00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
00013
00014
00015
00016
00017
00018
00019
00020
00021
00022
00023
00024
00025
00026 #include "polarssl/config.h"
00027
00028 #if defined(POLARSSL_SSL_SRV_C)
00029
00030 #include "polarssl/debug.h"
00031 #include "polarssl/ssl.h"
00032 #if defined(POLARSSL_ECP_C)
00033 #include "polarssl/ecp.h"
00034 #endif
00035
00036 #if defined(POLARSSL_MEMORY_C)
00037 #include "polarssl/memory.h"
00038 #else
00039 #define polarssl_malloc malloc
00040 #define polarssl_free free
00041 #endif
00042
00043 #include <stdlib.h>
00044 #include <stdio.h>
00045
00046 #if defined(POLARSSL_HAVE_TIME)
00047 #include <time.h>
00048 #endif
00049
00050 #if defined(POLARSSL_SSL_SESSION_TICKETS)
00051
00052
00053
00054
00055
00056
00057
00058
00059 static int ssl_save_session( const ssl_session *session,
00060 unsigned char *buf, size_t buf_len,
00061 size_t *olen )
00062 {
00063 unsigned char *p = buf;
00064 size_t left = buf_len;
00065 #if defined(POLARSSL_X509_CRT_PARSE_C)
00066 size_t cert_len;
00067 #endif
00068
00069 if( left < sizeof( ssl_session ) )
00070 return( -1 );
00071
00072 memcpy( p, session, sizeof( ssl_session ) );
00073 p += sizeof( ssl_session );
00074 left -= sizeof( ssl_session );
00075
00076 #if defined(POLARSSL_X509_CRT_PARSE_C)
00077 if( session->peer_cert == NULL )
00078 cert_len = 0;
00079 else
00080 cert_len = session->peer_cert->raw.len;
00081
00082 if( left < 3 + cert_len )
00083 return( -1 );
00084
00085 *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
00086 *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
00087 *p++ = (unsigned char)( cert_len & 0xFF );
00088
00089 if( session->peer_cert != NULL )
00090 memcpy( p, session->peer_cert->raw.p, cert_len );
00091
00092 p += cert_len;
00093 #endif
00094
00095 *olen = p - buf;
00096
00097 return( 0 );
00098 }
00099
00100
00101
00102
00103 static int ssl_load_session( ssl_session *session,
00104 const unsigned char *buf, size_t len )
00105 {
00106 const unsigned char *p = buf;
00107 const unsigned char * const end = buf + len;
00108 #if defined(POLARSSL_X509_CRT_PARSE_C)
00109 size_t cert_len;
00110 #endif
00111
00112 if( p + sizeof( ssl_session ) > end )
00113 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00114
00115 memcpy( session, p, sizeof( ssl_session ) );
00116 p += sizeof( ssl_session );
00117
00118 #if defined(POLARSSL_X509_CRT_PARSE_C)
00119 if( p + 3 > end )
00120 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00121
00122 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
00123 p += 3;
00124
00125 if( cert_len == 0 )
00126 {
00127 session->peer_cert = NULL;
00128 }
00129 else
00130 {
00131 int ret;
00132
00133 if( p + cert_len > end )
00134 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00135
00136 session->peer_cert = polarssl_malloc( sizeof( x509_crt ) );
00137
00138 if( session->peer_cert == NULL )
00139 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
00140
00141 x509_crt_init( session->peer_cert );
00142
00143 if( ( ret = x509_crt_parse( session->peer_cert, p, cert_len ) ) != 0 )
00144 {
00145 x509_crt_free( session->peer_cert );
00146 polarssl_free( session->peer_cert );
00147 session->peer_cert = NULL;
00148 return( ret );
00149 }
00150
00151 p += cert_len;
00152 }
00153 #endif
00154
00155 if( p != end )
00156 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00157
00158 return( 0 );
00159 }
00160
00161
00162
00163
00164
00165
00166
00167
00168
00169
00170
00171
00172
00173 static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
00174 {
00175 int ret;
00176 unsigned char * const start = ssl->out_msg + 10;
00177 unsigned char *p = start;
00178 unsigned char *state;
00179 unsigned char iv[16];
00180 size_t clear_len, enc_len, pad_len, i;
00181
00182 *tlen = 0;
00183
00184 if( ssl->ticket_keys == NULL )
00185 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00186
00187
00188 memcpy( p, ssl->ticket_keys->key_name, 16 );
00189 p += 16;
00190
00191
00192 if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
00193 return( ret );
00194 memcpy( iv, p, 16 );
00195 p += 16;
00196
00197
00198
00199
00200
00201
00202
00203 state = p + 2;
00204 if( ssl_save_session( ssl->session_negotiate, state,
00205 SSL_MAX_CONTENT_LEN - (state - ssl->out_ctr) - 48,
00206 &clear_len ) != 0 )
00207 {
00208 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
00209 }
00210 SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
00211
00212
00213 pad_len = 16 - clear_len % 16;
00214 enc_len = clear_len + pad_len;
00215 for( i = clear_len; i < enc_len; i++ )
00216 state[i] = (unsigned char) pad_len;
00217
00218
00219 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
00220 enc_len, iv, state, state ) ) != 0 )
00221 {
00222 return( ret );
00223 }
00224
00225
00226 *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
00227 *p++ = (unsigned char)( ( enc_len ) & 0xFF );
00228 p = state + enc_len;
00229
00230
00231 sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
00232 p += 32;
00233
00234 *tlen = p - start;
00235
00236 SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
00237
00238 return( 0 );
00239 }
00240
00241
00242
00243
00244 static int ssl_parse_ticket( ssl_context *ssl,
00245 unsigned char *buf,
00246 size_t len )
00247 {
00248 int ret;
00249 ssl_session session;
00250 unsigned char *key_name = buf;
00251 unsigned char *iv = buf + 16;
00252 unsigned char *enc_len_p = iv + 16;
00253 unsigned char *ticket = enc_len_p + 2;
00254 unsigned char *mac;
00255 unsigned char computed_mac[32];
00256 size_t enc_len, clear_len, i;
00257 unsigned char pad_len, diff;
00258
00259 SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
00260
00261 if( len < 34 || ssl->ticket_keys == NULL )
00262 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00263
00264 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
00265 mac = ticket + enc_len;
00266
00267 if( len != enc_len + 66 )
00268 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00269
00270
00271 diff = 0;
00272 for( i = 0; i < 16; i++ )
00273 diff |= key_name[i] ^ ssl->ticket_keys->key_name[i];
00274
00275
00276
00277 sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
00278 computed_mac, 0 );
00279
00280 for( i = 0; i < 32; i++ )
00281 diff |= mac[i] ^ computed_mac[i];
00282
00283
00284
00285 if( diff != 0 )
00286 return( POLARSSL_ERR_SSL_INVALID_MAC );
00287
00288
00289 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
00290 enc_len, iv, ticket, ticket ) ) != 0 )
00291 {
00292 return( ret );
00293 }
00294
00295
00296 pad_len = ticket[enc_len - 1];
00297
00298 ret = 0;
00299 for( i = 2; i < pad_len; i++ )
00300 if( ticket[enc_len - i] != pad_len )
00301 ret = POLARSSL_ERR_SSL_BAD_INPUT_DATA;
00302 if( ret != 0 )
00303 return( ret );
00304
00305 clear_len = enc_len - pad_len;
00306
00307 SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
00308
00309
00310 if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
00311 {
00312 SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
00313 memset( &session, 0, sizeof( ssl_session ) );
00314 return( ret );
00315 }
00316
00317 #if defined(POLARSSL_HAVE_TIME)
00318
00319 if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
00320 {
00321 SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
00322 memset( &session, 0, sizeof( ssl_session ) );
00323 return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED );
00324 }
00325 #endif
00326
00327
00328
00329
00330
00331 session.length = ssl->session_negotiate->length;
00332 memcpy( &session.id, ssl->session_negotiate->id, session.length );
00333
00334 ssl_session_free( ssl->session_negotiate );
00335 memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
00336 memset( &session, 0, sizeof( ssl_session ) );
00337
00338 return( 0 );
00339 }
00340 #endif
00341
00342 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
00343
00344
00345
00346
00347 static int ssl_sni_wrapper( ssl_context *ssl,
00348 const unsigned char* name, size_t len )
00349 {
00350 int ret;
00351 ssl_key_cert *key_cert_ori = ssl->key_cert;
00352
00353 ssl->key_cert = NULL;
00354 ret = ssl->f_sni( ssl->p_sni, ssl, name, len );
00355 ssl->handshake->sni_key_cert = ssl->key_cert;
00356
00357 ssl->key_cert = key_cert_ori;
00358
00359 return( ret );
00360 }
00361
00362 static int ssl_parse_servername_ext( ssl_context *ssl,
00363 const unsigned char *buf,
00364 size_t len )
00365 {
00366 int ret;
00367 size_t servername_list_size, hostname_len;
00368 const unsigned char *p;
00369
00370 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
00371 if( servername_list_size + 2 != len )
00372 {
00373 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00374 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00375 }
00376
00377 p = buf + 2;
00378 while( servername_list_size > 0 )
00379 {
00380 hostname_len = ( ( p[1] << 8 ) | p[2] );
00381 if( hostname_len + 3 > servername_list_size )
00382 {
00383 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00384 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00385 }
00386
00387 if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
00388 {
00389 ret = ssl_sni_wrapper( ssl, p + 3, hostname_len );
00390 if( ret != 0 )
00391 {
00392 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
00393 SSL_ALERT_MSG_UNRECOGNIZED_NAME );
00394 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00395 }
00396 return( 0 );
00397 }
00398
00399 servername_list_size -= hostname_len + 3;
00400 p += hostname_len + 3;
00401 }
00402
00403 if( servername_list_size != 0 )
00404 {
00405 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00406 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00407 }
00408
00409 return( 0 );
00410 }
00411 #endif
00412
00413 static int ssl_parse_renegotiation_info( ssl_context *ssl,
00414 const unsigned char *buf,
00415 size_t len )
00416 {
00417 int ret;
00418
00419 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
00420 {
00421 if( len != 1 || buf[0] != 0x0 )
00422 {
00423 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
00424
00425 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
00426 return( ret );
00427
00428 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00429 }
00430
00431 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
00432 }
00433 else
00434 {
00435
00436 if( len != 1 + ssl->verify_data_len ||
00437 buf[0] != ssl->verify_data_len ||
00438 safer_memcmp( buf + 1, ssl->peer_verify_data,
00439 ssl->verify_data_len ) != 0 )
00440 {
00441 SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
00442
00443 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
00444 return( ret );
00445
00446 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00447 }
00448 }
00449
00450 return( 0 );
00451 }
00452
00453 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
00454 static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
00455 const unsigned char *buf,
00456 size_t len )
00457 {
00458 size_t sig_alg_list_size;
00459 const unsigned char *p;
00460
00461 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
00462 if( sig_alg_list_size + 2 != len ||
00463 sig_alg_list_size %2 != 0 )
00464 {
00465 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00466 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00467 }
00468
00469 p = buf + 2;
00470 while( sig_alg_list_size > 0 )
00471 {
00472
00473
00474
00475
00476 #if defined(POLARSSL_SHA512_C)
00477 if( p[0] == SSL_HASH_SHA512 )
00478 {
00479 ssl->handshake->sig_alg = SSL_HASH_SHA512;
00480 break;
00481 }
00482 if( p[0] == SSL_HASH_SHA384 )
00483 {
00484 ssl->handshake->sig_alg = SSL_HASH_SHA384;
00485 break;
00486 }
00487 #endif
00488 #if defined(POLARSSL_SHA256_C)
00489 if( p[0] == SSL_HASH_SHA256 )
00490 {
00491 ssl->handshake->sig_alg = SSL_HASH_SHA256;
00492 break;
00493 }
00494 if( p[0] == SSL_HASH_SHA224 )
00495 {
00496 ssl->handshake->sig_alg = SSL_HASH_SHA224;
00497 break;
00498 }
00499 #endif
00500 if( p[0] == SSL_HASH_SHA1 )
00501 {
00502 ssl->handshake->sig_alg = SSL_HASH_SHA1;
00503 break;
00504 }
00505 if( p[0] == SSL_HASH_MD5 )
00506 {
00507 ssl->handshake->sig_alg = SSL_HASH_MD5;
00508 break;
00509 }
00510
00511 sig_alg_list_size -= 2;
00512 p += 2;
00513 }
00514
00515 SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
00516 ssl->handshake->sig_alg ) );
00517
00518 return( 0 );
00519 }
00520 #endif
00521
00522 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
00523 static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
00524 const unsigned char *buf,
00525 size_t len )
00526 {
00527 size_t list_size, our_size;
00528 const unsigned char *p;
00529 const ecp_curve_info *curve_info, **curves;
00530
00531 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
00532 if( list_size + 2 != len ||
00533 list_size % 2 != 0 )
00534 {
00535 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00536 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00537 }
00538
00539
00540 if( ssl->handshake->curves != NULL )
00541 {
00542 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00543 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00544 }
00545
00546
00547
00548 our_size = list_size / 2 + 1;
00549 if( our_size > POLARSSL_ECP_DP_MAX )
00550 our_size = POLARSSL_ECP_DP_MAX;
00551
00552 if( ( curves = polarssl_malloc( our_size * sizeof( *curves ) ) ) == NULL )
00553 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
00554
00555
00556 memset( (void *) curves, 0, our_size * sizeof( *curves ) );
00557 ssl->handshake->curves = curves;
00558
00559 p = buf + 2;
00560 while( list_size > 0 && our_size > 1 )
00561 {
00562 curve_info = ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
00563
00564 if( curve_info != NULL )
00565 {
00566 *curves++ = curve_info;
00567 our_size--;
00568 }
00569
00570 list_size -= 2;
00571 p += 2;
00572 }
00573
00574 return( 0 );
00575 }
00576
00577 static int ssl_parse_supported_point_formats( ssl_context *ssl,
00578 const unsigned char *buf,
00579 size_t len )
00580 {
00581 size_t list_size;
00582 const unsigned char *p;
00583
00584 list_size = buf[0];
00585 if( list_size + 1 != len )
00586 {
00587 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00588 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00589 }
00590
00591 p = buf + 2;
00592 while( list_size > 0 )
00593 {
00594 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
00595 p[0] == POLARSSL_ECP_PF_COMPRESSED )
00596 {
00597 ssl->handshake->ecdh_ctx.point_format = p[0];
00598 SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
00599 return( 0 );
00600 }
00601
00602 list_size--;
00603 p++;
00604 }
00605
00606 return( 0 );
00607 }
00608 #endif
00609
00610 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
00611 static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
00612 const unsigned char *buf,
00613 size_t len )
00614 {
00615 if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
00616 {
00617 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00618 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00619 }
00620
00621 ssl->session_negotiate->mfl_code = buf[0];
00622
00623 return( 0 );
00624 }
00625 #endif
00626
00627 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
00628 static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
00629 const unsigned char *buf,
00630 size_t len )
00631 {
00632 if( len != 0 )
00633 {
00634 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00635 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00636 }
00637
00638 ((void) buf);
00639
00640 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
00641
00642 return( 0 );
00643 }
00644 #endif
00645
00646 #if defined(POLARSSL_SSL_SESSION_TICKETS)
00647 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
00648 unsigned char *buf,
00649 size_t len )
00650 {
00651 int ret;
00652
00653 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
00654 return( 0 );
00655
00656
00657 ssl->handshake->new_session_ticket = 1;
00658
00659 SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
00660
00661 if( len == 0 )
00662 return( 0 );
00663
00664 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
00665 {
00666 SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
00667 return( 0 );
00668 }
00669
00670
00671
00672
00673 if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
00674 {
00675 SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
00676 return( 0 );
00677 }
00678
00679 SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
00680
00681 ssl->handshake->resume = 1;
00682
00683
00684 ssl->handshake->new_session_ticket = 0;
00685
00686 return( 0 );
00687 }
00688 #endif
00689
00690 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
00691 static int ssl_parse_client_hello_v2( ssl_context *ssl )
00692 {
00693 int ret;
00694 unsigned int i, j;
00695 size_t n;
00696 unsigned int ciph_len, sess_len, chal_len;
00697 unsigned char *buf, *p;
00698 const int *ciphersuites;
00699 const ssl_ciphersuite_t *ciphersuite_info;
00700
00701 SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
00702
00703 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
00704 {
00705 SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
00706
00707 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
00708 return( ret );
00709
00710 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00711 }
00712
00713 buf = ssl->in_hdr;
00714
00715 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
00716
00717 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
00718 buf[2] ) );
00719 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
00720 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
00721 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
00722 buf[3], buf[4] ) );
00723
00724
00725
00726
00727
00728
00729
00730
00731
00732
00733
00734 if( buf[2] != SSL_HS_CLIENT_HELLO ||
00735 buf[3] != SSL_MAJOR_VERSION_3 )
00736 {
00737 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00738 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00739 }
00740
00741 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
00742
00743 if( n < 17 || n > 512 )
00744 {
00745 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00746 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00747 }
00748
00749 ssl->major_ver = SSL_MAJOR_VERSION_3;
00750 ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
00751 ? buf[4] : ssl->max_minor_ver;
00752
00753 if( ssl->minor_ver < ssl->min_minor_ver )
00754 {
00755 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
00756 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
00757 ssl->min_major_ver, ssl->min_minor_ver ) );
00758
00759 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
00760 SSL_ALERT_MSG_PROTOCOL_VERSION );
00761 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
00762 }
00763
00764 ssl->handshake->max_major_ver = buf[3];
00765 ssl->handshake->max_minor_ver = buf[4];
00766
00767 if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
00768 {
00769 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
00770 return( ret );
00771 }
00772
00773 ssl->handshake->update_checksum( ssl, buf + 2, n );
00774
00775 buf = ssl->in_msg;
00776 n = ssl->in_left - 5;
00777
00778
00779
00780
00781
00782
00783
00784
00785
00786 SSL_DEBUG_BUF( 4, "record contents", buf, n );
00787
00788 ciph_len = ( buf[0] << 8 ) | buf[1];
00789 sess_len = ( buf[2] << 8 ) | buf[3];
00790 chal_len = ( buf[4] << 8 ) | buf[5];
00791
00792 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
00793 ciph_len, sess_len, chal_len ) );
00794
00795
00796
00797
00798 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
00799 {
00800 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00801 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00802 }
00803
00804 if( sess_len > 32 )
00805 {
00806 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00807 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00808 }
00809
00810 if( chal_len < 8 || chal_len > 32 )
00811 {
00812 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00813 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00814 }
00815
00816 if( n != 6 + ciph_len + sess_len + chal_len )
00817 {
00818 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00819 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00820 }
00821
00822 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
00823 buf + 6, ciph_len );
00824 SSL_DEBUG_BUF( 3, "client hello, session id",
00825 buf + 6 + ciph_len, sess_len );
00826 SSL_DEBUG_BUF( 3, "client hello, challenge",
00827 buf + 6 + ciph_len + sess_len, chal_len );
00828
00829 p = buf + 6 + ciph_len;
00830 ssl->session_negotiate->length = sess_len;
00831 memset( ssl->session_negotiate->id, 0, sizeof( ssl->session_negotiate->id ) );
00832 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
00833
00834 p += sess_len;
00835 memset( ssl->handshake->randbytes, 0, 64 );
00836 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
00837
00838
00839
00840
00841 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
00842 {
00843 if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
00844 {
00845 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
00846 if( ssl->renegotiation == SSL_RENEGOTIATION )
00847 {
00848 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
00849
00850 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
00851 return( ret );
00852
00853 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00854 }
00855 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
00856 break;
00857 }
00858 }
00859
00860 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
00861 for( i = 0; ciphersuites[i] != 0; i++ )
00862 {
00863 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
00864 {
00865
00866
00867 if( p[0] == 0 && p[1] == 0 &&
00868 ( ( ciphersuites[i] >> 8 ) & 0xFF ) == 0 &&
00869 p[2] == ( ciphersuites[i] & 0xFF ) )
00870 {
00871 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
00872
00873 if( ciphersuite_info == NULL )
00874 {
00875 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
00876 ciphersuites[i] ) );
00877 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00878 }
00879
00880 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
00881 ciphersuite_info->max_minor_ver < ssl->minor_ver )
00882 continue;
00883
00884 goto have_ciphersuite_v2;
00885 }
00886 }
00887 }
00888
00889 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
00890
00891 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
00892
00893 have_ciphersuite_v2:
00894 ssl->session_negotiate->ciphersuite = ciphersuites[i];
00895 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
00896 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
00897
00898
00899
00900
00901 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
00902 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
00903 {
00904 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
00905
00906 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
00907 return( ret );
00908
00909 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00910 }
00911
00912 ssl->in_left = 0;
00913 ssl->state++;
00914
00915 SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
00916
00917 return( 0 );
00918 }
00919 #endif
00920
00921 #if defined(POLARSSL_X509_CRT_PARSE_C)
00922 #if defined(POLARSSL_ECDSA_C)
00923 static int ssl_key_matches_curves( pk_context *pk,
00924 const ecp_curve_info **curves )
00925 {
00926 const ecp_curve_info **crv = curves;
00927 ecp_group_id grp_id = pk_ec( *pk )->grp.id;
00928
00929 while( *crv != NULL )
00930 {
00931 if( (*crv)->grp_id == grp_id )
00932 return( 1 );
00933 crv++;
00934 }
00935
00936 return( 0 );
00937 }
00938 #endif
00939
00940
00941
00942
00943
00944 static int ssl_pick_cert( ssl_context *ssl,
00945 const ssl_ciphersuite_t * ciphersuite_info )
00946 {
00947 ssl_key_cert *cur, *list;
00948 pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
00949
00950 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
00951 if( ssl->handshake->sni_key_cert != NULL )
00952 list = ssl->handshake->sni_key_cert;
00953 else
00954 #endif
00955 list = ssl->handshake->key_cert;
00956
00957 if( pk_alg == POLARSSL_PK_NONE )
00958 return( 0 );
00959
00960 for( cur = list; cur != NULL; cur = cur->next )
00961 {
00962 if( ! pk_can_do( cur->key, pk_alg ) )
00963 continue;
00964
00965 #if defined(POLARSSL_ECDSA_C)
00966 if( pk_alg == POLARSSL_PK_ECDSA )
00967 {
00968 if( ssl_key_matches_curves( cur->key, ssl->handshake->curves ) )
00969 break;
00970 }
00971 else
00972 #endif
00973 break;
00974 }
00975
00976 if( cur == NULL )
00977 return( -1 );
00978
00979 ssl->handshake->key_cert = cur;
00980 return( 0 );
00981 }
00982 #endif
00983
00984 static int ssl_parse_client_hello( ssl_context *ssl )
00985 {
00986 int ret;
00987 unsigned int i, j;
00988 size_t n;
00989 unsigned int ciph_len, sess_len;
00990 unsigned int comp_len;
00991 unsigned int ext_len = 0;
00992 unsigned char *buf, *p, *ext;
00993 int renegotiation_info_seen = 0;
00994 int handshake_failure = 0;
00995 const int *ciphersuites;
00996 const ssl_ciphersuite_t *ciphersuite_info;
00997
00998 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
00999
01000 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
01001 ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
01002 {
01003 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
01004 return( ret );
01005 }
01006
01007 buf = ssl->in_hdr;
01008
01009 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
01010 if( ( buf[0] & 0x80 ) != 0 )
01011 return ssl_parse_client_hello_v2( ssl );
01012 #endif
01013
01014 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
01015
01016 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
01017 buf[0] ) );
01018 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
01019 ( buf[3] << 8 ) | buf[4] ) );
01020 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
01021 buf[1], buf[2] ) );
01022
01023
01024
01025
01026
01027
01028
01029
01030
01031 if( buf[0] != SSL_MSG_HANDSHAKE ||
01032 buf[1] != SSL_MAJOR_VERSION_3 )
01033 {
01034 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01035 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01036 }
01037
01038 n = ( buf[3] << 8 ) | buf[4];
01039
01040 if( n < 45 || n > 2048 )
01041 {
01042 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01043 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01044 }
01045
01046 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
01047 ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
01048 {
01049 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
01050 return( ret );
01051 }
01052
01053 buf = ssl->in_msg;
01054 if( !ssl->renegotiation )
01055 n = ssl->in_left - 5;
01056 else
01057 n = ssl->in_msglen;
01058
01059 ssl->handshake->update_checksum( ssl, buf, n );
01060
01061
01062
01063
01064
01065
01066
01067
01068
01069
01070
01071
01072
01073
01074
01075 SSL_DEBUG_BUF( 4, "record contents", buf, n );
01076
01077 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
01078 buf[0] ) );
01079 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
01080 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
01081 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
01082 buf[4], buf[5] ) );
01083
01084
01085
01086
01087 if( buf[0] != SSL_HS_CLIENT_HELLO ||
01088 buf[4] != SSL_MAJOR_VERSION_3 )
01089 {
01090 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01091 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01092 }
01093
01094 ssl->major_ver = SSL_MAJOR_VERSION_3;
01095 ssl->minor_ver = ( buf[5] <= ssl->max_minor_ver )
01096 ? buf[5] : ssl->max_minor_ver;
01097
01098 if( ssl->minor_ver < ssl->min_minor_ver )
01099 {
01100 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
01101 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
01102 ssl->min_major_ver, ssl->min_minor_ver ) );
01103
01104 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
01105 SSL_ALERT_MSG_PROTOCOL_VERSION );
01106
01107 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
01108 }
01109
01110 ssl->handshake->max_major_ver = buf[4];
01111 ssl->handshake->max_minor_ver = buf[5];
01112
01113 memcpy( ssl->handshake->randbytes, buf + 6, 32 );
01114
01115
01116
01117
01118 if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
01119 {
01120 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01121 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01122 }
01123
01124
01125
01126
01127 sess_len = buf[38];
01128
01129 if( sess_len > 32 )
01130 {
01131 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01132 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01133 }
01134
01135 ssl->session_negotiate->length = sess_len;
01136 memset( ssl->session_negotiate->id, 0,
01137 sizeof( ssl->session_negotiate->id ) );
01138 memcpy( ssl->session_negotiate->id, buf + 39,
01139 ssl->session_negotiate->length );
01140
01141
01142
01143
01144 ciph_len = ( buf[39 + sess_len] << 8 )
01145 | ( buf[40 + sess_len] );
01146
01147 if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
01148 {
01149 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01150 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01151 }
01152
01153
01154
01155
01156 comp_len = buf[41 + sess_len + ciph_len];
01157
01158 if( comp_len < 1 || comp_len > 16 )
01159 {
01160 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01161 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01162 }
01163
01164
01165
01166
01167 if( n > 42 + sess_len + ciph_len + comp_len )
01168 {
01169 ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
01170 | ( buf[43 + sess_len + ciph_len + comp_len] );
01171
01172 if( ( ext_len > 0 && ext_len < 4 ) ||
01173 n != 44 + sess_len + ciph_len + comp_len + ext_len )
01174 {
01175 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01176 SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
01177 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01178 }
01179 }
01180
01181 ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
01182 #if defined(POLARSSL_ZLIB_SUPPORT)
01183 for( i = 0; i < comp_len; ++i )
01184 {
01185 if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
01186 {
01187 ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE;
01188 break;
01189 }
01190 }
01191 #endif
01192
01193 SSL_DEBUG_BUF( 3, "client hello, random bytes",
01194 buf + 6, 32 );
01195 SSL_DEBUG_BUF( 3, "client hello, session id",
01196 buf + 38, sess_len );
01197 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
01198 buf + 41 + sess_len, ciph_len );
01199 SSL_DEBUG_BUF( 3, "client hello, compression",
01200 buf + 42 + sess_len + ciph_len, comp_len );
01201
01202
01203
01204
01205 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
01206 {
01207 if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
01208 {
01209 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
01210 if( ssl->renegotiation == SSL_RENEGOTIATION )
01211 {
01212 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
01213
01214 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
01215 return( ret );
01216
01217 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01218 }
01219 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
01220 break;
01221 }
01222 }
01223
01224 ext = buf + 44 + sess_len + ciph_len + comp_len;
01225
01226 while( ext_len )
01227 {
01228 unsigned int ext_id = ( ( ext[0] << 8 )
01229 | ( ext[1] ) );
01230 unsigned int ext_size = ( ( ext[2] << 8 )
01231 | ( ext[3] ) );
01232
01233 if( ext_size + 4 > ext_len )
01234 {
01235 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01236 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01237 }
01238 switch( ext_id )
01239 {
01240 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
01241 case TLS_EXT_SERVERNAME:
01242 SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
01243 if( ssl->f_sni == NULL )
01244 break;
01245
01246 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
01247 if( ret != 0 )
01248 return( ret );
01249 break;
01250 #endif
01251
01252 case TLS_EXT_RENEGOTIATION_INFO:
01253 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
01254 renegotiation_info_seen = 1;
01255
01256 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
01257 if( ret != 0 )
01258 return( ret );
01259 break;
01260
01261 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
01262 case TLS_EXT_SIG_ALG:
01263 SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
01264 if( ssl->renegotiation == SSL_RENEGOTIATION )
01265 break;
01266
01267 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
01268 if( ret != 0 )
01269 return( ret );
01270 break;
01271 #endif
01272
01273 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
01274 case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
01275 SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
01276
01277 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
01278 if( ret != 0 )
01279 return( ret );
01280 break;
01281
01282 case TLS_EXT_SUPPORTED_POINT_FORMATS:
01283 SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
01284 ssl->handshake->cli_exts |= TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
01285
01286 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
01287 if( ret != 0 )
01288 return( ret );
01289 break;
01290 #endif
01291
01292 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
01293 case TLS_EXT_MAX_FRAGMENT_LENGTH:
01294 SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
01295
01296 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
01297 if( ret != 0 )
01298 return( ret );
01299 break;
01300 #endif
01301
01302 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
01303 case TLS_EXT_TRUNCATED_HMAC:
01304 SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
01305
01306 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
01307 if( ret != 0 )
01308 return( ret );
01309 break;
01310 #endif
01311
01312 #if defined(POLARSSL_SSL_SESSION_TICKETS)
01313 case TLS_EXT_SESSION_TICKET:
01314 SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
01315
01316 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
01317 if( ret != 0 )
01318 return( ret );
01319 break;
01320 #endif
01321
01322 default:
01323 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
01324 ext_id ) );
01325 }
01326
01327 ext_len -= 4 + ext_size;
01328 ext += 4 + ext_size;
01329
01330 if( ext_len > 0 && ext_len < 4 )
01331 {
01332 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
01333 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01334 }
01335 }
01336
01337
01338
01339
01340 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
01341 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
01342 {
01343 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
01344 handshake_failure = 1;
01345 }
01346 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
01347 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
01348 renegotiation_info_seen == 0 )
01349 {
01350 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
01351 handshake_failure = 1;
01352 }
01353 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
01354 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
01355 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
01356 {
01357 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
01358 handshake_failure = 1;
01359 }
01360 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
01361 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
01362 renegotiation_info_seen == 1 )
01363 {
01364 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
01365 handshake_failure = 1;
01366 }
01367
01368 if( handshake_failure == 1 )
01369 {
01370 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
01371 return( ret );
01372
01373 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
01374 }
01375
01376
01377
01378
01379
01380
01381 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
01382 for( i = 0; ciphersuites[i] != 0; i++ )
01383 {
01384 for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
01385 j += 2, p += 2 )
01386 {
01387 if( p[0] == ( ( ciphersuites[i] >> 8 ) & 0xFF ) &&
01388 p[1] == ( ( ciphersuites[i] ) & 0xFF ) )
01389 {
01390 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
01391
01392 if( ciphersuite_info == NULL )
01393 {
01394 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found",
01395 ciphersuites[i] ) );
01396 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
01397 }
01398
01399 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
01400 ciphersuite_info->max_minor_ver < ssl->minor_ver )
01401 continue;
01402
01403 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
01404 if( ssl_ciphersuite_uses_ec( ciphersuite_info ) &&
01405 ( ssl->handshake->curves == NULL ||
01406 ssl->handshake->curves[0] == NULL ) )
01407 continue;
01408 #endif
01409
01410 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
01411
01412
01413 if( ssl_ciphersuite_uses_psk( ciphersuite_info ) &&
01414 ssl->f_psk == NULL &&
01415 ( ssl->psk == NULL || ssl->psk_identity == NULL ||
01416 ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
01417 continue;
01418 #endif
01419
01420 #if defined(POLARSSL_X509_CRT_PARSE_C)
01421
01422
01423
01424
01425
01426
01427
01428 if( ssl_pick_cert( ssl, ciphersuite_info ) != 0 )
01429 continue;
01430 #endif
01431
01432 goto have_ciphersuite;
01433 }
01434 }
01435 }
01436
01437 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
01438
01439 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
01440 return( ret );
01441
01442 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
01443
01444 have_ciphersuite:
01445 ssl->session_negotiate->ciphersuite = ciphersuites[i];
01446 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
01447 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
01448
01449 ssl->in_left = 0;
01450 ssl->state++;
01451
01452 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
01453
01454 return( 0 );
01455 }
01456
01457 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
01458 static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
01459 unsigned char *buf,
01460 size_t *olen )
01461 {
01462 unsigned char *p = buf;
01463
01464 if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
01465 {
01466 *olen = 0;
01467 return;
01468 }
01469
01470 SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
01471
01472 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
01473 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
01474
01475 *p++ = 0x00;
01476 *p++ = 0x00;
01477
01478 *olen = 4;
01479 }
01480 #endif
01481
01482 #if defined(POLARSSL_SSL_SESSION_TICKETS)
01483 static void ssl_write_session_ticket_ext( ssl_context *ssl,
01484 unsigned char *buf,
01485 size_t *olen )
01486 {
01487 unsigned char *p = buf;
01488
01489 if( ssl->handshake->new_session_ticket == 0 )
01490 {
01491 *olen = 0;
01492 return;
01493 }
01494
01495 SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
01496
01497 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
01498 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
01499
01500 *p++ = 0x00;
01501 *p++ = 0x00;
01502
01503 *olen = 4;
01504 }
01505 #endif
01506
01507 static void ssl_write_renegotiation_ext( ssl_context *ssl,
01508 unsigned char *buf,
01509 size_t *olen )
01510 {
01511 unsigned char *p = buf;
01512
01513 if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION )
01514 {
01515 *olen = 0;
01516 return;
01517 }
01518
01519 SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
01520
01521 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
01522 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
01523
01524 *p++ = 0x00;
01525 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
01526 *p++ = ssl->verify_data_len * 2 & 0xFF;
01527
01528 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
01529 p += ssl->verify_data_len;
01530 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
01531 p += ssl->verify_data_len;
01532
01533 *olen = 5 + ssl->verify_data_len * 2;
01534 }
01535
01536 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
01537 static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
01538 unsigned char *buf,
01539 size_t *olen )
01540 {
01541 unsigned char *p = buf;
01542
01543 if( ssl->session_negotiate->mfl_code == SSL_MAX_FRAG_LEN_NONE )
01544 {
01545 *olen = 0;
01546 return;
01547 }
01548
01549 SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
01550
01551 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
01552 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
01553
01554 *p++ = 0x00;
01555 *p++ = 1;
01556
01557 *p++ = ssl->session_negotiate->mfl_code;
01558
01559 *olen = 5;
01560 }
01561 #endif
01562
01563 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
01564 static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
01565 unsigned char *buf,
01566 size_t *olen )
01567 {
01568 unsigned char *p = buf;
01569 ((void) ssl);
01570
01571 if( ( ssl->handshake->cli_exts &
01572 TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
01573 {
01574 *olen = 0;
01575 return;
01576 }
01577
01578 SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
01579
01580 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
01581 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
01582
01583 *p++ = 0x00;
01584 *p++ = 2;
01585
01586 *p++ = 1;
01587 *p++ = POLARSSL_ECP_PF_UNCOMPRESSED;
01588
01589 *olen = 6;
01590 }
01591 #endif
01592
01593 static int ssl_write_server_hello( ssl_context *ssl )
01594 {
01595 #if defined(POLARSSL_HAVE_TIME)
01596 time_t t;
01597 #endif
01598 int ret;
01599 size_t olen, ext_len = 0, n;
01600 unsigned char *buf, *p;
01601
01602 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
01603
01604
01605
01606
01607
01608
01609
01610
01611 buf = ssl->out_msg;
01612 p = buf + 4;
01613
01614 *p++ = (unsigned char) ssl->major_ver;
01615 *p++ = (unsigned char) ssl->minor_ver;
01616
01617 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
01618 buf[4], buf[5] ) );
01619
01620 #if defined(POLARSSL_HAVE_TIME)
01621 t = time( NULL );
01622 *p++ = (unsigned char)( t >> 24 );
01623 *p++ = (unsigned char)( t >> 16 );
01624 *p++ = (unsigned char)( t >> 8 );
01625 *p++ = (unsigned char)( t );
01626
01627 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
01628 #else
01629 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
01630 return( ret );
01631
01632 p += 4;
01633 #endif
01634
01635 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
01636 return( ret );
01637
01638 p += 28;
01639
01640 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
01641
01642 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
01643
01644
01645
01646
01647
01648
01649 if( ssl->handshake->resume == 0 &&
01650 ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
01651 ssl->session_negotiate->length != 0 &&
01652 ssl->f_get_cache != NULL &&
01653 ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
01654 {
01655 ssl->handshake->resume = 1;
01656 }
01657
01658 if( ssl->handshake->resume == 0 )
01659 {
01660
01661
01662
01663
01664 ssl->state++;
01665
01666 #if defined(POLARSSL_HAVE_TIME)
01667 ssl->session_negotiate->start = time( NULL );
01668 #endif
01669
01670 #if defined(POLARSSL_SSL_SESSION_TICKETS)
01671 if( ssl->handshake->new_session_ticket != 0 )
01672 {
01673 ssl->session_negotiate->length = n = 0;
01674 memset( ssl->session_negotiate->id, 0, 32 );
01675 }
01676 else
01677 #endif
01678 {
01679 ssl->session_negotiate->length = n = 32;
01680 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
01681 n ) ) != 0 )
01682 return( ret );
01683 }
01684 }
01685 else
01686 {
01687
01688
01689
01690 n = ssl->session_negotiate->length;
01691 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
01692
01693 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
01694 {
01695 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
01696 return( ret );
01697 }
01698 }
01699
01700
01701
01702
01703
01704
01705
01706
01707
01708 *p++ = (unsigned char) ssl->session_negotiate->length;
01709 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
01710 p += ssl->session_negotiate->length;
01711
01712 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
01713 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
01714 SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
01715 ssl->handshake->resume ? "a" : "no" ) );
01716
01717 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
01718 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
01719 *p++ = (unsigned char)( ssl->session_negotiate->compression );
01720
01721 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
01722 ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
01723 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
01724 ssl->session_negotiate->compression ) );
01725
01726
01727
01728
01729 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
01730 ext_len += olen;
01731
01732 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
01733 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
01734 ext_len += olen;
01735 #endif
01736
01737 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
01738 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
01739 ext_len += olen;
01740 #endif
01741
01742 #if defined(POLARSSL_SSL_SESSION_TICKETS)
01743 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
01744 ext_len += olen;
01745 #endif
01746
01747 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
01748 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
01749 ext_len += olen;
01750 #endif
01751
01752 SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
01753
01754 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
01755 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
01756 p += ext_len;
01757
01758 ssl->out_msglen = p - buf;
01759 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
01760 ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
01761
01762 ret = ssl_write_record( ssl );
01763
01764 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
01765
01766 return( ret );
01767 }
01768
01769 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
01770 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
01771 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
01772 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
01773 static int ssl_write_certificate_request( ssl_context *ssl )
01774 {
01775 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
01776 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
01777
01778 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
01779
01780 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
01781 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
01782 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
01783 {
01784 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
01785 ssl->state++;
01786 return( 0 );
01787 }
01788
01789 SSL_DEBUG_MSG( 1, ( "should not happen" ) );
01790 return( ret );
01791 }
01792 #else
01793 static int ssl_write_certificate_request( ssl_context *ssl )
01794 {
01795 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
01796 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
01797 size_t dn_size, total_dn_size;
01798 size_t ct_len, sa_len;
01799 unsigned char *buf, *p;
01800 const x509_crt *crt;
01801
01802 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
01803
01804 ssl->state++;
01805
01806 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
01807 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
01808 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
01809 ssl->authmode == SSL_VERIFY_NONE )
01810 {
01811 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
01812 return( 0 );
01813 }
01814
01815
01816
01817
01818
01819
01820
01821
01822
01823
01824
01825
01826
01827 buf = ssl->out_msg;
01828 p = buf + 4;
01829
01830
01831
01832
01833
01834
01835
01836 ct_len = 0;
01837
01838 #if defined(POLARSSL_RSA_C)
01839 p[1 + ct_len++] = SSL_CERT_TYPE_RSA_SIGN;
01840 #endif
01841 #if defined(POLARSSL_ECDSA_C)
01842 p[1 + ct_len++] = SSL_CERT_TYPE_ECDSA_SIGN;
01843 #endif
01844
01845 p[0] = (unsigned char) ct_len++;
01846 p += ct_len;
01847
01848 sa_len = 0;
01849 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
01850
01851
01852
01853
01854
01855
01856
01857
01858
01859
01860
01861
01862
01863 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
01864 {
01865
01866
01867
01868
01869 ssl->handshake->verify_sig_alg = SSL_HASH_SHA256;
01870
01871 if( ssl->transform_negotiate->ciphersuite_info->mac ==
01872 POLARSSL_MD_SHA384 )
01873 {
01874 ssl->handshake->verify_sig_alg = SSL_HASH_SHA384;
01875 }
01876
01877
01878
01879
01880 #if defined(POLARSSL_RSA_C)
01881 p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
01882 p[2 + sa_len++] = SSL_SIG_RSA;
01883 #endif
01884 #if defined(POLARSSL_ECDSA_C)
01885 p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
01886 p[2 + sa_len++] = SSL_SIG_ECDSA;
01887 #endif
01888
01889 p[0] = (unsigned char)( sa_len >> 8 );
01890 p[1] = (unsigned char)( sa_len );
01891 sa_len += 2;
01892 p += sa_len;
01893 }
01894 #endif
01895
01896
01897
01898
01899
01900 p += 2;
01901 crt = ssl->ca_chain;
01902
01903 total_dn_size = 0;
01904 while( crt != NULL )
01905 {
01906 if( p - buf > 4096 )
01907 break;
01908
01909 dn_size = crt->subject_raw.len;
01910 *p++ = (unsigned char)( dn_size >> 8 );
01911 *p++ = (unsigned char)( dn_size );
01912 memcpy( p, crt->subject_raw.p, dn_size );
01913 p += dn_size;
01914
01915 SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
01916
01917 total_dn_size += 2 + dn_size;
01918 crt = crt->next;
01919 }
01920
01921 ssl->out_msglen = p - buf;
01922 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
01923 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST;
01924 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
01925 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
01926
01927 ret = ssl_write_record( ssl );
01928
01929 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
01930
01931 return( ret );
01932 }
01933 #endif
01934
01935
01936
01937 static int ssl_write_server_key_exchange( ssl_context *ssl )
01938 {
01939 int ret;
01940 size_t n = 0;
01941 const ssl_ciphersuite_t *ciphersuite_info =
01942 ssl->transform_negotiate->ciphersuite_info;
01943
01944 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
01945 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
01946 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
01947 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
01948 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
01949 unsigned char *p = ssl->out_msg + 4;
01950 unsigned char *dig_signed = p;
01951 size_t dig_signed_len = 0, len;
01952 ((void) dig_signed);
01953 ((void) dig_signed_len);
01954 #endif
01955
01956 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
01957
01958 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ||
01959 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
01960 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
01961 {
01962 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
01963 ssl->state++;
01964 return( 0 );
01965 }
01966
01967 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
01968 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
01969 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
01970 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
01971 {
01972
01973 *(p++) = 0x00;
01974 *(p++) = 0x00;
01975
01976 n += 2;
01977 }
01978 #endif
01979
01980
01981 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
01982 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
01983 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
01984 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
01985 {
01986
01987
01988
01989
01990
01991
01992
01993
01994
01995 if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
01996 ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
01997 {
01998 SSL_DEBUG_RET( 1, "mpi_copy", ret );
01999 return( ret );
02000 }
02001
02002 if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
02003 (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
02004 p,
02005 &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
02006 {
02007 SSL_DEBUG_RET( 1, "dhm_make_params", ret );
02008 return( ret );
02009 }
02010
02011 dig_signed = p;
02012 dig_signed_len = len;
02013
02014 p += len;
02015 n += len;
02016
02017 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
02018 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
02019 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
02020 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
02021 }
02022 #endif
02023
02024
02025 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
02026 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
02027 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
02028
02029 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
02030 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
02031 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
02032 {
02033
02034
02035
02036
02037
02038
02039
02040
02041 if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
02042 ssl->handshake->curves[0]->grp_id ) ) != 0 )
02043 {
02044 SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
02045 return( ret );
02046 }
02047
02048 SSL_DEBUG_MSG( 2, ( "ECDH curve size: %d",
02049 (int) ssl->handshake->ecdh_ctx.grp.nbits ) );
02050
02051 if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
02052 p, SSL_MAX_CONTENT_LEN - n,
02053 ssl->f_rng, ssl->p_rng ) ) != 0 )
02054 {
02055 SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
02056 return( ret );
02057 }
02058
02059 dig_signed = p;
02060 dig_signed_len = len;
02061
02062 p += len;
02063 n += len;
02064
02065 SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
02066 }
02067 #endif
02068
02069
02070
02071 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
02072 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
02073 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
02074 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
02075 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
02076 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
02077 {
02078 size_t signature_len = 0;
02079 unsigned int hashlen = 0;
02080 unsigned char hash[64];
02081 md_type_t md_alg = POLARSSL_MD_NONE;
02082
02083
02084
02085
02086 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
02087 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
02088 {
02089 md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg );
02090
02091 if( md_alg == POLARSSL_MD_NONE )
02092 {
02093 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02094 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
02095 }
02096 }
02097 else
02098 #endif
02099 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
02100 defined(POLARSSL_SSL_PROTO_TLS1_1)
02101 if ( ciphersuite_info->key_exchange ==
02102 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
02103 {
02104 md_alg = POLARSSL_MD_SHA1;
02105 }
02106 else
02107 #endif
02108 {
02109 md_alg = POLARSSL_MD_NONE;
02110 }
02111
02112
02113
02114
02115 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
02116 defined(POLARSSL_SSL_PROTO_TLS1_1)
02117 if( md_alg == POLARSSL_MD_NONE )
02118 {
02119 md5_context md5;
02120 sha1_context sha1;
02121
02122
02123
02124
02125
02126
02127
02128
02129
02130
02131
02132
02133
02134
02135 md5_starts( &md5 );
02136 md5_update( &md5, ssl->handshake->randbytes, 64 );
02137 md5_update( &md5, dig_signed, dig_signed_len );
02138 md5_finish( &md5, hash );
02139
02140 sha1_starts( &sha1 );
02141 sha1_update( &sha1, ssl->handshake->randbytes, 64 );
02142 sha1_update( &sha1, dig_signed, dig_signed_len );
02143 sha1_finish( &sha1, hash + 16 );
02144
02145 hashlen = 36;
02146 }
02147 else
02148 #endif
02149
02150 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
02151 defined(POLARSSL_SSL_PROTO_TLS1_2)
02152 if( md_alg != POLARSSL_MD_NONE )
02153 {
02154 md_context_t ctx;
02155
02156
02157 hashlen = 0;
02158
02159
02160
02161
02162
02163
02164
02165
02166 if( ( ret = md_init_ctx( &ctx, md_info_from_type(md_alg) ) ) != 0 )
02167 {
02168 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
02169 return( ret );
02170 }
02171
02172 md_starts( &ctx );
02173 md_update( &ctx, ssl->handshake->randbytes, 64 );
02174 md_update( &ctx, dig_signed, dig_signed_len );
02175 md_finish( &ctx, hash );
02176
02177 if( ( ret = md_free_ctx( &ctx ) ) != 0 )
02178 {
02179 SSL_DEBUG_RET( 1, "md_free_ctx", ret );
02180 return( ret );
02181 }
02182
02183 }
02184 else
02185 #endif
02186
02187 {
02188 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02189 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
02190 }
02191
02192 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
02193 (unsigned int) ( md_info_from_type( md_alg ) )->size );
02194
02195
02196
02197
02198 if( ssl_own_key( ssl ) == NULL )
02199 {
02200 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
02201 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
02202 }
02203
02204 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
02205 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
02206 {
02207 *(p++) = ssl->handshake->sig_alg;
02208 *(p++) = ssl_sig_from_pk( ssl_own_key( ssl ) );
02209
02210 n += 2;
02211 }
02212 #endif
02213
02214 if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash, hashlen,
02215 p + 2 , &signature_len,
02216 ssl->f_rng, ssl->p_rng ) ) != 0 )
02217 {
02218 SSL_DEBUG_RET( 1, "pk_sign", ret );
02219 return( ret );
02220 }
02221
02222 *(p++) = (unsigned char)( signature_len >> 8 );
02223 *(p++) = (unsigned char)( signature_len );
02224 n += 2;
02225
02226 SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
02227
02228 p += signature_len;
02229 n += signature_len;
02230 }
02231 #endif
02232
02233
02234
02235 ssl->out_msglen = 4 + n;
02236 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
02237 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE;
02238
02239 ssl->state++;
02240
02241 if( ( ret = ssl_write_record( ssl ) ) != 0 )
02242 {
02243 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
02244 return( ret );
02245 }
02246
02247 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
02248
02249 return( 0 );
02250 }
02251
02252 static int ssl_write_server_hello_done( ssl_context *ssl )
02253 {
02254 int ret;
02255
02256 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
02257
02258 ssl->out_msglen = 4;
02259 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
02260 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE;
02261
02262 ssl->state++;
02263
02264 if( ( ret = ssl_write_record( ssl ) ) != 0 )
02265 {
02266 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
02267 return( ret );
02268 }
02269
02270 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
02271
02272 return( 0 );
02273 }
02274
02275 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
02276 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
02277 static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
02278 const unsigned char *end )
02279 {
02280 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
02281 size_t n;
02282
02283
02284
02285
02286 if( *p + 2 > end )
02287 {
02288 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02289 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02290 }
02291
02292 n = ( (*p)[0] << 8 ) | (*p)[1];
02293 *p += 2;
02294
02295 if( n < 1 || n > ssl->handshake->dhm_ctx.len || *p + n > end )
02296 {
02297 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02298 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02299 }
02300
02301 if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx,
02302 *p, n ) ) != 0 )
02303 {
02304 SSL_DEBUG_RET( 1, "dhm_read_public", ret );
02305 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
02306 }
02307
02308 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
02309
02310 return( ret );
02311 }
02312 #endif
02313
02314
02315 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
02316 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
02317 static int ssl_parse_encrypted_pms( ssl_context *ssl,
02318 const unsigned char *p,
02319 const unsigned char *end,
02320 size_t pms_offset )
02321 {
02322 int ret;
02323 size_t len = pk_get_len( ssl_own_key( ssl ) );
02324 unsigned char *pms = ssl->handshake->premaster + pms_offset;
02325
02326 if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) )
02327 {
02328 SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
02329 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
02330 }
02331
02332
02333
02334
02335 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
02336 defined(POLARSSL_SSL_PROTO_TLS1_2)
02337 if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
02338 {
02339 if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
02340 *p++ != ( ( len ) & 0xFF ) )
02341 {
02342 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02343 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02344 }
02345 }
02346 #endif
02347
02348 if( p + len != end )
02349 {
02350 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02351 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02352 }
02353
02354 ret = pk_decrypt( ssl_own_key( ssl ), p, len,
02355 pms, &ssl->handshake->pmslen,
02356 sizeof(ssl->handshake->premaster),
02357 ssl->f_rng, ssl->p_rng );
02358
02359 if( ret != 0 || ssl->handshake->pmslen != 48 ||
02360 pms[0] != ssl->handshake->max_major_ver ||
02361 pms[1] != ssl->handshake->max_minor_ver )
02362 {
02363 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02364
02365
02366
02367
02368
02369
02370
02371 ssl->handshake->pmslen = 48;
02372
02373 ret = ssl->f_rng( ssl->p_rng, pms, ssl->handshake->pmslen );
02374 if( ret != 0 )
02375 return( ret );
02376 }
02377
02378 return( ret );
02379 }
02380 #endif
02381
02382
02383 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
02384 static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
02385 const unsigned char *end )
02386 {
02387 int ret = 0;
02388 size_t n;
02389
02390 if( ssl->f_psk == NULL &&
02391 ( ssl->psk == NULL || ssl->psk_identity == NULL ||
02392 ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
02393 {
02394 SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
02395 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
02396 }
02397
02398
02399
02400
02401 if( *p + 2 > end )
02402 {
02403 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02404 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02405 }
02406
02407 n = ( (*p)[0] << 8 ) | (*p)[1];
02408 *p += 2;
02409
02410 if( n < 1 || n > 65535 || *p + n > end )
02411 {
02412 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02413 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02414 }
02415
02416 if( ssl->f_psk != NULL )
02417 {
02418 if( ( ret != ssl->f_psk( ssl->p_psk, ssl, *p, n ) ) != 0 )
02419 ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
02420 }
02421
02422 if( ret == 0 )
02423 {
02424
02425
02426 if( n != ssl->psk_identity_len ||
02427 safer_memcmp( ssl->psk_identity, *p, n ) != 0 )
02428 {
02429 ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
02430 }
02431 }
02432
02433 if( ret == POLARSSL_ERR_SSL_UNKNOWN_IDENTITY )
02434 {
02435 SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
02436 if( ( ret = ssl_send_alert_message( ssl,
02437 SSL_ALERT_LEVEL_FATAL,
02438 SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 )
02439 {
02440 return( ret );
02441 }
02442
02443 return( POLARSSL_ERR_SSL_UNKNOWN_IDENTITY );
02444 }
02445
02446 *p += n;
02447 ret = 0;
02448
02449 return( ret );
02450 }
02451 #endif
02452
02453 static int ssl_parse_client_key_exchange( ssl_context *ssl )
02454 {
02455 int ret;
02456 const ssl_ciphersuite_t *ciphersuite_info;
02457
02458 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
02459
02460 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
02461
02462 if( ( ret = ssl_read_record( ssl ) ) != 0 )
02463 {
02464 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
02465 return( ret );
02466 }
02467
02468 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
02469 {
02470 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02471 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02472 }
02473
02474 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
02475 {
02476 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02477 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02478 }
02479
02480 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
02481 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
02482 {
02483 unsigned char *p = ssl->in_msg + 4;
02484 unsigned char *end = ssl->in_msg + ssl->in_msglen;
02485
02486 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
02487 {
02488 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
02489 return( ret );
02490 }
02491
02492 ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
02493
02494 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
02495 ssl->handshake->premaster,
02496 &ssl->handshake->pmslen,
02497 ssl->f_rng, ssl->p_rng ) ) != 0 )
02498 {
02499 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
02500 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
02501 }
02502
02503 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
02504 }
02505 else
02506 #endif
02507 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
02508 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
02509 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
02510 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
02511 {
02512 size_t n = ssl->in_msg[3];
02513
02514 if( n < 1 || n > mpi_size( &ssl->handshake->ecdh_ctx.grp.P ) * 2 + 2 ||
02515 n + 4 != ssl->in_hslen )
02516 {
02517 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
02518 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
02519 }
02520
02521 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
02522 ssl->in_msg + 4, n ) ) != 0 )
02523 {
02524 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
02525 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
02526 }
02527
02528 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
02529
02530 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
02531 &ssl->handshake->pmslen,
02532 ssl->handshake->premaster,
02533 POLARSSL_MPI_MAX_SIZE,
02534 ssl->f_rng, ssl->p_rng ) ) != 0 )
02535 {
02536 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
02537 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
02538 }
02539
02540 SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
02541 }
02542 else
02543 #endif
02544
02545 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
02546 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
02547 {
02548 unsigned char *p = ssl->in_msg + 4;
02549 unsigned char *end = ssl->in_msg + ssl->in_msglen;
02550
02551 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
02552 {
02553 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
02554 return( ret );
02555 }
02556
02557 if( ( ret = ssl_psk_derive_premaster( ssl,
02558 ciphersuite_info->key_exchange ) ) != 0 )
02559 {
02560 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
02561 return( ret );
02562 }
02563 }
02564 else
02565 #endif
02566 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
02567 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
02568 {
02569 unsigned char *p = ssl->in_msg + 4;
02570 unsigned char *end = ssl->in_msg + ssl->in_msglen;
02571
02572 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
02573 {
02574 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
02575 return( ret );
02576 }
02577
02578 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
02579 {
02580 SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
02581 return( ret );
02582 }
02583
02584 if( ( ret = ssl_psk_derive_premaster( ssl,
02585 ciphersuite_info->key_exchange ) ) != 0 )
02586 {
02587 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
02588 return( ret );
02589 }
02590 }
02591 else
02592 #endif
02593 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
02594 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
02595 {
02596 unsigned char *p = ssl->in_msg + 4;
02597 unsigned char *end = ssl->in_msg + ssl->in_msglen;
02598
02599 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
02600 {
02601 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
02602 return( ret );
02603 }
02604 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
02605 {
02606 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
02607 return( ret );
02608 }
02609
02610 if( ( ret = ssl_psk_derive_premaster( ssl,
02611 ciphersuite_info->key_exchange ) ) != 0 )
02612 {
02613 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
02614 return( ret );
02615 }
02616 }
02617 else
02618 #endif
02619 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
02620 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
02621 {
02622 unsigned char *p = ssl->in_msg + 4;
02623 unsigned char *end = ssl->in_msg + ssl->in_msglen;
02624
02625 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
02626 {
02627 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
02628 return( ret );
02629 }
02630
02631 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
02632 p, end - p ) ) != 0 )
02633 {
02634 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
02635 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
02636 }
02637
02638 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
02639
02640 if( ( ret = ssl_psk_derive_premaster( ssl,
02641 ciphersuite_info->key_exchange ) ) != 0 )
02642 {
02643 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
02644 return( ret );
02645 }
02646 }
02647 else
02648 #endif
02649 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
02650 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
02651 {
02652 if( ( ret = ssl_parse_encrypted_pms( ssl,
02653 ssl->in_msg + 4,
02654 ssl->in_msg + ssl->in_msglen,
02655 0 ) ) != 0 )
02656 {
02657 SSL_DEBUG_RET( 1, ( "ssl_parse_parse_ecrypted_pms_secret" ), ret );
02658 return( ret );
02659 }
02660 }
02661 else
02662 #endif
02663 {
02664 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02665 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
02666 }
02667
02668 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
02669 {
02670 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
02671 return( ret );
02672 }
02673
02674 ssl->state++;
02675
02676 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
02677
02678 return( 0 );
02679 }
02680
02681 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
02682 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
02683 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
02684 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
02685 static int ssl_parse_certificate_verify( ssl_context *ssl )
02686 {
02687 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
02688 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
02689
02690 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
02691
02692 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
02693 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
02694 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
02695 {
02696 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
02697 ssl->state++;
02698 return( 0 );
02699 }
02700
02701 SSL_DEBUG_MSG( 1, ( "should not happen" ) );
02702 return( ret );
02703 }
02704 #else
02705 static int ssl_parse_certificate_verify( ssl_context *ssl )
02706 {
02707 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
02708 size_t sa_len, sig_len;
02709 unsigned char hash[48];
02710 unsigned char *hash_start = hash;
02711 size_t hashlen;
02712 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
02713 pk_type_t pk_alg;
02714 #endif
02715 md_type_t md_alg;
02716 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
02717
02718 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
02719
02720 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
02721 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
02722 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
02723 {
02724 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
02725 ssl->state++;
02726 return( 0 );
02727 }
02728
02729 if( ssl->session_negotiate->peer_cert == NULL )
02730 {
02731 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
02732 ssl->state++;
02733 return( 0 );
02734 }
02735
02736 ssl->handshake->calc_verify( ssl, hash );
02737
02738 if( ( ret = ssl_read_record( ssl ) ) != 0 )
02739 {
02740 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
02741 return( ret );
02742 }
02743
02744 ssl->state++;
02745
02746 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
02747 {
02748 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
02749 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
02750 }
02751
02752 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
02753 {
02754 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
02755 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
02756 }
02757
02758
02759
02760
02761
02762
02763
02764
02765
02766 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
02767 defined(POLARSSL_SSL_PROTO_TLS1_1)
02768 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
02769 {
02770 sa_len = 0;
02771
02772 md_alg = POLARSSL_MD_NONE;
02773 hashlen = 36;
02774
02775
02776 if( pk_can_do( &ssl->session_negotiate->peer_cert->pk,
02777 POLARSSL_PK_ECDSA ) )
02778 {
02779 hash_start += 16;
02780 hashlen -= 16;
02781 md_alg = POLARSSL_MD_SHA1;
02782 }
02783 }
02784 else
02785 #endif
02786 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
02787 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
02788 {
02789 sa_len = 2;
02790
02791
02792
02793
02794 if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg )
02795 {
02796 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
02797 " for verify message" ) );
02798 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
02799 }
02800
02801 md_alg = ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg );
02802
02803
02804 hashlen = 0;
02805
02806
02807
02808
02809 if( ( pk_alg = ssl_pk_alg_from_sig( ssl->in_msg[5] ) )
02810 == POLARSSL_PK_NONE )
02811 {
02812 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
02813 " for verify message" ) );
02814 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
02815 }
02816
02817
02818
02819
02820 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
02821 {
02822 SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
02823 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
02824 }
02825 }
02826 else
02827 #endif
02828 {
02829 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
02830 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
02831 }
02832
02833 sig_len = ( ssl->in_msg[4 + sa_len] << 8 ) | ssl->in_msg[5 + sa_len];
02834
02835 if( sa_len + sig_len + 6 != ssl->in_hslen )
02836 {
02837 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
02838 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
02839 }
02840
02841 if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
02842 md_alg, hash_start, hashlen,
02843 ssl->in_msg + 6 + sa_len, sig_len ) ) != 0 )
02844 {
02845 SSL_DEBUG_RET( 1, "pk_verify", ret );
02846 return( ret );
02847 }
02848
02849 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
02850
02851 return( ret );
02852 }
02853 #endif
02854
02855
02856
02857 #if defined(POLARSSL_SSL_SESSION_TICKETS)
02858 static int ssl_write_new_session_ticket( ssl_context *ssl )
02859 {
02860 int ret;
02861 size_t tlen;
02862 uint32_t lifetime = (uint32_t) ssl->ticket_lifetime;
02863
02864 SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
02865
02866 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
02867 ssl->out_msg[0] = SSL_HS_NEW_SESSION_TICKET;
02868
02869
02870
02871
02872
02873
02874
02875
02876
02877
02878
02879
02880 ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
02881 ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
02882 ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
02883 ssl->out_msg[7] = ( lifetime ) & 0xFF;
02884
02885 if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
02886 {
02887 SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
02888 tlen = 0;
02889 }
02890
02891 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
02892 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
02893
02894 ssl->out_msglen = 10 + tlen;
02895
02896 if( ( ret = ssl_write_record( ssl ) ) != 0 )
02897 {
02898 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
02899 return( ret );
02900 }
02901
02902
02903 ssl->handshake->new_session_ticket = 0;
02904
02905 SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
02906
02907 return( 0 );
02908 }
02909 #endif
02910
02911
02912
02913
02914 int ssl_handshake_server_step( ssl_context *ssl )
02915 {
02916 int ret = 0;
02917
02918 if( ssl->state == SSL_HANDSHAKE_OVER )
02919 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
02920
02921 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
02922
02923 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
02924 return( ret );
02925
02926 switch( ssl->state )
02927 {
02928 case SSL_HELLO_REQUEST:
02929 ssl->state = SSL_CLIENT_HELLO;
02930 break;
02931
02932
02933
02934
02935 case SSL_CLIENT_HELLO:
02936 ret = ssl_parse_client_hello( ssl );
02937 break;
02938
02939
02940
02941
02942
02943
02944
02945
02946 case SSL_SERVER_HELLO:
02947 ret = ssl_write_server_hello( ssl );
02948 break;
02949
02950 case SSL_SERVER_CERTIFICATE:
02951 ret = ssl_write_certificate( ssl );
02952 break;
02953
02954 case SSL_SERVER_KEY_EXCHANGE:
02955 ret = ssl_write_server_key_exchange( ssl );
02956 break;
02957
02958 case SSL_CERTIFICATE_REQUEST:
02959 ret = ssl_write_certificate_request( ssl );
02960 break;
02961
02962 case SSL_SERVER_HELLO_DONE:
02963 ret = ssl_write_server_hello_done( ssl );
02964 break;
02965
02966
02967
02968
02969
02970
02971
02972
02973 case SSL_CLIENT_CERTIFICATE:
02974 ret = ssl_parse_certificate( ssl );
02975 break;
02976
02977 case SSL_CLIENT_KEY_EXCHANGE:
02978 ret = ssl_parse_client_key_exchange( ssl );
02979 break;
02980
02981 case SSL_CERTIFICATE_VERIFY:
02982 ret = ssl_parse_certificate_verify( ssl );
02983 break;
02984
02985 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
02986 ret = ssl_parse_change_cipher_spec( ssl );
02987 break;
02988
02989 case SSL_CLIENT_FINISHED:
02990 ret = ssl_parse_finished( ssl );
02991 break;
02992
02993
02994
02995
02996
02997
02998 case SSL_SERVER_CHANGE_CIPHER_SPEC:
02999 #if defined(POLARSSL_SSL_SESSION_TICKETS)
03000 if( ssl->handshake->new_session_ticket != 0 )
03001 ret = ssl_write_new_session_ticket( ssl );
03002 else
03003 #endif
03004 ret = ssl_write_change_cipher_spec( ssl );
03005 break;
03006
03007 case SSL_SERVER_FINISHED:
03008 ret = ssl_write_finished( ssl );
03009 break;
03010
03011 case SSL_FLUSH_BUFFERS:
03012 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
03013 ssl->state = SSL_HANDSHAKE_WRAPUP;
03014 break;
03015
03016 case SSL_HANDSHAKE_WRAPUP:
03017 ssl_handshake_wrapup( ssl );
03018 break;
03019
03020 default:
03021 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
03022 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
03023 }
03024
03025 return( ret );
03026 }
03027 #endif
