PolarSSL v1.2.12
ssl_srv.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 server-side functions
3  *
4  * Copyright (C) 2006-2012, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 #include "polarssl/config.h"
27 
28 #if defined(POLARSSL_SSL_SRV_C)
29 
30 #include "polarssl/debug.h"
31 #include "polarssl/ssl.h"
32 
33 #include <stdlib.h>
34 #include <stdio.h>
35 #include <time.h>
36 
37 static int ssl_parse_servername_ext( ssl_context *ssl,
38  const unsigned char *buf,
39  size_t len )
40 {
41  int ret;
42  size_t servername_list_size, hostname_len;
43  const unsigned char *p;
44 
45  servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
46  if( servername_list_size + 2 != len )
47  {
48  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
50  }
51 
52  p = buf + 2;
53  while( servername_list_size > 0 )
54  {
55  hostname_len = ( ( p[1] << 8 ) | p[2] );
56  if( hostname_len + 3 > servername_list_size )
57  {
58  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
60  }
61 
62  if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
63  {
64  ret = ssl->f_sni( ssl->p_sni, ssl, p + 3, hostname_len );
65  if( ret != 0 )
66  {
70  }
71  return( 0 );
72  }
73 
74  servername_list_size -= hostname_len + 3;
75  p += hostname_len + 3;
76  }
77 
78  if( servername_list_size != 0 )
79  {
80  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
82  }
83 
84  return( 0 );
85 }
86 
87 static int ssl_parse_renegotiation_info( ssl_context *ssl,
88  const unsigned char *buf,
89  size_t len )
90 {
91  int ret;
92 
94  {
95  if( len != 1 || buf[0] != 0x0 )
96  {
97  SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
98 
99  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
100  return( ret );
101 
103  }
104 
106  }
107  else
108  {
109  /* Check verify-data in constant-time. The length OTOH is no secret */
110  if( len != 1 + ssl->verify_data_len ||
111  buf[0] != ssl->verify_data_len ||
112  safer_memcmp( buf + 1, ssl->peer_verify_data,
113  ssl->verify_data_len ) != 0 )
114  {
115  SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
116 
117  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
118  return( ret );
119 
121  }
122  }
123 
124  return( 0 );
125 }
126 
127 static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
128  const unsigned char *buf,
129  size_t len )
130 {
131  size_t sig_alg_list_size;
132  const unsigned char *p;
133 
134  sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
135  if( sig_alg_list_size + 2 != len ||
136  sig_alg_list_size %2 != 0 )
137  {
138  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
140  }
141 
142  p = buf + 2;
143  while( sig_alg_list_size > 0 )
144  {
145  if( p[1] != SSL_SIG_RSA )
146  {
147  sig_alg_list_size -= 2;
148  p += 2;
149  continue;
150  }
151 #if defined(POLARSSL_SHA4_C)
152  if( p[0] == SSL_HASH_SHA512 )
153  {
155  break;
156  }
157  if( p[0] == SSL_HASH_SHA384 )
158  {
160  break;
161  }
162 #endif
163 #if defined(POLARSSL_SHA2_C)
164  if( p[0] == SSL_HASH_SHA256 )
165  {
167  break;
168  }
169  if( p[0] == SSL_HASH_SHA224 )
170  {
172  break;
173  }
174 #endif
175  if( p[0] == SSL_HASH_SHA1 )
176  {
178  break;
179  }
180  if( p[0] == SSL_HASH_MD5 )
181  {
183  break;
184  }
185 
186  sig_alg_list_size -= 2;
187  p += 2;
188  }
189 
190  SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
191  ssl->handshake->sig_alg ) );
192 
193  return( 0 );
194 }
195 
196 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
197 static int ssl_parse_client_hello_v2( ssl_context *ssl )
198 {
199  int ret;
200  unsigned int i, j;
201  size_t n;
202  unsigned int ciph_len, sess_len, chal_len;
203  unsigned char *buf, *p;
204 
205  SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
206 
208  {
209  SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
210 
211  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
212  return( ret );
213 
215  }
216 
217  buf = ssl->in_hdr;
218 
219  SSL_DEBUG_BUF( 4, "record header", buf, 5 );
220 
221  SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
222  buf[2] ) );
223  SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
224  ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
225  SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
226  buf[3], buf[4] ) );
227 
228  /*
229  * SSLv2 Client Hello
230  *
231  * Record layer:
232  * 0 . 1 message length
233  *
234  * SSL layer:
235  * 2 . 2 message type
236  * 3 . 4 protocol version
237  */
238  if( buf[2] != SSL_HS_CLIENT_HELLO ||
239  buf[3] != SSL_MAJOR_VERSION_3 )
240  {
241  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
243  }
244 
245  n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
246 
247  if( n < 17 || n > 512 )
248  {
249  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
251  }
252 
254  ssl->minor_ver = ( buf[4] <= SSL_MINOR_VERSION_3 )
255  ? buf[4] : SSL_MINOR_VERSION_3;
256 
257  if( ssl->minor_ver < ssl->min_minor_ver )
258  {
259  SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
260  " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
261  ssl->min_major_ver, ssl->min_minor_ver ) );
262 
266  }
267 
268  ssl->max_major_ver = buf[3];
269  ssl->max_minor_ver = buf[4];
270 
271  if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
272  {
273  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
274  return( ret );
275  }
276 
277  ssl->handshake->update_checksum( ssl, buf + 2, n );
278 
279  buf = ssl->in_msg;
280  n = ssl->in_left - 5;
281 
282  /*
283  * 0 . 1 ciphersuitelist length
284  * 2 . 3 session id length
285  * 4 . 5 challenge length
286  * 6 . .. ciphersuitelist
287  * .. . .. session id
288  * .. . .. challenge
289  */
290  SSL_DEBUG_BUF( 4, "record contents", buf, n );
291 
292  ciph_len = ( buf[0] << 8 ) | buf[1];
293  sess_len = ( buf[2] << 8 ) | buf[3];
294  chal_len = ( buf[4] << 8 ) | buf[5];
295 
296  SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
297  ciph_len, sess_len, chal_len ) );
298 
299  /*
300  * Make sure each parameter length is valid
301  */
302  if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
303  {
304  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
306  }
307 
308  if( sess_len > 32 )
309  {
310  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
312  }
313 
314  if( chal_len < 8 || chal_len > 32 )
315  {
316  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
318  }
319 
320  if( n != 6 + ciph_len + sess_len + chal_len )
321  {
322  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
324  }
325 
326  SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
327  buf + 6, ciph_len );
328  SSL_DEBUG_BUF( 3, "client hello, session id",
329  buf + 6 + ciph_len, sess_len );
330  SSL_DEBUG_BUF( 3, "client hello, challenge",
331  buf + 6 + ciph_len + sess_len, chal_len );
332 
333  p = buf + 6 + ciph_len;
334  ssl->session_negotiate->length = sess_len;
335  memset( ssl->session_negotiate->id, 0, sizeof( ssl->session_negotiate->id ) );
336  memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
337 
338  p += sess_len;
339  memset( ssl->handshake->randbytes, 0, 64 );
340  memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
341 
342  /*
343  * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
344  */
345  for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
346  {
347  if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
348  {
349  SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
350  if( ssl->renegotiation == SSL_RENEGOTIATION )
351  {
352  SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
353 
354  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
355  return( ret );
356 
358  }
360  break;
361  }
362  }
363 
364  for( i = 0; ssl->ciphersuites[ssl->minor_ver][i] != 0; i++ )
365  {
366  for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
367  {
368  if( p[0] == 0 &&
369  p[1] == 0 &&
370  p[2] == ssl->ciphersuites[ssl->minor_ver][i] )
371  goto have_ciphersuite_v2;
372  }
373  }
374 
375  SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
376 
378 
379 have_ciphersuite_v2:
380  ssl->session_negotiate->ciphersuite = ssl->ciphersuites[ssl->minor_ver][i];
382 
383  /*
384  * SSLv2 Client Hello relevant renegotiation security checks
385  */
388  {
389  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
390 
391  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
392  return( ret );
393 
395  }
396 
397  ssl->in_left = 0;
398  ssl->state++;
399 
400  SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
401 
402  return( 0 );
403 }
404 #endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
405 
406 static int ssl_parse_client_hello( ssl_context *ssl )
407 {
408  int ret;
409  unsigned int i, j;
410  size_t n;
411  unsigned int ciph_len, sess_len;
412  unsigned int comp_len;
413  unsigned int ext_len = 0;
414  unsigned char *buf, *p, *ext;
415  int renegotiation_info_seen = 0;
416  int handshake_failure = 0;
417 
418  SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
419 
420  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
421  ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
422  {
423  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
424  return( ret );
425  }
426 
427  buf = ssl->in_hdr;
428 
429 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
430  if( ( buf[0] & 0x80 ) != 0 )
431  return ssl_parse_client_hello_v2( ssl );
432 #endif
433 
434  SSL_DEBUG_BUF( 4, "record header", buf, 5 );
435 
436  SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
437  buf[0] ) );
438  SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
439  ( buf[3] << 8 ) | buf[4] ) );
440  SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
441  buf[1], buf[2] ) );
442 
443  /*
444  * SSLv3/TLS Client Hello
445  *
446  * Record layer:
447  * 0 . 0 message type
448  * 1 . 2 protocol version
449  * 3 . 4 message length
450  */
451 
452  /* According to RFC 5246 Appendix E.1, the version here is typically
453  * "{03,00}, the lowest version number supported by the client, [or] the
454  * value of ClientHello.client_version", so the only meaningful check here
455  * is the major version shouldn't be less than 3 */
456  if( buf[0] != SSL_MSG_HANDSHAKE ||
457  buf[1] < SSL_MAJOR_VERSION_3 )
458  {
459  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
461  }
462 
463  n = ( buf[3] << 8 ) | buf[4];
464 
465  if( n < 45 || n > 512 )
466  {
467  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
469  }
470 
471  if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
472  ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
473  {
474  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
475  return( ret );
476  }
477 
478  buf = ssl->in_msg;
479  if( !ssl->renegotiation )
480  n = ssl->in_left - 5;
481  else
482  n = ssl->in_msglen;
483 
484  ssl->handshake->update_checksum( ssl, buf, n );
485 
486  /*
487  * SSL layer:
488  * 0 . 0 handshake type
489  * 1 . 3 handshake length
490  * 4 . 5 protocol version
491  * 6 . 9 UNIX time()
492  * 10 . 37 random bytes
493  * 38 . 38 session id length
494  * 39 . 38+x session id
495  * 39+x . 40+x ciphersuitelist length
496  * 41+x . 40+y ciphersuitelist
497  * 41+y . 41+y compression alg length
498  * 42+y . 41+z compression algs
499  * .. . .. extensions
500  */
501  SSL_DEBUG_BUF( 4, "record contents", buf, n );
502 
503  SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
504  buf[0] ) );
505  SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
506  ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
507  SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
508  buf[4], buf[5] ) );
509 
510  /*
511  * Check the handshake type and protocol version
512  */
513  if( buf[0] != SSL_HS_CLIENT_HELLO )
514  {
515  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
517  }
518 
519  ssl->major_ver = buf[4];
520  ssl->minor_ver = buf[5];
521 
522  ssl->max_major_ver = ssl->major_ver;
523  ssl->max_minor_ver = ssl->minor_ver;
524 
525  if( ssl->major_ver < ssl->min_major_ver ||
526  ssl->minor_ver < ssl->min_minor_ver )
527  {
528  SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
529  " [%d:%d] < [%d:%d]",
530  ssl->major_ver, ssl->minor_ver,
531  ssl->min_major_ver, ssl->min_minor_ver ) );
532 
535 
537  }
538 
539  if( ssl->major_ver > ssl->max_major_ver )
540  {
541  ssl->major_ver = ssl->max_major_ver;
542  ssl->minor_ver = ssl->max_minor_ver;
543  }
544  else if( ssl->minor_ver > ssl->max_minor_ver )
545  ssl->minor_ver = ssl->max_minor_ver;
546 
547  memcpy( ssl->handshake->randbytes, buf + 6, 32 );
548 
549  /*
550  * Check the handshake message length
551  */
552  if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
553  {
554  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
556  }
557 
558  /*
559  * Check the session length
560  */
561  sess_len = buf[38];
562 
563  if( sess_len > 32 || sess_len > n - 42 )
564  {
565  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
567  }
568 
569  ssl->session_negotiate->length = sess_len;
570  memset( ssl->session_negotiate->id, 0,
571  sizeof( ssl->session_negotiate->id ) );
572  memcpy( ssl->session_negotiate->id, buf + 39,
573  ssl->session_negotiate->length );
574 
575  /*
576  * Check the ciphersuitelist length
577  */
578  ciph_len = ( buf[39 + sess_len] << 8 )
579  | ( buf[40 + sess_len] );
580 
581  if( ciph_len < 2 || ( ciph_len % 2 ) != 0 || ciph_len > n - 42 - sess_len )
582  {
583  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
585  }
586 
587  /*
588  * Check the compression algorithms length
589  */
590  comp_len = buf[41 + sess_len + ciph_len];
591 
592  if( comp_len < 1 || comp_len > 16 ||
593  comp_len > n - 42 - sess_len - ciph_len )
594  {
595  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
597  }
598 
599  /*
600  * Check the extension length
601  */
602  if( n > 42 + sess_len + ciph_len + comp_len )
603  {
604  ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
605  | ( buf[43 + sess_len + ciph_len + comp_len] );
606 
607  if( ( ext_len > 0 && ext_len < 4 ) ||
608  n != 44 + sess_len + ciph_len + comp_len + ext_len )
609  {
610  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
611  SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
613  }
614  }
615 
617 #if defined(POLARSSL_ZLIB_SUPPORT)
618  for( i = 0; i < comp_len; ++i )
619  {
620  if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
621  {
623  break;
624  }
625  }
626 #endif
627 
628  SSL_DEBUG_BUF( 3, "client hello, random bytes",
629  buf + 6, 32 );
630  SSL_DEBUG_BUF( 3, "client hello, session id",
631  buf + 38, sess_len );
632  SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
633  buf + 41 + sess_len, ciph_len );
634  SSL_DEBUG_BUF( 3, "client hello, compression",
635  buf + 42 + sess_len + ciph_len, comp_len );
636 
637  /*
638  * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
639  */
640  for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
641  {
642  if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
643  {
644  SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
645  if( ssl->renegotiation == SSL_RENEGOTIATION )
646  {
647  SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
648 
649  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
650  return( ret );
651 
653  }
655  break;
656  }
657  }
658 
659  /*
660  * Search for a matching ciphersuite
661  */
662  for( i = 0; ssl->ciphersuites[ssl->minor_ver][i] != 0; i++ )
663  {
664  for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
665  j += 2, p += 2 )
666  {
667  if( p[0] == 0 && p[1] == ssl->ciphersuites[ssl->minor_ver][i] &&
669  goto have_ciphersuite;
670  }
671  }
672 
673  SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
674 
676 
677 have_ciphersuite:
678  ssl->session_negotiate->ciphersuite = ssl->ciphersuites[ssl->minor_ver][i];
680 
681  ext = buf + 44 + sess_len + ciph_len + comp_len;
682 
683  while( ext_len )
684  {
685  unsigned int ext_id = ( ( ext[0] << 8 )
686  | ( ext[1] ) );
687  unsigned int ext_size = ( ( ext[2] << 8 )
688  | ( ext[3] ) );
689 
690  if( ext_size + 4 > ext_len )
691  {
692  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
694  }
695  switch( ext_id )
696  {
697  case TLS_EXT_SERVERNAME:
698  SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
699  if( ssl->f_sni == NULL )
700  break;
701 
702  ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
703  if( ret != 0 )
704  return( ret );
705  break;
706 
708  SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
709  renegotiation_info_seen = 1;
710 
711  ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
712  if( ret != 0 )
713  return( ret );
714  break;
715 
716  case TLS_EXT_SIG_ALG:
717  SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
718  if( ssl->renegotiation == SSL_RENEGOTIATION )
719  break;
720 
721  ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
722  if( ret != 0 )
723  return( ret );
724  break;
725 
726  default:
727  SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
728  ext_id ) );
729  }
730 
731  ext_len -= 4 + ext_size;
732  ext += 4 + ext_size;
733 
734  if( ext_len > 0 && ext_len < 4 )
735  {
736  SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
738  }
739  }
740 
741  /*
742  * Renegotiation security checks
743  */
746  {
747  SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
748  handshake_failure = 1;
749  }
750  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
752  renegotiation_info_seen == 0 )
753  {
754  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
755  handshake_failure = 1;
756  }
757  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
760  {
761  SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
762  handshake_failure = 1;
763  }
764  else if( ssl->renegotiation == SSL_RENEGOTIATION &&
766  renegotiation_info_seen == 1 )
767  {
768  SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
769  handshake_failure = 1;
770  }
771 
772  if( handshake_failure == 1 )
773  {
774  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
775  return( ret );
776 
778  }
779 
780  ssl->in_left = 0;
781  ssl->state++;
782 
783  SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
784 
785  return( 0 );
786 }
787 
788 static int ssl_write_server_hello( ssl_context *ssl )
789 {
790  time_t t;
791  int ret, n;
792  size_t ext_len = 0;
793  unsigned char *buf, *p;
794 
795  SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
796 
797  if( ssl->f_rng == NULL )
798  {
799  SSL_DEBUG_MSG( 1, ( "no RNG provided") );
800  return( POLARSSL_ERR_SSL_NO_RNG );
801  }
802 
803  /*
804  * 0 . 0 handshake type
805  * 1 . 3 handshake length
806  * 4 . 5 protocol version
807  * 6 . 9 UNIX time()
808  * 10 . 37 random bytes
809  */
810  buf = ssl->out_msg;
811  p = buf + 4;
812 
813  *p++ = (unsigned char) ssl->major_ver;
814  *p++ = (unsigned char) ssl->minor_ver;
815 
816  SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
817  buf[4], buf[5] ) );
818 
819  t = time( NULL );
820  *p++ = (unsigned char)( t >> 24 );
821  *p++ = (unsigned char)( t >> 16 );
822  *p++ = (unsigned char)( t >> 8 );
823  *p++ = (unsigned char)( t );
824 
825  SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
826 
827  if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
828  return( ret );
829 
830  p += 28;
831 
832  memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
833 
834  SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
835 
836  /*
837  * 38 . 38 session id length
838  * 39 . 38+n session id
839  * 39+n . 40+n chosen ciphersuite
840  * 41+n . 41+n chosen compression alg.
841  */
842  ssl->session_negotiate->length = n = 32;
843  *p++ = (unsigned char) ssl->session_negotiate->length;
844 
845  if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
846  ssl->f_get_cache == NULL ||
847  ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) != 0 )
848  {
849  /*
850  * Not found, create a new session id
851  */
852  ssl->handshake->resume = 0;
853  ssl->state++;
854 
855  if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
856  n ) ) != 0 )
857  return( ret );
858  }
859  else
860  {
861  /*
862  * Found a matching session, resuming it
863  */
864  ssl->handshake->resume = 1;
866 
867  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
868  {
869  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
870  return( ret );
871  }
872  }
873 
874  memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
875  p += ssl->session_negotiate->length;
876 
877  SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
878  SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
879  SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
880  ssl->handshake->resume ? "a" : "no" ) );
881 
882  *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
883  *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
884  *p++ = (unsigned char)( ssl->session_negotiate->compression );
885 
886  SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d",
887  ssl->session_negotiate->ciphersuite ) );
888  SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
889  ssl->session_negotiate->compression ) );
890 
892  {
893  SSL_DEBUG_MSG( 3, ( "server hello, prepping for secure renegotiation extension" ) );
894  ext_len += 5 + ssl->verify_data_len * 2;
895 
896  SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d",
897  ext_len ) );
898 
899  *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
900  *p++ = (unsigned char)( ( ext_len ) & 0xFF );
901 
902  /*
903  * Secure renegotiation
904  */
905  SSL_DEBUG_MSG( 3, ( "client hello, secure renegotiation extension" ) );
906 
907  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
908  *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
909 
910  *p++ = 0x00;
911  *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
912  *p++ = ssl->verify_data_len * 2 & 0xFF;
913 
914  memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
915  p += ssl->verify_data_len;
916  memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
917  p += ssl->verify_data_len;
918  }
919 
920  ssl->out_msglen = p - buf;
922  ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
923 
924  ret = ssl_write_record( ssl );
925 
926  SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
927 
928  return( ret );
929 }
930 
931 static int ssl_write_certificate_request( ssl_context *ssl )
932 {
933  int ret;
934  size_t n = 0, dn_size, total_dn_size;
935  unsigned char *buf, *p;
936  const x509_cert *crt;
937 
938  SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
939 
940  ssl->state++;
941 
942  if( ssl->authmode == SSL_VERIFY_NONE )
943  {
944  SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
945  return( 0 );
946  }
947 
948  /*
949  * 0 . 0 handshake type
950  * 1 . 3 handshake length
951  * 4 . 4 cert type count
952  * 5 .. m-1 cert types
953  * m .. m+1 sig alg length (TLS 1.2 only)
954  * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
955  * n .. n+1 length of all DNs
956  * n+2 .. n+3 length of DN 1
957  * n+4 .. ... Distinguished Name #1
958  * ... .. ... length of DN 2, etc.
959  */
960  buf = ssl->out_msg;
961  p = buf + 4;
962 
963  /*
964  * At the moment, only RSA certificates are supported
965  */
966  *p++ = 1;
967  *p++ = SSL_CERT_TYPE_RSA_SIGN;
968 
969  /*
970  * Add signature_algorithms for verify (TLS 1.2)
971  * Only add current running algorithm that is already required for
972  * requested ciphersuite.
973  *
974  * Length is always 2
975  */
976  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
977  {
979 
980  *p++ = 0;
981  *p++ = 2;
982 
985  {
987  }
988 
989  *p++ = ssl->handshake->verify_sig_alg;
990  *p++ = SSL_SIG_RSA;
991 
992  n += 4;
993  }
994 
995  p += 2;
996  crt = ssl->ca_chain;
997 
998  total_dn_size = 0;
999  while( crt != NULL && crt->version != 0)
1000  {
1001  if( p - buf > 4096 )
1002  break;
1003 
1004  dn_size = crt->subject_raw.len;
1005  *p++ = (unsigned char)( dn_size >> 8 );
1006  *p++ = (unsigned char)( dn_size );
1007  memcpy( p, crt->subject_raw.p, dn_size );
1008  p += dn_size;
1009 
1010  SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
1011 
1012  total_dn_size += 2 + dn_size;
1013  crt = crt->next;
1014  }
1015 
1016  ssl->out_msglen = p - buf;
1019  ssl->out_msg[6 + n] = (unsigned char)( total_dn_size >> 8 );
1020  ssl->out_msg[7 + n] = (unsigned char)( total_dn_size );
1021 
1022  ret = ssl_write_record( ssl );
1023 
1024  SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
1025 
1026  return( ret );
1027 }
1028 
1029 static int ssl_write_server_key_exchange( ssl_context *ssl )
1030 {
1031 #if defined(POLARSSL_DHM_C)
1032  int ret;
1033  size_t n, rsa_key_len = 0;
1034  unsigned char hash[64];
1035  int hash_id = 0;
1036  unsigned int hashlen = 0;
1037 #endif
1038 
1039  SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
1040 
1053  {
1054  SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
1055  ssl->state++;
1056  return( 0 );
1057  }
1058 
1059 #if !defined(POLARSSL_DHM_C)
1060  SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) );
1062 #else
1063 
1064  if( ssl->rsa_key == NULL )
1065  {
1066  SSL_DEBUG_MSG( 1, ( "got no private key" ) );
1068  }
1069 
1070  /*
1071  * Ephemeral DH parameters:
1072  *
1073  * struct {
1074  * opaque dh_p<1..2^16-1>;
1075  * opaque dh_g<1..2^16-1>;
1076  * opaque dh_Ys<1..2^16-1>;
1077  * } ServerDHParams;
1078  */
1079  if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
1080  ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
1081  {
1082  SSL_DEBUG_RET( 1, "mpi_copy", ret );
1083  return( ret );
1084  }
1085 
1086  if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
1087  mpi_size( &ssl->handshake->dhm_ctx.P ),
1088  ssl->out_msg + 4,
1089  &n, ssl->f_rng, ssl->p_rng ) ) != 0 )
1090  {
1091  SSL_DEBUG_RET( 1, "dhm_make_params", ret );
1092  return( ret );
1093  }
1094 
1095  SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
1096  SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1097  SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1098  SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
1099 
1100  if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
1101  {
1102  md5_context md5;
1104 
1105  /*
1106  * digitally-signed struct {
1107  * opaque md5_hash[16];
1108  * opaque sha_hash[20];
1109  * };
1110  *
1111  * md5_hash
1112  * MD5(ClientHello.random + ServerHello.random
1113  * + ServerParams);
1114  * sha_hash
1115  * SHA(ClientHello.random + ServerHello.random
1116  * + ServerParams);
1117  */
1118  md5_starts( &md5 );
1119  md5_update( &md5, ssl->handshake->randbytes, 64 );
1120  md5_update( &md5, ssl->out_msg + 4, n );
1121  md5_finish( &md5, hash );
1122 
1123  sha1_starts( &sha1 );
1124  sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1125  sha1_update( &sha1, ssl->out_msg + 4, n );
1126  sha1_finish( &sha1, hash + 16 );
1127 
1128  hashlen = 36;
1129  hash_id = SIG_RSA_RAW;
1130  }
1131  else
1132  {
1133  /*
1134  * digitally-signed struct {
1135  * opaque client_random[32];
1136  * opaque server_random[32];
1137  * ServerDHParams params;
1138  * };
1139  */
1140 #if defined(POLARSSL_SHA4_C)
1141  if( ssl->handshake->sig_alg == SSL_HASH_SHA512 )
1142  {
1144 
1145  sha4_starts( &sha4, 0 );
1146  sha4_update( &sha4, ssl->handshake->randbytes, 64 );
1147  sha4_update( &sha4, ssl->out_msg + 4, n );
1148  sha4_finish( &sha4, hash );
1149 
1150  hashlen = 64;
1151  hash_id = SIG_RSA_SHA512;
1152  }
1153  else if( ssl->handshake->sig_alg == SSL_HASH_SHA384 )
1154  {
1156 
1157  sha4_starts( &sha4, 1 );
1158  sha4_update( &sha4, ssl->handshake->randbytes, 64 );
1159  sha4_update( &sha4, ssl->out_msg + 4, n );
1160  sha4_finish( &sha4, hash );
1161 
1162  hashlen = 48;
1163  hash_id = SIG_RSA_SHA384;
1164  }
1165  else
1166 #endif
1167 #if defined(POLARSSL_SHA2_C)
1168  if( ssl->handshake->sig_alg == SSL_HASH_SHA256 )
1169  {
1171 
1172  sha2_starts( &sha2, 0 );
1173  sha2_update( &sha2, ssl->handshake->randbytes, 64 );
1174  sha2_update( &sha2, ssl->out_msg + 4, n );
1175  sha2_finish( &sha2, hash );
1176 
1177  hashlen = 32;
1178  hash_id = SIG_RSA_SHA256;
1179  }
1180  else if( ssl->handshake->sig_alg == SSL_HASH_SHA224 )
1181  {
1183 
1184  sha2_starts( &sha2, 1 );
1185  sha2_update( &sha2, ssl->handshake->randbytes, 64 );
1186  sha2_update( &sha2, ssl->out_msg + 4, n );
1187  sha2_finish( &sha2, hash );
1188 
1189  hashlen = 24;
1190  hash_id = SIG_RSA_SHA224;
1191  }
1192  else
1193 #endif
1194  if( ssl->handshake->sig_alg == SSL_HASH_SHA1 )
1195  {
1197 
1198  sha1_starts( &sha1 );
1199  sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1200  sha1_update( &sha1, ssl->out_msg + 4, n );
1201  sha1_finish( &sha1, hash );
1202 
1203  hashlen = 20;
1204  hash_id = SIG_RSA_SHA1;
1205  }
1206  else if( ssl->handshake->sig_alg == SSL_HASH_MD5 )
1207  {
1208  md5_context md5;
1209 
1210  md5_starts( &md5 );
1211  md5_update( &md5, ssl->handshake->randbytes, 64 );
1212  md5_update( &md5, ssl->out_msg + 4, n );
1213  md5_finish( &md5, hash );
1214 
1215  hashlen = 16;
1216  hash_id = SIG_RSA_MD5;
1217  }
1218  }
1219 
1220  SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
1221 
1222  if ( ssl->rsa_key )
1223  rsa_key_len = ssl->rsa_key_len( ssl->rsa_key );
1224 
1225  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1226  {
1227  ssl->out_msg[4 + n] = ssl->handshake->sig_alg;
1228  ssl->out_msg[5 + n] = SSL_SIG_RSA;
1229 
1230  n += 2;
1231  }
1232 
1233  ssl->out_msg[4 + n] = (unsigned char)( rsa_key_len >> 8 );
1234  ssl->out_msg[5 + n] = (unsigned char)( rsa_key_len );
1235 
1236  if ( ssl->rsa_key )
1237  {
1238  ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
1239  RSA_PRIVATE,
1240  hash_id, hashlen, hash,
1241  ssl->out_msg + 6 + n );
1242  }
1243 
1244  if( ret != 0 )
1245  {
1246  SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
1247  return( ret );
1248  }
1249 
1250  SSL_DEBUG_BUF( 3, "my RSA sig", ssl->out_msg + 6 + n, rsa_key_len );
1251 
1252  ssl->out_msglen = 6 + n + rsa_key_len;
1255 
1256  ssl->state++;
1257 
1258  if( ( ret = ssl_write_record( ssl ) ) != 0 )
1259  {
1260  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1261  return( ret );
1262  }
1263 
1264  SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
1265 
1266  return( 0 );
1267 #endif
1268 }
1269 
1270 static int ssl_write_server_hello_done( ssl_context *ssl )
1271 {
1272  int ret;
1273 
1274  SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
1275 
1276  ssl->out_msglen = 4;
1279 
1280  ssl->state++;
1281 
1282  if( ( ret = ssl_write_record( ssl ) ) != 0 )
1283  {
1284  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1285  return( ret );
1286  }
1287 
1288  SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
1289 
1290  return( 0 );
1291 }
1292 
1293 static int ssl_parse_client_key_exchange( ssl_context *ssl )
1294 {
1295  int ret;
1296  size_t i, n = 0;
1297 
1298  SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
1299 
1300  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1301  {
1302  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1303  return( ret );
1304  }
1305 
1306  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1307  {
1308  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
1310  }
1311 
1312  if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
1313  {
1314  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
1316  }
1317 
1330  {
1331 #if !defined(POLARSSL_DHM_C)
1332  SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) );
1334 #else
1335  /*
1336  * Receive G^Y mod P, premaster = (G^Y)^X mod P
1337  */
1338  n = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
1339 
1340  if( n < 1 || n > ssl->handshake->dhm_ctx.len ||
1341  n + 6 != ssl->in_hslen )
1342  {
1343  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
1345  }
1346 
1347  if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx,
1348  ssl->in_msg + 6, n ) ) != 0 )
1349  {
1350  SSL_DEBUG_RET( 1, "dhm_read_public", ret );
1352  }
1353 
1354  SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
1355 
1356  ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
1357 
1358  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
1359  ssl->handshake->premaster,
1360  &ssl->handshake->pmslen ) ) != 0 )
1361  {
1362  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
1364  }
1365 
1366  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
1367 #endif
1368  }
1369  else
1370  {
1371  if( ssl->rsa_key == NULL )
1372  {
1373  SSL_DEBUG_MSG( 1, ( "got no private key" ) );
1375  }
1376 
1377  /*
1378  * Decrypt the premaster using own private RSA key
1379  */
1380  i = 4;
1381  if( ssl->rsa_key )
1382  n = ssl->rsa_key_len( ssl->rsa_key );
1383  ssl->handshake->pmslen = 48;
1384 
1385  if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
1386  {
1387  i += 2;
1388  if( ssl->in_msg[4] != ( ( n >> 8 ) & 0xFF ) ||
1389  ssl->in_msg[5] != ( ( n ) & 0xFF ) )
1390  {
1391  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
1393  }
1394  }
1395 
1396  if( ssl->in_hslen != i + n )
1397  {
1398  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
1400  }
1401 
1402  if( ssl->rsa_key ) {
1403  ret = ssl->rsa_decrypt( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
1404  RSA_PRIVATE,
1405  &ssl->handshake->pmslen,
1406  ssl->in_msg + i,
1407  ssl->handshake->premaster,
1408  sizeof(ssl->handshake->premaster) );
1409  }
1410 
1411  if( ret != 0 || ssl->handshake->pmslen != 48 ||
1412  ssl->handshake->premaster[0] != ssl->max_major_ver ||
1413  ssl->handshake->premaster[1] != ssl->max_minor_ver )
1414  {
1415  SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
1416 
1417  /*
1418  * Protection against Bleichenbacher's attack:
1419  * invalid PKCS#1 v1.5 padding must not cause
1420  * the connection to end immediately; instead,
1421  * send a bad_record_mac later in the handshake.
1422  */
1423  ssl->handshake->pmslen = 48;
1424 
1425  ret = ssl->f_rng( ssl->p_rng, ssl->handshake->premaster,
1426  ssl->handshake->pmslen );
1427  if( ret != 0 )
1428  return( ret );
1429  }
1430  }
1431 
1432  if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1433  {
1434  SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1435  return( ret );
1436  }
1437 
1438  ssl->state++;
1439 
1440  SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
1441 
1442  return( 0 );
1443 }
1444 
1445 static int ssl_parse_certificate_verify( ssl_context *ssl )
1446 {
1447  int ret;
1448  size_t n = 0, n1, n2;
1449  unsigned char hash[48];
1450  int hash_id;
1451  unsigned int hashlen;
1452 
1453  SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
1454 
1455  if( ssl->session_negotiate->peer_cert == NULL )
1456  {
1457  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
1458  ssl->state++;
1459  return( 0 );
1460  }
1461 
1462  ssl->handshake->calc_verify( ssl, hash );
1463 
1464  if( ( ret = ssl_read_record( ssl ) ) != 0 )
1465  {
1466  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1467  return( ret );
1468  }
1469 
1470  ssl->state++;
1471 
1472  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1473  {
1474  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
1476  }
1477 
1478  if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
1479  {
1480  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
1482  }
1483 
1484  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
1485  {
1486  /*
1487  * As server we know we either have SSL_HASH_SHA384 or
1488  * SSL_HASH_SHA256
1489  */
1490  if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg ||
1491  ssl->in_msg[5] != SSL_SIG_RSA )
1492  {
1493  SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg for verify message" ) );
1495  }
1496 
1498  {
1499  hashlen = 48;
1500  hash_id = SIG_RSA_SHA384;
1501  }
1502  else
1503  {
1504  hashlen = 32;
1505  hash_id = SIG_RSA_SHA256;
1506  }
1507 
1508  n += 2;
1509  }
1510  else
1511  {
1512  hashlen = 36;
1513  hash_id = SIG_RSA_RAW;
1514  }
1515 
1516  n1 = ssl->session_negotiate->peer_cert->rsa.len;
1517  n2 = ( ssl->in_msg[4 + n] << 8 ) | ssl->in_msg[5 + n];
1518 
1519  if( n + n1 + 6 != ssl->in_hslen || n1 != n2 )
1520  {
1521  SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
1523  }
1524 
1526  NULL, NULL, RSA_PUBLIC,
1527  hash_id, hashlen, hash, ssl->in_msg + 6 + n );
1528  if( ret != 0 )
1529  {
1530  SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
1531  return( ret );
1532  }
1533 
1534  SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
1535 
1536  return( 0 );
1537 }
1538 
1539 /*
1540  * SSL handshake -- server side -- single step
1541  */
1543 {
1544  int ret = 0;
1545 
1546  if( ssl->state == SSL_HANDSHAKE_OVER )
1548 
1549  SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
1550 
1551  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1552  return( ret );
1553 
1554  switch( ssl->state )
1555  {
1556  case SSL_HELLO_REQUEST:
1557  ssl->state = SSL_CLIENT_HELLO;
1558  break;
1559 
1560  /*
1561  * <== ClientHello
1562  */
1563  case SSL_CLIENT_HELLO:
1564  ret = ssl_parse_client_hello( ssl );
1565  break;
1566 
1567  /*
1568  * ==> ServerHello
1569  * Certificate
1570  * ( ServerKeyExchange )
1571  * ( CertificateRequest )
1572  * ServerHelloDone
1573  */
1574  case SSL_SERVER_HELLO:
1575  ret = ssl_write_server_hello( ssl );
1576  break;
1577 
1579  ret = ssl_write_certificate( ssl );
1580  break;
1581 
1583  ret = ssl_write_server_key_exchange( ssl );
1584  break;
1585 
1587  ret = ssl_write_certificate_request( ssl );
1588  break;
1589 
1590  case SSL_SERVER_HELLO_DONE:
1591  ret = ssl_write_server_hello_done( ssl );
1592  break;
1593 
1594  /*
1595  * <== ( Certificate/Alert )
1596  * ClientKeyExchange
1597  * ( CertificateVerify )
1598  * ChangeCipherSpec
1599  * Finished
1600  */
1602  ret = ssl_parse_certificate( ssl );
1603  break;
1604 
1606  ret = ssl_parse_client_key_exchange( ssl );
1607  break;
1608 
1610  ret = ssl_parse_certificate_verify( ssl );
1611  break;
1612 
1614  ret = ssl_parse_change_cipher_spec( ssl );
1615  break;
1616 
1617  case SSL_CLIENT_FINISHED:
1618  ret = ssl_parse_finished( ssl );
1619  break;
1620 
1621  /*
1622  * ==> ChangeCipherSpec
1623  * Finished
1624  */
1626  ret = ssl_write_change_cipher_spec( ssl );
1627  break;
1628 
1629  case SSL_SERVER_FINISHED:
1630  ret = ssl_write_finished( ssl );
1631  break;
1632 
1633  case SSL_FLUSH_BUFFERS:
1634  SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
1635  ssl->state = SSL_HANDSHAKE_WRAPUP;
1636  break;
1637 
1638  case SSL_HANDSHAKE_WRAPUP:
1639  ssl_handshake_wrapup( ssl );
1640  break;
1641 
1642  default:
1643  SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
1645  }
1646 
1647  return( ret );
1648 }
1649 #endif