search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
initial commit; it works
[psslcertgen.git] / src / libpolarssl / ssl_srv.c
blob861bda359074ef91ee12f8c472ff0670ef69ec5e
1 /*
2 * SSLv3/TLSv1 server-side functions
3 *
4 * Copyright (C) 2006-2012, Brainspark B.V.
5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
26 #include "config.h"
27
28 #if defined(POLARSSL_SSL_SRV_C)
29
30 #include "debug.h"
31 #include "ssl.h"
32
33 #include <stdlib.h>
34 #include <stdio.h>
35 #include <time.h>
36
37 static int ssl_parse_servername_ext( ssl_context *ssl,
38 const unsigned char *buf,
39 size_t len )
40 {
41 int ret;
42 size_t servername_list_size, hostname_len;
43 const unsigned char *p;
44
45 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
46 if( servername_list_size + 2 != len )
47 {
48 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
49 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
50 }
51
52 p = buf + 2;
53 while( servername_list_size > 0 )
54 {
55 hostname_len = ( ( p[1] << 8 ) | p[2] );
56 if( hostname_len + 3 > servername_list_size )
57 {
58 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
59 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
60 }
61
62 if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
63 {
64 ret = ssl->f_sni( ssl->p_sni, ssl, p + 3, hostname_len );
65 if( ret != 0 )
66 {
67 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
68 SSL_ALERT_MSG_UNRECOGNIZED_NAME );
69 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
70 }
71 return( 0 );
72 }
73
74 servername_list_size -= hostname_len + 3;
75 p += hostname_len + 3;
76 }
77
78 if( servername_list_size != 0 )
79 {
80 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
81 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
82 }
83
84 return( 0 );
85 }
86
87 static int ssl_parse_renegotiation_info( ssl_context *ssl,
88 const unsigned char *buf,
89 size_t len )
90 {
91 int ret;
92
93 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
94 {
95 if( len != 1 || buf[0] != 0x0 )
96 {
97 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
98
99 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
100 return( ret );
101
102 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
103 }
104
105 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
106 }
107 else
108 {
109 if( len != 1 + ssl->verify_data_len ||
110 buf[0] != ssl->verify_data_len ||
111 memcmp( buf + 1, ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
112 {
113 SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
114
115 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
116 return( ret );
117
118 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
119 }
120 }
121
122 return( 0 );
123 }
124
125 static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
126 const unsigned char *buf,
127 size_t len )
128 {
129 size_t sig_alg_list_size;
130 const unsigned char *p;
131
132 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
133 if( sig_alg_list_size + 2 != len ||
134 sig_alg_list_size %2 != 0 )
135 {
136 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
137 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
138 }
139
140 p = buf + 2;
141 while( sig_alg_list_size > 0 )
142 {
143 if( p[1] != SSL_SIG_RSA )
144 {
145 sig_alg_list_size -= 2;
146 p += 2;
147 continue;
148 }
149 #if defined(POLARSSL_SHA4_C)
150 if( p[0] == SSL_HASH_SHA512 )
151 {
152 ssl->handshake->sig_alg = SSL_HASH_SHA512;
153 break;
154 }
155 if( p[0] == SSL_HASH_SHA384 )
156 {
157 ssl->handshake->sig_alg = SSL_HASH_SHA384;
158 break;
159 }
160 #endif
161 #if defined(POLARSSL_SHA2_C)
162 if( p[0] == SSL_HASH_SHA256 )
163 {
164 ssl->handshake->sig_alg = SSL_HASH_SHA256;
165 break;
166 }
167 if( p[0] == SSL_HASH_SHA224 )
168 {
169 ssl->handshake->sig_alg = SSL_HASH_SHA224;
170 break;
171 }
172 #endif
173 if( p[0] == SSL_HASH_SHA1 )
174 {
175 ssl->handshake->sig_alg = SSL_HASH_SHA1;
176 break;
177 }
178 if( p[0] == SSL_HASH_MD5 )
179 {
180 ssl->handshake->sig_alg = SSL_HASH_MD5;
181 break;
182 }
183
184 sig_alg_list_size -= 2;
185 p += 2;
186 }
187
188 SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
189 ssl->handshake->sig_alg ) );
190
191 return( 0 );
192 }
193
194 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
195 static int ssl_parse_client_hello_v2( ssl_context *ssl )
196 {
197 int ret;
198 unsigned int i, j;
199 size_t n;
200 unsigned int ciph_len, sess_len, chal_len;
201 unsigned char *buf, *p;
202
203 SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
204
205 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
206 {
207 SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
208
209 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
210 return( ret );
211
212 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
213 }
214
215 buf = ssl->in_hdr;
216
217 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
218
219 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
220 buf[2] ) );
221 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
222 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
223 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
224 buf[3], buf[4] ) );
225
226 /*
227 * SSLv2 Client Hello
228 *
229 * Record layer:
230 * 0 . 1 message length
231 *
232 * SSL layer:
233 * 2 . 2 message type
234 * 3 . 4 protocol version
235 */
236 if( buf[2] != SSL_HS_CLIENT_HELLO ||
237 buf[3] != SSL_MAJOR_VERSION_3 )
238 {
239 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
240 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
241 }
242
243 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
244
245 if( n < 17 || n > 512 )
246 {
247 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
248 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
249 }
250
251 ssl->major_ver = SSL_MAJOR_VERSION_3;
252 ssl->minor_ver = ( buf[4] <= SSL_MINOR_VERSION_3 )
253 ? buf[4] : SSL_MINOR_VERSION_3;
254
255 if( ssl->minor_ver < ssl->min_minor_ver )
256 {
257 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
258 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
259 ssl->min_major_ver, ssl->min_minor_ver ) );
260
261 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
262 SSL_ALERT_MSG_PROTOCOL_VERSION );
263 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
264 }
265
266 ssl->max_major_ver = buf[3];
267 ssl->max_minor_ver = buf[4];
268
269 if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
270 {
271 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
272 return( ret );
273 }
274
275 ssl->handshake->update_checksum( ssl, buf + 2, n );
276
277 buf = ssl->in_msg;
278 n = ssl->in_left - 5;
279
280 /*
281 * 0 . 1 ciphersuitelist length
282 * 2 . 3 session id length
283 * 4 . 5 challenge length
284 * 6 . .. ciphersuitelist
285 * .. . .. session id
286 * .. . .. challenge
287 */
288 SSL_DEBUG_BUF( 4, "record contents", buf, n );
289
290 ciph_len = ( buf[0] << 8 ) | buf[1];
291 sess_len = ( buf[2] << 8 ) | buf[3];
292 chal_len = ( buf[4] << 8 ) | buf[5];
293
294 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
295 ciph_len, sess_len, chal_len ) );
296
297 /*
298 * Make sure each parameter length is valid
299 */
300 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
301 {
302 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
303 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
304 }
305
306 if( sess_len > 32 )
307 {
308 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
309 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
310 }
311
312 if( chal_len < 8 || chal_len > 32 )
313 {
314 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
315 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
316 }
317
318 if( n != 6 + ciph_len + sess_len + chal_len )
319 {
320 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
321 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
322 }
323
324 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
325 buf + 6, ciph_len );
326 SSL_DEBUG_BUF( 3, "client hello, session id",
327 buf + 6 + ciph_len, sess_len );
328 SSL_DEBUG_BUF( 3, "client hello, challenge",
329 buf + 6 + ciph_len + sess_len, chal_len );
330
331 p = buf + 6 + ciph_len;
332 ssl->session_negotiate->length = sess_len;
333 memset( ssl->session_negotiate->id, 0, sizeof( ssl->session_negotiate->id ) );
334 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
335
336 p += sess_len;
337 memset( ssl->handshake->randbytes, 0, 64 );
338 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
339
340 /*
341 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
342 */
343 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
344 {
345 if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
346 {
347 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
348 if( ssl->renegotiation == SSL_RENEGOTIATION )
349 {
350 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
351
352 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
353 return( ret );
354
355 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
356 }
357 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
358 break;
359 }
360 }
361
362 for( i = 0; ssl->ciphersuites[ssl->minor_ver][i] != 0; i++ )
363 {
364 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
365 {
366 if( p[0] == 0 &&
367 p[1] == 0 &&
368 p[2] == ssl->ciphersuites[ssl->minor_ver][i] )
369 goto have_ciphersuite_v2;
370 }
371 }
372
373 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
374
375 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
376
377 have_ciphersuite_v2:
378 ssl->session_negotiate->ciphersuite = ssl->ciphersuites[ssl->minor_ver][i];
379 ssl_optimize_checksum( ssl, ssl->session_negotiate->ciphersuite );
380
381 /*
382 * SSLv2 Client Hello relevant renegotiation security checks
383 */
384 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
385 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
386 {
387 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
388
389 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
390 return( ret );
391
392 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
393 }
394
395 ssl->in_left = 0;
396 ssl->state++;
397
398 SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
399
400 return( 0 );
401 }
402 #endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
403
404 static int ssl_parse_client_hello( ssl_context *ssl )
405 {
406 int ret;
407 unsigned int i, j;
408 size_t n;
409 unsigned int ciph_len, sess_len;
410 unsigned int comp_len;
411 unsigned int ext_len = 0;
412 unsigned char *buf, *p, *ext;
413 int renegotiation_info_seen = 0;
414 int handshake_failure = 0;
415
416 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
417
418 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
419 ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
420 {
421 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
422 return( ret );
423 }
424
425 buf = ssl->in_hdr;
426
427 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
428 if( ( buf[0] & 0x80 ) != 0 )
429 return ssl_parse_client_hello_v2( ssl );
430 #endif
431
432 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
433
434 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
435 buf[0] ) );
436 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
437 ( buf[3] << 8 ) | buf[4] ) );
438 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
439 buf[1], buf[2] ) );
440
441 /*
442 * SSLv3 Client Hello
443 *
444 * Record layer:
445 * 0 . 0 message type
446 * 1 . 2 protocol version
447 * 3 . 4 message length
448 */
449 if( buf[0] != SSL_MSG_HANDSHAKE ||
450 buf[1] != SSL_MAJOR_VERSION_3 )
451 {
452 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
453 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
454 }
455
456 n = ( buf[3] << 8 ) | buf[4];
457
458 if( n < 45 || n > 512 )
459 {
460 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
461 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
462 }
463
464 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
465 ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
466 {
467 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
468 return( ret );
469 }
470
471 buf = ssl->in_msg;
472 if( !ssl->renegotiation )
473 n = ssl->in_left - 5;
474 else
475 n = ssl->in_msglen;
476
477 ssl->handshake->update_checksum( ssl, buf, n );
478
479 /*
480 * SSL layer:
481 * 0 . 0 handshake type
482 * 1 . 3 handshake length
483 * 4 . 5 protocol version
484 * 6 . 9 UNIX time()
485 * 10 . 37 random bytes
486 * 38 . 38 session id length
487 * 39 . 38+x session id
488 * 39+x . 40+x ciphersuitelist length
489 * 41+x . .. ciphersuitelist
490 * .. . .. compression alg.
491 * .. . .. extensions
492 */
493 SSL_DEBUG_BUF( 4, "record contents", buf, n );
494
495 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
496 buf[0] ) );
497 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
498 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
499 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
500 buf[4], buf[5] ) );
501
502 /*
503 * Check the handshake type and protocol version
504 */
505 if( buf[0] != SSL_HS_CLIENT_HELLO ||
506 buf[4] != SSL_MAJOR_VERSION_3 )
507 {
508 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
509 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
510 }
511
512 ssl->major_ver = SSL_MAJOR_VERSION_3;
513 ssl->minor_ver = ( buf[5] <= SSL_MINOR_VERSION_3 )
514 ? buf[5] : SSL_MINOR_VERSION_3;
515
516 if( ssl->minor_ver < ssl->min_minor_ver )
517 {
518 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
519 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
520 ssl->min_major_ver, ssl->min_minor_ver ) );
521
522 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
523 SSL_ALERT_MSG_PROTOCOL_VERSION );
524
525 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
526 }
527
528 ssl->max_major_ver = buf[4];
529 ssl->max_minor_ver = buf[5];
530
531 memcpy( ssl->handshake->randbytes, buf + 6, 32 );
532
533 /*
534 * Check the handshake message length
535 */
536 if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
537 {
538 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
539 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
540 }
541
542 /*
543 * Check the session length
544 */
545 sess_len = buf[38];
546
547 if( sess_len > 32 )
548 {
549 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
550 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
551 }
552
553 ssl->session_negotiate->length = sess_len;
554 memset( ssl->session_negotiate->id, 0,
555 sizeof( ssl->session_negotiate->id ) );
556 memcpy( ssl->session_negotiate->id, buf + 39,
557 ssl->session_negotiate->length );
558
559 /*
560 * Check the ciphersuitelist length
561 */
562 ciph_len = ( buf[39 + sess_len] << 8 )
563 | ( buf[40 + sess_len] );
564
565 if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
566 {
567 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
568 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
569 }
570
571 /*
572 * Check the compression algorithms length
573 */
574 comp_len = buf[41 + sess_len + ciph_len];
575
576 if( comp_len < 1 || comp_len > 16 )
577 {
578 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
579 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
580 }
581
582 /*
583 * Check the extension length
584 */
585 if( n > 42 + sess_len + ciph_len + comp_len )
586 {
587 ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
588 | ( buf[43 + sess_len + ciph_len + comp_len] );
589
590 if( ( ext_len > 0 && ext_len < 4 ) ||
591 n != 44 + sess_len + ciph_len + comp_len + ext_len )
592 {
593 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
594 SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
595 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
596 }
597 }
598
599 ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
600 #if defined(POLARSSL_ZLIB_SUPPORT)
601 for( i = 0; i < comp_len; ++i )
602 {
603 if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
604 {
605 ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE;
606 break;
607 }
608 }
609 #endif
610
611 SSL_DEBUG_BUF( 3, "client hello, random bytes",
612 buf + 6, 32 );
613 SSL_DEBUG_BUF( 3, "client hello, session id",
614 buf + 38, sess_len );
615 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
616 buf + 41 + sess_len, ciph_len );
617 SSL_DEBUG_BUF( 3, "client hello, compression",
618 buf + 42 + sess_len + ciph_len, comp_len );
619
620 /*
621 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
622 */
623 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
624 {
625 if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
626 {
627 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
628 if( ssl->renegotiation == SSL_RENEGOTIATION )
629 {
630 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
631
632 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
633 return( ret );
634
635 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
636 }
637 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
638 break;
639 }
640 }
641
642 /*
643 * Search for a matching ciphersuite
644 */
645 for( i = 0; ssl->ciphersuites[ssl->minor_ver][i] != 0; i++ )
646 {
647 for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
648 j += 2, p += 2 )
649 {
650 if( p[0] == 0 && p[1] == ssl->ciphersuites[ssl->minor_ver][i] )
651 goto have_ciphersuite;
652 }
653 }
654
655 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
656
657 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
658
659 have_ciphersuite:
660 ssl->session_negotiate->ciphersuite = ssl->ciphersuites[ssl->minor_ver][i];
661 ssl_optimize_checksum( ssl, ssl->session_negotiate->ciphersuite );
662
663 ext = buf + 44 + sess_len + ciph_len + comp_len;
664
665 while( ext_len )
666 {
667 unsigned int ext_id = ( ( ext[0] << 8 )
668 | ( ext[1] ) );
669 unsigned int ext_size = ( ( ext[2] << 8 )
670 | ( ext[3] ) );
671
672 if( ext_size + 4 > ext_len )
673 {
674 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
675 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
676 }
677 switch( ext_id )
678 {
679 case TLS_EXT_SERVERNAME:
680 SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
681 if( ssl->f_sni == NULL )
682 break;
683
684 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
685 if( ret != 0 )
686 return( ret );
687 break;
688
689 case TLS_EXT_RENEGOTIATION_INFO:
690 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
691 renegotiation_info_seen = 1;
692
693 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
694 if( ret != 0 )
695 return( ret );
696 break;
697
698 case TLS_EXT_SIG_ALG:
699 SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
700 if( ssl->renegotiation == SSL_RENEGOTIATION )
701 break;
702
703 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
704 if( ret != 0 )
705 return( ret );
706 break;
707
708 default:
709 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
710 ext_id ) );
711 }
712
713 ext_len -= 4 + ext_size;
714 ext += 4 + ext_size;
715
716 if( ext_len > 0 && ext_len < 4 )
717 {
718 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
719 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
720 }
721 }
722
723 /*
724 * Renegotiation security checks
725 */
726 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
727 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
728 {
729 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
730 handshake_failure = 1;
731 }
732 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
733 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
734 renegotiation_info_seen == 0 )
735 {
736 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
737 handshake_failure = 1;
738 }
739 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
740 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
741 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
742 {
743 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
744 handshake_failure = 1;
745 }
746 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
747 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
748 renegotiation_info_seen == 1 )
749 {
750 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
751 handshake_failure = 1;
752 }
753
754 if( handshake_failure == 1 )
755 {
756 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
757 return( ret );
758
759 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
760 }
761
762 ssl->in_left = 0;
763 ssl->state++;
764
765 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
766
767 return( 0 );
768 }
769
770 static int ssl_write_server_hello( ssl_context *ssl )
771 {
772 time_t t;
773 int ret, n;
774 size_t ext_len = 0;
775 unsigned char *buf, *p;
776
777 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
778
779 /*
780 * 0 . 0 handshake type
781 * 1 . 3 handshake length
782 * 4 . 5 protocol version
783 * 6 . 9 UNIX time()
784 * 10 . 37 random bytes
785 */
786 buf = ssl->out_msg;
787 p = buf + 4;
788
789 *p++ = (unsigned char) ssl->major_ver;
790 *p++ = (unsigned char) ssl->minor_ver;
791
792 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
793 buf[4], buf[5] ) );
794
795 t = time( NULL );
796 *p++ = (unsigned char)( t >> 24 );
797 *p++ = (unsigned char)( t >> 16 );
798 *p++ = (unsigned char)( t >> 8 );
799 *p++ = (unsigned char)( t );
800
801 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
802
803 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
804 return( ret );
805
806 p += 28;
807
808 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
809
810 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
811
812 /*
813 * 38 . 38 session id length
814 * 39 . 38+n session id
815 * 39+n . 40+n chosen ciphersuite
816 * 41+n . 41+n chosen compression alg.
817 */
818 ssl->session_negotiate->length = n = 32;
819 *p++ = (unsigned char) ssl->session_negotiate->length;
820
821 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
822 ssl->f_get_cache == NULL ||
823 ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) != 0 )
824 {
825 /*
826 * Not found, create a new session id
827 */
828 ssl->handshake->resume = 0;
829 ssl->state++;
830
831 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
832 n ) ) != 0 )
833 return( ret );
834 }
835 else
836 {
837 /*
838 * Found a matching session, resuming it
839 */
840 ssl->handshake->resume = 1;
841 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
842
843 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
844 {
845 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
846 return( ret );
847 }
848 }
849
850 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
851 p += ssl->session_negotiate->length;
852
853 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
854 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
855 SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
856 ssl->handshake->resume ? "a" : "no" ) );
857
858 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
859 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
860 *p++ = (unsigned char)( ssl->session_negotiate->compression );
861
862 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d",
863 ssl->session_negotiate->ciphersuite ) );
864 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
865 ssl->session_negotiate->compression ) );
866
867 if( ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION )
868 {
869 SSL_DEBUG_MSG( 3, ( "server hello, prepping for secure renegotiation extension" ) );
870 ext_len += 5 + ssl->verify_data_len * 2;
871
872 SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d",
873 ext_len ) );
874
875 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
876 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
877
878 /*
879 * Secure renegotiation
880 */
881 SSL_DEBUG_MSG( 3, ( "client hello, secure renegotiation extension" ) );
882
883 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
884 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
885
886 *p++ = 0x00;
887 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
888 *p++ = ssl->verify_data_len * 2 & 0xFF;
889
890 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
891 p += ssl->verify_data_len;
892 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
893 p += ssl->verify_data_len;
894 }
895
896 ssl->out_msglen = p - buf;
897 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
898 ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
899
900 ret = ssl_write_record( ssl );
901
902 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
903
904 return( ret );
905 }
906
907 static int ssl_write_certificate_request( ssl_context *ssl )
908 {
909 int ret;
910 size_t n = 0, dn_size, total_dn_size;
911 unsigned char *buf, *p;
912 const x509_cert *crt;
913
914 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
915
916 ssl->state++;
917
918 if( ssl->authmode == SSL_VERIFY_NONE )
919 {
920 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
921 return( 0 );
922 }
923
924 /*
925 * 0 . 0 handshake type
926 * 1 . 3 handshake length
927 * 4 . 4 cert type count
928 * 5 .. m-1 cert types
929 * m .. m+1 sig alg length (TLS 1.2 only)
930 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
931 * n .. n+1 length of all DNs
932 * n+2 .. n+3 length of DN 1
933 * n+4 .. ... Distinguished Name #1
934 * ... .. ... length of DN 2, etc.
935 */
936 buf = ssl->out_msg;
937 p = buf + 4;
938
939 /*
940 * At the moment, only RSA certificates are supported
941 */
942 *p++ = 1;
943 *p++ = SSL_CERT_TYPE_RSA_SIGN;
944
945 /*
946 * Add signature_algorithms for verify (TLS 1.2)
947 * Only add current running algorithm that is already required for
948 * requested ciphersuite.
949 *
950 * Length is always 2
951 */
952 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
953 {
954 ssl->handshake->verify_sig_alg = SSL_HASH_SHA256;
955
956 *p++ = 0;
957 *p++ = 2;
958
959 if( ssl->session_negotiate->ciphersuite == TLS_RSA_WITH_AES_256_GCM_SHA384 ||
960 ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 )
961 {
962 ssl->handshake->verify_sig_alg = SSL_HASH_SHA384;
963 }
964
965 *p++ = ssl->handshake->verify_sig_alg;
966 *p++ = SSL_SIG_RSA;
967
968 n += 4;
969 }
970
971 p += 2;
972 crt = ssl->ca_chain;
973
974 total_dn_size = 0;
975 while( crt != NULL && crt->version != 0)
976 {
977 if( p - buf > 4096 )
978 break;
979
980 dn_size = crt->subject_raw.len;
981 *p++ = (unsigned char)( dn_size >> 8 );
982 *p++ = (unsigned char)( dn_size );
983 memcpy( p, crt->subject_raw.p, dn_size );
984 p += dn_size;
985
986 SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
987
988 total_dn_size += 2 + dn_size;
989 crt = crt->next;
990 }
991
992 ssl->out_msglen = p - buf;
993 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
994 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST;
995 ssl->out_msg[6 + n] = (unsigned char)( total_dn_size >> 8 );
996 ssl->out_msg[7 + n] = (unsigned char)( total_dn_size );
997
998 ret = ssl_write_record( ssl );
999
1000 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
1001
1002 return( ret );
1003 }
1004
1005 static int ssl_write_server_key_exchange( ssl_context *ssl )
1006 {
1007 #if defined(POLARSSL_DHM_C)
1008 int ret;
1009 size_t n, rsa_key_len = 0;
1010 unsigned char hash[64];
1011 int hash_id = 0;
1012 unsigned int hashlen = 0;
1013 #endif
1014
1015 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
1016
1017 if( ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_DES_CBC_SHA &&
1018 ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA &&
1019 ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA &&
1020 ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA &&
1021 ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 &&
1022 ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 &&
1023 ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA &&
1024 ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA &&
1025 ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 &&
1026 ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 &&
1027 ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 &&
1028 ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 )
1029 {
1030 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
1031 ssl->state++;
1032 return( 0 );
1033 }
1034
1035 #if !defined(POLARSSL_DHM_C)
1036 SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) );
1037 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
1038 #else
1039
1040 if( ssl->rsa_key == NULL )
1041 {
1042 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
1043 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
1044 }
1045
1046 /*
1047 * Ephemeral DH parameters:
1048 *
1049 * struct {
1050 * opaque dh_p<1..2^16-1>;
1051 * opaque dh_g<1..2^16-1>;
1052 * opaque dh_Ys<1..2^16-1>;
1053 * } ServerDHParams;
1054 */
1055 if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
1056 ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
1057 {
1058 SSL_DEBUG_RET( 1, "mpi_copy", ret );
1059 return( ret );
1060 }
1061
1062 if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
1063 mpi_size( &ssl->handshake->dhm_ctx.P ),
1064 ssl->out_msg + 4,
1065 &n, ssl->f_rng, ssl->p_rng ) ) != 0 )
1066 {
1067 SSL_DEBUG_RET( 1, "dhm_make_params", ret );
1068 return( ret );
1069 }
1070
1071 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
1072 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1073 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1074 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
1075
1076 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
1077 {
1078 md5_context md5;
1079 sha1_context sha1;
1080
1081 /*
1082 * digitally-signed struct {
1083 * opaque md5_hash[16];
1084 * opaque sha_hash[20];
1085 * };
1086 *
1087 * md5_hash
1088 * MD5(ClientHello.random + ServerHello.random
1089 * + ServerParams);
1090 * sha_hash
1091 * SHA(ClientHello.random + ServerHello.random
1092 * + ServerParams);
1093 */
1094 md5_starts( &md5 );
1095 md5_update( &md5, ssl->handshake->randbytes, 64 );
1096 md5_update( &md5, ssl->out_msg + 4, n );
1097 md5_finish( &md5, hash );
1098
1099 sha1_starts( &sha1 );
1100 sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1101 sha1_update( &sha1, ssl->out_msg + 4, n );
1102 sha1_finish( &sha1, hash + 16 );
1103
1104 hashlen = 36;
1105 hash_id = SIG_RSA_RAW;
1106 }
1107 else
1108 {
1109 /*
1110 * digitally-signed struct {
1111 * opaque client_random[32];
1112 * opaque server_random[32];
1113 * ServerDHParams params;
1114 * };
1115 */
1116 #if defined(POLARSSL_SHA4_C)
1117 if( ssl->handshake->sig_alg == SSL_HASH_SHA512 )
1118 {
1119 sha4_context sha4;
1120
1121 sha4_starts( &sha4, 0 );
1122 sha4_update( &sha4, ssl->handshake->randbytes, 64 );
1123 sha4_update( &sha4, ssl->out_msg + 4, n );
1124 sha4_finish( &sha4, hash );
1125
1126 hashlen = 64;
1127 hash_id = SIG_RSA_SHA512;
1128 }
1129 else if( ssl->handshake->sig_alg == SSL_HASH_SHA384 )
1130 {
1131 sha4_context sha4;
1132
1133 sha4_starts( &sha4, 1 );
1134 sha4_update( &sha4, ssl->handshake->randbytes, 64 );
1135 sha4_update( &sha4, ssl->out_msg + 4, n );
1136 sha4_finish( &sha4, hash );
1137
1138 hashlen = 48;
1139 hash_id = SIG_RSA_SHA384;
1140 }
1141 else
1142 #endif
1143 #if defined(POLARSSL_SHA2_C)
1144 if( ssl->handshake->sig_alg == SSL_HASH_SHA256 )
1145 {
1146 sha2_context sha2;
1147
1148 sha2_starts( &sha2, 0 );
1149 sha2_update( &sha2, ssl->handshake->randbytes, 64 );
1150 sha2_update( &sha2, ssl->out_msg + 4, n );
1151 sha2_finish( &sha2, hash );
1152
1153 hashlen = 32;
1154 hash_id = SIG_RSA_SHA256;
1155 }
1156 else if( ssl->handshake->sig_alg == SSL_HASH_SHA224 )
1157 {
1158 sha2_context sha2;
1159
1160 sha2_starts( &sha2, 1 );
1161 sha2_update( &sha2, ssl->handshake->randbytes, 64 );
1162 sha2_update( &sha2, ssl->out_msg + 4, n );
1163 sha2_finish( &sha2, hash );
1164
1165 hashlen = 24;
1166 hash_id = SIG_RSA_SHA224;
1167 }
1168 else
1169 #endif
1170 if( ssl->handshake->sig_alg == SSL_HASH_SHA1 )
1171 {
1172 sha1_context sha1;
1173
1174 sha1_starts( &sha1 );
1175 sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1176 sha1_update( &sha1, ssl->out_msg + 4, n );
1177 sha1_finish( &sha1, hash );
1178
1179 hashlen = 20;
1180 hash_id = SIG_RSA_SHA1;
1181 }
1182 else if( ssl->handshake->sig_alg == SSL_HASH_MD5 )
1183 {
1184 md5_context md5;
1185
1186 md5_starts( &md5 );
1187 md5_update( &md5, ssl->handshake->randbytes, 64 );
1188 md5_update( &md5, ssl->out_msg + 4, n );
1189 md5_finish( &md5, hash );
1190
1191 hashlen = 16;
1192 hash_id = SIG_RSA_MD5;
1193 }
1194 }
1195
1196 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
1197
1198 if ( ssl->rsa_key )
1199 rsa_key_len = ssl->rsa_key_len( ssl->rsa_key );
1200
1201 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1202 {
1203 ssl->out_msg[4 + n] = ssl->handshake->sig_alg;
1204 ssl->out_msg[5 + n] = SSL_SIG_RSA;
1205
1206 n += 2;
1207 }
1208
1209 ssl->out_msg[4 + n] = (unsigned char)( rsa_key_len >> 8 );
1210 ssl->out_msg[5 + n] = (unsigned char)( rsa_key_len );
1211
1212 if ( ssl->rsa_key )
1213 {
1214 ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
1215 RSA_PRIVATE,
1216 hash_id, hashlen, hash,
1217 ssl->out_msg + 6 + n );
1218 }
1219
1220 if( ret != 0 )
1221 {
1222 SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
1223 return( ret );
1224 }
1225
1226 SSL_DEBUG_BUF( 3, "my RSA sig", ssl->out_msg + 6 + n, rsa_key_len );
1227
1228 ssl->out_msglen = 6 + n + rsa_key_len;
1229 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1230 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE;
1231
1232 ssl->state++;
1233
1234 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1235 {
1236 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1237 return( ret );
1238 }
1239
1240 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
1241
1242 return( 0 );
1243 #endif
1244 }
1245
1246 static int ssl_write_server_hello_done( ssl_context *ssl )
1247 {
1248 int ret;
1249
1250 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
1251
1252 ssl->out_msglen = 4;
1253 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1254 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE;
1255
1256 ssl->state++;
1257
1258 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1259 {
1260 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1261 return( ret );
1262 }
1263
1264 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
1265
1266 return( 0 );
1267 }
1268
1269 static int ssl_parse_client_key_exchange( ssl_context *ssl )
1270 {
1271 int ret;
1272 size_t i, n = 0;
1273
1274 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
1275
1276 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1277 {
1278 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1279 return( ret );
1280 }
1281
1282 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1283 {
1284 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
1285 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
1286 }
1287
1288 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
1289 {
1290 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
1291 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
1292 }
1293
1294 if( ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_DES_CBC_SHA ||
1295 ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA ||
1296 ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_128_CBC_SHA ||
1297 ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_256_CBC_SHA ||
1298 ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 ||
1299 ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 ||
1300 ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA ||
1301 ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA ||
1302 ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ||
1303 ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 ||
1304 ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 ||
1305 ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 )
1306 {
1307 #if !defined(POLARSSL_DHM_C)
1308 SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) );
1309 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
1310 #else
1311 /*
1312 * Receive G^Y mod P, premaster = (G^Y)^X mod P
1313 */
1314 n = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
1315
1316 if( n < 1 || n > ssl->handshake->dhm_ctx.len ||
1317 n + 6 != ssl->in_hslen )
1318 {
1319 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
1320 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
1321 }
1322
1323 if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx,
1324 ssl->in_msg + 6, n ) ) != 0 )
1325 {
1326 SSL_DEBUG_RET( 1, "dhm_read_public", ret );
1327 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_RP );
1328 }
1329
1330 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
1331
1332 ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
1333
1334 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
1335 ssl->handshake->premaster,
1336 &ssl->handshake->pmslen ) ) != 0 )
1337 {
1338 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
1339 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_CS );
1340 }
1341
1342 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
1343 #endif
1344 }
1345 else
1346 {
1347 if( ssl->rsa_key == NULL )
1348 {
1349 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
1350 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
1351 }
1352
1353 /*
1354 * Decrypt the premaster using own private RSA key
1355 */
1356 i = 4;
1357 if( ssl->rsa_key )
1358 n = ssl->rsa_key_len( ssl->rsa_key );
1359 ssl->handshake->pmslen = 48;
1360
1361 if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
1362 {
1363 i += 2;
1364 if( ssl->in_msg[4] != ( ( n >> 8 ) & 0xFF ) ||
1365 ssl->in_msg[5] != ( ( n ) & 0xFF ) )
1366 {
1367 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
1368 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
1369 }
1370 }
1371
1372 if( ssl->in_hslen != i + n )
1373 {
1374 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
1375 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
1376 }
1377
1378 if( ssl->rsa_key ) {
1379 ret = ssl->rsa_decrypt( ssl->rsa_key, RSA_PRIVATE,
1380 &ssl->handshake->pmslen,
1381 ssl->in_msg + i,
1382 ssl->handshake->premaster,
1383 sizeof(ssl->handshake->premaster) );
1384 }
1385
1386 if( ret != 0 || ssl->handshake->pmslen != 48 ||
1387 ssl->handshake->premaster[0] != ssl->max_major_ver ||
1388 ssl->handshake->premaster[1] != ssl->max_minor_ver )
1389 {
1390 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
1391
1392 /*
1393 * Protection against Bleichenbacher's attack:
1394 * invalid PKCS#1 v1.5 padding must not cause
1395 * the connection to end immediately; instead,
1396 * send a bad_record_mac later in the handshake.
1397 */
1398 ssl->handshake->pmslen = 48;
1399
1400 ret = ssl->f_rng( ssl->p_rng, ssl->handshake->premaster,
1401 ssl->handshake->pmslen );
1402 if( ret != 0 )
1403 return( ret );
1404 }
1405 }
1406
1407 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1408 {
1409 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1410 return( ret );
1411 }
1412
1413 ssl->state++;
1414
1415 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
1416
1417 return( 0 );
1418 }
1419
1420 static int ssl_parse_certificate_verify( ssl_context *ssl )
1421 {
1422 int ret;
1423 size_t n = 0, n1, n2;
1424 unsigned char hash[48];
1425 int hash_id;
1426 unsigned int hashlen;
1427
1428 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
1429
1430 if( ssl->session_negotiate->peer_cert == NULL )
1431 {
1432 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
1433 ssl->state++;
1434 return( 0 );
1435 }
1436
1437 ssl->handshake->calc_verify( ssl, hash );
1438
1439 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1440 {
1441 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1442 return( ret );
1443 }
1444
1445 ssl->state++;
1446
1447 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1448 {
1449 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
1450 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
1451 }
1452
1453 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
1454 {
1455 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
1456 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
1457 }
1458
1459 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1460 {
1461 /*
1462 * As server we know we either have SSL_HASH_SHA384 or
1463 * SSL_HASH_SHA256
1464 */
1465 if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg ||
1466 ssl->in_msg[5] != SSL_SIG_RSA )
1467 {
1468 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg for verify message" ) );
1469 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
1470 }
1471
1472 if( ssl->handshake->verify_sig_alg == SSL_HASH_SHA384 )
1473 {
1474 hashlen = 48;
1475 hash_id = SIG_RSA_SHA384;
1476 }
1477 else
1478 {
1479 hashlen = 32;
1480 hash_id = SIG_RSA_SHA256;
1481 }
1482
1483 n += 2;
1484 }
1485 else
1486 {
1487 hashlen = 36;
1488 hash_id = SIG_RSA_RAW;
1489 }
1490
1491 n1 = ssl->session_negotiate->peer_cert->rsa.len;
1492 n2 = ( ssl->in_msg[4 + n] << 8 ) | ssl->in_msg[5 + n];
1493
1494 if( n + n1 + 6 != ssl->in_hslen || n1 != n2 )
1495 {
1496 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
1497 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
1498 }
1499
1500 ret = rsa_pkcs1_verify( &ssl->session_negotiate->peer_cert->rsa, RSA_PUBLIC,
1501 hash_id, hashlen, hash, ssl->in_msg + 6 + n );
1502 if( ret != 0 )
1503 {
1504 SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
1505 return( ret );
1506 }
1507
1508 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
1509
1510 return( 0 );
1511 }
1512
1513 /*
1514 * SSL handshake -- server side -- single step
1515 */
1516 int ssl_handshake_server_step( ssl_context *ssl )
1517 {
1518 int ret = 0;
1519
1520 if( ssl->state == SSL_HANDSHAKE_OVER )
1521 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
1522
1523 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
1524
1525 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1526 return( ret );
1527
1528 switch( ssl->state )
1529 {
1530 case SSL_HELLO_REQUEST:
1531 ssl->state = SSL_CLIENT_HELLO;
1532 break;
1533
1534 /*
1535 * <== ClientHello
1536 */
1537 case SSL_CLIENT_HELLO:
1538 ret = ssl_parse_client_hello( ssl );
1539 break;
1540
1541 /*
1542 * ==> ServerHello
1543 * Certificate
1544 * ( ServerKeyExchange )
1545 * ( CertificateRequest )
1546 * ServerHelloDone
1547 */
1548 case SSL_SERVER_HELLO:
1549 ret = ssl_write_server_hello( ssl );
1550 break;
1551
1552 case SSL_SERVER_CERTIFICATE:
1553 ret = ssl_write_certificate( ssl );
1554 break;
1555
1556 case SSL_SERVER_KEY_EXCHANGE:
1557 ret = ssl_write_server_key_exchange( ssl );
1558 break;
1559
1560 case SSL_CERTIFICATE_REQUEST:
1561 ret = ssl_write_certificate_request( ssl );
1562 break;
1563
1564 case SSL_SERVER_HELLO_DONE:
1565 ret = ssl_write_server_hello_done( ssl );
1566 break;
1567
1568 /*
1569 * <== ( Certificate/Alert )
1570 * ClientKeyExchange
1571 * ( CertificateVerify )
1572 * ChangeCipherSpec
1573 * Finished
1574 */
1575 case SSL_CLIENT_CERTIFICATE:
1576 ret = ssl_parse_certificate( ssl );
1577 break;
1578
1579 case SSL_CLIENT_KEY_EXCHANGE:
1580 ret = ssl_parse_client_key_exchange( ssl );
1581 break;
1582
1583 case SSL_CERTIFICATE_VERIFY:
1584 ret = ssl_parse_certificate_verify( ssl );
1585 break;
1586
1587 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
1588 ret = ssl_parse_change_cipher_spec( ssl );
1589 break;
1590
1591 case SSL_CLIENT_FINISHED:
1592 ret = ssl_parse_finished( ssl );
1593 break;
1594
1595 /*
1596 * ==> ChangeCipherSpec
1597 * Finished
1598 */
1599 case SSL_SERVER_CHANGE_CIPHER_SPEC:
1600 ret = ssl_write_change_cipher_spec( ssl );
1601 break;
1602
1603 case SSL_SERVER_FINISHED:
1604 ret = ssl_write_finished( ssl );
1605 break;
1606
1607 case SSL_FLUSH_BUFFERS:
1608 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
1609 ssl->state = SSL_HANDSHAKE_WRAPUP;
1610 break;
1611
1612 case SSL_HANDSHAKE_WRAPUP:
1613 ssl_handshake_wrapup( ssl );
1614 break;
1615
1616 default:
1617 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
1618 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
1619 }
1620
1621 return( ret );
1622 }
1623 #endif
per-site certificate generator for PolarSSL