PolarSSL v1.2.9
ssl_srv.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 server-side functions
3  *
4  * Copyright (C) 2006-2012, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 #include "polarssl/config.h"
27 
28 #if defined(POLARSSL_SSL_SRV_C)
29 
30 #include "polarssl/debug.h"
31 #include "polarssl/ssl.h"
32 
33 #include <stdlib.h>
34 #include <stdio.h>
35 #include <time.h>
36 
37 static int ssl_parse_servername_ext( ssl_context *ssl,
38  const unsigned char *buf,
39  size_t len )
40 {
41  int ret;
42  size_t servername_list_size, hostname_len;
43  const unsigned char *p;
44 
45  servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
46  if( servername_list_size + 2 != len )
47  {
48  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
50  }
51 
52  p = buf + 2;
53  while( servername_list_size > 0 )
54  {
55  hostname_len = ( ( p[1] << 8 ) | p[2] );
56  if( hostname_len + 3 > servername_list_size )
57  {
58  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
60  }
61 
62  if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
63  {
64  ret = ssl->f_sni( ssl->p_sni, ssl, p + 3, hostname_len );
65  if( ret != 0 )
66  {
70  }
71  return( 0 );
72  }
73 
74  servername_list_size -= hostname_len + 3;
75  p += hostname_len + 3;
76  }
77 
78  if( servername_list_size != 0 )
79  {
80  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
82  }
83 
84  return( 0 );
85 }
86 
87 static int ssl_parse_renegotiation_info( ssl_context *ssl,
88  const unsigned char *buf,
89  size_t len )
90 {
91  int ret;
92 
94  {
95  if( len != 1 || buf[0] != 0x0 )
96  {
97  SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
98 
99  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
100  return( ret );
101 
103  }
104 
106  }
107  else
108  {
109  if( len != 1 + ssl->verify_data_len ||
110  buf[0] != ssl->verify_data_len ||
111  memcmp( buf + 1, ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
112  {
113  SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
114 
115  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
116  return( ret );
117 
119  }
120  }
121 
122  return( 0 );
123 }
124 
125 static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
126  const unsigned char *buf,
127  size_t len )
128 {
129  size_t sig_alg_list_size;
130  const unsigned char *p;
131 
132  sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
133  if( sig_alg_list_size + 2 != len ||
134  sig_alg_list_size %2 != 0 )
135  {
136  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
138  }
139 
140  p = buf + 2;
141  while( sig_alg_list_size > 0 )
142  {
143  if( p[1] != SSL_SIG_RSA )
144  {
145  sig_alg_list_size -= 2;
146  p += 2;
147  continue;
148  }
149 #if defined(POLARSSL_SHA4_C)
150  if( p[0] == SSL_HASH_SHA512 )
151  {
153  break;
154  }
155  if( p[0] == SSL_HASH_SHA384 )
156  {
158  break;
159  }
160 #endif
161 #if defined(POLARSSL_SHA2_C)
162  if( p[0] == SSL_HASH_SHA256 )
163  {
165  break;
166  }
167  if( p[0] == SSL_HASH_SHA224 )
168  {
170  break;
171  }
172 #endif
173  if( p[0] == SSL_HASH_SHA1 )
174  {
176  break;
177  }
178  if( p[0] == SSL_HASH_MD5 )
179  {
181  break;
182  }
183 
184  sig_alg_list_size -= 2;
185  p += 2;
186  }
187 
188  SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
189  ssl->handshake->sig_alg ) );
190 
191  return( 0 );
192 }
193 
194 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
195 static int ssl_parse_client_hello_v2( ssl_context *ssl )
196 {
197  int ret;
198  unsigned int i, j;
199  size_t n;
200  unsigned int ciph_len, sess_len, chal_len;
201  unsigned char *buf, *p;
202 
203  SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
204 
206  {
207  SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
208 
209  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
210  return( ret );
211 
213  }
214 
215  buf = ssl->in_hdr;
216 
217  SSL_DEBUG_BUF( 4, "record header", buf, 5 );
218 
219  SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
220  buf[2] ) );
221  SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
222  ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
223  SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
224  buf[3], buf[4] ) );
225 
226  /*
227  * SSLv2 Client Hello
228  *
229  * Record layer:
230  * 0 . 1 message length
231  *
232  * SSL layer:
233  * 2 . 2 message type
234  * 3 . 4 protocol version
235  */
236  if( buf[2] != SSL_HS_CLIENT_HELLO ||
237  buf[3] != SSL_MAJOR_VERSION_3 )
238  {
239  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
241  }
242 
243  n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
244 
245  if( n < 17 || n > 512 )
246  {
247  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
249  }
250 
252  ssl->minor_ver = ( buf[4] <= SSL_MINOR_VERSION_3 )
253  ? buf[4] : SSL_MINOR_VERSION_3;
254 
255  if( ssl->minor_ver < ssl->min_minor_ver )
256  {
257  SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
258  " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
259  ssl->min_major_ver, ssl->min_minor_ver ) );
260 
264  }
265 
266  ssl->max_major_ver = buf[3];
267  ssl->max_minor_ver = buf[4];
268 
269  if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
270  {
271  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
272  return( ret );
273  }
274 
275  ssl->handshake->update_checksum( ssl, buf + 2, n );
276 
277  buf = ssl->in_msg;
278  n = ssl->in_left - 5;
279 
280  /*
281  * 0 . 1 ciphersuitelist length
282  * 2 . 3 session id length
283  * 4 . 5 challenge length
284  * 6 . .. ciphersuitelist
285  * .. . .. session id
286  * .. . .. challenge
287  */
288  SSL_DEBUG_BUF( 4, "record contents", buf, n );
289 
290  ciph_len = ( buf[0] << 8 ) | buf[1];
291  sess_len = ( buf[2] << 8 ) | buf[3];
292  chal_len = ( buf[4] << 8 ) | buf[5];
293 
294  SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
295  ciph_len, sess_len, chal_len ) );
296 
297  /*
298  * Make sure each parameter length is valid
299  */
300  if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
301  {
302  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
304  }
305 
306  if( sess_len > 32 )
307  {
308  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
310  }
311 
312  if( chal_len < 8 || chal_len > 32 )
313  {
314  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
316  }
317 
318  if( n != 6 + ciph_len + sess_len + chal_len )
319  {
320  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
322  }
323 
324  SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
325  buf + 6, ciph_len );
326  SSL_DEBUG_BUF( 3, "client hello, session id",
327  buf + 6 + ciph_len, sess_len );
328  SSL_DEBUG_BUF( 3, "client hello, challenge",
329  buf + 6 + ciph_len + sess_len, chal_len );
330 
331  p = buf + 6 + ciph_len;
332  ssl->session_negotiate->length = sess_len;
333  memset( ssl->session_negotiate->id, 0, sizeof( ssl->session_negotiate->id ) );
334  memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
335 
336  p += sess_len;
337  memset( ssl->handshake->randbytes, 0, 64 );
338  memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
339 
340  /*
341  * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
342  */
343  for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
344  {
345  if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
346  {
347  SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
348  if( ssl->renegotiation == SSL_RENEGOTIATION )
349  {
350  SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
351 
352  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
353  return( ret );
354 
356  }
358  break;
359  }
360  }
361 
362  for( i = 0; ssl->ciphersuites[ssl->minor_ver][i] != 0; i++ )
363  {
364  for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
365  {
366  if( p[0] == 0 &&
367  p[1] == 0 &&
368  p[2] == ssl->ciphersuites[ssl->minor_ver][i] )
369  goto have_ciphersuite_v2;
370  }
371  }
372 
373  SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
374 
376 
377 have_ciphersuite_v2:
378  ssl->session_negotiate->ciphersuite = ssl->ciphersuites[ssl->minor_ver][i];
380 
381  /*
382  * SSLv2 Client Hello relevant renegotiation security checks
383  */
386  {
387  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
388 
389  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
390  return( ret );
391 
393  }
394 
395  ssl->in_left = 0;
396  ssl->state++;
397 
398  SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
399 
400  return( 0 );
401 }
402 #endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
403 
404 static int ssl_parse_client_hello( ssl_context *ssl )
405 {
406  int ret;
407  unsigned int i, j;
408  size_t n;
409  unsigned int ciph_len, sess_len;
410  unsigned int comp_len;
411  unsigned int ext_len = 0;
412  unsigned char *buf, *p, *ext;
413  int renegotiation_info_seen = 0;
414  int handshake_failure = 0;
415 
416  SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
417 
418  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
419  ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
420  {
421  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
422  return( ret );
423  }
424 
425  buf = ssl->in_hdr;
426 
427 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
428  if( ( buf[0] & 0x80 ) != 0 )
429  return ssl_parse_client_hello_v2( ssl );
430 #endif
431 
432  SSL_DEBUG_BUF( 4, "record header", buf, 5 );
433 
434  SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
435  buf[0] ) );
436  SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
437  ( buf[3] << 8 ) | buf[4] ) );
438  SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
439  buf[1], buf[2] ) );
440 
441  /*
442  * SSLv3 Client Hello
443  *
444  * Record layer:
445  * 0 . 0 message type
446  * 1 . 2 protocol version
447  * 3 . 4 message length
448  */
449  if( buf[0] != SSL_MSG_HANDSHAKE ||
450  buf[1] != SSL_MAJOR_VERSION_3 )
451  {
452  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
454  }
455 
456  n = ( buf[3] << 8 ) | buf[4];
457 
458  if( n < 45 || n > 512 )
459  {
460  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
462  }
463 
464  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
465  ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
466  {
467  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
468  return( ret );
469  }
470 
471  buf = ssl->in_msg;
472  if( !ssl->renegotiation )
473  n = ssl->in_left - 5;
474  else
475  n = ssl->in_msglen;
476 
477  ssl->handshake->update_checksum( ssl, buf, n );
478 
479  /*
480  * SSL layer:
481  * 0 . 0 handshake type
482  * 1 . 3 handshake length
483  * 4 . 5 protocol version
484  * 6 . 9 UNIX time()
485  * 10 . 37 random bytes
486  * 38 . 38 session id length
487  * 39 . 38+x session id
488  * 39+x . 40+x ciphersuitelist length
489  * 41+x . .. ciphersuitelist
490  * .. . .. compression alg.
491  * .. . .. extensions
492  */
493  SSL_DEBUG_BUF( 4, "record contents", buf, n );
494 
495  SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
496  buf[0] ) );
497  SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
498  ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
499  SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
500  buf[4], buf[5] ) );
501 
502  /*
503  * Check the handshake type and protocol version
504  */
505  if( buf[0] != SSL_HS_CLIENT_HELLO ||
506  buf[4] != SSL_MAJOR_VERSION_3 )
507  {
508  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
510  }
511 
513  ssl->minor_ver = ( buf[5] <= SSL_MINOR_VERSION_3 )
514  ? buf[5] : SSL_MINOR_VERSION_3;
515 
516  if( ssl->minor_ver < ssl->min_minor_ver )
517  {
518  SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
519  " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
520  ssl->min_major_ver, ssl->min_minor_ver ) );
521 
524 
526  }
527 
528  ssl->max_major_ver = buf[4];
529  ssl->max_minor_ver = buf[5];
530 
531  memcpy( ssl->handshake->randbytes, buf + 6, 32 );
532 
533  /*
534  * Check the handshake message length
535  */
536  if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
537  {
538  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
540  }
541 
542  /*
543  * Check the session length
544  */
545  sess_len = buf[38];
546 
547  if( sess_len > 32 )
548  {
549  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
551  }
552 
553  ssl->session_negotiate->length = sess_len;
554  memset( ssl->session_negotiate->id, 0,
555  sizeof( ssl->session_negotiate->id ) );
556  memcpy( ssl->session_negotiate->id, buf + 39,
557  ssl->session_negotiate->length );
558 
559  /*
560  * Check the ciphersuitelist length
561  */
562  ciph_len = ( buf[39 + sess_len] << 8 )
563  | ( buf[40 + sess_len] );
564 
565  if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
566  {
567  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
569  }
570 
571  /*
572  * Check the compression algorithms length
573  */
574  comp_len = buf[41 + sess_len + ciph_len];
575 
576  if( comp_len < 1 || comp_len > 16 )
577  {
578  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
580  }
581 
582  /*
583  * Check the extension length
584  */
585  if( n > 42 + sess_len + ciph_len + comp_len )
586  {
587  ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
588  | ( buf[43 + sess_len + ciph_len + comp_len] );
589 
590  if( ( ext_len > 0 && ext_len < 4 ) ||
591  n != 44 + sess_len + ciph_len + comp_len + ext_len )
592  {
593  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
594  SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
596  }
597  }
598 
600 #if defined(POLARSSL_ZLIB_SUPPORT)
601  for( i = 0; i < comp_len; ++i )
602  {
603  if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
604  {
606  break;
607  }
608  }
609 #endif
610 
611  SSL_DEBUG_BUF( 3, "client hello, random bytes",
612  buf + 6, 32 );
613  SSL_DEBUG_BUF( 3, "client hello, session id",
614  buf + 38, sess_len );
615  SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
616  buf + 41 + sess_len, ciph_len );
617  SSL_DEBUG_BUF( 3, "client hello, compression",
618  buf + 42 + sess_len + ciph_len, comp_len );
619 
620  /*
621  * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
622  */
623  for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
624  {
625  if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
626  {
627  SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
628  if( ssl->renegotiation == SSL_RENEGOTIATION )
629  {
630  SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
631 
632  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
633  return( ret );
634 
636  }
638  break;
639  }
640  }
641 
642  /*
643  * Search for a matching ciphersuite
644  */
645  for( i = 0; ssl->ciphersuites[ssl->minor_ver][i] != 0; i++ )
646  {
647  for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
648  j += 2, p += 2 )
649  {
650  if( p[0] == 0 && p[1] == ssl->ciphersuites[ssl->minor_ver][i] &&
652  goto have_ciphersuite;
653  }
654  }
655 
656  SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
657 
659 
660 have_ciphersuite:
661  ssl->session_negotiate->ciphersuite = ssl->ciphersuites[ssl->minor_ver][i];
663 
664  ext = buf + 44 + sess_len + ciph_len + comp_len;
665 
666  while( ext_len )
667  {
668  unsigned int ext_id = ( ( ext[0] << 8 )
669  | ( ext[1] ) );
670  unsigned int ext_size = ( ( ext[2] << 8 )
671  | ( ext[3] ) );
672 
673  if( ext_size + 4 > ext_len )
674  {
675  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
677  }
678  switch( ext_id )
679  {
680  case TLS_EXT_SERVERNAME:
681  SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
682  if( ssl->f_sni == NULL )
683  break;
684 
685  ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
686  if( ret != 0 )
687  return( ret );
688  break;
689 
691  SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
692  renegotiation_info_seen = 1;
693 
694  ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
695  if( ret != 0 )
696  return( ret );
697  break;
698 
699  case TLS_EXT_SIG_ALG:
700  SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
701  if( ssl->renegotiation == SSL_RENEGOTIATION )
702  break;
703 
704  ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
705  if( ret != 0 )
706  return( ret );
707  break;
708 
709  default:
710  SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
711  ext_id ) );
712  }
713 
714  ext_len -= 4 + ext_size;
715  ext += 4 + ext_size;
716 
717  if( ext_len > 0 && ext_len < 4 )
718  {
719  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
721  }
722  }
723 
724  /*
725  * Renegotiation security checks
726  */
729  {
730  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
731  handshake_failure = 1;
732  }
733  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
735  renegotiation_info_seen == 0 )
736  {
737  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
738  handshake_failure = 1;
739  }
740  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
743  {
744  SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
745  handshake_failure = 1;
746  }
747  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
749  renegotiation_info_seen == 1 )
750  {
751  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
752  handshake_failure = 1;
753  }
754 
755  if( handshake_failure == 1 )
756  {
757  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
758  return( ret );
759 
761  }
762 
763  ssl->in_left = 0;
764  ssl->state++;
765 
766  SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
767 
768  return( 0 );
769 }
770 
771 static int ssl_write_server_hello( ssl_context *ssl )
772 {
773  time_t t;
774  int ret, n;
775  size_t ext_len = 0;
776  unsigned char *buf, *p;
777 
778  SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
779 
780  /*
781  * 0 . 0 handshake type
782  * 1 . 3 handshake length
783  * 4 . 5 protocol version
784  * 6 . 9 UNIX time()
785  * 10 . 37 random bytes
786  */
787  buf = ssl->out_msg;
788  p = buf + 4;
789 
790  *p++ = (unsigned char) ssl->major_ver;
791  *p++ = (unsigned char) ssl->minor_ver;
792 
793  SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
794  buf[4], buf[5] ) );
795 
796  t = time( NULL );
797  *p++ = (unsigned char)( t >> 24 );
798  *p++ = (unsigned char)( t >> 16 );
799  *p++ = (unsigned char)( t >> 8 );
800  *p++ = (unsigned char)( t );
801 
802  SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
803 
804  if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
805  return( ret );
806 
807  p += 28;
808 
809  memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
810 
811  SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
812 
813  /*
814  * 38 . 38 session id length
815  * 39 . 38+n session id
816  * 39+n . 40+n chosen ciphersuite
817  * 41+n . 41+n chosen compression alg.
818  */
819  ssl->session_negotiate->length = n = 32;
820  *p++ = (unsigned char) ssl->session_negotiate->length;
821 
822  if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
823  ssl->f_get_cache == NULL ||
824  ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) != 0 )
825  {
826  /*
827  * Not found, create a new session id
828  */
829  ssl->handshake->resume = 0;
830  ssl->state++;
831 
832  if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
833  n ) ) != 0 )
834  return( ret );
835  }
836  else
837  {
838  /*
839  * Found a matching session, resuming it
840  */
841  ssl->handshake->resume = 1;
843 
844  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
845  {
846  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
847  return( ret );
848  }
849  }
850 
851  memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
852  p += ssl->session_negotiate->length;
853 
854  SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
855  SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
856  SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
857  ssl->handshake->resume ? "a" : "no" ) );
858 
859  *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
860  *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
861  *p++ = (unsigned char)( ssl->session_negotiate->compression );
862 
863  SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d",
864  ssl->session_negotiate->ciphersuite ) );
865  SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
866  ssl->session_negotiate->compression ) );
867 
869  {
870  SSL_DEBUG_MSG( 3, ( "server hello, prepping for secure renegotiation extension" ) );
871  ext_len += 5 + ssl->verify_data_len * 2;
872 
873  SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d",
874  ext_len ) );
875 
876  *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
877  *p++ = (unsigned char)( ( ext_len ) & 0xFF );
878 
879  /*
880  * Secure renegotiation
881  */
882  SSL_DEBUG_MSG( 3, ( "client hello, secure renegotiation extension" ) );
883 
884  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
885  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
886 
887  *p++ = 0x00;
888  *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
889  *p++ = ssl->verify_data_len * 2 & 0xFF;
890 
891  memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
892  p += ssl->verify_data_len;
893  memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
894  p += ssl->verify_data_len;
895  }
896 
897  ssl->out_msglen = p - buf;
899  ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
900 
901  ret = ssl_write_record( ssl );
902 
903  SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
904 
905  return( ret );
906 }
907 
908 static int ssl_write_certificate_request( ssl_context *ssl )
909 {
910  int ret;
911  size_t n = 0, dn_size, total_dn_size;
912  unsigned char *buf, *p;
913  const x509_cert *crt;
914 
915  SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
916 
917  ssl->state++;
918 
919  if( ssl->authmode == SSL_VERIFY_NONE )
920  {
921  SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
922  return( 0 );
923  }
924 
925  /*
926  * 0 . 0 handshake type
927  * 1 . 3 handshake length
928  * 4 . 4 cert type count
929  * 5 .. m-1 cert types
930  * m .. m+1 sig alg length (TLS 1.2 only)
931  * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
932  * n .. n+1 length of all DNs
933  * n+2 .. n+3 length of DN 1
934  * n+4 .. ... Distinguished Name #1
935  * ... .. ... length of DN 2, etc.
936  */
937  buf = ssl->out_msg;
938  p = buf + 4;
939 
940  /*
941  * At the moment, only RSA certificates are supported
942  */
943  *p++ = 1;
944  *p++ = SSL_CERT_TYPE_RSA_SIGN;
945 
946  /*
947  * Add signature_algorithms for verify (TLS 1.2)
948  * Only add current running algorithm that is already required for
949  * requested ciphersuite.
950  *
951  * Length is always 2
952  */
953  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
954  {
956 
957  *p++ = 0;
958  *p++ = 2;
959 
962  {
964  }
965 
966  *p++ = ssl->handshake->verify_sig_alg;
967  *p++ = SSL_SIG_RSA;
968 
969  n += 4;
970  }
971 
972  p += 2;
973  crt = ssl->ca_chain;
974 
975  total_dn_size = 0;
976  while( crt != NULL && crt->version != 0)
977  {
978  if( p - buf > 4096 )
979  break;
980 
981  dn_size = crt->subject_raw.len;
982  *p++ = (unsigned char)( dn_size >> 8 );
983  *p++ = (unsigned char)( dn_size );
984  memcpy( p, crt->subject_raw.p, dn_size );
985  p += dn_size;
986 
987  SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
988 
989  total_dn_size += 2 + dn_size;
990  crt = crt->next;
991  }
992 
993  ssl->out_msglen = p - buf;
996  ssl->out_msg[6 + n] = (unsigned char)( total_dn_size >> 8 );
997  ssl->out_msg[7 + n] = (unsigned char)( total_dn_size );
998 
999  ret = ssl_write_record( ssl );
1000 
1001  SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
1002 
1003  return( ret );
1004 }
1005 
1006 static int ssl_write_server_key_exchange( ssl_context *ssl )
1007 {
1008 #if defined(POLARSSL_DHM_C)
1009  int ret;
1010  size_t n, rsa_key_len = 0;
1011  unsigned char hash[64];
1012  int hash_id = 0;
1013  unsigned int hashlen = 0;
1014 #endif
1015 
1016  SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
1017 
1030  {
1031  SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
1032  ssl->state++;
1033  return( 0 );
1034  }
1035 
1036 #if !defined(POLARSSL_DHM_C)
1037  SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) );
1039 #else
1040 
1041  if( ssl->rsa_key == NULL )
1042  {
1043  SSL_DEBUG_MSG( 1, ( "got no private key" ) );
1045  }
1046 
1047  /*
1048  * Ephemeral DH parameters:
1049  *
1050  * struct {
1051  * opaque dh_p<1..2^16-1>;
1052  * opaque dh_g<1..2^16-1>;
1053  * opaque dh_Ys<1..2^16-1>;
1054  * } ServerDHParams;
1055  */
1056  if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
1057  ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
1058  {
1059  SSL_DEBUG_RET( 1, "mpi_copy", ret );
1060  return( ret );
1061  }
1062 
1063  if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
1064  mpi_size( &ssl->handshake->dhm_ctx.P ),
1065  ssl->out_msg + 4,
1066  &n, ssl->f_rng, ssl->p_rng ) ) != 0 )
1067  {
1068  SSL_DEBUG_RET( 1, "dhm_make_params", ret );
1069  return( ret );
1070  }
1071 
1072  SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
1073  SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1074  SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1075  SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
1076 
1077  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
1078  {
1079  md5_context md5;
1081 
1082  /*
1083  * digitally-signed struct {
1084  * opaque md5_hash[16];
1085  * opaque sha_hash[20];
1086  * };
1087  *
1088  * md5_hash
1089  * MD5(ClientHello.random + ServerHello.random
1090  * + ServerParams);
1091  * sha_hash
1092  * SHA(ClientHello.random + ServerHello.random
1093  * + ServerParams);
1094  */
1095  md5_starts( &md5 );
1096  md5_update( &md5, ssl->handshake->randbytes, 64 );
1097  md5_update( &md5, ssl->out_msg + 4, n );
1098  md5_finish( &md5, hash );
1099 
1100  sha1_starts( &sha1 );
1101  sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1102  sha1_update( &sha1, ssl->out_msg + 4, n );
1103  sha1_finish( &sha1, hash + 16 );
1104 
1105  hashlen = 36;
1106  hash_id = SIG_RSA_RAW;
1107  }
1108  else
1109  {
1110  /*
1111  * digitally-signed struct {
1112  * opaque client_random[32];
1113  * opaque server_random[32];
1114  * ServerDHParams params;
1115  * };
1116  */
1117 #if defined(POLARSSL_SHA4_C)
1118  if( ssl->handshake->sig_alg == SSL_HASH_SHA512 )
1119  {
1121 
1122  sha4_starts( &sha4, 0 );
1123  sha4_update( &sha4, ssl->handshake->randbytes, 64 );
1124  sha4_update( &sha4, ssl->out_msg + 4, n );
1125  sha4_finish( &sha4, hash );
1126 
1127  hashlen = 64;
1128  hash_id = SIG_RSA_SHA512;
1129  }
1130  else if( ssl->handshake->sig_alg == SSL_HASH_SHA384 )
1131  {
1133 
1134  sha4_starts( &sha4, 1 );
1135  sha4_update( &sha4, ssl->handshake->randbytes, 64 );
1136  sha4_update( &sha4, ssl->out_msg + 4, n );
1137  sha4_finish( &sha4, hash );
1138 
1139  hashlen = 48;
1140  hash_id = SIG_RSA_SHA384;
1141  }
1142  else
1143 #endif
1144 #if defined(POLARSSL_SHA2_C)
1145  if( ssl->handshake->sig_alg == SSL_HASH_SHA256 )
1146  {
1148 
1149  sha2_starts( &sha2, 0 );
1150  sha2_update( &sha2, ssl->handshake->randbytes, 64 );
1151  sha2_update( &sha2, ssl->out_msg + 4, n );
1152  sha2_finish( &sha2, hash );
1153 
1154  hashlen = 32;
1155  hash_id = SIG_RSA_SHA256;
1156  }
1157  else if( ssl->handshake->sig_alg == SSL_HASH_SHA224 )
1158  {
1160 
1161  sha2_starts( &sha2, 1 );
1162  sha2_update( &sha2, ssl->handshake->randbytes, 64 );
1163  sha2_update( &sha2, ssl->out_msg + 4, n );
1164  sha2_finish( &sha2, hash );
1165 
1166  hashlen = 24;
1167  hash_id = SIG_RSA_SHA224;
1168  }
1169  else
1170 #endif
1171  if( ssl->handshake->sig_alg == SSL_HASH_SHA1 )
1172  {
1174 
1175  sha1_starts( &sha1 );
1176  sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1177  sha1_update( &sha1, ssl->out_msg + 4, n );
1178  sha1_finish( &sha1, hash );
1179 
1180  hashlen = 20;
1181  hash_id = SIG_RSA_SHA1;
1182  }
1183  else if( ssl->handshake->sig_alg == SSL_HASH_MD5 )
1184  {
1185  md5_context md5;
1186 
1187  md5_starts( &md5 );
1188  md5_update( &md5, ssl->handshake->randbytes, 64 );
1189  md5_update( &md5, ssl->out_msg + 4, n );
1190  md5_finish( &md5, hash );
1191 
1192  hashlen = 16;
1193  hash_id = SIG_RSA_MD5;
1194  }
1195  }
1196 
1197  SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
1198 
1199  if ( ssl->rsa_key )
1200  rsa_key_len = ssl->rsa_key_len( ssl->rsa_key );
1201 
1202  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1203  {
1204  ssl->out_msg[4 + n] = ssl->handshake->sig_alg;
1205  ssl->out_msg[5 + n] = SSL_SIG_RSA;
1206 
1207  n += 2;
1208  }
1209 
1210  ssl->out_msg[4 + n] = (unsigned char)( rsa_key_len >> 8 );
1211  ssl->out_msg[5 + n] = (unsigned char)( rsa_key_len );
1212 
1213  if ( ssl->rsa_key )
1214  {
1215  ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
1216  RSA_PRIVATE,
1217  hash_id, hashlen, hash,
1218  ssl->out_msg + 6 + n );
1219  }
1220 
1221  if( ret != 0 )
1222  {
1223  SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
1224  return( ret );
1225  }
1226 
1227  SSL_DEBUG_BUF( 3, "my RSA sig", ssl->out_msg + 6 + n, rsa_key_len );
1228 
1229  ssl->out_msglen = 6 + n + rsa_key_len;
1232 
1233  ssl->state++;
1234 
1235  if( ( ret = ssl_write_record( ssl ) ) != 0 )
1236  {
1237  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1238  return( ret );
1239  }
1240 
1241  SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
1242 
1243  return( 0 );
1244 #endif
1245 }
1246 
1247 static int ssl_write_server_hello_done( ssl_context *ssl )
1248 {
1249  int ret;
1250 
1251  SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
1252 
1253  ssl->out_msglen = 4;
1256 
1257  ssl->state++;
1258 
1259  if( ( ret = ssl_write_record( ssl ) ) != 0 )
1260  {
1261  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1262  return( ret );
1263  }
1264 
1265  SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
1266 
1267  return( 0 );
1268 }
1269 
1270 static int ssl_parse_client_key_exchange( ssl_context *ssl )
1271 {
1272  int ret;
1273  size_t i, n = 0;
1274 
1275  SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
1276 
1277  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1278  {
1279  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1280  return( ret );
1281  }
1282 
1283  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1284  {
1285  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
1287  }
1288 
1289  if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
1290  {
1291  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
1293  }
1294 
1307  {
1308 #if !defined(POLARSSL_DHM_C)
1309  SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) );
1311 #else
1312  /*
1313  * Receive G^Y mod P, premaster = (G^Y)^X mod P
1314  */
1315  n = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
1316 
1317  if( n < 1 || n > ssl->handshake->dhm_ctx.len ||
1318  n + 6 != ssl->in_hslen )
1319  {
1320  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
1322  }
1323 
1324  if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx,
1325  ssl->in_msg + 6, n ) ) != 0 )
1326  {
1327  SSL_DEBUG_RET( 1, "dhm_read_public", ret );
1329  }
1330 
1331  SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
1332 
1333  ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
1334 
1335  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
1336  ssl->handshake->premaster,
1337  &ssl->handshake->pmslen ) ) != 0 )
1338  {
1339  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
1341  }
1342 
1343  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
1344 #endif
1345  }
1346  else
1347  {
1348  if( ssl->rsa_key == NULL )
1349  {
1350  SSL_DEBUG_MSG( 1, ( "got no private key" ) );
1352  }
1353 
1354  /*
1355  * Decrypt the premaster using own private RSA key
1356  */
1357  i = 4;
1358  if( ssl->rsa_key )
1359  n = ssl->rsa_key_len( ssl->rsa_key );
1360  ssl->handshake->pmslen = 48;
1361 
1362  if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
1363  {
1364  i += 2;
1365  if( ssl->in_msg[4] != ( ( n >> 8 ) & 0xFF ) ||
1366  ssl->in_msg[5] != ( ( n ) & 0xFF ) )
1367  {
1368  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
1370  }
1371  }
1372 
1373  if( ssl->in_hslen != i + n )
1374  {
1375  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
1377  }
1378 
1379  if( ssl->rsa_key ) {
1380  ret = ssl->rsa_decrypt( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
1381  RSA_PRIVATE,
1382  &ssl->handshake->pmslen,
1383  ssl->in_msg + i,
1384  ssl->handshake->premaster,
1385  sizeof(ssl->handshake->premaster) );
1386  }
1387 
1388  if( ret != 0 || ssl->handshake->pmslen != 48 ||
1389  ssl->handshake->premaster[0] != ssl->max_major_ver ||
1390  ssl->handshake->premaster[1] != ssl->max_minor_ver )
1391  {
1392  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
1393 
1394  /*
1395  * Protection against Bleichenbacher's attack:
1396  * invalid PKCS#1 v1.5 padding must not cause
1397  * the connection to end immediately; instead,
1398  * send a bad_record_mac later in the handshake.
1399  */
1400  ssl->handshake->pmslen = 48;
1401 
1402  ret = ssl->f_rng( ssl->p_rng, ssl->handshake->premaster,
1403  ssl->handshake->pmslen );
1404  if( ret != 0 )
1405  return( ret );
1406  }
1407  }
1408 
1409  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1410  {
1411  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1412  return( ret );
1413  }
1414 
1415  ssl->state++;
1416 
1417  SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
1418 
1419  return( 0 );
1420 }
1421 
1422 static int ssl_parse_certificate_verify( ssl_context *ssl )
1423 {
1424  int ret;
1425  size_t n = 0, n1, n2;
1426  unsigned char hash[48];
1427  int hash_id;
1428  unsigned int hashlen;
1429 
1430  SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
1431 
1432  if( ssl->session_negotiate->peer_cert == NULL )
1433  {
1434  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
1435  ssl->state++;
1436  return( 0 );
1437  }
1438 
1439  ssl->handshake->calc_verify( ssl, hash );
1440 
1441  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1442  {
1443  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1444  return( ret );
1445  }
1446 
1447  ssl->state++;
1448 
1449  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1450  {
1451  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
1453  }
1454 
1455  if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
1456  {
1457  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
1459  }
1460 
1461  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1462  {
1463  /*
1464  * As server we know we either have SSL_HASH_SHA384 or
1465  * SSL_HASH_SHA256
1466  */
1467  if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg ||
1468  ssl->in_msg[5] != SSL_SIG_RSA )
1469  {
1470  SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg for verify message" ) );
1472  }
1473 
1475  {
1476  hashlen = 48;
1477  hash_id = SIG_RSA_SHA384;
1478  }
1479  else
1480  {
1481  hashlen = 32;
1482  hash_id = SIG_RSA_SHA256;
1483  }
1484 
1485  n += 2;
1486  }
1487  else
1488  {
1489  hashlen = 36;
1490  hash_id = SIG_RSA_RAW;
1491  }
1492 
1493  n1 = ssl->session_negotiate->peer_cert->rsa.len;
1494  n2 = ( ssl->in_msg[4 + n] << 8 ) | ssl->in_msg[5 + n];
1495 
1496  if( n + n1 + 6 != ssl->in_hslen || n1 != n2 )
1497  {
1498  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
1500  }
1501 
1503  NULL, NULL, RSA_PUBLIC,
1504  hash_id, hashlen, hash, ssl->in_msg + 6 + n );
1505  if( ret != 0 )
1506  {
1507  SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
1508  return( ret );
1509  }
1510 
1511  SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
1512 
1513  return( 0 );
1514 }
1515 
1516 /*
1517  * SSL handshake -- server side -- single step
1518  */
1520 {
1521  int ret = 0;
1522 
1523  if( ssl->state == SSL_HANDSHAKE_OVER )
1525 
1526  SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
1527 
1528  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1529  return( ret );
1530 
1531  switch( ssl->state )
1532  {
1533  case SSL_HELLO_REQUEST:
1534  ssl->state = SSL_CLIENT_HELLO;
1535  break;
1536 
1537  /*
1538  * <== ClientHello
1539  */
1540  case SSL_CLIENT_HELLO:
1541  ret = ssl_parse_client_hello( ssl );
1542  break;
1543 
1544  /*
1545  * ==> ServerHello
1546  * Certificate
1547  * ( ServerKeyExchange )
1548  * ( CertificateRequest )
1549  * ServerHelloDone
1550  */
1551  case SSL_SERVER_HELLO:
1552  ret = ssl_write_server_hello( ssl );
1553  break;
1554 
1556  ret = ssl_write_certificate( ssl );
1557  break;
1558 
1560  ret = ssl_write_server_key_exchange( ssl );
1561  break;
1562 
1564  ret = ssl_write_certificate_request( ssl );
1565  break;
1566 
1567  case SSL_SERVER_HELLO_DONE:
1568  ret = ssl_write_server_hello_done( ssl );
1569  break;
1570 
1571  /*
1572  * <== ( Certificate/Alert )
1573  * ClientKeyExchange
1574  * ( CertificateVerify )
1575  * ChangeCipherSpec
1576  * Finished
1577  */
1579  ret = ssl_parse_certificate( ssl );
1580  break;
1581 
1583  ret = ssl_parse_client_key_exchange( ssl );
1584  break;
1585 
1587  ret = ssl_parse_certificate_verify( ssl );
1588  break;
1589 
1591  ret = ssl_parse_change_cipher_spec( ssl );
1592  break;
1593 
1594  case SSL_CLIENT_FINISHED:
1595  ret = ssl_parse_finished( ssl );
1596  break;
1597 
1598  /*
1599  * ==> ChangeCipherSpec
1600  * Finished
1601  */
1603  ret = ssl_write_change_cipher_spec( ssl );
1604  break;
1605 
1606  case SSL_SERVER_FINISHED:
1607  ret = ssl_write_finished( ssl );
1608  break;
1609 
1610  case SSL_FLUSH_BUFFERS:
1611  SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
1612  ssl->state = SSL_HANDSHAKE_WRAPUP;
1613  break;
1614 
1615  case SSL_HANDSHAKE_WRAPUP:
1616  ssl_handshake_wrapup( ssl );
1617  break;
1618 
1619  default:
1620  SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
1622  }
1623 
1624  return( ret );
1625 }
1626 #endif
#define SSL_HS_CLIENT_KEY_EXCHANGE
Definition: ssl.h:255
#define SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:218
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS 1.2.
Definition: ssl.h:173
size_t length
Definition: ssl.h:322
#define SIG_RSA_MD5
Definition: rsa.h:51
int ciphersuite
Definition: ssl.h:320
mpi P
Definition: dhm.h:139
size_t in_hslen
Definition: ssl.h:469
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:419
#define TLS_EXT_SERVERNAME_HOSTNAME
Definition: ssl.h:262
SHA-256 context structure.
Definition: sha2.h:50
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_CS
Processing of the ClientKeyExchange handshake message failed in DHM Calculate Secret.
Definition: ssl.h:85
int major_ver
Definition: ssl.h:408
void(* update_checksum)(ssl_context *, unsigned char *, size_t)
Definition: ssl.h:384
#define SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:38
SHA-1 context structure.
Definition: sha1.h:50
int compression
Definition: ssl.h:321
const int ** ciphersuites
Definition: ssl.h:505
int state
Definition: ssl.h:405
char peer_verify_data[36]
Definition: ssl.h:525
#define SSL_HS_CLIENT_HELLO
Definition: ssl.h:248
Debug functions.
int ssl_get_ciphersuite_min_version(const int ciphersuite_id)
int(* f_sni)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:426
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
void(* calc_verify)(ssl_context *, unsigned char *)
Definition: ssl.h:385
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
#define SSL_HS_SERVER_KEY_EXCHANGE
Definition: ssl.h:251
x509_cert * peer_cert
Definition: ssl.h:325
#define SSL_HASH_SHA1
Definition: ssl.h:196
ssl_session * session_negotiate
Definition: ssl.h:444
x509_cert * ca_chain
Definition: ssl.h:492
int ssl_parse_certificate(ssl_context *ssl)
size_t out_msglen
Definition: ssl.h:480
mpi GX
Definition: dhm.h:142
#define SSL_SIG_RSA
Definition: ssl.h:202
int ssl_parse_finished(ssl_context *ssl)
void * p_rng
Definition: ssl.h:428
rsa_sign_func rsa_sign
Definition: ssl.h:488
#define RSA_PUBLIC
Definition: rsa.h:58
mpi dhm_P
Definition: ssl.h:508
#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
TLS 1.2.
Definition: ssl.h:180
#define SSL_RENEGOTIATION
Definition: ssl.h:114
int ssl_write_finished(ssl_context *ssl)
Configuration options (set of defines)
#define SSL_DEBUG_MSG(level, args)
Definition: debug.h:35
mpi X
Definition: dhm.h:141
void ssl_handshake_wrapup(ssl_context *ssl)
char own_verify_data[36]
Definition: ssl.h:524
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_RP
Processing of the ClientKeyExchange handshake message failed in DHM Read Public.
Definition: ssl.h:84
#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Definition: ssl.h:187
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
size_t in_msglen
Definition: ssl.h:466
unsigned char * in_hdr
Definition: ssl.h:461
int secure_renegotiation
Definition: ssl.h:521
Container for an X.509 certificate.
Definition: x509.h:288
#define SSL_HASH_MD5
Definition: ssl.h:195
int ssl_handshake_server_step(ssl_context *ssl)
#define SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:122
#define SSL_MAJOR_VERSION_3
Definition: ssl.h:98
#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Definition: ssl.h:164
unsigned char id[32]
Definition: ssl.h:323
size_t len
Definition: dhm.h:138
int max_major_ver
Definition: ssl.h:411
size_t len
Definition: rsa.h:138
#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Definition: ssl.h:186
int max_minor_ver
Definition: ssl.h:412
unsigned char premaster[POLARSSL_MPI_MAX_SIZE]
Definition: ssl.h:394
void sha4_starts(sha4_context *ctx, int is384)
SHA-512 context setup.
#define TLS_EXT_SIG_ALG
Definition: ssl.h:264
#define SSL_HS_CERTIFICATE_REQUEST
Definition: ssl.h:252
#define SSL_CERT_TYPE_RSA_SIGN
Definition: ssl.h:207
#define TLS_RSA_WITH_AES_256_GCM_SHA384
Definition: ssl.h:185
ssl_handshake_params * handshake
Definition: ssl.h:446
#define SSL_MSG_HANDSHAKE
Definition: ssl.h:214
int ssl_write_certificate(ssl_context *ssl)
#define SSL_ALERT_MSG_PROTOCOL_VERSION
Definition: ssl.h:239
#define SIG_RSA_SHA512
Definition: rsa.h:56
rsa_key_len_func rsa_key_len
Definition: ssl.h:489
int in_msgtype
Definition: ssl.h:465
#define RSA_PRIVATE
Definition: rsa.h:59
size_t verify_data_len
Definition: ssl.h:523
mpi dhm_G
Definition: ssl.h:509
#define SSL_ALERT_MSG_UNRECOGNIZED_NAME
Definition: ssl.h:245
#define SIG_RSA_SHA1
Definition: rsa.h:52
mpi G
Definition: dhm.h:140
int min_minor_ver
Definition: ssl.h:414
unsigned char * out_msg
Definition: ssl.h:477
#define SSL_MINOR_VERSION_0
Definition: ssl.h:99
#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION
Handshake protocol not within min/max boundaries.
Definition: ssl.h:93
#define SSL_HS_SERVER_HELLO_DONE
Definition: ssl.h:253
#define TLS_DHE_RSA_WITH_DES_CBC_SHA
Weak! Not in TLS 1.2.
Definition: ssl.h:158
void sha4_update(sha4_context *ctx, const unsigned char *input, size_t ilen)
SHA-512 process buffer.
unsigned char * p
ASN1 data, e.g.
Definition: asn1.h:112
#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
Definition: ssl.h:176
mpi GY
Definition: dhm.h:143
void * p_get_cache
Definition: ssl.h:433
void md5_starts(md5_context *ctx)
MD5 context setup.
int authmode
Definition: ssl.h:500
int ssl_flush_output(ssl_context *ssl)
rsa_decrypt_func rsa_decrypt
Definition: ssl.h:487
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Definition: ssl.h:169
#define SSL_HS_SERVER_HELLO
Definition: ssl.h:249
#define SSL_COMPRESS_DEFLATE
Definition: ssl.h:107
unsigned char * in_msg
Definition: ssl.h:462
#define SSL_MINOR_VERSION_3
Definition: ssl.h:102
mpi K
Definition: dhm.h:144
MD5 context structure.
Definition: md5.h:50
#define TLS_EXT_RENEGOTIATION_INFO
Definition: ssl.h:266
int ssl_parse_change_cipher_spec(ssl_context *ssl)
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
int minor_ver
Definition: ssl.h:409
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO
Processing of the ClientHello handshake message failed.
Definition: ssl.h:77
struct _x509_cert * next
Next certificate in the CA-chain.
Definition: x509.h:328
#define SSL_EMPTY_RENEGOTIATION_INFO
renegotiation info ext
Definition: ssl.h:189
#define SSL_HASH_SHA256
Definition: ssl.h:198
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS 1.2.
Definition: ssl.h:172
#define SSL_VERIFY_NONE
Definition: ssl.h:109
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:41
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
Processing of the ClientKeyExchange handshake message failed.
Definition: ssl.h:83
#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED
The own private key is not set, but needed.
Definition: ssl.h:71
#define SSL_INITIAL_HANDSHAKE
Definition: ssl.h:113
size_t in_left
Definition: ssl.h:467
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
Definition: ssl.h:178
void sha2_update(sha2_context *ctx, const unsigned char *input, size_t ilen)
SHA-256 process buffer.
int allow_legacy_renegotiation
Definition: ssl.h:504
#define SSL_COMPRESS_NULL
Definition: ssl.h:106
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen)
Derive and export the shared secret (G^Y)^X mod P.
int ssl_read_record(ssl_context *ssl)
size_t len
ASN1 length, e.g.
Definition: asn1.h:111
void sha4(const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = SHA-512( input buffer )
int out_msgtype
Definition: ssl.h:479
#define SIG_RSA_SHA224
Definition: rsa.h:53
#define SSL_HS_CERTIFICATE_VERIFY
Definition: ssl.h:254
#define TLS_EXT_SERVERNAME
Definition: ssl.h:261
#define SSL_DEBUG_MPI(level, text, X)
Definition: debug.h:44
size_t mpi_size(const mpi *X)
Return the total size in bytes.
int mpi_copy(mpi *X, const mpi *Y)
Copy the contents of Y into X.
x509_buf subject_raw
The raw subject data (DER).
Definition: x509.h:298
#define SSL_LEGACY_BREAK_HANDSHAKE
Definition: ssl.h:124
int min_major_ver
Definition: ssl.h:413
SHA-512 context structure.
Definition: sha4.h:51
#define SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:116
#define SSL_HASH_SHA224
Definition: ssl.h:197
#define SSL_SECURE_RENEGOTIATION
Definition: ssl.h:117
#define SIG_RSA_SHA256
Definition: rsa.h:54
SSL/TLS functions.
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Definition: ssl.h:167
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
int ssl_write_change_cipher_spec(ssl_context *ssl)
int(* f_get_cache)(void *, ssl_session *)
Definition: ssl.h:424
void sha2(const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = SHA-256( input buffer )
void * rsa_key
Definition: ssl.h:486
int ssl_derive_keys(ssl_context *ssl)
void sha4_finish(sha4_context *ctx, unsigned char output[64])
SHA-512 final digest.
#define SIG_RSA_SHA384
Definition: rsa.h:55
int renegotiation
Definition: ssl.h:406
dhm_context dhm_ctx
Definition: ssl.h:373
#define SIG_RSA_RAW
Definition: rsa.h:48
void ssl_optimize_checksum(ssl_context *ssl, int ciphersuite)
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
void sha2_starts(sha2_context *ctx, int is224)
SHA-256 context setup.
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
TLS 1.2.
Definition: ssl.h:182
int version
The X.509 version.
Definition: x509.h:293
rsa_context rsa
Container for the RSA context.
Definition: x509.h:307
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition: ssl.h:60
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition: ssl.h:61
#define SSL_HASH_SHA512
Definition: ssl.h:200
#define SSL_HASH_SHA384
Definition: ssl.h:199
int ssl_fetch_input(ssl_context *ssl, size_t nb_want)
int dhm_make_params(dhm_context *ctx, int x_size, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Setup and write the ServerKeyExchange parameters.
int ssl_write_record(ssl_context *ssl)
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
Processing of the CertificateVerify handshake message failed.
Definition: ssl.h:86
int rsa_pkcs1_verify(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Generic wrapper to perform a PKCS#1 verification using the mode from the context. ...
int dhm_read_public(dhm_context *ctx, const unsigned char *input, size_t ilen)
Import the peer&#39;s public value G^Y.
unsigned char randbytes[64]
Definition: ssl.h:393
void sha2_finish(sha2_context *ctx, unsigned char output[32])
SHA-256 final digest.
#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN
The server has no ciphersuites in common with the client.
Definition: ssl.h:66
void * p_sni
Definition: ssl.h:435