATION) 01342 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) 01343 #endif 01344 { 01345 if( ( ret = ssl_fetch_input ( ssl, 5 + n ) ) != 0 ) 01346 { 01347 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); 01348 return( ret ); 01349 } 01350 } 01351 01352 buf = ssl->in_msg; 01353 #if defined(POLARSSL_SSL_RENEGOTIATION) 01354 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) 01355 n = ssl->in_msglen; 01356 else 01357 #endif 01358 n = ssl->in_left - 5; 01359 01360 ssl->handshake->update_checksum( ssl, buf, n ); 01361 01362 /* 01363 * SSL layer: 01364 * 0 . 0 handshake type 01365 * 1 . 3 handshake length 01366 * 4 . 5 protocol version 01367 * 6 . 9 UNIX time() 01368 * 10 . 37 random bytes 01369 * 38 . 38 session id length 01370 * 39 . 38+x session id 01371 * 39+x . 40+x ciphersuitelist length 01372 * 41+x . 40+y ciphersuitelist 01373 * 41+y . 41+y compression alg length 01374 * 42+y . 41+z compression algs 01375 * .. . .. extensions 01376 */ 01377 SSL_DEBUG_BUF( 4, "record contents", buf, n ); 01378 01379 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", 01380 buf[0] ) ); 01381 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d", 01382 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) ); 01383 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]", 01384 buf[4], buf[5] ) ); 01385 01386 /* 01387 * Check the handshake type and protocol version 01388 */ 01389 if( buf[0] != SSL_HS_CLIENT_HELLO ) 01390 { 01391 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01392 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01393 } 01394 01395 ssl->major_ver = buf[4]; 01396 ssl->minor_ver = buf[5]; 01397 01398 ssl->handshake->max_major_ver = ssl->major_ver; 01399 ssl->handshake->max_minor_ver = ssl->minor_ver; 01400 01401 if( ssl->major_ver < ssl->min_major_ver || 01402 ssl->minor_ver < ssl->min_minor_ver ) 01403 { 01404 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" 01405 " [%d:%d] < [%d:%d]", 01406 ssl->major_ver, ssl->minor_ver, 01407 ssl->min_major_ver, ssl->min_minor_ver ) ); 01408 01409 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL, 01410 SSL_ALERT_MSG_PROTOCOL_VERSION ); 01411 01412 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01413 } 01414 01415 if( ssl->major_ver > ssl->max_major_ver ) 01416 { 01417 ssl->major_ver = ssl->max_major_ver; 01418 ssl->minor_ver = ssl->max_minor_ver; 01419 } 01420 else if( ssl->minor_ver > ssl->max_minor_ver ) 01421 ssl->minor_ver = ssl->max_minor_ver; 01422 01423 memcpy( ssl->handshake->randbytes, buf + 6, 32 ); 01424 01425 /* 01426 * Check the handshake message length 01427 */ 01428 if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) ) 01429 { 01430 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01431 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01432 } 01433 01434 /* 01435 * Check the session length 01436 */ 01437 sess_len = buf[38]; 01438 01439 if( sess_len > 32 || sess_len > n - 42 ) 01440 { 01441 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01442 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01443 } 01444 01445 ssl->session_negotiate->length = sess_len; 01446 memset( ssl->session_negotiate->id, 0, 01447 sizeof( ssl->session_negotiate->id ) ); 01448 memcpy( ssl->session_negotiate->id, buf + 39, 01449 ssl->session_negotiate->length ); 01450 01451 /* 01452 * Check the ciphersuitelist length 01453 */ 01454 ciph_len = ( buf[39 + sess_len] << 8 ) 01455 | ( buf[40 + sess_len] ); 01456 01457 if( ciph_len < 2 || ( ciph_len % 2 ) != 0 || ciph_len > n - 42 - sess_len ) 01458 { 01459 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01460 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01461 } 01462 01463 /* 01464 * Check the compression algorithms length 01465 */ 01466 comp_len = buf[41 + sess_len + ciph_len]; 01467 01468 if( comp_len < 1 || comp_len > 16 || 01469 comp_len > n - 42 - sess_len - ciph_len ) 01470 { 01471 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01472 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01473 } 01474 01475 /* 01476 * Check the extension length 01477 */ 01478 if( n > 42 + sess_len + ciph_len + comp_len ) 01479 { 01480 ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 ) 01481 | ( buf[43 + sess_len + ciph_len + comp_len] ); 01482 01483 if( ( ext_len > 0 && ext_len < 4 ) || 01484 n != 44 + sess_len + ciph_len + comp_len + ext_len ) 01485 { 01486 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01487 SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len); 01488 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01489 } 01490 } 01491 01492 ssl->session_negotiate->compression = SSL_COMPRESS_NULL; 01493 #if defined(POLARSSL_ZLIB_SUPPORT) 01494 for( i = 0; i < comp_len; ++i ) 01495 { 01496 if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE ) 01497 { 01498 ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE; 01499 break; 01500 } 01501 } 01502 #endif 01503 01504 SSL_DEBUG_BUF( 3, "client hello, random bytes", 01505 buf + 6, 32 ); 01506 SSL_DEBUG_BUF( 3, "client hello, session id", 01507 buf + 38, sess_len ); 01508 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", 01509 buf + 41 + sess_len, ciph_len ); 01510 SSL_DEBUG_BUF( 3, "client hello, compression", 01511 buf + 42 + sess_len + ciph_len, comp_len ); 01512 01513 /* 01514 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV 01515 */ 01516 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 ) 01517 { 01518 if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO ) 01519 { 01520 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); 01521 #if defined(POLARSSL_SSL_RENEGOTIATION) 01522 if( ssl->renegotiation == SSL_RENEGOTIATION ) 01523 { 01524 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) ); 01525 01526 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01527 return( ret ); 01528 01529 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01530 } 01531 renegotiation_info_seen = 1; 01532 #endif /* POLARSSL_SSL_RENEGOTIATION */ 01533 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION; 01534 break; 01535 } 01536 } 01537 01538 #if defined(POLARSSL_SSL_FALLBACK_SCSV) 01539 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 ) 01540 { 01541 if( p[0] == (unsigned char)( ( SSL_FALLBACK_SCSV >> 8 ) & 0xff ) && 01542 p[1] == (unsigned char)( ( SSL_FALLBACK_SCSV ) & 0xff ) ) 01543 { 01544 SSL_DEBUG_MSG( 0, ( "received FALLBACK_SCSV" ) ); 01545 01546 if( ssl->minor_ver < ssl->max_minor_ver ) 01547 { 01548 SSL_DEBUG_MSG( 0, ( "inapropriate fallback" ) ); 01549 01550 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL, 01551 SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); 01552 01553 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01554 } 01555 01556 break; 01557 } 01558 } 01559 #endif /* POLARSSL_SSL_FALLBACK_SCSV */ 01560 01561 ext = buf + 44 + sess_len + ciph_len + comp_len; 01562 01563 while( ext_len ) 01564 { 01565 unsigned int ext_id = ( ( ext[0] << 8 ) 01566 | ( ext[1] ) ); 01567 unsigned int ext_size = ( ( ext[2] << 8 ) 01568 | ( ext[3] ) ); 01569 01570 if( ext_size + 4 > ext_len ) 01571 { 01572 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01573 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01574 } 01575 switch( ext_id ) 01576 { 01577 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) 01578 case TLS_EXT_SERVERNAME: 01579 SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) ); 01580 if( ssl->f_sni == NULL ) 01581 break; 01582 01583 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size ); 01584 if( ret != 0 ) 01585 return( ret ); 01586 break; 01587 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */ 01588 01589 case TLS_EXT_RENEGOTIATION_INFO: 01590 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01591 #if defined(POLARSSL_SSL_RENEGOTIATION) 01592 renegotiation_info_seen = 1; 01593 #endif 01594 01595 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ); 01596 if( ret != 0 ) 01597 return( ret ); 01598 break; 01599 01600 #if defined(POLARSSL_SSL_PROTO_TLS1_2) && \ 01601 defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED) 01602 case TLS_EXT_SIG_ALG: 01603 SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); 01604 #if defined(POLARSSL_SSL_RENEGOTIATION) 01605 if( ssl->renegotiation == SSL_RENEGOTIATION ) 01606 break; 01607 #endif 01608 01609 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size ); 01610 if( ret != 0 ) 01611 return( ret ); 01612 break; 01613 #endif /* POLARSSL_SSL_PROTO_TLS1_2 && 01614 POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */ 01615 01616 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) 01617 case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES: 01618 SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) ); 01619 01620 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size ); 01621 if( ret != 0 ) 01622 return( ret ); 01623 break; 01624 01625 case TLS_EXT_SUPPORTED_POINT_FORMATS: 01626 SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) ); 01627 ssl->handshake->cli_exts |= TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT; 01628 01629 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size ); 01630 if( ret != 0 ) 01631 return( ret ); 01632 break; 01633 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */ 01634 01635 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) 01636 case TLS_EXT_MAX_FRAGMENT_LENGTH: 01637 SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) ); 01638 01639 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size ); 01640 if( ret != 0 ) 01641 return( ret ); 01642 break; 01643 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */ 01644 01645 #if defined(POLARSSL_SSL_TRUNCATED_HMAC) 01646 case TLS_EXT_TRUNCATED_HMAC: 01647 SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) ); 01648 01649 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size ); 01650 if( ret != 0 ) 01651 return( ret ); 01652 break; 01653 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */ 01654 01655 #if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC) 01656 case TLS_EXT_ENCRYPT_THEN_MAC: 01657 SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) ); 01658 01659 ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size ); 01660 if( ret != 0 ) 01661 return( ret ); 01662 break; 01663 #endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */ 01664 01665 #if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET) 01666 case TLS_EXT_EXTENDED_MASTER_SECRET: 01667 SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) ); 01668 01669 ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size ); 01670 if( ret != 0 ) 01671 return( ret ); 01672 break; 01673 #endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */ 01674 01675 #if defined(POLARSSL_SSL_SESSION_TICKETS) 01676 case TLS_EXT_SESSION_TICKET: 01677 SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) ); 01678 01679 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size ); 01680 if( ret != 0 ) 01681 return( ret ); 01682 break; 01683 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 01684 01685 #if defined(POLARSSL_SSL_ALPN) 01686 case TLS_EXT_ALPN: 01687 SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 01688 01689 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ); 01690 if( ret != 0 ) 01691 return( ret ); 01692 break; 01693 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 01694 01695 default: 01696 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 01697 ext_id ) ); 01698 } 01699 01700 ext_len -= 4 + ext_size; 01701 ext += 4 + ext_size; 01702 01703 if( ext_len > 0 && ext_len < 4 ) 01704 { 01705 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01706 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01707 } 01708 } 01709 01710 /* 01711 * Renegotiation security checks 01712 */ 01713 if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION && 01714 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE ) 01715 { 01716 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01717 handshake_failure = 1; 01718 } 01719 #if defined(POLARSSL_SSL_RENEGOTIATION) 01720 else if( ssl->renegotiation == SSL_RENEGOTIATION && 01721 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION && 01722 renegotiation_info_seen == 0 ) 01723 { 01724 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 01725 handshake_failure = 1; 01726 } 01727 else if( ssl->renegotiation == SSL_RENEGOTIATION && 01728 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION && 01729 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION ) 01730 { 01731 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 01732 handshake_failure = 1; 01733 } 01734 else if( ssl->renegotiation == SSL_RENEGOTIATION && 01735 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION && 01736 renegotiation_info_seen == 1 ) 01737 { 01738 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 01739 handshake_failure = 1; 01740 } 01741 #endif /* POLARSSL_SSL_RENEGOTIATION */ 01742 01743 if( handshake_failure == 1 ) 01744 { 01745 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) 01746 return( ret ); 01747 01748 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01749 } 01750 01751 /* 01752 * Search for a matching ciphersuite 01753 * (At the end because we need information from the EC-based extensions 01754 * and certificate from the SNI callback triggered by the SNI extension.) 01755 */ 01756 got_common_suite = 0; 01757 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver]; 01758 ciphersuite_info = NULL; 01759 #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE) 01760 for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 ) 01761 { 01762 for( i = 0; ciphersuites[i] != 0; i++ ) 01763 #else 01764 for( i = 0; ciphersuites[i] != 0; i++ ) 01765 { 01766 for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 ) 01767 #endif 01768 { 01769 if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || 01770 p[1] != ( ( ciphersuites[i] ) & 0xFF ) ) 01771 continue; 01772 01773 got_common_suite = 1; 01774 01775 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], 01776 &ciphersuite_info ) ) != 0 ) 01777 return( ret ); 01778 01779 if( ciphersuite_info != NULL ) 01780 goto have_ciphersuite; 01781 } 01782 } 01783 01784 if( got_common_suite ) 01785 { 01786 SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " 01787 "but none of them usable" ) ); 01788 ssl_send_fatal_handshake_failure( ssl ); 01789 return( POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE ); 01790 } 01791 else 01792 { 01793 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); 01794 ssl_send_fatal_handshake_failure( ssl ); 01795 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN ); 01796 } 01797 01798 have_ciphersuite: 01799 SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); 01800 01801 ssl->session_negotiate->ciphersuite = ciphersuites[i]; 01802 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info; 01803 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); 01804 01805 ssl->in_left = 0; 01806 ssl->state++; 01807 01808 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) ); 01809 01810 return( 0 ); 01811 } 01812 01813 #if defined(POLARSSL_SSL_TRUNCATED_HMAC) 01814 static void ssl_write_truncated_hmac_ext( ssl_context *ssl, 01815 unsigned char *buf, 01816 size_t *olen ) 01817 { 01818 unsigned char *p = buf; 01819 01820 if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED ) 01821 { 01822 *olen = 0; 01823 return; 01824 } 01825 01826 SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) ); 01827 01828 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 01829 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 01830 01831 *p++ = 0x00; 01832 *p++ = 0x00; 01833 01834 *olen = 4; 01835 } 01836 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */ 01837 01838 #if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC) 01839 static void ssl_write_encrypt_then_mac_ext( ssl_context *ssl, 01840 unsigned char *buf, 01841 size_t *olen ) 01842 { 01843 unsigned char *p = buf; 01844 const ssl_ciphersuite_t *suite = NULL; 01845 const cipher_info_t *cipher = NULL; 01846 01847 if( ssl->session_negotiate->encrypt_then_mac == SSL_EXTENDED_MS_DISABLED || 01848 ssl->minor_ver == SSL_MINOR_VERSION_0 ) 01849 { 01850 *olen = 0; 01851 return; 01852 } 01853 01854 /* 01855 * RFC 7366: "If a server receives an encrypt-then-MAC request extension 01856 * from a client and then selects a stream or Authenticated Encryption 01857 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an 01858 * encrypt-then-MAC response extension back to the client." 01859 */ 01860 if( ( suite = ssl_ciphersuite_from_id( 01861 ssl->session_negotiate->ciphersuite ) ) == NULL || 01862 ( cipher = cipher_info_from_type( suite->cipher ) ) == NULL || 01863 cipher->mode != POLARSSL_MODE_CBC ) 01864 { 01865 *olen = 0; 01866 return; 01867 } 01868 01869 SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) ); 01870 01871 *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 01872 *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 01873 01874 *p++ = 0x00; 01875 *p++ = 0x00; 01876 01877 *olen = 4; 01878 } 01879 #endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */ 01880 01881 #if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET) 01882 static void ssl_write_extended_ms_ext( ssl_context *ssl, 01883 unsigned char *buf, 01884 size_t *olen ) 01885 { 01886 unsigned char *p = buf; 01887 01888 if( ssl->handshake->extended_ms == SSL_EXTENDED_MS_DISABLED || 01889 ssl->minor_ver == SSL_MINOR_VERSION_0 ) 01890 { 01891 *olen = 0; 01892 return; 01893 } 01894 01895 SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret " 01896 "extension" ) ); 01897 01898 *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 01899 *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 01900 01901 *p++ = 0x00; 01902 *p++ = 0x00; 01903 01904 *olen = 4; 01905 } 01906 #endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */ 01907 01908 #if defined(POLARSSL_SSL_SESSION_TICKETS) 01909 static void ssl_write_session_ticket_ext( ssl_context *ssl, 01910 unsigned char *buf, 01911 size_t *olen ) 01912 { 01913 unsigned char *p = buf; 01914 01915 if( ssl->handshake->new_session_ticket == 0 ) 01916 { 01917 *olen = 0; 01918 return; 01919 } 01920 01921 SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) ); 01922 01923 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 01924 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF ); 01925 01926 *p++ = 0x00; 01927 *p++ = 0x00; 01928 01929 *olen = 4; 01930 } 01931 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 01932 01933 static void ssl_write_renegotiation_ext( ssl_context *ssl, 01934 unsigned char *buf, 01935 size_t *olen ) 01936 { 01937 unsigned char *p = buf; 01938 01939 if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION ) 01940 { 01941 *olen = 0; 01942 return; 01943 } 01944 01945 SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) ); 01946 01947 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 01948 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 01949 01950 #if defined(POLARSSL_SSL_RENEGOTIATION) 01951 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) 01952 { 01953 *p++ = 0x00; 01954 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF; 01955 *p++ = ssl->verify_data_len * 2 & 0xFF; 01956 01957 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len ); 01958 p += ssl->verify_data_len; 01959 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 01960 p += ssl->verify_data_len; 01961 01962 *olen = 5 + ssl->verify_data_len * 2; 01963 } 01964 else 01965 #endif /* POLARSSL_SSL_RENEGOTIATION */ 01966 { 01967 *p++ = 0x00; 01968 *p++ = 0x01; 01969 *p++ = 0x00; 01970 01971 *olen = 5; 01972 } 01973 } 01974 01975 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) 01976 static void ssl_write_max_fragment_length_ext( ssl_context *ssl, 01977 unsigned char *buf, 01978 size_t *olen ) 01979 { 01980 unsigned char *p = buf; 01981 01982 if( ssl->session_negotiate->mfl_code == SSL_MAX_FRAG_LEN_NONE ) 01983 { 01984 *olen = 0; 01985 return; 01986 } 01987 01988 SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) ); 01989 01990 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 01991 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 01992 01993 *p++ = 0x00; 01994 *p++ = 1; 01995 01996 *p++ = ssl->session_negotiate->mfl_code; 01997 01998 *olen = 5; 01999 } 02000 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */ 02001 02002 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) 02003 static void ssl_write_supported_point_formats_ext( ssl_context *ssl, 02004 unsigned char *buf, 02005 size_t *olen ) 02006 { 02007 unsigned char *p = buf; 02008 ((void) ssl); 02009 02010 if( ( ssl->handshake->cli_exts & 02011 TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 ) 02012 { 02013 *olen = 0; 02014 return; 02015 } 02016 02017 SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) ); 02018 02019 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 02020 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 02021 02022 *p++ = 0x00; 02023 *p++ = 2; 02024 02025 *p++ = 1; 02026 *p++ = POLARSSL_ECP_PF_UNCOMPRESSED; 02027 02028 *olen = 6; 02029 } 02030 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */ 02031 02032 #if defined(POLARSSL_SSL_ALPN ) 02033 static void ssl_write_alpn_ext( ssl_context *ssl, 02034 unsigned char *buf, size_t *olen ) 02035 { 02036 if( ssl->alpn_chosen == NULL ) 02037 { 02038 *olen = 0; 02039 return; 02040 } 02041 02042 SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) ); 02043 02044 /* 02045 * 0 . 1 ext identifier 02046 * 2 . 3 ext length 02047 * 4 . 5 protocol list length 02048 * 6 . 6 protocol name length 02049 * 7 . 7+n protocol name 02050 */ 02051 buf[0] = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF ); 02052 buf[1] = (unsigned char)( ( TLS_EXT_ALPN ) & 0xFF ); 02053 02054 *olen = 7 + strlen( ssl->alpn_chosen ); 02055 02056 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 02057 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 02058 02059 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 02060 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 02061 02062 buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF ); 02063 02064 memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 ); 02065 } 02066 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */ 02067 02068 static int ssl_write_server_hello( ssl_context *ssl ) 02069 { 02070 #if defined(POLARSSL_HAVE_TIME) 02071 time_t t; 02072 #endif 02073 int ret; 02074 size_t olen, ext_len = 0, n; 02075 unsigned char *buf, *p; 02076 02077 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); 02078 02079 if( ssl->f_rng == NULL ) 02080 { 02081 SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 02082 return( POLARSSL_ERR_SSL_NO_RNG ); 02083 } 02084 02085 /* 02086 * 0 . 0 handshake type 02087 * 1 . 3 handshake length 02088 * 4 . 5 protocol version 02089 * 6 . 9 UNIX time() 02090 * 10 . 37 random bytes 02091 */ 02092 buf = ssl->out_msg; 02093 p = buf + 4; 02094 02095 *p++ = (unsigned char) ssl->major_ver; 02096 *p++ = (unsigned char) ssl->minor_ver; 02097 02098 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]", 02099 buf[4], buf[5] ) ); 02100 02101 #if defined(POLARSSL_HAVE_TIME) 02102 t = time( NULL ); 02103 *p++ = (unsigned char)( t >> 24 ); 02104 *p++ = (unsigned char)( t >> 16 ); 02105 *p++ = (unsigned char)( t >> 8 ); 02106 *p++ = (unsigned char)( t ); 02107 02108 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); 02109 #else 02110 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 ) 02111 return( ret ); 02112 02113 p += 4; 02114 #endif /* POLARSSL_HAVE_TIME */ 02115 02116 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 ) 02117 return( ret ); 02118 02119 p += 28; 02120 02121 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 ); 02122 02123 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 ); 02124 02125 /* 02126 * Resume is 0 by default, see ssl_handshake_init(). 02127 * It may be already set to 1 by ssl_parse_session_ticket_ext(). 02128 * If not, try looking up session ID in our cache. 02129 */ 02130 if( ssl->handshake->resume == 0 && 02131 #if defined(POLARSSL_SSL_RENEGOTIATION) 02132 ssl->renegotiation == SSL_INITIAL_HANDSHAKE && 02133 #endif 02134 ssl->session_negotiate->length != 0 && 02135 ssl->f_get_cache != NULL && 02136 ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 ) 02137 { 02138 SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) ); 02139 ssl->handshake->resume = 1; 02140 } 02141 02142 if( ssl->handshake->resume == 0 ) 02143 { 02144 /* 02145 * New session, create a new session id, 02146 * unless we're about to issue a session ticket 02147 */ 02148 ssl->state++; 02149 02150 #if defined(POLARSSL_HAVE_TIME) 02151 ssl->session_negotiate->start = time( NULL ); 02152 #endif 02153 02154 #if defined(POLARSSL_SSL_SESSION_TICKETS) 02155 if( ssl->handshake->new_session_ticket != 0 ) 02156 { 02157 ssl->session_negotiate->length = n = 0; 02158 memset( ssl->session_negotiate->id, 0, 32 ); 02159 } 02160 else 02161 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 02162 { 02163 ssl->session_negotiate->length = n = 32; 02164 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 02165 n ) ) != 0 ) 02166 return( ret ); 02167 } 02168 } 02169 else 02170 { 02171 /* 02172 * Resuming a session 02173 */ 02174 n = ssl->session_negotiate->length; 02175 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC; 02176 02177 if( ( ret = ssl_derive_keys( ssl ) ) != 0 ) 02178 { 02179 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret ); 02180 return( ret ); 02181 } 02182 } 02183 02184 /* 02185 * 38 . 38 session id length 02186 * 39 . 38+n session id 02187 * 39+n . 40+n chosen ciphersuite 02188 * 41+n . 41+n chosen compression alg. 02189 * 42+n . 43+n extensions length 02190 * 44+n . 43+n+m extensions 02191 */ 02192 *p++ = (unsigned char) ssl->session_negotiate->length; 02193 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length ); 02194 p += ssl->session_negotiate->length; 02195 02196 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 02197 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n ); 02198 SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 02199 ssl->handshake->resume ? "a" : "no" ) ); 02200 02201 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 ); 02202 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite ); 02203 *p++ = (unsigned char)( ssl->session_negotiate->compression ); 02204 02205 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", 02206 ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) ); 02207 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X", 02208 ssl->session_negotiate->compression ) ); 02209 02210 /* 02211 * First write extensions, then the total length 02212 */ 02213 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 02214 ext_len += olen; 02215 02216 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) 02217 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 02218 ext_len += olen; 02219 #endif 02220 02221 #if defined(POLARSSL_SSL_TRUNCATED_HMAC) 02222 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 02223 ext_len += olen; 02224 #endif 02225 02226 #if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC) 02227 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 02228 ext_len += olen; 02229 #endif 02230 02231 #if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET) 02232 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 02233 ext_len += olen; 02234 #endif 02235 02236 #if defined(POLARSSL_SSL_SESSION_TICKETS) 02237 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 02238 ext_len += olen; 02239 #endif 02240 02241 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) 02242 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 02243 ext_len += olen; 02244 #endif 02245 02246 #if defined(POLARSSL_SSL_ALPN) 02247 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 02248 ext_len += olen; 02249 #endif 02250 02251 SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) ); 02252 02253 if( ext_len > 0 ) 02254 { 02255 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 02256 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 02257 p += ext_len; 02258 } 02259 02260 ssl->out_msglen = p - buf; 02261 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 02262 ssl->out_msg[0] = SSL_HS_SERVER_HELLO; 02263 02264 ret = ssl_write_record( ssl ); 02265 02266 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); 02267 02268 return( ret ); 02269 } 02270 02271 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \ 02272 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 02273 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 02274 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02275 static int ssl_write_certificate_request( ssl_context *ssl ) 02276 { 02277 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02278 02279 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); 02280 02281 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 02282 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || 02283 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK || 02284 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) 02285 { 02286 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); 02287 ssl->state++; 02288 return( 0 ); 02289 } 02290 02291 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02292 return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); 02293 } 02294 #else 02295 static int ssl_write_certificate_request( ssl_context *ssl ) 02296 { 02297 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; 02298 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 02299 size_t dn_size, total_dn_size; /* excluding length bytes */ 02300 size_t ct_len, sa_len; /* including length bytes */ 02301 unsigned char *buf, *p; 02302 const x509_crt *crt; 02303 02304 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); 02305 02306 ssl->state++; 02307 02308 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 02309 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || 02310 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK || 02311 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK || 02312 ssl->authmode == SSL_VERIFY_NONE ) 02313 { 02314 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); 02315 return( 0 ); 02316 } 02317 02318 /* 02319 * 0 . 0 handshake type 02320 * 1 . 3 handshake length 02321 * 4 . 4 cert type count 02322 * 5 .. m-1 cert types 02323 * m .. m+1 sig alg length (TLS 1.2 only) 02324 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only) 02325 * n .. n+1 length of all DNs 02326 * n+2 .. n+3 length of DN 1 02327 * n+4 .. ... Distinguished Name #1 02328 * ... .. ... length of DN 2, etc. 02329 */ 02330 buf = ssl->out_msg; 02331 p = buf + 4; 02332 02333 /* 02334 * Supported certificate types 02335 * 02336 * ClientCertificateType certificate_types<1..2^8-1>; 02337 * enum { (255) } ClientCertificateType; 02338 */ 02339 ct_len = 0; 02340 02341 #if defined(POLARSSL_RSA_C) 02342 p[1 + ct_len++] = SSL_CERT_TYPE_RSA_SIGN; 02343 #endif 02344 #if defined(POLARSSL_ECDSA_C) 02345 p[1 + ct_len++] = SSL_CERT_TYPE_ECDSA_SIGN; 02346 #endif 02347 02348 p[0] = (unsigned char) ct_len++; 02349 p += ct_len; 02350 02351 sa_len = 0; 02352 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 02353 /* 02354 * Add signature_algorithms for verify (TLS 1.2) 02355 * 02356 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>; 02357 * 02358 * struct { 02359 * HashAlgorithm hash; 02360 * SignatureAlgorithm signature; 02361 * } SignatureAndHashAlgorithm; 02362 * 02363 * enum { (255) } HashAlgorithm; 02364 * enum { (255) } SignatureAlgorithm; 02365 */ 02366 if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) 02367 { 02368 /* 02369 * Only use current running hash algorithm that is already required 02370 * for requested ciphersuite. 02371 */ 02372 ssl->handshake->verify_sig_alg = SSL_HASH_SHA256; 02373 02374 if( ssl->transform_negotiate->ciphersuite_info->mac == 02375 POLARSSL_MD_SHA384 ) 02376 { 02377 ssl->handshake->verify_sig_alg = SSL_HASH_SHA384; 02378 } 02379 02380 /* 02381 * Supported signature algorithms 02382 */ 02383 #if defined(POLARSSL_RSA_C) 02384 p[2 + sa_len++] = ssl->handshake->verify_sig_alg; 02385 p[2 + sa_len++] = SSL_SIG_RSA; 02386 #endif 02387 #if defined(POLARSSL_ECDSA_C) 02388 p[2 + sa_len++] = ssl->handshake->verify_sig_alg; 02389 p[2 + sa_len++] = SSL_SIG_ECDSA; 02390 #endif 02391 02392 p[0] = (unsigned char)( sa_len >> 8 ); 02393 p[1] = (unsigned char)( sa_len ); 02394 sa_len += 2; 02395 p += sa_len; 02396 } 02397 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ 02398 02399 /* 02400 * DistinguishedName certificate_authorities<0..2^16-1>; 02401 * opaque DistinguishedName<1..2^16-1>; 02402 */ 02403 p += 2; 02404 crt = ssl->ca_chain; 02405 02406 total_dn_size = 0; 02407 while( crt != NULL && crt->version != 0 ) 02408 { 02409 if( p - buf > 4096 ) 02410 break; 02411 02412 dn_size = crt->subject_raw.len; 02413 *p++ = (unsigned char)( dn_size >> 8 ); 02414 *p++ = (unsigned char)( dn_size ); 02415 memcpy( p, crt->subject_raw.p, dn_size ); 02416 p += dn_size; 02417 02418 SSL_DEBUG_BUF( 3, "requested DN", p, dn_size ); 02419 02420 total_dn_size += 2 + dn_size; 02421 crt = crt->next; 02422 } 02423 02424 ssl->out_msglen = p - buf; 02425 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 02426 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST; 02427 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 ); 02428 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size ); 02429 02430 ret = ssl_write_record( ssl ); 02431 02432 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) ); 02433 02434 return( ret ); 02435 } 02436 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED && 02437 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED && 02438 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 02439 !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02440 02441 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02442 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02443 static int ssl_get_ecdh_params_from_cert( ssl_context *ssl ) 02444 { 02445 int ret; 02446 02447 if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECKEY ) ) 02448 { 02449 SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 02450 return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH ); 02451 } 02452 02453 if( ( ret = ecdh_get_params( &ssl->handshake->ecdh_ctx, 02454 pk_ec( *ssl_own_key( ssl ) ), 02455 POLARSSL_ECDH_OURS ) ) != 0 ) 02456 { 02457 SSL_DEBUG_RET( 1, ( "ecdh_get_params" ), ret ); 02458 return( ret ); 02459 } 02460 02461 return( 0 ); 02462 } 02463 #endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 02464 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02465 02466 static int ssl_write_server_key_exchange( ssl_context *ssl ) 02467 { 02468 int ret; 02469 size_t n = 0; 02470 const ssl_ciphersuite_t *ciphersuite_info = 02471 ssl->transform_negotiate->ciphersuite_info; 02472 02473 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02474 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ 02475 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02476 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 02477 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02478 unsigned char *p = ssl->out_msg + 4; 02479 unsigned char *dig_signed = p; 02480 size_t dig_signed_len = 0, len; 02481 ((void) dig_signed); 02482 ((void) dig_signed_len); 02483 #endif 02484 02485 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) ); 02486 02487 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \ 02488 defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \ 02489 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) 02490 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA || 02491 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 02492 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) 02493 { 02494 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); 02495 ssl->state++; 02496 return( 0 ); 02497 } 02498 #endif 02499 02500 #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02501 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02502 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA || 02503 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA ) 02504 { 02505 ssl_get_ecdh_params_from_cert( ssl ); 02506 02507 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); 02508 ssl->state++; 02509 return( 0 ); 02510 } 02511 #endif 02512 02513 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ 02514 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02515 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK || 02516 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) 02517 { 02518 /* TODO: Support identity hints */ 02519 *(p++) = 0x00; 02520 *(p++) = 0x00; 02521 02522 n += 2; 02523 } 02524 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED || 02525 POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02526 02527 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02528 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) 02529 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA || 02530 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ) 02531 { 02532 /* 02533 * Ephemeral DH parameters: 02534 * 02535 * struct { 02536 * opaque dh_p<1..2^16-1>; 02537 * opaque dh_g<1..2^16-1>; 02538 * opaque dh_Ys<1..2^16-1>; 02539 * } ServerDHParams; 02540 */ 02541 if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 || 02542 ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 ) 02543 { 02544 SSL_DEBUG_RET( 1, "mpi_copy", ret ); 02545 return( ret ); 02546 } 02547 02548 if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx, 02549 (int) mpi_size( &ssl->handshake->dhm_ctx.P ), 02550 p, &len, ssl->f_rng, ssl->p_rng ) ) != 0 ) 02551 { 02552 SSL_DEBUG_RET( 1, "dhm_make_params", ret ); 02553 return( ret ); 02554 } 02555 02556 dig_signed = p; 02557 dig_signed_len = len; 02558 02559 p += len; 02560 n += len; 02561 02562 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 02563 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 02564 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 02565 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 02566 } 02567 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED || 02568 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02569 02570 #if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED) 02571 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA || 02572 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA || 02573 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) 02574 { 02575 /* 02576 * Ephemeral ECDH parameters: 02577 * 02578 * struct { 02579 * ECParameters curve_params; 02580 * ECPoint public; 02581 * } ServerECDHParams; 02582 */ 02583 const ecp_curve_info **curve = NULL; 02584 #if defined(POLARSSL_SSL_SET_CURVES) 02585 const ecp_group_id *gid; 02586 02587 /* Match our preference list against the offered curves */ 02588 for( gid = ssl->curve_list; *gid != POLARSSL_ECP_DP_NONE; gid++ ) 02589 for( curve = ssl->handshake->curves; *curve != NULL; curve++ ) 02590 if( (*curve)->grp_id == *gid ) 02591 goto curve_matching_done; 02592 02593 curve_matching_done: 02594 #else 02595 curve = ssl->handshake->curves; 02596 #endif 02597 02598 if( *curve == NULL ) 02599 { 02600 SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) ); 02601 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN ); 02602 } 02603 02604 SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) ); 02605 02606 if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp, 02607 (*curve)->grp_id ) ) != 0 ) 02608 { 02609 SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret ); 02610 return( ret ); 02611 } 02612 02613 if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx, &len, 02614 p, SSL_MAX_CONTENT_LEN - n, 02615 ssl->f_rng, ssl->p_rng ) ) != 0 ) 02616 { 02617 SSL_DEBUG_RET( 1, "ecdh_make_params", ret ); 02618 return( ret ); 02619 } 02620 02621 dig_signed = p; 02622 dig_signed_len = len; 02623 02624 p += len; 02625 n += len; 02626 02627 SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q ); 02628 } 02629 #endif /* POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED */ 02630 02631 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02632 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02633 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02634 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA || 02635 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA || 02636 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ) 02637 { 02638 size_t signature_len = 0; 02639 unsigned int hashlen = 0; 02640 unsigned char hash[64]; 02641 md_type_t md_alg = POLARSSL_MD_NONE; 02642 02643 /* 02644 * Choose hash algorithm. NONE means MD5 + SHA1 here. 02645 */ 02646 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 02647 if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) 02648 { 02649 md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg ); 02650 02651 if( md_alg == POLARSSL_MD_NONE ) 02652 { 02653 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02654 return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); 02655 } 02656 } 02657 else 02658 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ 02659 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \ 02660 defined(POLARSSL_SSL_PROTO_TLS1_1) 02661 if( ciphersuite_info->key_exchange == 02662 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ) 02663 { 02664 md_alg = POLARSSL_MD_SHA1; 02665 } 02666 else 02667 #endif 02668 { 02669 md_alg = POLARSSL_MD_NONE; 02670 } 02671 02672 /* 02673 * Compute the hash to be signed 02674 */ 02675 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \ 02676 defined(POLARSSL_SSL_PROTO_TLS1_1) 02677 if( md_alg == POLARSSL_MD_NONE ) 02678 { 02679 md5_context md5; 02680 sha1_context sha1; 02681 02682 md5_init( &md5 ); 02683 sha1_init( &sha1 ); 02684 02685 /* 02686 * digitally-signed struct { 02687 * opaque md5_hash[16]; 02688 * opaque sha_hash[20]; 02689 * }; 02690 * 02691 * md5_hash 02692 * MD5(ClientHello.random + ServerHello.random 02693 * + ServerParams); 02694 * sha_hash 02695 * SHA(ClientHello.random + ServerHello.random 02696 * + ServerParams); 02697 */ 02698 md5_starts( &md5 ); 02699 md5_update( &md5, ssl->handshake->randbytes, 64 ); 02700 md5_update( &md5, dig_signed, dig_signed_len ); 02701 md5_finish( &md5, hash ); 02702 02703 sha1_starts( &sha1 ); 02704 sha1_update( &sha1, ssl->handshake->randbytes, 64 ); 02705 sha1_update( &sha1, dig_signed, dig_signed_len ); 02706 sha1_finish( &sha1, hash + 16 ); 02707 02708 hashlen = 36; 02709 02710 md5_free( &md5 ); 02711 sha1_free( &sha1 ); 02712 } 02713 else 02714 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \ 02715 POLARSSL_SSL_PROTO_TLS1_1 */ 02716 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \ 02717 defined(POLARSSL_SSL_PROTO_TLS1_2) 02718 if( md_alg != POLARSSL_MD_NONE ) 02719 { 02720 md_context_t ctx; 02721 const md_info_t *md_info = md_info_from_type( md_alg ); 02722 02723 md_init( &ctx ); 02724 02725 /* Info from md_alg will be used instead */ 02726 hashlen = 0; 02727 02728 /* 02729 * digitally-signed struct { 02730 * opaque client_random[32]; 02731 * opaque server_random[32]; 02732 * ServerDHParams params; 02733 * }; 02734 */ 02735 if( ( ret = md_init_ctx( &ctx, md_info ) ) != 0 ) 02736 { 02737 SSL_DEBUG_RET( 1, "md_init_ctx", ret ); 02738 return( ret ); 02739 } 02740 02741 md_starts( &ctx ); 02742 md_update( &ctx, ssl->handshake->randbytes, 64 ); 02743 md_update( &ctx, dig_signed, dig_signed_len ); 02744 md_finish( &ctx, hash ); 02745 md_free( &ctx ); 02746 } 02747 else 02748 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \ 02749 POLARSSL_SSL_PROTO_TLS1_2 */ 02750 { 02751 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02752 return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); 02753 } 02754 02755 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : 02756 (unsigned int) ( md_info_from_type( md_alg ) )->size ); 02757 02758 /* 02759 * Make the signature 02760 */ 02761 if( ssl_own_key( ssl ) == NULL ) 02762 { 02763 SSL_DEBUG_MSG( 1, ( "got no private key" ) ); 02764 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02765 } 02766 02767 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 02768 if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) 02769 { 02770 *(p++) = ssl->handshake->sig_alg; 02771 *(p++) = ssl_sig_from_pk( ssl_own_key( ssl ) ); 02772 02773 n += 2; 02774 } 02775 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ 02776 02777 if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash, hashlen, 02778 p + 2 , &signature_len, 02779 ssl->f_rng, ssl->p_rng ) ) != 0 ) 02780 { 02781 SSL_DEBUG_RET( 1, "pk_sign", ret ); 02782 return( ret ); 02783 } 02784 02785 *(p++) = (unsigned char)( signature_len >> 8 ); 02786 *(p++) = (unsigned char)( signature_len ); 02787 n += 2; 02788 02789 SSL_DEBUG_BUF( 3, "my signature", p, signature_len ); 02790 02791 p += signature_len; 02792 n += signature_len; 02793 } 02794 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || 02795 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02796 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02797 02798 ssl->out_msglen = 4 + n; 02799 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 02800 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE; 02801 02802 ssl->state++; 02803 02804 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 02805 { 02806 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 02807 return( ret ); 02808 } 02809 02810 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) ); 02811 02812 return( 0 ); 02813 } 02814 02815 static int ssl_write_server_hello_done( ssl_context *ssl ) 02816 { 02817 int ret; 02818 02819 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) ); 02820 02821 ssl->out_msglen = 4; 02822 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 02823 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE; 02824 02825 ssl->state++; 02826 02827 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 02828 { 02829 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 02830 return( ret ); 02831 } 02832 02833 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) ); 02834 02835 return( 0 ); 02836 } 02837 02838 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02839 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) 02840 static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p, 02841 const unsigned char *end ) 02842 { 02843 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; 02844 size_t n; 02845 02846 /* 02847 * Receive G^Y mod P, premaster = (G^Y)^X mod P 02848 */ 02849 if( *p + 2 > end ) 02850 { 02851 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 02852 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 02853 } 02854 02855 n = ( (*p)[0] << 8 ) | (*p)[1]; 02856 *p += 2; 02857 02858 if( *p + n > end ) 02859 { 02860 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 02861 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 02862 } 02863 02864 if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 ) 02865 { 02866 SSL_DEBUG_RET( 1, "dhm_read_public", ret ); 02867 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 02868 } 02869 02870 *p += n; 02871 02872 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 02873 02874 return( ret ); 02875 } 02876 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED || 02877 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02878 02879 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \ 02880 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) 02881 static int ssl_parse_encrypted_pms( ssl_context *ssl, 02882 const unsigned char *p, 02883 const unsigned char *end, 02884 size_t pms_offset ) 02885 { 02886 int ret; 02887 size_t len = pk_get_len( ssl_own_key( ssl ) ); 02888 unsigned char *pms = ssl->handshake->premaster + pms_offset; 02889 unsigned char fake_pms[48], peer_pms[48]; 02890 unsigned char mask; 02891 size_t i, diff, peer_pmslen; 02892 02893 if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) ) 02894 { 02895 SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) ); 02896 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02897 } 02898 02899 /* 02900 * Decrypt the premaster using own private RSA key 02901 */ 02902 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \ 02903 defined(POLARSSL_SSL_PROTO_TLS1_2) 02904 if( ssl->minor_ver != SSL_MINOR_VERSION_0 ) 02905 { 02906 if( *p++ != ( ( len >> 8 ) & 0xFF ) || 02907 *p++ != ( ( len ) & 0xFF ) ) 02908 { 02909 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 02910 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 02911 } 02912 } 02913 #endif 02914 02915 if( p + len != end ) 02916 { 02917 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 02918 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 02919 } 02920 02921 /* 02922 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding 02923 * must not cause the connection to end immediately; instead, send a 02924 * bad_record_mac later in the handshake. 02925 * Also, avoid data-dependant branches here to protect against 02926 * timing-based variants. 02927 */ 02928 ret = ssl->f_rng( ssl->p_rng, fake_pms, sizeof( fake_pms ) ); 02929 if( ret != 0 ) 02930 return( ret ); 02931 02932 ret = pk_decrypt( ssl_own_key( ssl ), p, len, 02933 peer_pms, &peer_pmslen, 02934 sizeof( peer_pms ), 02935 ssl->f_rng, ssl->p_rng ); 02936 02937 diff = (size_t) ret; 02938 diff |= peer_pmslen ^ 48; 02939 diff |= peer_pms[0] ^ ssl->handshake->max_major_ver; 02940 diff |= peer_pms[1] ^ ssl->handshake->max_minor_ver; 02941 02942 #if defined(POLARSSL_SSL_DEBUG_ALL) 02943 if( diff != 0 ) 02944 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 02945 #endif 02946 02947 if( sizeof( ssl->handshake->premaster ) < pms_offset || 02948 sizeof( ssl->handshake->premaster ) - pms_offset < 48 ) 02949 { 02950 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02951 return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); 02952 } 02953 ssl->handshake->pmslen = 48; 02954 02955 mask = ( diff | - diff ) >> ( sizeof( size_t ) * 8 - 1 ); 02956 mask = (unsigned char)( - ( ret != 0 ) ); /* mask = diff ? 0xff : 0x00 */ 02957 for( i = 0; i < ssl->handshake->pmslen; i++ ) 02958 pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] ); 02959 02960 return( 0 ); 02961 } 02962 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED || 02963 POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02964 02965 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) 02966 static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p, 02967 const unsigned char *end ) 02968 { 02969 int ret = 0; 02970 size_t n; 02971 02972 if( ssl->f_psk == NULL && 02973 ( ssl->psk == NULL || ssl->psk_identity == NULL || 02974 ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) ) 02975 { 02976 SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) ); 02977 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02978 } 02979 02980 /* 02981 * Receive client pre-shared key identity name 02982 */ 02983 if( *p + 2 > end ) 02984 { 02985 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 02986 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 02987 } 02988 02989 n = ( (*p)[0] << 8 ) | (*p)[1]; 02990 *p += 2; 02991 02992 if( n < 1 || n > 65535 || *p + n > end ) 02993 { 02994 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 02995 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 02996 } 02997 02998 if( ssl->f_psk != NULL ) 02999 { 03000 if( ssl->f_psk( ssl->p_psk, ssl, *p, n ) != 0 ) 03001 ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY; 03002 } 03003 else 03004 { 03005 /* Identity is not a big secret since clients send it in the clear, 03006 * but treat it carefully anyway, just in case */ 03007 if( n != ssl->psk_identity_len || 03008 safer_memcmp( ssl->psk_identity, *p, n ) != 0 ) 03009 { 03010 ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY; 03011 } 03012 } 03013 03014 if( ret == POLARSSL_ERR_SSL_UNKNOWN_IDENTITY ) 03015 { 03016 SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n ); 03017 if( ( ret = ssl_send_alert_message( ssl, 03018 SSL_ALERT_LEVEL_FATAL, 03019 SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 ) 03020 { 03021 return( ret ); 03022 } 03023 03024 return( POLARSSL_ERR_SSL_UNKNOWN_IDENTITY ); 03025 } 03026 03027 *p += n; 03028 03029 return( 0 ); 03030 } 03031 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */ 03032 03033 static int ssl_parse_client_key_exchange( ssl_context *ssl ) 03034 { 03035 int ret; 03036 const ssl_ciphersuite_t *ciphersuite_info; 03037 03038 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 03039 03040 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) ); 03041 03042 if( ( ret = ssl_read_record( ssl ) ) != 0 ) 03043 { 03044 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 03045 return( ret ); 03046 } 03047 03048 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) 03049 { 03050 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03051 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03052 } 03053 03054 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE ) 03055 { 03056 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03057 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03058 } 03059 03060 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) 03061 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ) 03062 { 03063 unsigned char *p = ssl->in_msg + 4; 03064 unsigned char *end = ssl->in_msg + ssl->in_hslen; 03065 03066 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) 03067 { 03068 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); 03069 return( ret ); 03070 } 03071 03072 if( p != end ) 03073 { 03074 SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 03075 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03076 } 03077 03078 ssl->handshake->pmslen = POLARSSL_PREMASTER_SIZE; 03079 03080 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx, 03081 ssl->handshake->premaster, 03082 &ssl->handshake->pmslen, 03083 ssl->f_rng, ssl->p_rng ) ) != 0 ) 03084 { 03085 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret ); 03086 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); 03087 } 03088 03089 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 03090 } 03091 else 03092 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */ 03093 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 03094 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 03095 defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 03096 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 03097 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA || 03098 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA || 03099 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA || 03100 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA ) 03101 { 03102 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx, 03103 ssl->in_msg + 4, ssl->in_hslen - 4 ) ) != 0 ) 03104 { 03105 SSL_DEBUG_RET( 1, "ecdh_read_public", ret ); 03106 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 03107 } 03108 03109 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp ); 03110 03111 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 03112 &ssl->handshake->pmslen, 03113 ssl->handshake->premaster, 03114 POLARSSL_MPI_MAX_SIZE, 03115 ssl->f_rng, ssl->p_rng ) ) != 0 ) 03116 { 03117 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret ); 03118 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); 03119 } 03120 03121 SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z ); 03122 } 03123 else 03124 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 03125 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 03126 POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED || 03127 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 03128 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) 03129 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ) 03130 { 03131 unsigned char *p = ssl->in_msg + 4; 03132 unsigned char *end = ssl->in_msg + ssl->in_hslen; 03133 03134 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03135 { 03136 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03137 return( ret ); 03138 } 03139 03140 if( p != end ) 03141 { 03142 SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 03143 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03144 } 03145 03146 if( ( ret = ssl_psk_derive_premaster( ssl, 03147 ciphersuite_info->key_exchange ) ) != 0 ) 03148 { 03149 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret ); 03150 return( ret ); 03151 } 03152 } 03153 else 03154 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */ 03155 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) 03156 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) 03157 { 03158 unsigned char *p = ssl->in_msg + 4; 03159 unsigned char *end = ssl->in_msg + ssl->in_hslen; 03160 03161 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03162 { 03163 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03164 return( ret ); 03165 } 03166 03167 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 ) 03168 { 03169 SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret ); 03170 return( ret ); 03171 } 03172 03173 if( ( ret = ssl_psk_derive_premaster( ssl, 03174 ciphersuite_info->key_exchange ) ) != 0 ) 03175 { 03176 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret ); 03177 return( ret ); 03178 } 03179 } 03180 else 03181 #endif /* POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */ 03182 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) 03183 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ) 03184 { 03185 unsigned char *p = ssl->in_msg + 4; 03186 unsigned char *end = ssl->in_msg + ssl->in_hslen; 03187 03188 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03189 { 03190 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03191 return( ret ); 03192 } 03193 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) 03194 { 03195 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); 03196 return( ret ); 03197 } 03198 03199 if( p != end ) 03200 { 03201 SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 03202 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03203 } 03204 03205 if( ( ret = ssl_psk_derive_premaster( ssl, 03206 ciphersuite_info->key_exchange ) ) != 0 ) 03207 { 03208 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret ); 03209 return( ret ); 03210 } 03211 } 03212 else 03213 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */ 03214 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 03215 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) 03216 { 03217 unsigned char *p = ssl->in_msg + 4; 03218 unsigned char *end = ssl->in_msg + ssl->in_hslen; 03219 03220 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03221 { 03222 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03223 return( ret ); 03224 } 03225 03226 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx, 03227 p, end - p ) ) != 0 ) 03228 { 03229 SSL_DEBUG_RET( 1, "ecdh_read_public", ret ); 03230 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 03231 } 03232 03233 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp ); 03234 03235 if( ( ret = ssl_psk_derive_premaster( ssl, 03236 ciphersuite_info->key_exchange ) ) != 0 ) 03237 { 03238 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret ); 03239 return( ret ); 03240 } 03241 } 03242 else 03243 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 03244 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) 03245 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ) 03246 { 03247 if( ( ret = ssl_parse_encrypted_pms( ssl, 03248 ssl->in_msg + 4, 03249 ssl->in_msg + ssl->in_hslen, 03250 0 ) ) != 0 ) 03251 { 03252 SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret ); 03253 return( ret ); 03254 } 03255 } 03256 else 03257 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */ 03258 { 03259 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03260 return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); 03261 } 03262 03263 if( ( ret = ssl_derive_keys( ssl ) ) != 0 ) 03264 { 03265 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret ); 03266 return( ret ); 03267 } 03268 03269 ssl->state++; 03270 03271 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) ); 03272 03273 return( 0 ); 03274 } 03275 03276 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \ 03277 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 03278 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 03279 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 03280 static int ssl_parse_certificate_verify( ssl_context *ssl ) 03281 { 03282 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 03283 03284 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); 03285 03286 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 03287 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || 03288 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK || 03289 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ) 03290 { 03291 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 03292 ssl->state++; 03293 return( 0 ); 03294 } 03295 03296 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03297 return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); 03298 } 03299 #else 03300 static int ssl_parse_certificate_verify( ssl_context *ssl ) 03301 { 03302 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; 03303 size_t sa_len, sig_len; 03304 unsigned char hash[48]; 03305 unsigned char *hash_start = hash; 03306 size_t hashlen; 03307 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 03308 pk_type_t pk_alg; 03309 #endif 03310 md_type_t md_alg; 03311 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 03312 03313 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); 03314 03315 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || 03316 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || 03317 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK || 03318 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ) 03319 { 03320 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 03321 ssl->state++; 03322 return( 0 ); 03323 } 03324 03325 if( ssl->session_negotiate->peer_cert == NULL ) 03326 { 03327 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 03328 ssl->state++; 03329 return( 0 ); 03330 } 03331 03332 ssl->handshake->calc_verify( ssl, hash ); 03333 03334 if( ( ret = ssl_read_record( ssl ) ) != 0 ) 03335 { 03336 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 03337 return( ret ); 03338 } 03339 03340 ssl->state++; 03341 03342 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) 03343 { 03344 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03345 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03346 } 03347 03348 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY ) 03349 { 03350 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03351 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03352 } 03353 03354 /* 03355 * 0 . 0 handshake type 03356 * 1 . 3 handshake length 03357 * 4 . 5 sig alg (TLS 1.2 only) 03358 * 4+n . 5+n signature length (n = sa_len) 03359 * 6+n . 6+n+m signature (m = sig_len) 03360 */ 03361 03362 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \ 03363 defined(POLARSSL_SSL_PROTO_TLS1_1) 03364 if( ssl->minor_ver != SSL_MINOR_VERSION_3 ) 03365 { 03366 sa_len = 0; 03367 03368 md_alg = POLARSSL_MD_NONE; 03369 hashlen = 36; 03370 03371 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */ 03372 if( pk_can_do( &ssl->session_negotiate->peer_cert->pk, 03373 POLARSSL_PK_ECDSA ) ) 03374 { 03375 hash_start += 16; 03376 hashlen -= 16; 03377 md_alg = POLARSSL_MD_SHA1; 03378 } 03379 } 03380 else 03381 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || 03382 POLARSSL_SSL_PROTO_TLS1_1 */ 03383 #if defined(POLARSSL_SSL_PROTO_TLS1_2) 03384 if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) 03385 { 03386 sa_len = 2; 03387 03388 /* 03389 * Hash 03390 */ 03391 if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg ) 03392 { 03393 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" 03394 " for verify message" ) ); 03395 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03396 } 03397 03398 md_alg = ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg ); 03399 03400 /* Info from md_alg will be used instead */ 03401 hashlen = 0; 03402 03403 /* 03404 * Signature 03405 */ 03406 if( ( pk_alg = ssl_pk_alg_from_sig( ssl->in_msg[5] ) ) 03407 == POLARSSL_PK_NONE ) 03408 { 03409 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" 03410 " for verify message" ) ); 03411 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03412 } 03413 03414 /* 03415 * Check the certificate's key type matches the signature alg 03416 */ 03417 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 03418 { 03419 SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) ); 03420 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03421 } 03422 } 03423 else 03424 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ 03425 { 03426 SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03427 return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); 03428 } 03429 03430 sig_len = ( ssl->in_msg[4 + sa_len] << 8 ) | ssl->in_msg[5 + sa_len]; 03431 03432 if( sa_len + sig_len + 6 != ssl->in_hslen ) 03433 { 03434 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03435 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03436 } 03437 03438 if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk, 03439 md_alg, hash_start, hashlen, 03440 ssl->in_msg + 6 + sa_len, sig_len ) ) != 0 ) 03441 { 03442 SSL_DEBUG_RET( 1, "pk_verify", ret ); 03443 return( ret ); 03444 } 03445 03446 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) ); 03447 03448 return( ret ); 03449 } 03450 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED && 03451 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED && 03452 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */ 03453 03454 #if defined(POLARSSL_SSL_SESSION_TICKETS) 03455 static int ssl_write_new_session_ticket( ssl_context *ssl ) 03456 { 03457 int ret; 03458 size_t tlen; 03459 uint32_t lifetime = (uint32_t) ssl->ticket_lifetime; 03460 03461 SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) ); 03462 03463 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 03464 ssl->out_msg[0] = SSL_HS_NEW_SESSION_TICKET; 03465 03466 /* 03467 * struct { 03468 * uint32 ticket_lifetime_hint; 03469 * opaque ticket<0..2^16-1>; 03470 * } NewSessionTicket; 03471 * 03472 * 4 . 7 ticket_lifetime_hint (0 = unspecified) 03473 * 8 . 9 ticket_len (n) 03474 * 10 . 9+n ticket content 03475 */ 03476 03477 ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF; 03478 ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF; 03479 ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF; 03480 ssl->out_msg[7] = ( lifetime ) & 0xFF; 03481 03482 if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 ) 03483 { 03484 SSL_DEBUG_RET( 1, "ssl_write_ticket", ret ); 03485 tlen = 0; 03486 } 03487 03488 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 03489 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF ); 03490 03491 ssl->out_msglen = 10 + tlen; 03492 03493 /* 03494 * Morally equivalent to updating ssl->state, but NewSessionTicket and 03495 * ChangeCipherSpec share the same state. 03496 */ 03497 ssl->handshake->new_session_ticket = 0; 03498 03499 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 03500 { 03501 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 03502 return( ret ); 03503 } 03504 03505 SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) ); 03506 03507 return( 0 ); 03508 } 03509 #endif /* POLARSSL_SSL_SESSION_TICKETS */ 03510 03511 /* 03512 * SSL handshake -- server side -- single step 03513 */ 03514 int ssl_handshake_server_step( ssl_context *ssl ) 03515 { 03516 int ret = 0; 03517 03518 if( ssl->state == SSL_HANDSHAKE_OVER ) 03519 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 03520 03521 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) ); 03522 03523 if( ( ret = ssl_flush_output( ssl ) ) != 0 ) 03524 return( ret ); 03525 03526 switch( ssl->state ) 03527 { 03528 case SSL_HELLO_REQUEST: 03529 ssl->state = SSL_CLIENT_HELLO; 03530 break; 03531 03532 /* 03533 * <== ClientHello 03534 */ 03535 case SSL_CLIENT_HELLO: 03536 ret = ssl_parse_client_hello( ssl ); 03537 break; 03538 03539 /* 03540 * ==> ServerHello 03541 * Certificate 03542 * ( ServerKeyExchange ) 03543 * ( CertificateRequest ) 03544 * ServerHelloDone 03545 */ 03546 case SSL_SERVER_HELLO: 03547 ret = ssl_write_server_hello( ssl ); 03548 break; 03549 03550 case SSL_SERVER_CERTIFICATE: 03551 ret = ssl_write_certificate( ssl ); 03552 break; 03553 03554 case SSL_SERVER_KEY_EXCHANGE: 03555 ret = ssl_write_server_key_exchange( ssl ); 03556 break; 03557 03558 case SSL_CERTIFICATE_REQUEST: 03559 ret = ssl_write_certificate_request( ssl ); 03560 break; 03561 03562 case SSL_SERVER_HELLO_DONE: 03563 ret = ssl_write_server_hello_done( ssl ); 03564 break; 03565 03566 /* 03567 * <== ( Certificate/Alert ) 03568 * ClientKeyExchange 03569 * ( CertificateVerify ) 03570 * ChangeCipherSpec 03571 * Finished 03572 */ 03573 case SSL_CLIENT_CERTIFICATE: 03574 ret = ssl_parse_certificate( ssl ); 03575 break; 03576 03577 case SSL_CLIENT_KEY_EXCHANGE: 03578 ret = ssl_parse_client_key_exchange( ssl ); 03579 break; 03580 03581 case SSL_CERTIFICATE_VERIFY: 03582 ret = ssl_parse_certificate_verify( ssl ); 03583 break; 03584 03585 case SSL_CLIENT_CHANGE_CIPHER_SPEC: 03586 ret = ssl_parse_change_cipher_spec( ssl ); 03587 break; 03588 03589 case SSL_CLIENT_FINISHED: 03590 ret = ssl_parse_finished( ssl ); 03591 break; 03592 03593 /* 03594 * ==> ( NewSessionTicket ) 03595 * ChangeCipherSpec 03596 * Finished 03597 */ 03598 case SSL_SERVER_CHANGE_CIPHER_SPEC: 03599 #if defined(POLARSSL_SSL_SESSION_TICKETS) 03600 if( ssl->handshake->new_session_ticket != 0 ) 03601 ret = ssl_write_new_session_ticket( ssl ); 03602 else 03603 #endif 03604 ret = ssl_write_change_cipher_spec( ssl ); 03605 break; 03606 03607 case SSL_SERVER_FINISHED: 03608 ret = ssl_write_finished( ssl ); 03609 break; 03610 03611 case SSL_FLUSH_BUFFERS: 03612 SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 03613 ssl->state = SSL_HANDSHAKE_WRAPUP; 03614 break; 03615 03616 case SSL_HANDSHAKE_WRAPUP: 03617 ssl_handshake_wrapup( ssl ); 03618 break; 03619 03620 default: 03621 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 03622 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 03623 } 03624 03625 return( ret ); 03626 } 03627 #endif /* POLARSSL_SSL_SRV_C */ 03628
Generated on Tue Jul 12 2022 13:50:38 by
1.7.2