00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
00013
00014
00015
00016
00017
00018
00019
00020
00021
00022
00023
00024
00025
00026 #include "polarssl/config.h"
00027
00028 #if defined(POLARSSL_SSL_SRV_C)
00029
00030 #include "polarssl/debug.h"
00031 #include "polarssl/ssl.h"
00032 #if defined(POLARSSL_ECP_C)
00033 #include "polarssl/ecp.h"
00034 #endif
00035
00036 #if defined(POLARSSL_MEMORY_C)
00037 #include "polarssl/memory.h"
00038 #else
00039 #define polarssl_malloc malloc
00040 #define polarssl_free free
00041 #endif
00042
00043 #include <stdlib.h>
00044 #include <stdio.h>
00045
00046 #if defined(POLARSSL_HAVE_TIME)
00047 #include <time.h>
00048 #endif
00049
00050 #if defined(POLARSSL_SSL_SESSION_TICKETS)
00051
00052
00053
00054
00055
00056
00057
00058
00059 static int ssl_save_session( const ssl_session *session,
00060 unsigned char *buf, size_t buf_len,
00061 size_t *olen )
00062 {
00063 unsigned char *p = buf;
00064 size_t left = buf_len;
00065 #if defined(POLARSSL_X509_CRT_PARSE_C)
00066 size_t cert_len;
00067 #endif
00068
00069 if( left < sizeof( ssl_session ) )
00070 return( -1 );
00071
00072 memcpy( p, session, sizeof( ssl_session ) );
00073 p += sizeof( ssl_session );
00074 left -= sizeof( ssl_session );
00075
00076 #if defined(POLARSSL_X509_CRT_PARSE_C)
00077 if( session->peer_cert == NULL )
00078 cert_len = 0;
00079 else
00080 cert_len = session->peer_cert->raw.len;
00081
00082 if( left < 3 + cert_len )
00083 return( -1 );
00084
00085 *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
00086 *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
00087 *p++ = (unsigned char)( cert_len & 0xFF );
00088
00089 if( session->peer_cert != NULL )
00090 memcpy( p, session->peer_cert->raw.p, cert_len );
00091
00092 p += cert_len;
00093 #endif
00094
00095 *olen = p - buf;
00096
00097 return( 0 );
00098 }
00099
00100
00101
00102
00103 static int ssl_load_session( ssl_session *session,
00104 const unsigned char *buf, size_t len )
00105 {
00106 const unsigned char *p = buf;
00107 const unsigned char * const end = buf + len;
00108 #if defined(POLARSSL_X509_CRT_PARSE_C)
00109 size_t cert_len;
00110 #endif
00111
00112 if( p + sizeof( ssl_session ) > end )
00113 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00114
00115 memcpy( session, p, sizeof( ssl_session ) );
00116 p += sizeof( ssl_session );
00117
00118 #if defined(POLARSSL_X509_CRT_PARSE_C)
00119 if( p + 3 > end )
00120 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00121
00122 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
00123 p += 3;
00124
00125 if( cert_len == 0 )
00126 {
00127 session->peer_cert = NULL;
00128 }
00129 else
00130 {
00131 int ret;
00132
00133 if( p + cert_len > end )
00134 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00135
00136 session->peer_cert = polarssl_malloc( sizeof( x509_crt ) );
00137
00138 if( session->peer_cert == NULL )
00139 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
00140
00141 x509_crt_init( session->peer_cert );
00142
00143 if( ( ret = x509_crt_parse( session->peer_cert, p, cert_len ) ) != 0 )
00144 {
00145 x509_crt_free( session->peer_cert );
00146 polarssl_free( session->peer_cert );
00147 session->peer_cert = NULL;
00148 return( ret );
00149 }
00150
00151 p += cert_len;
00152 }
00153 #endif
00154
00155 if( p != end )
00156 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00157
00158 return( 0 );
00159 }
00160
00161
00162
00163
00164
00165
00166
00167
00168
00169
00170
00171
00172
00173 static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
00174 {
00175 int ret;
00176 unsigned char * const start = ssl->out_msg + 10;
00177 unsigned char *p = start;
00178 unsigned char *state;
00179 unsigned char iv[16];
00180 size_t clear_len, enc_len, pad_len, i;
00181
00182 *tlen = 0;
00183
00184 if( ssl->ticket_keys == NULL )
00185 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00186
00187
00188 memcpy( p, ssl->ticket_keys->key_name, 16 );
00189 p += 16;
00190
00191
00192 if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
00193 return( ret );
00194 memcpy( iv, p, 16 );
00195 p += 16;
00196
00197
00198
00199
00200
00201
00202
00203 state = p + 2;
00204 if( ssl_save_session( ssl->session_negotiate, state,
00205 SSL_MAX_CONTENT_LEN - (state - ssl->out_ctr) - 48,
00206 &clear_len ) != 0 )
00207 {
00208 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
00209 }
00210 SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
00211
00212
00213 pad_len = 16 - clear_len % 16;
00214 enc_len = clear_len + pad_len;
00215 for( i = clear_len; i < enc_len; i++ )
00216 state[i] = (unsigned char) pad_len;
00217
00218
00219 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
00220 enc_len, iv, state, state ) ) != 0 )
00221 {
00222 return( ret );
00223 }
00224
00225
00226 *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
00227 *p++ = (unsigned char)( ( enc_len ) & 0xFF );
00228 p = state + enc_len;
00229
00230
00231 sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
00232 p += 32;
00233
00234 *tlen = p - start;
00235
00236 SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
00237
00238 return( 0 );
00239 }
00240
00241
00242
00243
00244 static int ssl_parse_ticket( ssl_context *ssl,
00245 unsigned char *buf,
00246 size_t len )
00247 {
00248 int ret;
00249 ssl_session session;
00250 unsigned char *key_name = buf;
00251 unsigned char *iv = buf + 16;
00252 unsigned char *enc_len_p = iv + 16;
00253 unsigned char *ticket = enc_len_p + 2;
00254 unsigned char *mac;
00255 unsigned char computed_mac[32];
00256 size_t enc_len, clear_len, i;
00257 unsigned char pad_len, diff;
00258
00259 SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
00260
00261 if( len < 34 || ssl->ticket_keys == NULL )
00262 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00263
00264 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
00265 mac = ticket + enc_len;
00266
00267 if( len != enc_len + 66 )
00268 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00269
00270
00271 diff = 0;
00272 for( i = 0; i < 16; i++ )
00273 diff |= key_name[i] ^ ssl->ticket_keys->key_name[i];
00274
00275
00276
00277 sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
00278 computed_mac, 0 );
00279
00280 for( i = 0; i < 32; i++ )
00281 diff |= mac[i] ^ computed_mac[i];
00282
00283
00284
00285 if( diff != 0 )
00286 return( POLARSSL_ERR_SSL_INVALID_MAC );
00287
00288
00289 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
00290 enc_len, iv, ticket, ticket ) ) != 0 )
00291 {
00292 return( ret );
00293 }
00294
00295
00296 pad_len = ticket[enc_len - 1];
00297
00298 ret = 0;
00299 for( i = 2; i < pad_len; i++ )
00300 if( ticket[enc_len - i] != pad_len )
00301 ret = POLARSSL_ERR_SSL_BAD_INPUT_DATA;
00302 if( ret != 0 )
00303 return( ret );
00304
00305 clear_len = enc_len - pad_len;
00306
00307 SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
00308
00309
00310 if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
00311 {
00312 SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
00313 memset( &session, 0, sizeof( ssl_session ) );
00314 return( ret );
00315 }
00316
00317 #if defined(POLARSSL_HAVE_TIME)
00318
00319 if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
00320 {
00321 SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
00322 memset( &session, 0, sizeof( ssl_session ) );
00323 return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED );
00324 }
00325 #endif
00326
00327
00328
00329
00330
00331 session.length = ssl->session_negotiate->length;
00332 memcpy( &session.id, ssl->session_negotiate->id, session.length );
00333
00334 ssl_session_free( ssl->session_negotiate );
00335 memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
00336 memset( &session, 0, sizeof( ssl_session ) );
00337
00338 return( 0 );
00339 }
00340 #endif
00341
00342 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
00343
00344
00345
00346
00347 static int ssl_sni_wrapper( ssl_context *ssl,
00348 const unsigned char* name, size_t len )
00349 {
00350 int ret;
00351 ssl_key_cert *key_cert_ori = ssl->key_cert;
00352
00353 ssl->key_cert = NULL;
00354 ret = ssl->f_sni( ssl->p_sni, ssl, name, len );
00355 ssl->handshake->sni_key_cert = ssl->key_cert;
00356
00357 ssl->key_cert = key_cert_ori;
00358
00359 return( ret );
00360 }
00361
00362 static int ssl_parse_servername_ext( ssl_context *ssl,
00363 const unsigned char *buf,
00364 size_t len )
00365 {
00366 int ret;
00367 size_t servername_list_size, hostname_len;
00368 const unsigned char *p;
00369
00370 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
00371 if( servername_list_size + 2 != len )
00372 {
00373 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00374 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00375 }
00376
00377 p = buf + 2;
00378 while( servername_list_size > 0 )
00379 {
00380 hostname_len = ( ( p[1] << 8 ) | p[2] );
00381 if( hostname_len + 3 > servername_list_size )
00382 {
00383 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00384 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00385 }
00386
00387 if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
00388 {
00389 ret = ssl_sni_wrapper( ssl, p + 3, hostname_len );
00390 if( ret != 0 )
00391 {
00392 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
00393 SSL_ALERT_MSG_UNRECOGNIZED_NAME );
00394 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00395 }
00396 return( 0 );
00397 }
00398
00399 servername_list_size -= hostname_len + 3;
00400 p += hostname_len + 3;
00401 }
00402
00403 if( servername_list_size != 0 )
00404 {
00405 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00406 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00407 }
00408
00409 return( 0 );
00410 }
00411 #endif
00412
00413 static int ssl_parse_renegotiation_info( ssl_context *ssl,
00414 const unsigned char *buf,
00415 size_t len )
00416 {
00417 int ret;
00418
00419 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
00420 {
00421 if( len != 1 || buf[0] != 0x0 )
00422 {
00423 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
00424
00425 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
00426 return( ret );
00427
00428 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00429 }
00430
00431 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
00432 }
00433 else
00434 {
00435
00436 if( len != 1 + ssl->verify_data_len ||
00437 buf[0] != ssl->verify_data_len ||
00438 safer_memcmp( buf + 1, ssl->peer_verify_data,
00439 ssl->verify_data_len ) != 0 )
00440 {
00441 SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
00442
00443 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
00444 return( ret );
00445
00446 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00447 }
00448 }
00449
00450 return( 0 );
00451 }
00452
00453 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
00454 static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
00455 const unsigned char *buf,
00456 size_t len )
00457 {
00458 size_t sig_alg_list_size;
00459 const unsigned char *p;
00460
00461 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
00462 if( sig_alg_list_size + 2 != len ||
00463 sig_alg_list_size %2 != 0 )
00464 {
00465 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00466 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00467 }
00468
00469 p = buf + 2;
00470 while( sig_alg_list_size > 0 )
00471 {
00472
00473
00474
00475
00476 #if defined(POLARSSL_SHA512_C)
00477 if( p[0] == SSL_HASH_SHA512 )
00478 {
00479 ssl->handshake->sig_alg = SSL_HASH_SHA512;
00480 break;
00481 }
00482 if( p[0] == SSL_HASH_SHA384 )
00483 {
00484 ssl->handshake->sig_alg = SSL_HASH_SHA384;
00485 break;
00486 }
00487 #endif
00488 #if defined(POLARSSL_SHA256_C)
00489 if( p[0] == SSL_HASH_SHA256 )
00490 {
00491 ssl->handshake->sig_alg = SSL_HASH_SHA256;
00492 break;
00493 }
00494 if( p[0] == SSL_HASH_SHA224 )
00495 {
00496 ssl->handshake->sig_alg = SSL_HASH_SHA224;
00497 break;
00498 }
00499 #endif
00500 if( p[0] == SSL_HASH_SHA1 )
00501 {
00502 ssl->handshake->sig_alg = SSL_HASH_SHA1;
00503 break;
00504 }
00505 if( p[0] == SSL_HASH_MD5 )
00506 {
00507 ssl->handshake->sig_alg = SSL_HASH_MD5;
00508 break;
00509 }
00510
00511 sig_alg_list_size -= 2;
00512 p += 2;
00513 }
00514
00515 SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
00516 ssl->handshake->sig_alg ) );
00517
00518 return( 0 );
00519 }
00520 #endif
00521
00522 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
00523 static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
00524 const unsigned char *buf,
00525 size_t len )
00526 {
00527 size_t list_size, our_size;
00528 const unsigned char *p;
00529 const ecp_curve_info *curve_info, **curves;
00530
00531 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
00532 if( list_size + 2 != len ||
00533 list_size % 2 != 0 )
00534 {
00535 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00536 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00537 }
00538
00539
00540
00541 our_size = list_size / 2 + 1;
00542 if( our_size > POLARSSL_ECP_DP_MAX )
00543 our_size = POLARSSL_ECP_DP_MAX;
00544
00545 if( ( curves = polarssl_malloc( our_size * sizeof( *curves ) ) ) == NULL )
00546 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
00547
00548
00549 memset( (void *) curves, 0, our_size * sizeof( *curves ) );
00550 ssl->handshake->curves = curves;
00551
00552 p = buf + 2;
00553 while( list_size > 0 && our_size > 1 )
00554 {
00555 curve_info = ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
00556
00557 if( curve_info != NULL )
00558 {
00559 *curves++ = curve_info;
00560 our_size--;
00561 }
00562
00563 list_size -= 2;
00564 p += 2;
00565 }
00566
00567 return( 0 );
00568 }
00569
00570 static int ssl_parse_supported_point_formats( ssl_context *ssl,
00571 const unsigned char *buf,
00572 size_t len )
00573 {
00574 size_t list_size;
00575 const unsigned char *p;
00576
00577 list_size = buf[0];
00578 if( list_size + 1 != len )
00579 {
00580 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00581 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00582 }
00583
00584 p = buf + 2;
00585 while( list_size > 0 )
00586 {
00587 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
00588 p[0] == POLARSSL_ECP_PF_COMPRESSED )
00589 {
00590 ssl->handshake->ecdh_ctx.point_format = p[0];
00591 SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
00592 return( 0 );
00593 }
00594
00595 list_size--;
00596 p++;
00597 }
00598
00599 return( 0 );
00600 }
00601 #endif
00602
00603 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
00604 static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
00605 const unsigned char *buf,
00606 size_t len )
00607 {
00608 if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
00609 {
00610 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00611 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00612 }
00613
00614 ssl->session_negotiate->mfl_code = buf[0];
00615
00616 return( 0 );
00617 }
00618 #endif
00619
00620 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
00621 static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
00622 const unsigned char *buf,
00623 size_t len )
00624 {
00625 if( len != 0 )
00626 {
00627 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00628 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00629 }
00630
00631 ((void) buf);
00632
00633 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
00634
00635 return( 0 );
00636 }
00637 #endif
00638
00639 #if defined(POLARSSL_SSL_SESSION_TICKETS)
00640 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
00641 unsigned char *buf,
00642 size_t len )
00643 {
00644 int ret;
00645
00646 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
00647 return( 0 );
00648
00649
00650 ssl->handshake->new_session_ticket = 1;
00651
00652 SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
00653
00654 if( len == 0 )
00655 return( 0 );
00656
00657 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
00658 {
00659 SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
00660 return( 0 );
00661 }
00662
00663
00664
00665
00666 if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
00667 {
00668 SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
00669 return( 0 );
00670 }
00671
00672 SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
00673
00674 ssl->handshake->resume = 1;
00675
00676
00677 ssl->handshake->new_session_ticket = 0;
00678
00679 return( 0 );
00680 }
00681 #endif
00682
00683 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
00684 static int ssl_parse_client_hello_v2( ssl_context *ssl )
00685 {
00686 int ret;
00687 unsigned int i, j;
00688 size_t n;
00689 unsigned int ciph_len, sess_len, chal_len;
00690 unsigned char *buf, *p;
00691 const int *ciphersuites;
00692 const ssl_ciphersuite_t *ciphersuite_info;
00693
00694 SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
00695
00696 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
00697 {
00698 SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
00699
00700 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
00701 return( ret );
00702
00703 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00704 }
00705
00706 buf = ssl->in_hdr;
00707
00708 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
00709
00710 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
00711 buf[2] ) );
00712 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
00713 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
00714 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
00715 buf[3], buf[4] ) );
00716
00717
00718
00719
00720
00721
00722
00723
00724
00725
00726
00727 if( buf[2] != SSL_HS_CLIENT_HELLO ||
00728 buf[3] != SSL_MAJOR_VERSION_3 )
00729 {
00730 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00731 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00732 }
00733
00734 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
00735
00736 if( n < 17 || n > 512 )
00737 {
00738 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00739 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00740 }
00741
00742 ssl->major_ver = SSL_MAJOR_VERSION_3;
00743 ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
00744 ? buf[4] : ssl->max_minor_ver;
00745
00746 if( ssl->minor_ver < ssl->min_minor_ver )
00747 {
00748 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
00749 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
00750 ssl->min_major_ver, ssl->min_minor_ver ) );
00751
00752 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
00753 SSL_ALERT_MSG_PROTOCOL_VERSION );
00754 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
00755 }
00756
00757 ssl->handshake->max_major_ver = buf[3];
00758 ssl->handshake->max_minor_ver = buf[4];
00759
00760 if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
00761 {
00762 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
00763 return( ret );
00764 }
00765
00766 ssl->handshake->update_checksum( ssl, buf + 2, n );
00767
00768 buf = ssl->in_msg;
00769 n = ssl->in_left - 5;
00770
00771
00772
00773
00774
00775
00776
00777
00778
00779 SSL_DEBUG_BUF( 4, "record contents", buf, n );
00780
00781 ciph_len = ( buf[0] << 8 ) | buf[1];
00782 sess_len = ( buf[2] << 8 ) | buf[3];
00783 chal_len = ( buf[4] << 8 ) | buf[5];
00784
00785 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
00786 ciph_len, sess_len, chal_len ) );
00787
00788
00789
00790
00791 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
00792 {
00793 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00794 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00795 }
00796
00797 if( sess_len > 32 )
00798 {
00799 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00800 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00801 }
00802
00803 if( chal_len < 8 || chal_len > 32 )
00804 {
00805 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00806 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00807 }
00808
00809 if( n != 6 + ciph_len + sess_len + chal_len )
00810 {
00811 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00812 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00813 }
00814
00815 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
00816 buf + 6, ciph_len );
00817 SSL_DEBUG_BUF( 3, "client hello, session id",
00818 buf + 6 + ciph_len, sess_len );
00819 SSL_DEBUG_BUF( 3, "client hello, challenge",
00820 buf + 6 + ciph_len + sess_len, chal_len );
00821
00822 p = buf + 6 + ciph_len;
00823 ssl->session_negotiate->length = sess_len;
00824 memset( ssl->session_negotiate->id, 0, sizeof( ssl->session_negotiate->id ) );
00825 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
00826
00827 p += sess_len;
00828 memset( ssl->handshake->randbytes, 0, 64 );
00829 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
00830
00831
00832
00833
00834 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
00835 {
00836 if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
00837 {
00838 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
00839 if( ssl->renegotiation == SSL_RENEGOTIATION )
00840 {
00841 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
00842
00843 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
00844 return( ret );
00845
00846 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00847 }
00848 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
00849 break;
00850 }
00851 }
00852
00853 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
00854 for( i = 0; ciphersuites[i] != 0; i++ )
00855 {
00856 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
00857 {
00858
00859
00860 if( p[0] == 0 && p[1] == 0 &&
00861 ( ( ciphersuites[i] >> 8 ) & 0xFF ) == 0 &&
00862 p[2] == ( ciphersuites[i] & 0xFF ) )
00863 {
00864 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
00865
00866 if( ciphersuite_info == NULL )
00867 {
00868 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
00869 ciphersuites[i] ) );
00870 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00871 }
00872
00873 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
00874 ciphersuite_info->max_minor_ver < ssl->minor_ver )
00875 continue;
00876
00877 goto have_ciphersuite_v2;
00878 }
00879 }
00880 }
00881
00882 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
00883
00884 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
00885
00886 have_ciphersuite_v2:
00887 ssl->session_negotiate->ciphersuite = ciphersuites[i];
00888 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
00889 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
00890
00891
00892
00893
00894 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
00895 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
00896 {
00897 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
00898
00899 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
00900 return( ret );
00901
00902 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00903 }
00904
00905 ssl->in_left = 0;
00906 ssl->state++;
00907
00908 SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
00909
00910 return( 0 );
00911 }
00912 #endif
00913
00914 #if defined(POLARSSL_X509_CRT_PARSE_C)
00915 #if defined(POLARSSL_ECDSA_C)
00916 static int ssl_key_matches_curves( pk_context *pk,
00917 const ecp_curve_info **curves )
00918 {
00919 const ecp_curve_info **crv = curves;
00920 ecp_group_id grp_id = pk_ec( *pk )->grp.id;
00921
00922 while( *crv != NULL )
00923 {
00924 if( (*crv)->grp_id == grp_id )
00925 return( 1 );
00926 crv++;
00927 }
00928
00929 return( 0 );
00930 }
00931 #endif
00932
00933
00934
00935
00936
00937 static int ssl_pick_cert( ssl_context *ssl,
00938 const ssl_ciphersuite_t * ciphersuite_info )
00939 {
00940 ssl_key_cert *cur, *list;
00941 pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
00942
00943 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
00944 if( ssl->handshake->sni_key_cert != NULL )
00945 list = ssl->handshake->sni_key_cert;
00946 else
00947 #endif
00948 list = ssl->handshake->key_cert;
00949
00950 if( pk_alg == POLARSSL_PK_NONE )
00951 return( 0 );
00952
00953 for( cur = list; cur != NULL; cur = cur->next )
00954 {
00955 if( ! pk_can_do( cur->key, pk_alg ) )
00956 continue;
00957
00958 #if defined(POLARSSL_ECDSA_C)
00959 if( pk_alg == POLARSSL_PK_ECDSA )
00960 {
00961 if( ssl_key_matches_curves( cur->key, ssl->handshake->curves ) )
00962 break;
00963 }
00964 else
00965 #endif
00966 break;
00967 }
00968
00969 if( cur == NULL )
00970 return( -1 );
00971
00972 ssl->handshake->key_cert = cur;
00973 return( 0 );
00974 }
00975 #endif
00976
00977 static int ssl_parse_client_hello( ssl_context *ssl )
00978 {
00979 int ret;
00980 unsigned int i, j;
00981 size_t n;
00982 unsigned int ciph_len, sess_len;
00983 unsigned int comp_len;
00984 unsigned int ext_len = 0;
00985 unsigned char *buf, *p, *ext;
00986 int renegotiation_info_seen = 0;
00987 int handshake_failure = 0;
00988 const int *ciphersuites;
00989 const ssl_ciphersuite_t *ciphersuite_info;
00990
00991 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
00992
00993 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
00994 ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
00995 {
00996 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
00997 return( ret );
00998 }
00999
01000 buf = ssl->in_hdr;
01001
01002 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
01003 if( ( buf[0] & 0x80 ) != 0 )
01004 return ssl_parse_client_hello_v2( ssl );
01005 #endif
01006
01007 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
01008
01009 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
01010 buf[0] ) );
01011 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
01012 ( buf[3] << 8 ) | buf[4] ) );
01013 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
01014 buf[1], buf[2] ) );
01015
01016
01017
01018
01019
01020
01021
01022
01023
01024 if( buf[0] != SSL_MSG_HANDSHAKE ||
01025 buf[1] != SSL_MAJOR_VERSION_3 )
01026 {
01027 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01028 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01029 }
01030
01031 n = ( buf[3] << 8 ) | buf[4];
01032
01033 if( n < 45 || n > 2048 )
01034 {
01035 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01036 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01037 }
01038
01039 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
01040 ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
01041 {
01042 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
01043 return( ret );
01044 }
01045
01046 buf = ssl->in_msg;
01047 if( !ssl->renegotiation )
01048 n = ssl->in_left - 5;
01049 else
01050 n = ssl->in_msglen;
01051
01052 ssl->handshake->update_checksum( ssl, buf, n );
01053
01054
01055
01056
01057
01058
01059
01060
01061
01062
01063
01064
01065
01066
01067
01068 SSL_DEBUG_BUF( 4, "record contents", buf, n );
01069
01070 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
01071 buf[0] ) );
01072 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
01073 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
01074 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
01075 buf[4], buf[5] ) );
01076
01077
01078
01079
01080 if( buf[0] != SSL_HS_CLIENT_HELLO ||
01081 buf[4] != SSL_MAJOR_VERSION_3 )
01082 {
01083 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01084 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01085 }
01086
01087 ssl->major_ver = SSL_MAJOR_VERSION_3;
01088 ssl->minor_ver = ( buf[5] <= ssl->max_minor_ver )
01089 ? buf[5] : ssl->max_minor_ver;
01090
01091 if( ssl->minor_ver < ssl->min_minor_ver )
01092 {
01093 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
01094 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
01095 ssl->min_major_ver, ssl->min_minor_ver ) );
01096
01097 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
01098 SSL_ALERT_MSG_PROTOCOL_VERSION );
01099
01100 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
01101 }
01102
01103 ssl->handshake->max_major_ver = buf[4];
01104 ssl->handshake->max_minor_ver = buf[5];
01105
01106 memcpy( ssl->handshake->randbytes, buf + 6, 32 );
01107
01108
01109
01110
01111 if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
01112 {
01113 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01114 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01115 }
01116
01117
01118
01119
01120 sess_len = buf[38];
01121
01122 if( sess_len > 32 )
01123 {
01124 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01125 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01126 }
01127
01128 ssl->session_negotiate->length = sess_len;
01129 memset( ssl->session_negotiate->id, 0,
01130 sizeof( ssl->session_negotiate->id ) );
01131 memcpy( ssl->session_negotiate->id, buf + 39,
01132 ssl->session_negotiate->length );
01133
01134
01135
01136
01137 ciph_len = ( buf[39 + sess_len] << 8 )
01138 | ( buf[40 + sess_len] );
01139
01140 if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
01141 {
01142 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01143 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01144 }
01145
01146
01147
01148
01149 comp_len = buf[41 + sess_len + ciph_len];
01150
01151 if( comp_len < 1 || comp_len > 16 )
01152 {
01153 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01154 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01155 }
01156
01157
01158
01159
01160 if( n > 42 + sess_len + ciph_len + comp_len )
01161 {
01162 ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
01163 | ( buf[43 + sess_len + ciph_len + comp_len] );
01164
01165 if( ( ext_len > 0 && ext_len < 4 ) ||
01166 n != 44 + sess_len + ciph_len + comp_len + ext_len )
01167 {
01168 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01169 SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
01170 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01171 }
01172 }
01173
01174 ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
01175 #if defined(POLARSSL_ZLIB_SUPPORT)
01176 for( i = 0; i < comp_len; ++i )
01177 {
01178 if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
01179 {
01180 ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE;
01181 break;
01182 }
01183 }
01184 #endif
01185
01186 SSL_DEBUG_BUF( 3, "client hello, random bytes",
01187 buf + 6, 32 );
01188 SSL_DEBUG_BUF( 3, "client hello, session id",
01189 buf + 38, sess_len );
01190 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
01191 buf + 41 + sess_len, ciph_len );
01192 SSL_DEBUG_BUF( 3, "client hello, compression",
01193 buf + 42 + sess_len + ciph_len, comp_len );
01194
01195
01196
01197
01198 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
01199 {
01200 if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
01201 {
01202 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
01203 if( ssl->renegotiation == SSL_RENEGOTIATION )
01204 {
01205 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
01206
01207 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
01208 return( ret );
01209
01210 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01211 }
01212 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
01213 break;
01214 }
01215 }
01216
01217 ext = buf + 44 + sess_len + ciph_len + comp_len;
01218
01219 while( ext_len )
01220 {
01221 unsigned int ext_id = ( ( ext[0] << 8 )
01222 | ( ext[1] ) );
01223 unsigned int ext_size = ( ( ext[2] << 8 )
01224 | ( ext[3] ) );
01225
01226 if( ext_size + 4 > ext_len )
01227 {
01228 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01229 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01230 }
01231 switch( ext_id )
01232 {
01233 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
01234 case TLS_EXT_SERVERNAME:
01235 SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
01236 if( ssl->f_sni == NULL )
01237 break;
01238
01239 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
01240 if( ret != 0 )
01241 return( ret );
01242 break;
01243 #endif
01244
01245 case TLS_EXT_RENEGOTIATION_INFO:
01246 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
01247 renegotiation_info_seen = 1;
01248
01249 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
01250 if( ret != 0 )
01251 return( ret );
01252 break;
01253
01254 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
01255 case TLS_EXT_SIG_ALG:
01256 SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
01257 if( ssl->renegotiation == SSL_RENEGOTIATION )
01258 break;
01259
01260 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
01261 if( ret != 0 )
01262 return( ret );
01263 break;
01264 #endif
01265
01266 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
01267 case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
01268 SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
01269
01270 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
01271 if( ret != 0 )
01272 return( ret );
01273 break;
01274
01275 case TLS_EXT_SUPPORTED_POINT_FORMATS:
01276 SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
01277 ssl->handshake->cli_exts |= TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
01278
01279 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
01280 if( ret != 0 )
01281 return( ret );
01282 break;
01283 #endif
01284
01285 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
01286 case TLS_EXT_MAX_FRAGMENT_LENGTH:
01287 SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
01288
01289 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
01290 if( ret != 0 )
01291 return( ret );
01292 break;
01293 #endif
01294
01295 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
01296 case TLS_EXT_TRUNCATED_HMAC:
01297 SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
01298
01299 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
01300 if( ret != 0 )
01301 return( ret );
01302 break;
01303 #endif
01304
01305 #if defined(POLARSSL_SSL_SESSION_TICKETS)
01306 case TLS_EXT_SESSION_TICKET:
01307 SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
01308
01309 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
01310 if( ret != 0 )
01311 return( ret );
01312 break;
01313 #endif
01314
01315 default:
01316 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
01317 ext_id ) );
01318 }
01319
01320 ext_len -= 4 + ext_size;
01321 ext += 4 + ext_size;
01322
01323 if( ext_len > 0 && ext_len < 4 )
01324 {
01325 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01326 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01327 }
01328 }
01329
01330
01331
01332
01333 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
01334 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
01335 {
01336 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
01337 handshake_failure = 1;
01338 }
01339 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
01340 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
01341 renegotiation_info_seen == 0 )
01342 {
01343 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
01344 handshake_failure = 1;
01345 }
01346 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
01347 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
01348 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
01349 {
01350 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
01351 handshake_failure = 1;
01352 }
01353 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
01354 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
01355 renegotiation_info_seen == 1 )
01356 {
01357 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
01358 handshake_failure = 1;
01359 }
01360
01361 if( handshake_failure == 1 )
01362 {
01363 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
01364 return( ret );
01365
01366 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01367 }
01368
01369
01370
01371
01372
01373
01374 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
01375 for( i = 0; ciphersuites[i] != 0; i++ )
01376 {
01377 for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
01378 j += 2, p += 2 )
01379 {
01380 if( p[0] == ( ( ciphersuites[i] >> 8 ) & 0xFF ) &&
01381 p[1] == ( ( ciphersuites[i] ) & 0xFF ) )
01382 {
01383 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
01384
01385 if( ciphersuite_info == NULL )
01386 {
01387 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found",
01388 ciphersuites[i] ) );
01389 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
01390 }
01391
01392 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
01393 ciphersuite_info->max_minor_ver < ssl->minor_ver )
01394 continue;
01395
01396 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
01397 if( ssl_ciphersuite_uses_ec( ciphersuite_info ) &&
01398 ( ssl->handshake->curves == NULL ||
01399 ssl->handshake->curves[0] == NULL ) )
01400 continue;
01401 #endif
01402
01403 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
01404
01405
01406 if( ssl_ciphersuite_uses_psk( ciphersuite_info ) &&
01407 ssl->f_psk == NULL &&
01408 ( ssl->psk == NULL || ssl->psk_identity == NULL ||
01409 ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
01410 continue;
01411 #endif
01412
01413 #if defined(POLARSSL_X509_CRT_PARSE_C)
01414
01415
01416
01417
01418
01419
01420
01421 if( ssl_pick_cert( ssl, ciphersuite_info ) != 0 )
01422 continue;
01423 #endif
01424
01425 goto have_ciphersuite;
01426 }
01427 }
01428 }
01429
01430 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
01431
01432 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
01433 return( ret );
01434
01435 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
01436
01437 have_ciphersuite:
01438 ssl->session_negotiate->ciphersuite = ciphersuites[i];
01439 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
01440 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
01441
01442 ssl->in_left = 0;
01443 ssl->state++;
01444
01445 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
01446
01447 return( 0 );
01448 }
01449
01450 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
01451 static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
01452 unsigned char *buf,
01453 size_t *olen )
01454 {
01455 unsigned char *p = buf;
01456
01457 if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
01458 {
01459 *olen = 0;
01460 return;
01461 }
01462
01463 SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
01464
01465 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
01466 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
01467
01468 *p++ = 0x00;
01469 *p++ = 0x00;
01470
01471 *olen = 4;
01472 }
01473 #endif
01474
01475 #if defined(POLARSSL_SSL_SESSION_TICKETS)
01476 static void ssl_write_session_ticket_ext( ssl_context *ssl,
01477 unsigned char *buf,
01478 size_t *olen )
01479 {
01480 unsigned char *p = buf;
01481
01482 if( ssl->handshake->new_session_ticket == 0 )
01483 {
01484 *olen = 0;
01485 return;
01486 }
01487
01488 SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
01489
01490 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
01491 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
01492
01493 *p++ = 0x00;
01494 *p++ = 0x00;
01495
01496 *olen = 4;
01497 }
01498 #endif
01499
01500 static void ssl_write_renegotiation_ext( ssl_context *ssl,
01501 unsigned char *buf,
01502 size_t *olen )
01503 {
01504 unsigned char *p = buf;
01505
01506 if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION )
01507 {
01508 *olen = 0;
01509 return;
01510 }
01511
01512 SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
01513
01514 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
01515 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
01516
01517 *p++ = 0x00;
01518 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
01519 *p++ = ssl->verify_data_len * 2 & 0xFF;
01520
01521 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
01522 p += ssl->verify_data_len;
01523 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
01524 p += ssl->verify_data_len;
01525
01526 *olen = 5 + ssl->verify_data_len * 2;
01527 }
01528
01529 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
01530 static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
01531 unsigned char *buf,
01532 size_t *olen )
01533 {
01534 unsigned char *p = buf;
01535
01536 if( ssl->session_negotiate->mfl_code == SSL_MAX_FRAG_LEN_NONE )
01537 {
01538 *olen = 0;
01539 return;
01540 }
01541
01542 SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
01543
01544 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
01545 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
01546
01547 *p++ = 0x00;
01548 *p++ = 1;
01549
01550 *p++ = ssl->session_negotiate->mfl_code;
01551
01552 *olen = 5;
01553 }
01554 #endif
01555
01556 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
01557 static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
01558 unsigned char *buf,
01559 size_t *olen )
01560 {
01561 unsigned char *p = buf;
01562 ((void) ssl);
01563
01564 if( ( ssl->handshake->cli_exts &
01565 TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
01566 {
01567 *olen = 0;
01568 return;
01569 }
01570
01571 SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
01572
01573 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
01574 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
01575
01576 *p++ = 0x00;
01577 *p++ = 2;
01578
01579 *p++ = 1;
01580 *p++ = POLARSSL_ECP_PF_UNCOMPRESSED;
01581
01582 *olen = 6;
01583 }
01584 #endif
01585
01586 static int ssl_write_server_hello( ssl_context *ssl )
01587 {
01588 #if defined(POLARSSL_HAVE_TIME)
01589 time_t t;
01590 #endif
01591 int ret;
01592 size_t olen, ext_len = 0, n;
01593 unsigned char *buf, *p;
01594
01595 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
01596
01597
01598
01599
01600
01601
01602
01603
01604 buf = ssl->out_msg;
01605 p = buf + 4;
01606
01607 *p++ = (unsigned char) ssl->major_ver;
01608 *p++ = (unsigned char) ssl->minor_ver;
01609
01610 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
01611 buf[4], buf[5] ) );
01612
01613 #if defined(POLARSSL_HAVE_TIME)
01614 t = time( NULL );
01615 *p++ = (unsigned char)( t >> 24 );
01616 *p++ = (unsigned char)( t >> 16 );
01617 *p++ = (unsigned char)( t >> 8 );
01618 *p++ = (unsigned char)( t );
01619
01620 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
01621 #else
01622 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
01623 return( ret );
01624
01625 p += 4;
01626 #endif
01627
01628 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
01629 return( ret );
01630
01631 p += 28;
01632
01633 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
01634
01635 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
01636
01637
01638
01639
01640
01641
01642 if( ssl->handshake->resume == 0 &&
01643 ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
01644 ssl->session_negotiate->length != 0 &&
01645 ssl->f_get_cache != NULL &&
01646 ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
01647 {
01648 ssl->handshake->resume = 1;
01649 }
01650
01651 if( ssl->handshake->resume == 0 )
01652 {
01653
01654
01655
01656
01657 ssl->state++;
01658
01659 #if defined(POLARSSL_HAVE_TIME)
01660 ssl->session_negotiate->start = time( NULL );
01661 #endif
01662
01663 #if defined(POLARSSL_SSL_SESSION_TICKETS)
01664 if( ssl->handshake->new_session_ticket != 0 )
01665 {
01666 ssl->session_negotiate->length = n = 0;
01667 memset( ssl->session_negotiate->id, 0, 32 );
01668 }
01669 else
01670 #endif
01671 {
01672 ssl->session_negotiate->length = n = 32;
01673 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
01674 n ) ) != 0 )
01675 return( ret );
01676 }
01677 }
01678 else
01679 {
01680
01681
01682
01683 n = ssl->session_negotiate->length;
01684 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
01685
01686 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
01687 {
01688 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
01689 return( ret );
01690 }
01691 }
01692
01693
01694
01695
01696
01697
01698
01699
01700
01701 *p++ = (unsigned char) ssl->session_negotiate->length;
01702 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
01703 p += ssl->session_negotiate->length;
01704
01705 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
01706 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
01707 SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
01708 ssl->handshake->resume ? "a" : "no" ) );
01709
01710 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
01711 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
01712 *p++ = (unsigned char)( ssl->session_negotiate->compression );
01713
01714 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
01715 ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
01716 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
01717 ssl->session_negotiate->compression ) );
01718
01719
01720
01721
01722 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
01723 ext_len += olen;
01724
01725 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
01726 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
01727 ext_len += olen;
01728 #endif
01729
01730 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
01731 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
01732 ext_len += olen;
01733 #endif
01734
01735 #if defined(POLARSSL_SSL_SESSION_TICKETS)
01736 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
01737 ext_len += olen;
01738 #endif
01739
01740 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
01741 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
01742 ext_len += olen;
01743 #endif
01744
01745 SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
01746
01747 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
01748 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
01749 p += ext_len;
01750
01751 ssl->out_msglen = p - buf;
01752 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
01753 ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
01754
01755 ret = ssl_write_record( ssl );
01756
01757 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
01758
01759 return( ret );
01760 }
01761
01762 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
01763 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
01764 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
01765 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
01766 static int ssl_write_certificate_request( ssl_context *ssl )
01767 {
01768 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
01769 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
01770
01771 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
01772
01773 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
01774 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
01775 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
01776 {
01777 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
01778 ssl->state++;
01779 return( 0 );
01780 }
01781
01782 SSL_DEBUG_MSG( 1, ( "should not happen" ) );
01783 return( ret );
01784 }
01785 #else
01786 static int ssl_write_certificate_request( ssl_context *ssl )
01787 {
01788 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
01789 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
01790 size_t dn_size, total_dn_size;
01791 size_t ct_len, sa_len;
01792 unsigned char *buf, *p;
01793 const x509_crt *crt;
01794
01795 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
01796
01797 ssl->state++;
01798
01799 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
01800 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
01801 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
01802 ssl->authmode == SSL_VERIFY_NONE )
01803 {
01804 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
01805 return( 0 );
01806 }
01807
01808
01809
01810
01811
01812
01813
01814
01815
01816
01817
01818
01819
01820 buf = ssl->out_msg;
01821 p = buf + 4;
01822
01823
01824
01825
01826
01827
01828
01829 ct_len = 0;
01830
01831 #if defined(POLARSSL_RSA_C)
01832 p[1 + ct_len++] = SSL_CERT_TYPE_RSA_SIGN;
01833 #endif
01834 #if defined(POLARSSL_ECDSA_C)
01835 p[1 + ct_len++] = SSL_CERT_TYPE_ECDSA_SIGN;
01836 #endif
01837
01838 p[0] = (unsigned char) ct_len++;
01839 p += ct_len;
01840
01841 sa_len = 0;
01842 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
01843
01844
01845
01846
01847
01848
01849
01850
01851
01852
01853
01854
01855
01856 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
01857 {
01858
01859
01860
01861
01862 ssl->handshake->verify_sig_alg = SSL_HASH_SHA256;
01863
01864 if( ssl->transform_negotiate->ciphersuite_info->mac ==
01865 POLARSSL_MD_SHA384 )
01866 {
01867 ssl->handshake->verify_sig_alg = SSL_HASH_SHA384;
01868 }
01869
01870
01871
01872
01873 #if defined(POLARSSL_RSA_C)
01874 p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
01875 p[2 + sa_len++] = SSL_SIG_RSA;
01876 #endif
01877 #if defined(POLARSSL_ECDSA_C)
01878 p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
01879 p[2 + sa_len++] = SSL_SIG_ECDSA;
01880 #endif
01881
01882 p[0] = (unsigned char)( sa_len >> 8 );
01883 p[1] = (unsigned char)( sa_len );
01884 sa_len += 2;
01885 p += sa_len;
01886 }
01887 #endif
01888
01889
01890
01891
01892
01893 p += 2;
01894 crt = ssl->ca_chain;
01895
01896 total_dn_size = 0;
01897 while( crt != NULL )
01898 {
01899 if( p - buf > 4096 )
01900 break;
01901
01902 dn_size = crt->subject_raw.len;
01903 *p++ = (unsigned char)( dn_size >> 8 );
01904 *p++ = (unsigned char)( dn_size );
01905 memcpy( p, crt->subject_raw.p, dn_size );
01906 p += dn_size;
01907
01908 SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
01909
01910 total_dn_size += 2 + dn_size;
01911 crt = crt->next;
01912 }
01913
01914 ssl->out_msglen = p - buf;
01915 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
01916 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST;
01917 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
01918 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
01919
01920 ret = ssl_write_record( ssl );
01921
01922 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
01923
01924 return( ret );
01925 }
01926 #endif
01927
01928
01929
01930 static int ssl_write_server_key_exchange( ssl_context *ssl )
01931 {
01932 int ret;
01933 size_t n = 0;
01934 const ssl_ciphersuite_t *ciphersuite_info =
01935 ssl->transform_negotiate->ciphersuite_info;
01936
01937 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
01938 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
01939 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
01940 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
01941 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
01942 unsigned char *p = ssl->out_msg + 4;
01943 unsigned char *dig_signed = p;
01944 size_t dig_signed_len = 0, len;
01945 ((void) dig_signed);
01946 ((void) dig_signed_len);
01947 #endif
01948
01949 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
01950
01951 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ||
01952 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
01953 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
01954 {
01955 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
01956 ssl->state++;
01957 return( 0 );
01958 }
01959
01960 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
01961 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
01962 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
01963 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
01964 {
01965
01966 *(p++) = 0x00;
01967 *(p++) = 0x00;
01968
01969 n += 2;
01970 }
01971 #endif
01972
01973
01974 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
01975 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
01976 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
01977 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
01978 {
01979
01980
01981
01982
01983
01984
01985
01986
01987
01988 if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
01989 ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
01990 {
01991 SSL_DEBUG_RET( 1, "mpi_copy", ret );
01992 return( ret );
01993 }
01994
01995 if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
01996 (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
01997 p,
01998 &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
01999 {
02000 SSL_DEBUG_RET( 1, "dhm_make_params", ret );
02001 return( ret );
02002 }
02003
02004 dig_signed = p;
02005 dig_signed_len = len;
02006
02007 p += len;
02008 n += len;
02009
02010 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
02011 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
02012 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
02013 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
02014 }
02015 #endif
02016
02017
02018 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
02019 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
02020 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
02021
02022 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
02023 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
02024 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
02025 {
02026
02027
02028
02029
02030
02031
02032
02033
02034 if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
02035 ssl->handshake->curves[0]->grp_id ) ) != 0 )
02036 {
02037 SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
02038 return( ret );
02039 }
02040
02041 SSL_DEBUG_MSG( 2, ( "ECDH curve size: %d",
02042 (int) ssl->handshake->ecdh_ctx.grp.nbits ) );
02043
02044 if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
02045 p, SSL_MAX_CONTENT_LEN - n,
02046 ssl->f_rng, ssl->p_rng ) ) != 0 )
02047 {
02048 SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
02049 return( ret );
02050 }
02051
02052 dig_signed = p;
02053 dig_signed_len = len;
02054
02055 p += len;
02056 n += len;
02057
02058 SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
02059 }
02060 #endif
02061
02062
02063
02064 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
02065 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
02066 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
02067 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
02068 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
02069 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
02070 {
02071 size_t signature_len = 0;
02072 unsigned int hashlen = 0;
02073 unsigned char hash[64];
02074 md_type_t md_alg = POLARSSL_MD_NONE;
02075
02076
02077
02078
02079 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
02080 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
02081 {
02082 md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg );
02083
02084 if( md_alg == POLARSSL_MD_NONE )
02085 {
02086 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02087 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
02088 }
02089 }
02090 else
02091 #endif
02092 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
02093 defined(POLARSSL_SSL_PROTO_TLS1_1)
02094 if ( ciphersuite_info->key_exchange ==
02095 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
02096 {
02097 md_alg = POLARSSL_MD_SHA1;
02098 }
02099 else
02100 #endif
02101 {
02102 md_alg = POLARSSL_MD_NONE;
02103 }
02104
02105
02106
02107
02108 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
02109 defined(POLARSSL_SSL_PROTO_TLS1_1)
02110 if( md_alg == POLARSSL_MD_NONE )
02111 {
02112 md5_context md5;
02113 sha1_context sha1;
02114
02115
02116
02117
02118
02119
02120
02121
02122
02123
02124
02125
02126
02127
02128 md5_starts( &md5 );
02129 md5_update( &md5, ssl->handshake->randbytes, 64 );
02130 md5_update( &md5, dig_signed, dig_signed_len );
02131 md5_finish( &md5, hash );
02132
02133 sha1_starts( &sha1 );
02134 sha1_update( &sha1, ssl->handshake->randbytes, 64 );
02135 sha1_update( &sha1, dig_signed, dig_signed_len );
02136 sha1_finish( &sha1, hash + 16 );
02137
02138 hashlen = 36;
02139 }
02140 else
02141 #endif
02142
02143 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
02144 defined(POLARSSL_SSL_PROTO_TLS1_2)
02145 if( md_alg != POLARSSL_MD_NONE )
02146 {
02147 md_context_t ctx;
02148
02149
02150 hashlen = 0;
02151
02152
02153
02154
02155
02156
02157
02158
02159 if( ( ret = md_init_ctx( &ctx, md_info_from_type(md_alg) ) ) != 0 )
02160 {
02161 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
02162 return( ret );
02163 }
02164
02165 md_starts( &ctx );
02166 md_update( &ctx, ssl->handshake->randbytes, 64 );
02167 md_update( &ctx, dig_signed, dig_signed_len );
02168 md_finish( &ctx, hash );
02169
02170 if( ( ret = md_free_ctx( &ctx ) ) != 0 )
02171 {
02172 SSL_DEBUG_RET( 1, "md_free_ctx", ret );
02173 return( ret );
02174 }
02175
02176 }
02177 else
02178 #endif
02179
02180 {
02181 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02182 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
02183 }
02184
02185 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
02186 (unsigned int) ( md_info_from_type( md_alg ) )->size );
02187
02188
02189
02190
02191 if( ssl_own_key( ssl ) == NULL )
02192 {
02193 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
02194 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
02195 }
02196
02197 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
02198 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
02199 {
02200 *(p++) = ssl->handshake->sig_alg;
02201 *(p++) = ssl_sig_from_pk( ssl_own_key( ssl ) );
02202
02203 n += 2;
02204 }
02205 #endif
02206
02207 if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash, hashlen,
02208 p + 2 , &signature_len,
02209 ssl->f_rng, ssl->p_rng ) ) != 0 )
02210 {
02211 SSL_DEBUG_RET( 1, "pk_sign", ret );
02212 return( ret );
02213 }
02214
02215 *(p++) = (unsigned char)( signature_len >> 8 );
02216 *(p++) = (unsigned char)( signature_len );
02217 n += 2;
02218
02219 SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
02220
02221 p += signature_len;
02222 n += signature_len;
02223 }
02224 #endif
02225
02226
02227
02228 ssl->out_msglen = 4 + n;
02229 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
02230 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE;
02231
02232 ssl->state++;
02233
02234 if( ( ret = ssl_write_record( ssl ) ) != 0 )
02235 {
02236 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
02237 return( ret );
02238 }
02239
02240 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
02241
02242 return( 0 );
02243 }
02244
02245 static int ssl_write_server_hello_done( ssl_context *ssl )
02246 {
02247 int ret;
02248
02249 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
02250
02251 ssl->out_msglen = 4;
02252 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
02253 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE;
02254
02255 ssl->state++;
02256
02257 if( ( ret = ssl_write_record( ssl ) ) != 0 )
02258 {
02259 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
02260 return( ret );
02261 }
02262
02263 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
02264
02265 return( 0 );
02266 }
02267
02268 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
02269 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
02270 static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
02271 const unsigned char *end )
02272 {
02273 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
02274 size_t n;
02275
02276
02277
02278
02279 if( *p + 2 > end )
02280 {
02281 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02282 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02283 }
02284
02285 n = ( (*p)[0] << 8 ) | (*p)[1];
02286 *p += 2;
02287
02288 if( n < 1 || n > ssl->handshake->dhm_ctx.len || *p + n > end )
02289 {
02290 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02291 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02292 }
02293
02294 if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx,
02295 *p, n ) ) != 0 )
02296 {
02297 SSL_DEBUG_RET( 1, "dhm_read_public", ret );
02298 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
02299 }
02300
02301 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
02302
02303 return( ret );
02304 }
02305 #endif
02306
02307
02308 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
02309 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
02310 static int ssl_parse_encrypted_pms( ssl_context *ssl,
02311 const unsigned char *p,
02312 const unsigned char *end,
02313 size_t pms_offset )
02314 {
02315 int ret;
02316 size_t len = pk_get_len( ssl_own_key( ssl ) );
02317 unsigned char *pms = ssl->handshake->premaster + pms_offset;
02318
02319 if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) )
02320 {
02321 SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
02322 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
02323 }
02324
02325
02326
02327
02328 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
02329 defined(POLARSSL_SSL_PROTO_TLS1_2)
02330 if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
02331 {
02332 if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
02333 *p++ != ( ( len ) & 0xFF ) )
02334 {
02335 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02336 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02337 }
02338 }
02339 #endif
02340
02341 if( p + len != end )
02342 {
02343 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02344 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02345 }
02346
02347 ret = pk_decrypt( ssl_own_key( ssl ), p, len,
02348 pms, &ssl->handshake->pmslen,
02349 sizeof(ssl->handshake->premaster),
02350 ssl->f_rng, ssl->p_rng );
02351
02352 if( ret != 0 || ssl->handshake->pmslen != 48 ||
02353 pms[0] != ssl->handshake->max_major_ver ||
02354 pms[1] != ssl->handshake->max_minor_ver )
02355 {
02356 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02357
02358
02359
02360
02361
02362
02363
02364 ssl->handshake->pmslen = 48;
02365
02366 ret = ssl->f_rng( ssl->p_rng, pms, ssl->handshake->pmslen );
02367 if( ret != 0 )
02368 return( ret );
02369 }
02370
02371 return( ret );
02372 }
02373 #endif
02374
02375
02376 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
02377 static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
02378 const unsigned char *end )
02379 {
02380 int ret = 0;
02381 size_t n;
02382
02383 if( ssl->f_psk == NULL &&
02384 ( ssl->psk == NULL || ssl->psk_identity == NULL ||
02385 ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
02386 {
02387 SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
02388 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
02389 }
02390
02391
02392
02393
02394 if( *p + 2 > end )
02395 {
02396 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02397 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02398 }
02399
02400 n = ( (*p)[0] << 8 ) | (*p)[1];
02401 *p += 2;
02402
02403 if( n < 1 || n > 65535 || *p + n > end )
02404 {
02405 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02406 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02407 }
02408
02409 if( ssl->f_psk != NULL )
02410 {
02411 if( ( ret != ssl->f_psk( ssl->p_psk, ssl, *p, n ) ) != 0 )
02412 ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
02413 }
02414
02415 if( ret == 0 )
02416 {
02417
02418
02419 if( n != ssl->psk_identity_len ||
02420 safer_memcmp( ssl->psk_identity, *p, n ) != 0 )
02421 {
02422 ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
02423 }
02424 }
02425
02426 if( ret == POLARSSL_ERR_SSL_UNKNOWN_IDENTITY )
02427 {
02428 SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
02429 if( ( ret = ssl_send_alert_message( ssl,
02430 SSL_ALERT_LEVEL_FATAL,
02431 SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 )
02432 {
02433 return( ret );
02434 }
02435
02436 return( POLARSSL_ERR_SSL_UNKNOWN_IDENTITY );
02437 }
02438
02439 *p += n;
02440 ret = 0;
02441
02442 return( ret );
02443 }
02444 #endif
02445
02446 static int ssl_parse_client_key_exchange( ssl_context *ssl )
02447 {
02448 int ret;
02449 const ssl_ciphersuite_t *ciphersuite_info;
02450
02451 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
02452
02453 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
02454
02455 if( ( ret = ssl_read_record( ssl ) ) != 0 )
02456 {
02457 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
02458 return( ret );
02459 }
02460
02461 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
02462 {
02463 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02464 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02465 }
02466
02467 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
02468 {
02469 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02470 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02471 }
02472
02473 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
02474 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
02475 {
02476 unsigned char *p = ssl->in_msg + 4;
02477 unsigned char *end = ssl->in_msg + ssl->in_msglen;
02478
02479 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
02480 {
02481 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
02482 return( ret );
02483 }
02484
02485 ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
02486
02487 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
02488 ssl->handshake->premaster,
02489 &ssl->handshake->pmslen,
02490 ssl->f_rng, ssl->p_rng ) ) != 0 )
02491 {
02492 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
02493 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
02494 }
02495
02496 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
02497 }
02498 else
02499 #endif
02500 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
02501 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
02502 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
02503 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
02504 {
02505 size_t n = ssl->in_msg[3];
02506
02507 if( n < 1 || n > mpi_size( &ssl->handshake->ecdh_ctx.grp.P ) * 2 + 2 ||
02508 n + 4 != ssl->in_hslen )
02509 {
02510 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02511 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02512 }
02513
02514 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
02515 ssl->in_msg + 4, n ) ) != 0 )
02516 {
02517 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
02518 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
02519 }
02520
02521 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
02522
02523 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
02524 &ssl->handshake->pmslen,
02525 ssl->handshake->premaster,
02526 POLARSSL_MPI_MAX_SIZE,
02527 ssl->f_rng, ssl->p_rng ) ) != 0 )
02528 {
02529 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
02530 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
02531 }
02532
02533 SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
02534 }
02535 else
02536 #endif
02537
02538 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
02539 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
02540 {
02541 unsigned char *p = ssl->in_msg + 4;
02542 unsigned char *end = ssl->in_msg + ssl->in_msglen;
02543
02544 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
02545 {
02546 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
02547 return( ret );
02548 }
02549
02550 if( ( ret = ssl_psk_derive_premaster( ssl,
02551 ciphersuite_info->key_exchange ) ) != 0 )
02552 {
02553 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
02554 return( ret );
02555 }
02556 }
02557 else
02558 #endif
02559 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
02560 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
02561 {
02562 unsigned char *p = ssl->in_msg + 4;
02563 unsigned char *end = ssl->in_msg + ssl->in_msglen;
02564
02565 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
02566 {
02567 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
02568 return( ret );
02569 }
02570
02571 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
02572 {
02573 SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
02574 return( ret );
02575 }
02576
02577 if( ( ret = ssl_psk_derive_premaster( ssl,
02578 ciphersuite_info->key_exchange ) ) != 0 )
02579 {
02580 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
02581 return( ret );
02582 }
02583 }
02584 else
02585 #endif
02586 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
02587 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
02588 {
02589 unsigned char *p = ssl->in_msg + 4;
02590 unsigned char *end = ssl->in_msg + ssl->in_msglen;
02591
02592 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
02593 {
02594 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
02595 return( ret );
02596 }
02597 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
02598 {
02599 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
02600 return( ret );
02601 }
02602
02603 if( ( ret = ssl_psk_derive_premaster( ssl,
02604 ciphersuite_info->key_exchange ) ) != 0 )
02605 {
02606 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
02607 return( ret );
02608 }
02609 }
02610 else
02611 #endif
02612 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
02613 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
02614 {
02615 unsigned char *p = ssl->in_msg + 4;
02616 unsigned char *end = ssl->in_msg + ssl->in_msglen;
02617
02618 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
02619 {
02620 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
02621 return( ret );
02622 }
02623
02624 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
02625 p, end - p ) ) != 0 )
02626 {
02627 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
02628 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
02629 }
02630
02631 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
02632
02633 if( ( ret = ssl_psk_derive_premaster( ssl,
02634 ciphersuite_info->key_exchange ) ) != 0 )
02635 {
02636 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
02637 return( ret );
02638 }
02639 }
02640 else
02641 #endif
02642 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
02643 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
02644 {
02645 if( ( ret = ssl_parse_encrypted_pms( ssl,
02646 ssl->in_msg + 4,
02647 ssl->in_msg + ssl->in_msglen,
02648 0 ) ) != 0 )
02649 {
02650 SSL_DEBUG_RET( 1, ( "ssl_parse_parse_ecrypted_pms_secret" ), ret );
02651 return( ret );
02652 }
02653 }
02654 else
02655 #endif
02656 {
02657 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02658 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
02659 }
02660
02661 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
02662 {
02663 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
02664 return( ret );
02665 }
02666
02667 ssl->state++;
02668
02669 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
02670
02671 return( 0 );
02672 }
02673
02674 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
02675 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
02676 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
02677 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
02678 static int ssl_parse_certificate_verify( ssl_context *ssl )
02679 {
02680 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
02681 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
02682
02683 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
02684
02685 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
02686 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
02687 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
02688 {
02689 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
02690 ssl->state++;
02691 return( 0 );
02692 }
02693
02694 SSL_DEBUG_MSG( 1, ( "should not happen" ) );
02695 return( ret );
02696 }
02697 #else
02698 static int ssl_parse_certificate_verify( ssl_context *ssl )
02699 {
02700 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
02701 size_t sa_len, sig_len;
02702 unsigned char hash[48];
02703 unsigned char *hash_start = hash;
02704 size_t hashlen;
02705 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
02706 pk_type_t pk_alg;
02707 #endif
02708 md_type_t md_alg;
02709 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
02710
02711 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
02712
02713 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
02714 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
02715 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
02716 {
02717 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
02718 ssl->state++;
02719 return( 0 );
02720 }
02721
02722 if( ssl->session_negotiate->peer_cert == NULL )
02723 {
02724 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
02725 ssl->state++;
02726 return( 0 );
02727 }
02728
02729 ssl->handshake->calc_verify( ssl, hash );
02730
02731 if( ( ret = ssl_read_record( ssl ) ) != 0 )
02732 {
02733 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
02734 return( ret );
02735 }
02736
02737 ssl->state++;
02738
02739 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
02740 {
02741 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
02742 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
02743 }
02744
02745 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
02746 {
02747 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
02748 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
02749 }
02750
02751
02752
02753
02754
02755
02756
02757
02758
02759 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
02760 defined(POLARSSL_SSL_PROTO_TLS1_1)
02761 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
02762 {
02763 sa_len = 0;
02764
02765 md_alg = POLARSSL_MD_NONE;
02766 hashlen = 36;
02767
02768
02769 if( pk_can_do( &ssl->session_negotiate->peer_cert->pk,
02770 POLARSSL_PK_ECDSA ) )
02771 {
02772 hash_start += 16;
02773 hashlen -= 16;
02774 md_alg = POLARSSL_MD_SHA1;
02775 }
02776 }
02777 else
02778 #endif
02779 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
02780 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
02781 {
02782 sa_len = 2;
02783
02784
02785
02786
02787 if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg )
02788 {
02789 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
02790 " for verify message" ) );
02791 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
02792 }
02793
02794 md_alg = ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg );
02795
02796
02797 hashlen = 0;
02798
02799
02800
02801
02802 if( ( pk_alg = ssl_pk_alg_from_sig( ssl->in_msg[5] ) )
02803 == POLARSSL_PK_NONE )
02804 {
02805 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
02806 " for verify message" ) );
02807 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
02808 }
02809
02810
02811
02812
02813 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
02814 {
02815 SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
02816 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
02817 }
02818 }
02819 else
02820 #endif
02821 {
02822 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02823 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
02824 }
02825
02826 sig_len = ( ssl->in_msg[4 + sa_len] << 8 ) | ssl->in_msg[5 + sa_len];
02827
02828 if( sa_len + sig_len + 6 != ssl->in_hslen )
02829 {
02830 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
02831 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
02832 }
02833
02834 if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
02835 md_alg, hash_start, hashlen,
02836 ssl->in_msg + 6 + sa_len, sig_len ) ) != 0 )
02837 {
02838 SSL_DEBUG_RET( 1, "pk_verify", ret );
02839 return( ret );
02840 }
02841
02842 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
02843
02844 return( ret );
02845 }
02846 #endif
02847
02848
02849
02850 #if defined(POLARSSL_SSL_SESSION_TICKETS)
02851 static int ssl_write_new_session_ticket( ssl_context *ssl )
02852 {
02853 int ret;
02854 size_t tlen;
02855 uint32_t lifetime = (uint32_t) ssl->ticket_lifetime;
02856
02857 SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
02858
02859 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
02860 ssl->out_msg[0] = SSL_HS_NEW_SESSION_TICKET;
02861
02862
02863
02864
02865
02866
02867
02868
02869
02870
02871
02872
02873 ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
02874 ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
02875 ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
02876 ssl->out_msg[7] = ( lifetime ) & 0xFF;
02877
02878 if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
02879 {
02880 SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
02881 tlen = 0;
02882 }
02883
02884 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
02885 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
02886
02887 ssl->out_msglen = 10 + tlen;
02888
02889 if( ( ret = ssl_write_record( ssl ) ) != 0 )
02890 {
02891 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
02892 return( ret );
02893 }
02894
02895
02896 ssl->handshake->new_session_ticket = 0;
02897
02898 SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
02899
02900 return( 0 );
02901 }
02902 #endif
02903
02904
02905
02906
02907 int ssl_handshake_server_step( ssl_context *ssl )
02908 {
02909 int ret = 0;
02910
02911 if( ssl->state == SSL_HANDSHAKE_OVER )
02912 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
02913
02914 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
02915
02916 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
02917 return( ret );
02918
02919 switch( ssl->state )
02920 {
02921 case SSL_HELLO_REQUEST:
02922 ssl->state = SSL_CLIENT_HELLO;
02923 break;
02924
02925
02926
02927
02928 case SSL_CLIENT_HELLO:
02929 ret = ssl_parse_client_hello( ssl );
02930 break;
02931
02932
02933
02934
02935
02936
02937
02938
02939 case SSL_SERVER_HELLO:
02940 ret = ssl_write_server_hello( ssl );
02941 break;
02942
02943 case SSL_SERVER_CERTIFICATE:
02944 ret = ssl_write_certificate( ssl );
02945 break;
02946
02947 case SSL_SERVER_KEY_EXCHANGE:
02948 ret = ssl_write_server_key_exchange( ssl );
02949 break;
02950
02951 case SSL_CERTIFICATE_REQUEST:
02952 ret = ssl_write_certificate_request( ssl );
02953 break;
02954
02955 case SSL_SERVER_HELLO_DONE:
02956 ret = ssl_write_server_hello_done( ssl );
02957 break;
02958
02959
02960
02961
02962
02963
02964
02965
02966 case SSL_CLIENT_CERTIFICATE:
02967 ret = ssl_parse_certificate( ssl );
02968 break;
02969
02970 case SSL_CLIENT_KEY_EXCHANGE:
02971 ret = ssl_parse_client_key_exchange( ssl );
02972 break;
02973
02974 case SSL_CERTIFICATE_VERIFY:
02975 ret = ssl_parse_certificate_verify( ssl );
02976 break;
02977
02978 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
02979 ret = ssl_parse_change_cipher_spec( ssl );
02980 break;
02981
02982 case SSL_CLIENT_FINISHED:
02983 ret = ssl_parse_finished( ssl );
02984 break;
02985
02986
02987
02988
02989
02990
02991 case SSL_SERVER_CHANGE_CIPHER_SPEC:
02992 #if defined(POLARSSL_SSL_SESSION_TICKETS)
02993 if( ssl->handshake->new_session_ticket != 0 )
02994 ret = ssl_write_new_session_ticket( ssl );
02995 else
02996 #endif
02997 ret = ssl_write_change_cipher_spec( ssl );
02998 break;
02999
03000 case SSL_SERVER_FINISHED:
03001 ret = ssl_write_finished( ssl );
03002 break;
03003
03004 case SSL_FLUSH_BUFFERS:
03005 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
03006 ssl->state = SSL_HANDSHAKE_WRAPUP;
03007 break;
03008
03009 case SSL_HANDSHAKE_WRAPUP:
03010 ssl_handshake_wrapup( ssl );
03011 break;
03012
03013 default:
03014 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
03015 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
03016 }
03017
03018 return( ret );
03019 }
03020 #endif