PolarSSL v1.3.1
ssl_srv.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 server-side functions
3  *
4  * Copyright (C) 2006-2013, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 #include "polarssl/config.h"
27 
28 #if defined(POLARSSL_SSL_SRV_C)
29 
30 #include "polarssl/debug.h"
31 #include "polarssl/ssl.h"
32 #if defined(POLARSSL_ECP_C)
33 #include "polarssl/ecp.h"
34 #endif
35 
36 #if defined(POLARSSL_MEMORY_C)
37 #include "polarssl/memory.h"
38 #else
39 #define polarssl_malloc malloc
40 #define polarssl_free free
41 #endif
42 
43 #include <stdlib.h>
44 #include <stdio.h>
45 
46 #if defined(POLARSSL_HAVE_TIME)
47 #include <time.h>
48 #endif
49 
50 #if defined(POLARSSL_SSL_SESSION_TICKETS)
51 /*
52  * Serialize a session in the following format:
53  * 0 . n-1 session structure, n = sizeof(ssl_session)
54  * n . n+2 peer_cert length = m (0 if no certificate)
55  * n+3 . n+2+m peer cert ASN.1
56  *
57  * Assumes ticket is NULL (always true on server side).
58  */
59 static int ssl_save_session( const ssl_session *session,
60  unsigned char *buf, size_t buf_len,
61  size_t *olen )
62 {
63  unsigned char *p = buf;
64  size_t left = buf_len;
65 #if defined(POLARSSL_X509_CRT_PARSE_C)
66  size_t cert_len;
67 #endif /* POLARSSL_X509_CRT_PARSE_C */
68 
69  if( left < sizeof( ssl_session ) )
70  return( -1 );
71 
72  memcpy( p, session, sizeof( ssl_session ) );
73  p += sizeof( ssl_session );
74  left -= sizeof( ssl_session );
75 
76 #if defined(POLARSSL_X509_CRT_PARSE_C)
77  ((ssl_session *) buf)->peer_cert = NULL;
78 
79  if( session->peer_cert == NULL )
80  cert_len = 0;
81  else
82  cert_len = session->peer_cert->raw.len;
83 
84  if( left < 3 + cert_len )
85  return( -1 );
86 
87  *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
88  *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
89  *p++ = (unsigned char)( cert_len & 0xFF );
90 
91  if( session->peer_cert != NULL )
92  memcpy( p, session->peer_cert->raw.p, cert_len );
93 
94  p += cert_len;
95 #endif /* POLARSSL_X509_CRT_PARSE_C */
96 
97  *olen = p - buf;
98 
99  return( 0 );
100 }
101 
102 /*
103  * Unserialise session, see ssl_save_session()
104  */
105 static int ssl_load_session( ssl_session *session,
106  const unsigned char *buf, size_t len )
107 {
108  const unsigned char *p = buf;
109  const unsigned char * const end = buf + len;
110 #if defined(POLARSSL_X509_CRT_PARSE_C)
111  size_t cert_len;
112 #endif /* POLARSSL_X509_CRT_PARSE_C */
113 
114  if( p + sizeof( ssl_session ) > end )
116 
117  memcpy( session, p, sizeof( ssl_session ) );
118  p += sizeof( ssl_session );
119 
120 #if defined(POLARSSL_X509_CRT_PARSE_C)
121  if( p + 3 > end )
123 
124  cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
125  p += 3;
126 
127  if( cert_len == 0 )
128  {
129  session->peer_cert = NULL;
130  }
131  else
132  {
133  int ret;
134 
135  if( p + cert_len > end )
137 
138  session->peer_cert = polarssl_malloc( sizeof( x509_crt ) );
139 
140  if( session->peer_cert == NULL )
142 
143  x509_crt_init( session->peer_cert );
144 
145  if( ( ret = x509_crt_parse( session->peer_cert, p, cert_len ) ) != 0 )
146  {
147  x509_crt_free( session->peer_cert );
148  polarssl_free( session->peer_cert );
149  session->peer_cert = NULL;
150  return( ret );
151  }
152 
153  p += cert_len;
154  }
155 #endif /* POLARSSL_X509_CRT_PARSE_C */
156 
157  if( p != end )
159 
160  return( 0 );
161 }
162 
163 /*
164  * Create session ticket, secured as recommended in RFC 5077 section 4:
165  *
166  * struct {
167  * opaque key_name[16];
168  * opaque iv[16];
169  * opaque encrypted_state<0..2^16-1>;
170  * opaque mac[32];
171  * } ticket;
172  *
173  * (the internal state structure differs, however).
174  */
175 static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
176 {
177  int ret;
178  unsigned char * const start = ssl->out_msg + 10;
179  unsigned char *p = start;
180  unsigned char *state;
181  unsigned char iv[16];
182  size_t clear_len, enc_len, pad_len, i;
183 
184  *tlen = 0;
185 
186  if( ssl->ticket_keys == NULL )
188 
189  /* Write key name */
190  memcpy( p, ssl->ticket_keys->key_name, 16 );
191  p += 16;
192 
193  /* Generate and write IV (with a copy for aes_crypt) */
194  if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
195  return( ret );
196  memcpy( iv, p, 16 );
197  p += 16;
198 
199  /*
200  * Dump session state
201  *
202  * After the session state itself, we still need room for 16 bytes of
203  * padding and 32 bytes of MAC, so there's only so much room left
204  */
205  state = p + 2;
206  if( ssl_save_session( ssl->session_negotiate, state,
207  SSL_MAX_CONTENT_LEN - (state - ssl->out_ctr) - 48,
208  &clear_len ) != 0 )
209  {
211  }
212  SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
213 
214  /* Apply PKCS padding */
215  pad_len = 16 - clear_len % 16;
216  enc_len = clear_len + pad_len;
217  for( i = clear_len; i < enc_len; i++ )
218  state[i] = (unsigned char) pad_len;
219 
220  /* Encrypt */
221  if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
222  enc_len, iv, state, state ) ) != 0 )
223  {
224  return( ret );
225  }
226 
227  /* Write length */
228  *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
229  *p++ = (unsigned char)( ( enc_len ) & 0xFF );
230  p = state + enc_len;
231 
232  /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
233  sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
234  p += 32;
235 
236  *tlen = p - start;
237 
238  SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
239 
240  return( 0 );
241 }
242 
243 /*
244  * Load session ticket (see ssl_write_ticket for structure)
245  */
246 static int ssl_parse_ticket( ssl_context *ssl,
247  unsigned char *buf,
248  size_t len )
249 {
250  int ret;
251  ssl_session session;
252  unsigned char *key_name = buf;
253  unsigned char *iv = buf + 16;
254  unsigned char *enc_len_p = iv + 16;
255  unsigned char *ticket = enc_len_p + 2;
256  unsigned char *mac;
257  unsigned char computed_mac[32];
258  size_t enc_len, clear_len, i;
259  unsigned char pad_len;
260 
261  SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
262 
263  if( len < 34 || ssl->ticket_keys == NULL )
265 
266  enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
267  mac = ticket + enc_len;
268 
269  if( len != enc_len + 66 )
271 
272  /* Check name */
273  if( memcmp( key_name, ssl->ticket_keys->key_name, 16 ) != 0 )
275 
276  /* Check mac */
277  sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
278  computed_mac, 0 );
279  ret = 0;
280  for( i = 0; i < 32; i++ )
281  if( mac[i] != computed_mac[i] )
283  if( ret != 0 )
284  return( ret );
285 
286  /* Decrypt */
287  if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
288  enc_len, iv, ticket, ticket ) ) != 0 )
289  {
290  return( ret );
291  }
292 
293  /* Check PKCS padding */
294  pad_len = ticket[enc_len - 1];
295 
296  ret = 0;
297  for( i = 2; i < pad_len; i++ )
298  if( ticket[enc_len - i] != pad_len )
300  if( ret != 0 )
301  return( ret );
302 
303  clear_len = enc_len - pad_len;
304 
305  SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
306 
307  /* Actually load session */
308  if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
309  {
310  SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
311  memset( &session, 0, sizeof( ssl_session ) );
312  return( ret );
313  }
314 
315 #if defined(POLARSSL_HAVE_TIME)
316  /* Check if still valid */
317  if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
318  {
319  SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
320  memset( &session, 0, sizeof( ssl_session ) );
322  }
323 #endif
324 
325  /*
326  * Keep the session ID sent by the client, since we MUST send it back to
327  * inform him we're accepting the ticket (RFC 5077 section 3.4)
328  */
329  session.length = ssl->session_negotiate->length;
330  memcpy( &session.id, ssl->session_negotiate->id, session.length );
331 
333  memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
334  memset( &session, 0, sizeof( ssl_session ) );
335 
336  return( 0 );
337 }
338 #endif /* POLARSSL_SSL_SESSION_TICKETS */
339 
340 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
341 /*
342  * Wrapper around f_sni, allowing use of ssl_set_own_cert() but
343  * making it act on ssl->hanshake->sni_key_cert instead.
344  */
345 static int ssl_sni_wrapper( ssl_context *ssl,
346  const unsigned char* name, size_t len )
347 {
348  int ret;
349  ssl_key_cert *key_cert_ori = ssl->key_cert;
350 
351  ssl->key_cert = NULL;
352  ret = ssl->f_sni( ssl->p_sni, ssl, name, len );
353  ssl->handshake->sni_key_cert = ssl->key_cert;
354 
355  ssl->key_cert = key_cert_ori;
356 
357  return( ret );
358 }
359 
360 static int ssl_parse_servername_ext( ssl_context *ssl,
361  const unsigned char *buf,
362  size_t len )
363 {
364  int ret;
365  size_t servername_list_size, hostname_len;
366  const unsigned char *p;
367 
368  servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
369  if( servername_list_size + 2 != len )
370  {
371  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
373  }
374 
375  p = buf + 2;
376  while( servername_list_size > 0 )
377  {
378  hostname_len = ( ( p[1] << 8 ) | p[2] );
379  if( hostname_len + 3 > servername_list_size )
380  {
381  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
383  }
384 
385  if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
386  {
387  ret = ssl_sni_wrapper( ssl, p + 3, hostname_len );
388  if( ret != 0 )
389  {
393  }
394  return( 0 );
395  }
396 
397  servername_list_size -= hostname_len + 3;
398  p += hostname_len + 3;
399  }
400 
401  if( servername_list_size != 0 )
402  {
403  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
405  }
406 
407  return( 0 );
408 }
409 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
410 
411 static int ssl_parse_renegotiation_info( ssl_context *ssl,
412  const unsigned char *buf,
413  size_t len )
414 {
415  int ret;
416 
418  {
419  if( len != 1 || buf[0] != 0x0 )
420  {
421  SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
422 
423  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
424  return( ret );
425 
427  }
428 
430  }
431  else
432  {
433  if( len != 1 + ssl->verify_data_len ||
434  buf[0] != ssl->verify_data_len ||
435  memcmp( buf + 1, ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
436  {
437  SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
438 
439  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
440  return( ret );
441 
443  }
444  }
445 
446  return( 0 );
447 }
448 
449 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
450 static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
451  const unsigned char *buf,
452  size_t len )
453 {
454  size_t sig_alg_list_size;
455  const unsigned char *p;
456 
457  sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
458  if( sig_alg_list_size + 2 != len ||
459  sig_alg_list_size %2 != 0 )
460  {
461  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
463  }
464 
465  p = buf + 2;
466  while( sig_alg_list_size > 0 )
467  {
468  /*
469  * For now, just ignore signature algorithm and rely on offered
470  * ciphersuites only. To be fixed later.
471  */
472 #if defined(POLARSSL_SHA512_C)
473  if( p[0] == SSL_HASH_SHA512 )
474  {
476  break;
477  }
478  if( p[0] == SSL_HASH_SHA384 )
479  {
481  break;
482  }
483 #endif
484 #if defined(POLARSSL_SHA256_C)
485  if( p[0] == SSL_HASH_SHA256 )
486  {
488  break;
489  }
490  if( p[0] == SSL_HASH_SHA224 )
491  {
493  break;
494  }
495 #endif
496  if( p[0] == SSL_HASH_SHA1 )
497  {
499  break;
500  }
501  if( p[0] == SSL_HASH_MD5 )
502  {
504  break;
505  }
506 
507  sig_alg_list_size -= 2;
508  p += 2;
509  }
510 
511  SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
512  ssl->handshake->sig_alg ) );
513 
514  return( 0 );
515 }
516 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
517 
518 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
519 static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
520  const unsigned char *buf,
521  size_t len )
522 {
523  size_t list_size, our_size;
524  const unsigned char *p;
525  const ecp_curve_info *curve_info, **curves;
526 
527  list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
528  if( list_size + 2 != len ||
529  list_size % 2 != 0 )
530  {
531  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
533  }
534 
535  /* Don't allow our peer to make use allocated too much memory,
536  * and leave room for a final 0 */
537  our_size = list_size / 2 + 1;
538  if( our_size > POLARSSL_ECP_DP_MAX )
539  our_size = POLARSSL_ECP_DP_MAX;
540 
541  if( ( curves = polarssl_malloc( our_size * sizeof( *curves ) ) ) == NULL )
543 
544  /* explicit void pointer cast for buggy MS compiler */
545  memset( (void *) curves, 0, our_size * sizeof( *curves ) );
546  ssl->handshake->curves = curves;
547 
548  p = buf + 2;
549  while( list_size > 0 && our_size > 1 )
550  {
551  curve_info = ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
552 
553  if( curve_info != NULL )
554  {
555  *curves++ = curve_info;
556  our_size--;
557  }
558 
559  list_size -= 2;
560  p += 2;
561  }
562 
563  return( 0 );
564 }
565 
566 static int ssl_parse_supported_point_formats( ssl_context *ssl,
567  const unsigned char *buf,
568  size_t len )
569 {
570  size_t list_size;
571  const unsigned char *p;
572 
573  list_size = buf[0];
574  if( list_size + 1 != len )
575  {
576  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
578  }
579 
580  p = buf + 2;
581  while( list_size > 0 )
582  {
583  if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
585  {
586  ssl->handshake->ecdh_ctx.point_format = p[0];
587  SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
588  return( 0 );
589  }
590 
591  list_size--;
592  p++;
593  }
594 
595  return( 0 );
596 }
597 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
598 
599 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
600 static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
601  const unsigned char *buf,
602  size_t len )
603 {
604  if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
605  {
606  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
608  }
609 
610  ssl->session_negotiate->mfl_code = buf[0];
611 
612  return( 0 );
613 }
614 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
615 
616 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
617 static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
618  const unsigned char *buf,
619  size_t len )
620 {
621  if( len != 0 )
622  {
623  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
625  }
626 
627  ((void) buf);
628 
630 
631  return( 0 );
632 }
633 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
634 
635 #if defined(POLARSSL_SSL_SESSION_TICKETS)
636 static int ssl_parse_session_ticket_ext( ssl_context *ssl,
637  unsigned char *buf,
638  size_t len )
639 {
640  int ret;
641 
643  return( 0 );
644 
645  /* Remember the client asked us to send a new ticket */
646  ssl->handshake->new_session_ticket = 1;
647 
648  SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
649 
650  if( len == 0 )
651  return( 0 );
652 
654  {
655  SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
656  return( 0 );
657  }
658 
659  /*
660  * Failures are ok: just ignore the ticket and proceed.
661  */
662  if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
663  {
664  SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
665  return( 0 );
666  }
667 
668  SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
669 
670  ssl->handshake->resume = 1;
671 
672  /* Don't send a new ticket after all, this one is OK */
673  ssl->handshake->new_session_ticket = 0;
674 
675  return( 0 );
676 }
677 #endif /* POLARSSL_SSL_SESSION_TICKETS */
678 
679 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
680 static int ssl_parse_client_hello_v2( ssl_context *ssl )
681 {
682  int ret;
683  unsigned int i, j;
684  size_t n;
685  unsigned int ciph_len, sess_len, chal_len;
686  unsigned char *buf, *p;
687  const int *ciphersuites;
688  const ssl_ciphersuite_t *ciphersuite_info;
689 
690  SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
691 
693  {
694  SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
695 
696  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
697  return( ret );
698 
700  }
701 
702  buf = ssl->in_hdr;
703 
704  SSL_DEBUG_BUF( 4, "record header", buf, 5 );
705 
706  SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
707  buf[2] ) );
708  SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
709  ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
710  SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
711  buf[3], buf[4] ) );
712 
713  /*
714  * SSLv2 Client Hello
715  *
716  * Record layer:
717  * 0 . 1 message length
718  *
719  * SSL layer:
720  * 2 . 2 message type
721  * 3 . 4 protocol version
722  */
723  if( buf[2] != SSL_HS_CLIENT_HELLO ||
724  buf[3] != SSL_MAJOR_VERSION_3 )
725  {
726  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
728  }
729 
730  n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
731 
732  if( n < 17 || n > 512 )
733  {
734  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
736  }
737 
739  ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
740  ? buf[4] : ssl->max_minor_ver;
741 
742  if( ssl->minor_ver < ssl->min_minor_ver )
743  {
744  SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
745  " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
746  ssl->min_major_ver, ssl->min_minor_ver ) );
747 
751  }
752 
753  ssl->handshake->max_major_ver = buf[3];
754  ssl->handshake->max_minor_ver = buf[4];
755 
756  if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
757  {
758  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
759  return( ret );
760  }
761 
762  ssl->handshake->update_checksum( ssl, buf + 2, n );
763 
764  buf = ssl->in_msg;
765  n = ssl->in_left - 5;
766 
767  /*
768  * 0 . 1 ciphersuitelist length
769  * 2 . 3 session id length
770  * 4 . 5 challenge length
771  * 6 . .. ciphersuitelist
772  * .. . .. session id
773  * .. . .. challenge
774  */
775  SSL_DEBUG_BUF( 4, "record contents", buf, n );
776 
777  ciph_len = ( buf[0] << 8 ) | buf[1];
778  sess_len = ( buf[2] << 8 ) | buf[3];
779  chal_len = ( buf[4] << 8 ) | buf[5];
780 
781  SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
782  ciph_len, sess_len, chal_len ) );
783 
784  /*
785  * Make sure each parameter length is valid
786  */
787  if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
788  {
789  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
791  }
792 
793  if( sess_len > 32 )
794  {
795  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
797  }
798 
799  if( chal_len < 8 || chal_len > 32 )
800  {
801  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
803  }
804 
805  if( n != 6 + ciph_len + sess_len + chal_len )
806  {
807  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
809  }
810 
811  SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
812  buf + 6, ciph_len );
813  SSL_DEBUG_BUF( 3, "client hello, session id",
814  buf + 6 + ciph_len, sess_len );
815  SSL_DEBUG_BUF( 3, "client hello, challenge",
816  buf + 6 + ciph_len + sess_len, chal_len );
817 
818  p = buf + 6 + ciph_len;
819  ssl->session_negotiate->length = sess_len;
820  memset( ssl->session_negotiate->id, 0, sizeof( ssl->session_negotiate->id ) );
821  memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
822 
823  p += sess_len;
824  memset( ssl->handshake->randbytes, 0, 64 );
825  memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
826 
827  /*
828  * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
829  */
830  for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
831  {
832  if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
833  {
834  SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
835  if( ssl->renegotiation == SSL_RENEGOTIATION )
836  {
837  SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
838 
839  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
840  return( ret );
841 
843  }
845  break;
846  }
847  }
848 
849  ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
850  for( i = 0; ciphersuites[i] != 0; i++ )
851  {
852  for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
853  {
854  // Only allow non-ECC ciphersuites as we do not have extensions
855  //
856  if( p[0] == 0 && p[1] == 0 &&
857  ( ( ciphersuites[i] >> 8 ) & 0xFF ) == 0 &&
858  p[2] == ( ciphersuites[i] & 0xFF ) )
859  {
860  ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
861 
862  if( ciphersuite_info == NULL )
863  {
864  SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
865  ciphersuites[i] ) );
867  }
868 
869  if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
870  ciphersuite_info->max_minor_ver < ssl->minor_ver )
871  continue;
872 
873  goto have_ciphersuite_v2;
874  }
875  }
876  }
877 
878  SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
879 
881 
882 have_ciphersuite_v2:
883  ssl->session_negotiate->ciphersuite = ciphersuites[i];
884  ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
886 
887  /*
888  * SSLv2 Client Hello relevant renegotiation security checks
889  */
892  {
893  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
894 
895  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
896  return( ret );
897 
899  }
900 
901  ssl->in_left = 0;
902  ssl->state++;
903 
904  SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
905 
906  return( 0 );
907 }
908 #endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
909 
910 #if defined(POLARSSL_X509_CRT_PARSE_C)
911 #if defined(POLARSSL_ECDSA_C)
912 static int ssl_key_matches_curves( pk_context *pk,
913  const ecp_curve_info **curves )
914 {
915  const ecp_curve_info **crv = curves;
916  ecp_group_id grp_id = pk_ec( *pk )->grp.id;
917 
918  while( *crv != NULL )
919  {
920  if( (*crv)->grp_id == grp_id )
921  return( 1 );
922  crv++;
923  }
924 
925  return( 0 );
926 }
927 #endif /* POLARSSL_ECDSA_C */
928 
929 /*
930  * Try picking a certificate for this ciphersuite,
931  * return 0 on success and -1 on failure.
932  */
933 static int ssl_pick_cert( ssl_context *ssl,
934  const ssl_ciphersuite_t * ciphersuite_info )
935 {
936  ssl_key_cert *cur, *list;
937  pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
938 
939 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
940  if( ssl->handshake->sni_key_cert != NULL )
941  list = ssl->handshake->sni_key_cert;
942  else
943 #endif
944  list = ssl->handshake->key_cert;
945 
946  if( pk_alg == POLARSSL_PK_NONE )
947  return( 0 );
948 
949  for( cur = list; cur != NULL; cur = cur->next )
950  {
951  if( ! pk_can_do( cur->key, pk_alg ) )
952  continue;
953 
954 #if defined(POLARSSL_ECDSA_C)
955  if( pk_alg == POLARSSL_PK_ECDSA )
956  {
957  if( ssl_key_matches_curves( cur->key, ssl->handshake->curves ) )
958  break;
959  }
960  else
961 #endif
962  break;
963  }
964 
965  if( cur == NULL )
966  return( -1 );
967 
968  ssl->handshake->key_cert = cur;
969  return( 0 );
970 }
971 #endif /* POLARSSL_X509_CRT_PARSE_C */
972 
973 static int ssl_parse_client_hello( ssl_context *ssl )
974 {
975  int ret;
976  unsigned int i, j;
977  size_t n;
978  unsigned int ciph_len, sess_len;
979  unsigned int comp_len;
980  unsigned int ext_len = 0;
981  unsigned char *buf, *p, *ext;
982  int renegotiation_info_seen = 0;
983  int handshake_failure = 0;
984  const int *ciphersuites;
985  const ssl_ciphersuite_t *ciphersuite_info;
986 
987  SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
988 
989  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
990  ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
991  {
992  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
993  return( ret );
994  }
995 
996  buf = ssl->in_hdr;
997 
998 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
999  if( ( buf[0] & 0x80 ) != 0 )
1000  return ssl_parse_client_hello_v2( ssl );
1001 #endif
1002 
1003  SSL_DEBUG_BUF( 4, "record header", buf, 5 );
1004 
1005  SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
1006  buf[0] ) );
1007  SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
1008  ( buf[3] << 8 ) | buf[4] ) );
1009  SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
1010  buf[1], buf[2] ) );
1011 
1012  /*
1013  * SSLv3 Client Hello
1014  *
1015  * Record layer:
1016  * 0 . 0 message type
1017  * 1 . 2 protocol version
1018  * 3 . 4 message length
1019  */
1020  if( buf[0] != SSL_MSG_HANDSHAKE ||
1021  buf[1] != SSL_MAJOR_VERSION_3 )
1022  {
1023  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1025  }
1026 
1027  n = ( buf[3] << 8 ) | buf[4];
1028 
1029  if( n < 45 || n > 2048 )
1030  {
1031  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1033  }
1034 
1035  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
1036  ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
1037  {
1038  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1039  return( ret );
1040  }
1041 
1042  buf = ssl->in_msg;
1043  if( !ssl->renegotiation )
1044  n = ssl->in_left - 5;
1045  else
1046  n = ssl->in_msglen;
1047 
1048  ssl->handshake->update_checksum( ssl, buf, n );
1049 
1050  /*
1051  * SSL layer:
1052  * 0 . 0 handshake type
1053  * 1 . 3 handshake length
1054  * 4 . 5 protocol version
1055  * 6 . 9 UNIX time()
1056  * 10 . 37 random bytes
1057  * 38 . 38 session id length
1058  * 39 . 38+x session id
1059  * 39+x . 40+x ciphersuitelist length
1060  * 41+x . .. ciphersuitelist
1061  * .. . .. compression alg.
1062  * .. . .. extensions
1063  */
1064  SSL_DEBUG_BUF( 4, "record contents", buf, n );
1065 
1066  SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
1067  buf[0] ) );
1068  SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
1069  ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
1070  SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
1071  buf[4], buf[5] ) );
1072 
1073  /*
1074  * Check the handshake type and protocol version
1075  */
1076  if( buf[0] != SSL_HS_CLIENT_HELLO ||
1077  buf[4] != SSL_MAJOR_VERSION_3 )
1078  {
1079  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1081  }
1082 
1084  ssl->minor_ver = ( buf[5] <= ssl->max_minor_ver )
1085  ? buf[5] : ssl->max_minor_ver;
1086 
1087  if( ssl->minor_ver < ssl->min_minor_ver )
1088  {
1089  SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1090  " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
1091  ssl->min_major_ver, ssl->min_minor_ver ) );
1092 
1095 
1097  }
1098 
1099  ssl->handshake->max_major_ver = buf[4];
1100  ssl->handshake->max_minor_ver = buf[5];
1101 
1102  memcpy( ssl->handshake->randbytes, buf + 6, 32 );
1103 
1104  /*
1105  * Check the handshake message length
1106  */
1107  if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
1108  {
1109  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1111  }
1112 
1113  /*
1114  * Check the session length
1115  */
1116  sess_len = buf[38];
1117 
1118  if( sess_len > 32 )
1119  {
1120  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1122  }
1123 
1124  ssl->session_negotiate->length = sess_len;
1125  memset( ssl->session_negotiate->id, 0,
1126  sizeof( ssl->session_negotiate->id ) );
1127  memcpy( ssl->session_negotiate->id, buf + 39,
1128  ssl->session_negotiate->length );
1129 
1130  /*
1131  * Check the ciphersuitelist length
1132  */
1133  ciph_len = ( buf[39 + sess_len] << 8 )
1134  | ( buf[40 + sess_len] );
1135 
1136  if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
1137  {
1138  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1140  }
1141 
1142  /*
1143  * Check the compression algorithms length
1144  */
1145  comp_len = buf[41 + sess_len + ciph_len];
1146 
1147  if( comp_len < 1 || comp_len > 16 )
1148  {
1149  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1151  }
1152 
1153  /*
1154  * Check the extension length
1155  */
1156  if( n > 42 + sess_len + ciph_len + comp_len )
1157  {
1158  ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
1159  | ( buf[43 + sess_len + ciph_len + comp_len] );
1160 
1161  if( ( ext_len > 0 && ext_len < 4 ) ||
1162  n != 44 + sess_len + ciph_len + comp_len + ext_len )
1163  {
1164  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1165  SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
1167  }
1168  }
1169 
1171 #if defined(POLARSSL_ZLIB_SUPPORT)
1172  for( i = 0; i < comp_len; ++i )
1173  {
1174  if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
1175  {
1177  break;
1178  }
1179  }
1180 #endif
1181 
1182  SSL_DEBUG_BUF( 3, "client hello, random bytes",
1183  buf + 6, 32 );
1184  SSL_DEBUG_BUF( 3, "client hello, session id",
1185  buf + 38, sess_len );
1186  SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1187  buf + 41 + sess_len, ciph_len );
1188  SSL_DEBUG_BUF( 3, "client hello, compression",
1189  buf + 42 + sess_len + ciph_len, comp_len );
1190 
1191  /*
1192  * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1193  */
1194  for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1195  {
1196  if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
1197  {
1198  SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1199  if( ssl->renegotiation == SSL_RENEGOTIATION )
1200  {
1201  SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
1202 
1203  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1204  return( ret );
1205 
1207  }
1209  break;
1210  }
1211  }
1212 
1213  ext = buf + 44 + sess_len + ciph_len + comp_len;
1214 
1215  while( ext_len )
1216  {
1217  unsigned int ext_id = ( ( ext[0] << 8 )
1218  | ( ext[1] ) );
1219  unsigned int ext_size = ( ( ext[2] << 8 )
1220  | ( ext[3] ) );
1221 
1222  if( ext_size + 4 > ext_len )
1223  {
1224  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1226  }
1227  switch( ext_id )
1228  {
1229 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
1230  case TLS_EXT_SERVERNAME:
1231  SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1232  if( ssl->f_sni == NULL )
1233  break;
1234 
1235  ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1236  if( ret != 0 )
1237  return( ret );
1238  break;
1239 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
1240 
1242  SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1243  renegotiation_info_seen = 1;
1244 
1245  ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1246  if( ret != 0 )
1247  return( ret );
1248  break;
1249 
1250 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1251  case TLS_EXT_SIG_ALG:
1252  SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1253  if( ssl->renegotiation == SSL_RENEGOTIATION )
1254  break;
1255 
1256  ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1257  if( ret != 0 )
1258  return( ret );
1259  break;
1260 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1261 
1262 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1264  SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1265 
1266  ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1267  if( ret != 0 )
1268  return( ret );
1269  break;
1270 
1272  SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1273 
1274  ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1275  if( ret != 0 )
1276  return( ret );
1277  break;
1278 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1279 
1280 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1282  SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1283 
1284  ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1285  if( ret != 0 )
1286  return( ret );
1287  break;
1288 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
1289 
1290 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1292  SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1293 
1294  ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1295  if( ret != 0 )
1296  return( ret );
1297  break;
1298 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
1299 
1300 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1302  SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1303 
1304  ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1305  if( ret != 0 )
1306  return( ret );
1307  break;
1308 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1309 
1310  default:
1311  SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1312  ext_id ) );
1313  }
1314 
1315  ext_len -= 4 + ext_size;
1316  ext += 4 + ext_size;
1317 
1318  if( ext_len > 0 && ext_len < 4 )
1319  {
1320  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1322  }
1323  }
1324 
1325  /*
1326  * Renegotiation security checks
1327  */
1330  {
1331  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1332  handshake_failure = 1;
1333  }
1334  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1336  renegotiation_info_seen == 0 )
1337  {
1338  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1339  handshake_failure = 1;
1340  }
1341  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1344  {
1345  SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1346  handshake_failure = 1;
1347  }
1348  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1350  renegotiation_info_seen == 1 )
1351  {
1352  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1353  handshake_failure = 1;
1354  }
1355 
1356  if( handshake_failure == 1 )
1357  {
1358  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1359  return( ret );
1360 
1362  }
1363 
1364  /*
1365  * Search for a matching ciphersuite
1366  * (At the end because we need information from the EC-based extensions
1367  * and certificate from the SNI callback triggered by the SNI extension.)
1368  */
1369  ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1370  for( i = 0; ciphersuites[i] != 0; i++ )
1371  {
1372  for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
1373  j += 2, p += 2 )
1374  {
1375  if( p[0] == ( ( ciphersuites[i] >> 8 ) & 0xFF ) &&
1376  p[1] == ( ( ciphersuites[i] ) & 0xFF ) )
1377  {
1378  ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
1379 
1380  if( ciphersuite_info == NULL )
1381  {
1382  SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found",
1383  ciphersuites[i] ) );
1385  }
1386 
1387  if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
1388  ciphersuite_info->max_minor_ver < ssl->minor_ver )
1389  continue;
1390 
1391 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1392  if( ssl_ciphersuite_uses_ec( ciphersuite_info ) &&
1393  ( ssl->handshake->curves == NULL ||
1394  ssl->handshake->curves[0] == NULL ) )
1395  continue;
1396 #endif
1397 
1398 #if defined(POLARSSL_X509_CRT_PARSE_C)
1399  /*
1400  * Final check: if ciphersuite requires us to have a
1401  * certificate/key of a particular type:
1402  * - select the appropriate certificate if we have one, or
1403  * - try the next ciphersuite if we don't
1404  * This must be done last since we modify the key_cert list.
1405  */
1406  if( ssl_pick_cert( ssl, ciphersuite_info ) != 0 )
1407  continue;
1408 #endif
1409 
1410  goto have_ciphersuite;
1411  }
1412  }
1413  }
1414 
1415  SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1416 
1417  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1418  return( ret );
1419 
1421 
1422 have_ciphersuite:
1423  ssl->session_negotiate->ciphersuite = ciphersuites[i];
1424  ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1426 
1427  ssl->in_left = 0;
1428  ssl->state++;
1429 
1430  SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1431 
1432  return( 0 );
1433 }
1434 
1435 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1436 static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
1437  unsigned char *buf,
1438  size_t *olen )
1439 {
1440  unsigned char *p = buf;
1441 
1443  {
1444  *olen = 0;
1445  return;
1446  }
1447 
1448  SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1449 
1450  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
1451  *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
1452 
1453  *p++ = 0x00;
1454  *p++ = 0x00;
1455 
1456  *olen = 4;
1457 }
1458 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
1459 
1460 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1461 static void ssl_write_session_ticket_ext( ssl_context *ssl,
1462  unsigned char *buf,
1463  size_t *olen )
1464 {
1465  unsigned char *p = buf;
1466 
1467  if( ssl->handshake->new_session_ticket == 0 )
1468  {
1469  *olen = 0;
1470  return;
1471  }
1472 
1473  SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1474 
1475  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
1476  *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
1477 
1478  *p++ = 0x00;
1479  *p++ = 0x00;
1480 
1481  *olen = 4;
1482 }
1483 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1484 
1485 static void ssl_write_renegotiation_ext( ssl_context *ssl,
1486  unsigned char *buf,
1487  size_t *olen )
1488 {
1489  unsigned char *p = buf;
1490 
1492  {
1493  *olen = 0;
1494  return;
1495  }
1496 
1497  SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1498 
1499  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
1500  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
1501 
1502  *p++ = 0x00;
1503  *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
1504  *p++ = ssl->verify_data_len * 2 & 0xFF;
1505 
1506  memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
1507  p += ssl->verify_data_len;
1508  memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
1509  p += ssl->verify_data_len;
1510 
1511  *olen = 5 + ssl->verify_data_len * 2;
1512 }
1513 
1514 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1515 static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
1516  unsigned char *buf,
1517  size_t *olen )
1518 {
1519  unsigned char *p = buf;
1520 
1522  {
1523  *olen = 0;
1524  return;
1525  }
1526 
1527  SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
1528 
1529  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
1530  *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
1531 
1532  *p++ = 0x00;
1533  *p++ = 1;
1534 
1535  *p++ = ssl->session_negotiate->mfl_code;
1536 
1537  *olen = 5;
1538 }
1539 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
1540 
1541 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1542 static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
1543  unsigned char *buf,
1544  size_t *olen )
1545 {
1546  unsigned char *p = buf;
1547  ((void) ssl);
1548 
1549  *olen = 0;
1550 
1551  SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
1552 
1553  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
1554  *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
1555 
1556  *p++ = 0x00;
1557  *p++ = 2;
1558 
1559  *p++ = 1;
1561 
1562  *olen = 6;
1563 }
1564 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
1565 
1566 static int ssl_write_server_hello( ssl_context *ssl )
1567 {
1568 #if defined(POLARSSL_HAVE_TIME)
1569  time_t t;
1570 #endif
1571  int ret;
1572  size_t olen, ext_len = 0, n;
1573  unsigned char *buf, *p;
1574 
1575  SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
1576 
1577  /*
1578  * 0 . 0 handshake type
1579  * 1 . 3 handshake length
1580  * 4 . 5 protocol version
1581  * 6 . 9 UNIX time()
1582  * 10 . 37 random bytes
1583  */
1584  buf = ssl->out_msg;
1585  p = buf + 4;
1586 
1587  *p++ = (unsigned char) ssl->major_ver;
1588  *p++ = (unsigned char) ssl->minor_ver;
1589 
1590  SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
1591  buf[4], buf[5] ) );
1592 
1593 #if defined(POLARSSL_HAVE_TIME)
1594  t = time( NULL );
1595  *p++ = (unsigned char)( t >> 24 );
1596  *p++ = (unsigned char)( t >> 16 );
1597  *p++ = (unsigned char)( t >> 8 );
1598  *p++ = (unsigned char)( t );
1599 
1600  SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
1601 #else
1602  if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
1603  return( ret );
1604 
1605  p += 4;
1606 #endif
1607 
1608  if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
1609  return( ret );
1610 
1611  p += 28;
1612 
1613  memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
1614 
1615  SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
1616 
1617  /*
1618  * Resume is 0 by default, see ssl_handshake_init().
1619  * It may be already set to 1 by ssl_parse_session_ticket_ext().
1620  * If not, try looking up session ID in our cache.
1621  */
1622  if( ssl->handshake->resume == 0 &&
1624  ssl->session_negotiate->length != 0 &&
1625  ssl->f_get_cache != NULL &&
1626  ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
1627  {
1628  ssl->handshake->resume = 1;
1629  }
1630 
1631  if( ssl->handshake->resume == 0 )
1632  {
1633  /*
1634  * New session, create a new session id,
1635  * unless we're about to issue a session ticket
1636  */
1637  ssl->state++;
1638 
1639 #if defined(POLARSSL_HAVE_TIME)
1640  ssl->session_negotiate->start = time( NULL );
1641 #endif
1642 
1643 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1644  if( ssl->handshake->new_session_ticket != 0 )
1645  {
1646  ssl->session_negotiate->length = n = 0;
1647  memset( ssl->session_negotiate->id, 0, 32 );
1648  }
1649  else
1650 #endif /* POLARSSL_SSL_SESSION_TICKETS */
1651  {
1652  ssl->session_negotiate->length = n = 32;
1653  if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
1654  n ) ) != 0 )
1655  return( ret );
1656  }
1657  }
1658  else
1659  {
1660  /*
1661  * Resuming a session
1662  */
1663  n = ssl->session_negotiate->length;
1665 
1666  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1667  {
1668  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1669  return( ret );
1670  }
1671  }
1672 
1673  /*
1674  * 38 . 38 session id length
1675  * 39 . 38+n session id
1676  * 39+n . 40+n chosen ciphersuite
1677  * 41+n . 41+n chosen compression alg.
1678  * 42+n . 43+n extensions length
1679  * 44+n . 43+n+m extensions
1680  */
1681  *p++ = (unsigned char) ssl->session_negotiate->length;
1682  memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
1683  p += ssl->session_negotiate->length;
1684 
1685  SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1686  SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
1687  SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
1688  ssl->handshake->resume ? "a" : "no" ) );
1689 
1690  *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
1691  *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
1692  *p++ = (unsigned char)( ssl->session_negotiate->compression );
1693 
1694  SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
1696  SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
1697  ssl->session_negotiate->compression ) );
1698 
1699  /*
1700  * First write extensions, then the total length
1701  */
1702  ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1703  ext_len += olen;
1704 
1705 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
1706  ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1707  ext_len += olen;
1708 #endif
1709 
1710 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
1711  ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1712  ext_len += olen;
1713 #endif
1714 
1715 #if defined(POLARSSL_SSL_SESSION_TICKETS)
1716  ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1717  ext_len += olen;
1718 #endif
1719 
1720 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
1721  ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1722  ext_len += olen;
1723 #endif
1724 
1725  SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
1726 
1727  *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1728  *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1729  p += ext_len;
1730 
1731  ssl->out_msglen = p - buf;
1733  ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
1734 
1735  ret = ssl_write_record( ssl );
1736 
1737  SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
1738 
1739  return( ret );
1740 }
1741 
1742 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1743  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1744  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
1745  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1746 static int ssl_write_certificate_request( ssl_context *ssl )
1747 {
1749  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1750 
1751  SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1752 
1753  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1754  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1755  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1756  {
1757  SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1758  ssl->state++;
1759  return( 0 );
1760  }
1761 
1762  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
1763  return( ret );
1764 }
1765 #else
1766 static int ssl_write_certificate_request( ssl_context *ssl )
1767 {
1769  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1770  size_t dn_size, total_dn_size; /* excluding length bytes */
1771  size_t ct_len, sa_len; /* including length bytes */
1772  unsigned char *buf, *p;
1773  const x509_crt *crt;
1774 
1775  SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1776 
1777  ssl->state++;
1778 
1779  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1780  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1781  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
1782  ssl->authmode == SSL_VERIFY_NONE )
1783  {
1784  SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1785  return( 0 );
1786  }
1787 
1788  /*
1789  * 0 . 0 handshake type
1790  * 1 . 3 handshake length
1791  * 4 . 4 cert type count
1792  * 5 .. m-1 cert types
1793  * m .. m+1 sig alg length (TLS 1.2 only)
1794  * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
1795  * n .. n+1 length of all DNs
1796  * n+2 .. n+3 length of DN 1
1797  * n+4 .. ... Distinguished Name #1
1798  * ... .. ... length of DN 2, etc.
1799  */
1800  buf = ssl->out_msg;
1801  p = buf + 4;
1802 
1803  /*
1804  * Supported certificate types
1805  *
1806  * ClientCertificateType certificate_types<1..2^8-1>;
1807  * enum { (255) } ClientCertificateType;
1808  */
1809  ct_len = 0;
1810 
1811 #if defined(POLARSSL_RSA_C)
1812  p[1 + ct_len++] = SSL_CERT_TYPE_RSA_SIGN;
1813 #endif
1814 #if defined(POLARSSL_ECDSA_C)
1815  p[1 + ct_len++] = SSL_CERT_TYPE_ECDSA_SIGN;
1816 #endif
1817 
1818  p[0] = (unsigned char) ct_len++;
1819  p += ct_len;
1820 
1821  sa_len = 0;
1822 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
1823  /*
1824  * Add signature_algorithms for verify (TLS 1.2)
1825  *
1826  * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
1827  *
1828  * struct {
1829  * HashAlgorithm hash;
1830  * SignatureAlgorithm signature;
1831  * } SignatureAndHashAlgorithm;
1832  *
1833  * enum { (255) } HashAlgorithm;
1834  * enum { (255) } SignatureAlgorithm;
1835  */
1836  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1837  {
1838  /*
1839  * Only use current running hash algorithm that is already required
1840  * for requested ciphersuite.
1841  */
1843 
1846  {
1848  }
1849 
1850  /*
1851  * Supported signature algorithms
1852  */
1853 #if defined(POLARSSL_RSA_C)
1854  p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
1855  p[2 + sa_len++] = SSL_SIG_RSA;
1856 #endif
1857 #if defined(POLARSSL_ECDSA_C)
1858  p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
1859  p[2 + sa_len++] = SSL_SIG_ECDSA;
1860 #endif
1861 
1862  p[0] = (unsigned char)( sa_len >> 8 );
1863  p[1] = (unsigned char)( sa_len );
1864  sa_len += 2;
1865  p += sa_len;
1866  }
1867 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
1868 
1869  /*
1870  * DistinguishedName certificate_authorities<0..2^16-1>;
1871  * opaque DistinguishedName<1..2^16-1>;
1872  */
1873  p += 2;
1874  crt = ssl->ca_chain;
1875 
1876  total_dn_size = 0;
1877  while( crt != NULL )
1878  {
1879  if( p - buf > 4096 )
1880  break;
1881 
1882  dn_size = crt->subject_raw.len;
1883  *p++ = (unsigned char)( dn_size >> 8 );
1884  *p++ = (unsigned char)( dn_size );
1885  memcpy( p, crt->subject_raw.p, dn_size );
1886  p += dn_size;
1887 
1888  SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
1889 
1890  total_dn_size += 2 + dn_size;
1891  crt = crt->next;
1892  }
1893 
1894  ssl->out_msglen = p - buf;
1897  ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
1898  ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
1899 
1900  ret = ssl_write_record( ssl );
1901 
1902  SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
1903 
1904  return( ret );
1905 }
1906 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
1907  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
1908  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
1909 
1910 static int ssl_write_server_key_exchange( ssl_context *ssl )
1911 {
1912  int ret;
1913  size_t n = 0;
1914  const ssl_ciphersuite_t *ciphersuite_info =
1916 
1917 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1918  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
1919  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1920  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1921  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1922  unsigned char *p = ssl->out_msg + 4;
1923  unsigned char *dig_signed = p;
1924  size_t dig_signed_len = 0, len;
1925  ((void) dig_signed);
1926  ((void) dig_signed_len);
1927 #endif
1928 
1929  SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
1930 
1931  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ||
1932  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1933  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
1934  {
1935  SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
1936  ssl->state++;
1937  return( 0 );
1938  }
1939 
1940 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
1941  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1942  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1943  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1944  {
1945  /* TODO: Support identity hints */
1946  *(p++) = 0x00;
1947  *(p++) = 0x00;
1948 
1949  n += 2;
1950  }
1951 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED ||
1952  POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
1953 
1954 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1955  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1956  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1957  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1958  {
1959  /*
1960  * Ephemeral DH parameters:
1961  *
1962  * struct {
1963  * opaque dh_p<1..2^16-1>;
1964  * opaque dh_g<1..2^16-1>;
1965  * opaque dh_Ys<1..2^16-1>;
1966  * } ServerDHParams;
1967  */
1968  if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
1969  ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
1970  {
1971  SSL_DEBUG_RET( 1, "mpi_copy", ret );
1972  return( ret );
1973  }
1974 
1975  if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
1976  (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
1977  p,
1978  &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
1979  {
1980  SSL_DEBUG_RET( 1, "dhm_make_params", ret );
1981  return( ret );
1982  }
1983 
1984  dig_signed = p;
1985  dig_signed_len = len;
1986 
1987  p += len;
1988  n += len;
1989 
1990  SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
1991  SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1992  SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1993  SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
1994  }
1995 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1996  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1997 
1998 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1999  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2000  defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2001 
2002  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2003  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
2004  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2005  {
2006  /*
2007  * Ephemeral ECDH parameters:
2008  *
2009  * struct {
2010  * ECParameters curve_params;
2011  * ECPoint public;
2012  * } ServerECDHParams;
2013  */
2014  if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
2015  ssl->handshake->curves[0]->grp_id ) ) != 0 )
2016  {
2017  SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
2018  return( ret );
2019  }
2020 
2021  SSL_DEBUG_MSG( 2, ( "ECDH curve size: %d",
2022  (int) ssl->handshake->ecdh_ctx.grp.nbits ) );
2023 
2024  if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
2025  p, SSL_MAX_CONTENT_LEN - n,
2026  ssl->f_rng, ssl->p_rng ) ) != 0 )
2027  {
2028  SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
2029  return( ret );
2030  }
2031 
2032  dig_signed = p;
2033  dig_signed_len = len;
2034 
2035  p += len;
2036  n += len;
2037 
2038  SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
2039  }
2040 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2041  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2042  POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2043 
2044 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2045  defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2046  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2047  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
2048  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2049  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
2050  {
2051  size_t signature_len = 0;
2052  unsigned int hashlen = 0;
2053  unsigned char hash[64];
2054  md_type_t md_alg = POLARSSL_MD_NONE;
2055 
2056  /*
2057  * Choose hash algorithm. NONE means MD5 + SHA1 here.
2058  */
2059 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2060  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2061  {
2062  md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg );
2063 
2064  if( md_alg == POLARSSL_MD_NONE )
2065  {
2066  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2068  }
2069  }
2070  else
2071 #endif
2072 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2073  defined(POLARSSL_SSL_PROTO_TLS1_1)
2074  if ( ciphersuite_info->key_exchange ==
2076  {
2077  md_alg = POLARSSL_MD_SHA1;
2078  }
2079  else
2080 #endif
2081  {
2082  md_alg = POLARSSL_MD_NONE;
2083  }
2084 
2085  /*
2086  * Compute the hash to be signed
2087  */
2088 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2089  defined(POLARSSL_SSL_PROTO_TLS1_1)
2090  if( md_alg == POLARSSL_MD_NONE )
2091  {
2092  md5_context md5;
2094 
2095  /*
2096  * digitally-signed struct {
2097  * opaque md5_hash[16];
2098  * opaque sha_hash[20];
2099  * };
2100  *
2101  * md5_hash
2102  * MD5(ClientHello.random + ServerHello.random
2103  * + ServerParams);
2104  * sha_hash
2105  * SHA(ClientHello.random + ServerHello.random
2106  * + ServerParams);
2107  */
2108  md5_starts( &md5 );
2109  md5_update( &md5, ssl->handshake->randbytes, 64 );
2110  md5_update( &md5, dig_signed, dig_signed_len );
2111  md5_finish( &md5, hash );
2112 
2113  sha1_starts( &sha1 );
2114  sha1_update( &sha1, ssl->handshake->randbytes, 64 );
2115  sha1_update( &sha1, dig_signed, dig_signed_len );
2116  sha1_finish( &sha1, hash + 16 );
2117 
2118  hashlen = 36;
2119  }
2120  else
2121 #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
2122  POLARSSL_SSL_PROTO_TLS1_1 */
2123 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2124  defined(POLARSSL_SSL_PROTO_TLS1_2)
2125  if( md_alg != POLARSSL_MD_NONE )
2126  {
2127  md_context_t ctx;
2128 
2129  /* Info from md_alg will be used instead */
2130  hashlen = 0;
2131 
2132  /*
2133  * digitally-signed struct {
2134  * opaque client_random[32];
2135  * opaque server_random[32];
2136  * ServerDHParams params;
2137  * };
2138  */
2139  if( ( ret = md_init_ctx( &ctx, md_info_from_type(md_alg) ) ) != 0 )
2140  {
2141  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
2142  return( ret );
2143  }
2144 
2145  md_starts( &ctx );
2146  md_update( &ctx, ssl->handshake->randbytes, 64 );
2147  md_update( &ctx, dig_signed, dig_signed_len );
2148  md_finish( &ctx, hash );
2149 
2150  if( ( ret = md_free_ctx( &ctx ) ) != 0 )
2151  {
2152  SSL_DEBUG_RET( 1, "md_free_ctx", ret );
2153  return( ret );
2154  }
2155 
2156  }
2157  else
2158 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2159  POLARSSL_SSL_PROTO_TLS1_2 */
2160  {
2161  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2163  }
2164 
2165  SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
2166  (unsigned int) ( md_info_from_type( md_alg ) )->size );
2167 
2168  /*
2169  * Make the signature
2170  */
2171  if( ssl_own_key( ssl ) == NULL )
2172  {
2173  SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2175  }
2176 
2177 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2178  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2179  {
2180  *(p++) = ssl->handshake->sig_alg;
2181  *(p++) = ssl_sig_from_pk( ssl_own_key( ssl ) );
2182 
2183  n += 2;
2184  }
2185 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2186 
2187  if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash, hashlen,
2188  p + 2 , &signature_len,
2189  ssl->f_rng, ssl->p_rng ) ) != 0 )
2190  {
2191  SSL_DEBUG_RET( 1, "pk_sign", ret );
2192  return( ret );
2193  }
2194 
2195  *(p++) = (unsigned char)( signature_len >> 8 );
2196  *(p++) = (unsigned char)( signature_len );
2197  n += 2;
2198 
2199  SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
2200 
2201  p += signature_len;
2202  n += signature_len;
2203  }
2204 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
2205  POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2206  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2207 
2208  ssl->out_msglen = 4 + n;
2211 
2212  ssl->state++;
2213 
2214  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2215  {
2216  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2217  return( ret );
2218  }
2219 
2220  SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
2221 
2222  return( 0 );
2223 }
2224 
2225 static int ssl_write_server_hello_done( ssl_context *ssl )
2226 {
2227  int ret;
2228 
2229  SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
2230 
2231  ssl->out_msglen = 4;
2234 
2235  ssl->state++;
2236 
2237  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2238  {
2239  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2240  return( ret );
2241  }
2242 
2243  SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
2244 
2245  return( 0 );
2246 }
2247 
2248 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2249  defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2250 static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
2251  const unsigned char *end )
2252 {
2254  size_t n;
2255 
2256  /*
2257  * Receive G^Y mod P, premaster = (G^Y)^X mod P
2258  */
2259  if( *p + 2 > end )
2260  {
2261  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2263  }
2264 
2265  n = ( (*p)[0] << 8 ) | (*p)[1];
2266  *p += 2;
2267 
2268  if( n < 1 || n > ssl->handshake->dhm_ctx.len || *p + n > end )
2269  {
2270  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2272  }
2273 
2274  if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx,
2275  *p, n ) ) != 0 )
2276  {
2277  SSL_DEBUG_RET( 1, "dhm_read_public", ret );
2279  }
2280 
2281  SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2282 
2283  return( ret );
2284 }
2285 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2286  POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2287 
2288 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
2289  defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2290 static int ssl_parse_encrypted_pms( ssl_context *ssl,
2291  const unsigned char *p,
2292  const unsigned char *end,
2293  size_t pms_offset )
2294 {
2295  int ret;
2296  size_t len = pk_get_len( ssl_own_key( ssl ) );
2297  unsigned char *pms = ssl->handshake->premaster + pms_offset;
2298 
2299  if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) )
2300  {
2301  SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
2303  }
2304 
2305  /*
2306  * Decrypt the premaster using own private RSA key
2307  */
2308 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2309  defined(POLARSSL_SSL_PROTO_TLS1_2)
2310  if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
2311  {
2312  if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
2313  *p++ != ( ( len ) & 0xFF ) )
2314  {
2315  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2317  }
2318  }
2319 #endif
2320 
2321  if( p + len != end )
2322  {
2323  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2325  }
2326 
2327  ret = pk_decrypt( ssl_own_key( ssl ), p, len,
2328  pms, &ssl->handshake->pmslen,
2329  sizeof(ssl->handshake->premaster),
2330  ssl->f_rng, ssl->p_rng );
2331 
2332  if( ret != 0 || ssl->handshake->pmslen != 48 ||
2333  pms[0] != ssl->handshake->max_major_ver ||
2334  pms[1] != ssl->handshake->max_minor_ver )
2335  {
2336  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2337 
2338  /*
2339  * Protection against Bleichenbacher's attack:
2340  * invalid PKCS#1 v1.5 padding must not cause
2341  * the connection to end immediately; instead,
2342  * send a bad_record_mac later in the handshake.
2343  */
2344  ssl->handshake->pmslen = 48;
2345 
2346  ret = ssl->f_rng( ssl->p_rng, pms, ssl->handshake->pmslen );
2347  if( ret != 0 )
2348  return( ret );
2349  }
2350 
2351  return( ret );
2352 }
2353 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED ||
2354  POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
2355 
2356 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
2357 static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
2358  const unsigned char *end )
2359 {
2360  int ret = 0;
2361  size_t n;
2362 
2363  if( ssl->f_psk == NULL &&
2364  ( ssl->psk == NULL || ssl->psk_identity == NULL ||
2365  ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
2366  {
2367  SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
2369  }
2370 
2371  /*
2372  * Receive client pre-shared key identity name
2373  */
2374  if( *p + 2 > end )
2375  {
2376  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2378  }
2379 
2380  n = ( (*p)[0] << 8 ) | (*p)[1];
2381  *p += 2;
2382 
2383  if( n < 1 || n > 65535 || *p + n > end )
2384  {
2385  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2387  }
2388 
2389  if( ssl->f_psk != NULL )
2390  {
2391  if( ( ret != ssl->f_psk( ssl->p_psk, ssl, *p, n ) ) != 0 )
2393  }
2394 
2395  if( ret == 0 )
2396  {
2397  if( n != ssl->psk_identity_len ||
2398  memcmp( ssl->psk_identity, *p, n ) != 0 )
2399  {
2401  }
2402  }
2403 
2405  {
2406  SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
2407  if( ( ret = ssl_send_alert_message( ssl,
2410  {
2411  return( ret );
2412  }
2413 
2415  }
2416 
2417  *p += n;
2418  ret = 0;
2419 
2420  return( ret );
2421 }
2422 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
2423 
2424 static int ssl_parse_client_key_exchange( ssl_context *ssl )
2425 {
2426  int ret;
2427  const ssl_ciphersuite_t *ciphersuite_info;
2428 
2429  ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2430 
2431  SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
2432 
2433  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2434  {
2435  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2436  return( ret );
2437  }
2438 
2439  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2440  {
2441  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2443  }
2444 
2445  if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
2446  {
2447  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2449  }
2450 
2451 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
2452  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
2453  {
2454  unsigned char *p = ssl->in_msg + 4;
2455  unsigned char *end = ssl->in_msg + ssl->in_msglen;
2456 
2457  if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2458  {
2459  SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2460  return( ret );
2461  }
2462 
2463  ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
2464 
2465  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2466  ssl->handshake->premaster,
2467  &ssl->handshake->pmslen,
2468  ssl->f_rng, ssl->p_rng ) ) != 0 )
2469  {
2470  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2472  }
2473 
2474  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2475  }
2476  else
2477 #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
2478 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2479  defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2480  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2481  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
2482  {
2483  size_t n = ssl->in_msg[3];
2484 
2485  if( n < 1 || n > mpi_size( &ssl->handshake->ecdh_ctx.grp.P ) * 2 + 2 ||
2486  n + 4 != ssl->in_hslen )
2487  {
2488  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2490  }
2491 
2492  if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2493  ssl->in_msg + 4, n ) ) != 0 )
2494  {
2495  SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2497  }
2498 
2499  SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2500 
2501  if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2502  &ssl->handshake->pmslen,
2503  ssl->handshake->premaster,
2505  ssl->f_rng, ssl->p_rng ) ) != 0 )
2506  {
2507  SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
2509  }
2510 
2511  SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
2512  }
2513  else
2514 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2515  POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2516 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2517  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
2518  {
2519  unsigned char *p = ssl->in_msg + 4;
2520  unsigned char *end = ssl->in_msg + ssl->in_msglen;
2521 
2522  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2523  {
2524  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2525  return( ret );
2526  }
2527 
2528  if( ( ret = ssl_psk_derive_premaster( ssl,
2529  ciphersuite_info->key_exchange ) ) != 0 )
2530  {
2531  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2532  return( ret );
2533  }
2534  }
2535  else
2536 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
2537 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2538  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
2539  {
2540  unsigned char *p = ssl->in_msg + 4;
2541  unsigned char *end = ssl->in_msg + ssl->in_msglen;
2542 
2543  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2544  {
2545  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2546  return( ret );
2547  }
2548 
2549  if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
2550  {
2551  SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
2552  return( ret );
2553  }
2554 
2555  if( ( ret = ssl_psk_derive_premaster( ssl,
2556  ciphersuite_info->key_exchange ) ) != 0 )
2557  {
2558  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2559  return( ret );
2560  }
2561  }
2562  else
2563 #endif /* POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
2564 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2565  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2566  {
2567  unsigned char *p = ssl->in_msg + 4;
2568  unsigned char *end = ssl->in_msg + ssl->in_msglen;
2569 
2570  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2571  {
2572  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2573  return( ret );
2574  }
2575  if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2576  {
2577  SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2578  return( ret );
2579  }
2580 
2581  if( ( ret = ssl_psk_derive_premaster( ssl,
2582  ciphersuite_info->key_exchange ) ) != 0 )
2583  {
2584  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2585  return( ret );
2586  }
2587  }
2588  else
2589 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2590 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2591  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2592  {
2593  unsigned char *p = ssl->in_msg + 4;
2594  unsigned char *end = ssl->in_msg + ssl->in_msglen;
2595 
2596  if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2597  {
2598  SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2599  return( ret );
2600  }
2601 
2602  if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2603  p, end - p ) ) != 0 )
2604  {
2605  SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2607  }
2608 
2609  SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2610 
2611  if( ( ret = ssl_psk_derive_premaster( ssl,
2612  ciphersuite_info->key_exchange ) ) != 0 )
2613  {
2614  SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2615  return( ret );
2616  }
2617  }
2618  else
2619 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2620 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2621  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
2622  {
2623  if( ( ret = ssl_parse_encrypted_pms( ssl,
2624  ssl->in_msg + 4,
2625  ssl->in_msg + ssl->in_msglen,
2626  0 ) ) != 0 )
2627  {
2628  SSL_DEBUG_RET( 1, ( "ssl_parse_parse_ecrypted_pms_secret" ), ret );
2629  return( ret );
2630  }
2631  }
2632  else
2633 #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2634  {
2635  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2637  }
2638 
2639  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2640  {
2641  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2642  return( ret );
2643  }
2644 
2645  ssl->state++;
2646 
2647  SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
2648 
2649  return( 0 );
2650 }
2651 
2652 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2653  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2654  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2655  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2656 static int ssl_parse_certificate_verify( ssl_context *ssl )
2657 {
2659  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2660 
2661  SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2662 
2663  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2664  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2665  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2666  {
2667  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2668  ssl->state++;
2669  return( 0 );
2670  }
2671 
2672  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
2673  return( ret );
2674 }
2675 #else
2676 static int ssl_parse_certificate_verify( ssl_context *ssl )
2677 {
2679  size_t sa_len, sig_len;
2680  unsigned char hash[48];
2681  unsigned char *hash_start = hash;
2682  size_t hashlen;
2683 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2684  pk_type_t pk_alg;
2685 #endif
2686  md_type_t md_alg;
2687  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2688 
2689  SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2690 
2691  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2692  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
2693  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2694  {
2695  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2696  ssl->state++;
2697  return( 0 );
2698  }
2699 
2700  if( ssl->session_negotiate->peer_cert == NULL )
2701  {
2702  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2703  ssl->state++;
2704  return( 0 );
2705  }
2706 
2707  ssl->handshake->calc_verify( ssl, hash );
2708 
2709  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2710  {
2711  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2712  return( ret );
2713  }
2714 
2715  ssl->state++;
2716 
2717  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2718  {
2719  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
2721  }
2722 
2723  if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
2724  {
2725  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
2727  }
2728 
2729  /*
2730  * 0 . 0 handshake type
2731  * 1 . 3 handshake length
2732  * 4 . 5 sig alg (TLS 1.2 only)
2733  * 4+n . 5+n signature length (n = sa_len)
2734  * 6+n . 6+n+m signature (m = sig_len)
2735  */
2736 
2737 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2738  defined(POLARSSL_SSL_PROTO_TLS1_1)
2739  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
2740  {
2741  sa_len = 0;
2742 
2743  md_alg = POLARSSL_MD_NONE;
2744  hashlen = 36;
2745 
2746  /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
2747  if( pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2748  POLARSSL_PK_ECDSA ) )
2749  {
2750  hash_start += 16;
2751  hashlen -= 16;
2752  md_alg = POLARSSL_MD_SHA1;
2753  }
2754  }
2755  else
2756 #endif
2757 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2758  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2759  {
2760  sa_len = 2;
2761 
2762  /*
2763  * Hash
2764  */
2765  if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg )
2766  {
2767  SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
2768  " for verify message" ) );
2770  }
2771 
2772  md_alg = ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg );
2773 
2774  /* Info from md_alg will be used instead */
2775  hashlen = 0;
2776 
2777  /*
2778  * Signature
2779  */
2780  if( ( pk_alg = ssl_pk_alg_from_sig( ssl->in_msg[5] ) )
2781  == POLARSSL_PK_NONE )
2782  {
2783  SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
2784  " for verify message" ) );
2786  }
2787 
2788  /*
2789  * Check the certificate's key type matches the signature alg
2790  */
2791  if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
2792  {
2793  SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
2795  }
2796  }
2797  else
2798 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2799  {
2800  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2802  }
2803 
2804  sig_len = ( ssl->in_msg[4 + sa_len] << 8 ) | ssl->in_msg[5 + sa_len];
2805 
2806  if( sa_len + sig_len + 6 != ssl->in_hslen )
2807  {
2808  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
2810  }
2811 
2812  if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
2813  md_alg, hash_start, hashlen,
2814  ssl->in_msg + 6 + sa_len, sig_len ) ) != 0 )
2815  {
2816  SSL_DEBUG_RET( 1, "pk_verify", ret );
2817  return( ret );
2818  }
2819 
2820  SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
2821 
2822  return( ret );
2823 }
2824 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2825  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2826  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2827 
2828 #if defined(POLARSSL_SSL_SESSION_TICKETS)
2829 static int ssl_write_new_session_ticket( ssl_context *ssl )
2830 {
2831  int ret;
2832  size_t tlen;
2833  uint32_t lifetime = (uint32_t) ssl->ticket_lifetime;
2834 
2835  SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
2836 
2839 
2840  /*
2841  * struct {
2842  * uint32 ticket_lifetime_hint;
2843  * opaque ticket<0..2^16-1>;
2844  * } NewSessionTicket;
2845  *
2846  * 4 . 7 ticket_lifetime_hint (0 = unspecified)
2847  * 8 . 9 ticket_len (n)
2848  * 10 . 9+n ticket content
2849  */
2850 
2851  ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
2852  ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
2853  ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
2854  ssl->out_msg[7] = ( lifetime ) & 0xFF;
2855 
2856  if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
2857  {
2858  SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
2859  tlen = 0;
2860  }
2861 
2862  ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
2863  ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
2864 
2865  ssl->out_msglen = 10 + tlen;
2866 
2867  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2868  {
2869  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2870  return( ret );
2871  }
2872 
2873  /* No need to remember writing a NewSessionTicket any more */
2874  ssl->handshake->new_session_ticket = 0;
2875 
2876  SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
2877 
2878  return( 0 );
2879 }
2880 #endif /* POLARSSL_SSL_SESSION_TICKETS */
2881 
2882 /*
2883  * SSL handshake -- server side -- single step
2884  */
2886 {
2887  int ret = 0;
2888 
2889  if( ssl->state == SSL_HANDSHAKE_OVER )
2891 
2892  SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
2893 
2894  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2895  return( ret );
2896 
2897  switch( ssl->state )
2898  {
2899  case SSL_HELLO_REQUEST:
2900  ssl->state = SSL_CLIENT_HELLO;
2901  break;
2902 
2903  /*
2904  * <== ClientHello
2905  */
2906  case SSL_CLIENT_HELLO:
2907  ret = ssl_parse_client_hello( ssl );
2908  break;
2909 
2910  /*
2911  * ==> ServerHello
2912  * Certificate
2913  * ( ServerKeyExchange )
2914  * ( CertificateRequest )
2915  * ServerHelloDone
2916  */
2917  case SSL_SERVER_HELLO:
2918  ret = ssl_write_server_hello( ssl );
2919  break;
2920 
2922  ret = ssl_write_certificate( ssl );
2923  break;
2924 
2926  ret = ssl_write_server_key_exchange( ssl );
2927  break;
2928 
2930  ret = ssl_write_certificate_request( ssl );
2931  break;
2932 
2933  case SSL_SERVER_HELLO_DONE:
2934  ret = ssl_write_server_hello_done( ssl );
2935  break;
2936 
2937  /*
2938  * <== ( Certificate/Alert )
2939  * ClientKeyExchange
2940  * ( CertificateVerify )
2941  * ChangeCipherSpec
2942  * Finished
2943  */
2945  ret = ssl_parse_certificate( ssl );
2946  break;
2947 
2949  ret = ssl_parse_client_key_exchange( ssl );
2950  break;
2951 
2953  ret = ssl_parse_certificate_verify( ssl );
2954  break;
2955 
2957  ret = ssl_parse_change_cipher_spec( ssl );
2958  break;
2959 
2960  case SSL_CLIENT_FINISHED:
2961  ret = ssl_parse_finished( ssl );
2962  break;
2963 
2964  /*
2965  * ==> ( NewSessionTicket )
2966  * ChangeCipherSpec
2967  * Finished
2968  */
2970 #if defined(POLARSSL_SSL_SESSION_TICKETS)
2971  if( ssl->handshake->new_session_ticket != 0 )
2972  ret = ssl_write_new_session_ticket( ssl );
2973  else
2974 #endif
2975  ret = ssl_write_change_cipher_spec( ssl );
2976  break;
2977 
2978  case SSL_SERVER_FINISHED:
2979  ret = ssl_write_finished( ssl );
2980  break;
2981 
2982  case SSL_FLUSH_BUFFERS:
2983  SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2984  ssl->state = SSL_HANDSHAKE_WRAPUP;
2985  break;
2986 
2987  case SSL_HANDSHAKE_WRAPUP:
2988  ssl_handshake_wrapup( ssl );
2989  break;
2990 
2991  default:
2992  SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2994  }
2995 
2996  return( ret );
2997 }
2998 #endif