28 #if defined(POLARSSL_SSL_SRV_C)
/*
 * Parse the server_name (SNI) extension payload `buf` of `len` bytes and
 * hand each hostname to the user-supplied ssl->f_sni callback.
 * Wire layout (per the reads below): 2-byte list length, then entries of
 * 1 type byte + 2-byte name length + name bytes.
 * Returns 0 on success, a negative error code otherwise.
 */
37 static int ssl_parse_servername_ext(
ssl_context *ssl,
38 const unsigned char *buf,
42 size_t servername_list_size, hostname_len;
43 const unsigned char *p;
/* 16-bit big-endian list length from buf[0..1].
 * NOTE(review): these two bytes are read before `len` is compared against
 * anything; the caller bounds ext_size against ext_len but a 0- or 1-byte
 * extension payload would still reach this read — confirm the caller
 * rejects ext_size < 2. */
45 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
/* The payload must be exactly the list plus its 2-byte length prefix. */
46 if( servername_list_size + 2 != len )
53 while( servername_list_size > 0 )
/* p[0] is the name type (presumably TLS_EXT_SERVERNAME_HOSTNAME — checked
 * elsewhere); p[1..2] is the big-endian hostname length. */
55 hostname_len = ( ( p[1] << 8 ) | p[2] );
/* Entry header (3 bytes) plus name must fit in the remaining list bytes. */
56 if( hostname_len + 3 > servername_list_size )
/* The callback receives a pointer into the receive buffer and a length —
 * the name is length-delimited, not NUL-terminated (see the f_sni
 * signature). */
64 ret = ssl->
f_sni( ssl->
p_sni, ssl, p + 3, hostname_len );
/* Advance past this entry. */
74 servername_list_size -= hostname_len + 3;
75 p += hostname_len + 3;
/* Any leftover bytes mean the entry lengths did not tile the list. */
78 if( servername_list_size != 0 )
/*
 * Parse the renegotiation_info extension payload `buf` of `len` bytes
 * (RFC 5746 renegotiated_connection field).
 * Returns 0 on success, a negative error code otherwise.
 */
87 static int ssl_parse_renegotiation_info(
ssl_context *ssl,
88 const unsigned char *buf,
/* On an initial handshake the field must be a single zero length byte. */
95 if( len != 1 || buf[0] != 0x0 )
97 SSL_DEBUG_MSG( 1, (
"non-zero length renegotiated connection field" ) );
/* On renegotiation the field is compared against the verify data saved
 * from the previous handshake (presumably peer_verify_data) — the
 * comparison itself is outside this excerpt. */
115 SSL_DEBUG_MSG( 1, (
"non-matching renegotiated connection field" ) );
/*
 * Parse the signature_algorithms extension payload `buf` of `len` bytes:
 * a 2-byte list length followed by 2-byte (hash, signature) pairs.
 * Returns 0 on success, a negative error code otherwise.
 */
127 static int ssl_parse_signature_algorithms_ext(
ssl_context *ssl,
128 const unsigned char *buf,
131 size_t sig_alg_list_size;
132 const unsigned char *p;
/* 16-bit big-endian list length from buf[0..1]; the list must fill the
 * payload exactly and contain whole 2-byte pairs. */
134 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
135 if( sig_alg_list_size + 2 != len ||
136 sig_alg_list_size %2 != 0 )
/* One pair per iteration; the loop body consumes 2 bytes on each of its
 * exit paths (see the two decrements below). */
143 while( sig_alg_list_size > 0 )
147 sig_alg_list_size -= 2;
/* Hash algorithms are only matched when the corresponding digest module
 * is compiled in (the matching code sits inside these #if blocks). */
151 #if defined(POLARSSL_SHA4_C)
163 #if defined(POLARSSL_SHA2_C)
186 sig_alg_list_size -= 2;
190 SSL_DEBUG_MSG( 3, (
"client hello v3, signature_algorithm ext: %d",
196 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
/*
 * Parse an SSLv2-format ClientHello (only compiled in when
 * POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set).
 * Record layout as read below: 2-byte length (high bit is the v2 marker),
 * then three 2-byte lengths (cipher specs, session id, challenge) at
 * buf[0..5], followed by the three variable-length fields in that order.
 * Returns 0 on success, a negative error code otherwise.
 */
197 static int ssl_parse_client_hello_v2(
ssl_context *ssl )
202 unsigned int ciph_len, sess_len, chal_len;
203 unsigned char *buf, *p;
/* A v2 hello is never acceptable once a connection is being renegotiated. */
209 SSL_DEBUG_MSG( 1, (
"client hello v2 illegal for renegotiation" ) );
/* Record length is 15 bits; the top bit of buf[0] is the v2 header flag. */
224 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
225 SSL_DEBUG_MSG( 3, (
"client hello v2, max. version: [%d:%d]",
245 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
/* Bound the record before any field inside it is read. */
247 if( n < 17 || n > 512 )
259 SSL_DEBUG_MSG( 1, (
"client only supports ssl smaller than minimum"
/* The three field lengths, big-endian, at buf[0..5]. */
292 ciph_len = ( buf[0] << 8 ) | buf[1];
293 sess_len = ( buf[2] << 8 ) | buf[3];
294 chal_len = ( buf[4] << 8 ) | buf[5];
296 SSL_DEBUG_MSG( 3, (
"ciph_len: %d, sess_len: %d, chal_len: %d",
297 ciph_len, sess_len, chal_len ) );
/* v2 cipher specs are 3 bytes each. */
302 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
/* Challenge length range enforced here; the session id length is only
 * bounded by the total-length equality below. */
314 if( chal_len < 8 || chal_len > 32 )
/* The three fields must tile the record exactly after the 6 length bytes. */
320 if( n != 6 + ciph_len + sess_len + chal_len )
329 buf + 6 + ciph_len, sess_len );
331 buf + 6 + ciph_len + sess_len, chal_len );
333 p = buf + 6 + ciph_len;
/* First pass over the cipher specs: look for the renegotiation SCSV. */
345 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
349 SSL_DEBUG_MSG( 3, (
"received TLS_EMPTY_RENEGOTIATION_INFO " ) );
/* The SCSV is only legal in an initial handshake. */
352 SSL_DEBUG_MSG( 1, (
"received RENEGOTIATION SCSV during renegotiation" ) );
/* Second pass: pick the first spec the server also supports (server
 * preference order is presumably the outer loop, outside this excerpt). */
366 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
371 goto have_ciphersuite_v2;
/* Renegotiation without the SCSV is refused under the legacy policy. */
389 SSL_DEBUG_MSG( 1, (
"legacy renegotiation, breaking off handshake" ) );
/*
 * Parse a TLS-format ClientHello. Fixed offsets into `buf` as used below:
 * record header at buf[0..4], handshake header at buf[0..3] of the message,
 * session id length at buf[38], session id at buf[39..], then the
 * ciphersuite list, compression methods and optional extensions.
 * Every variable-length field is bounded against `n` (the record length)
 * before it is read. Returns 0 on success, a negative error code otherwise.
 */
406 static int ssl_parse_client_hello(
ssl_context *ssl )
411 unsigned int ciph_len, sess_len;
412 unsigned int comp_len;
413 unsigned int ext_len = 0;
414 unsigned char *buf, *p, *ext;
415 int renegotiation_info_seen = 0;
416 int handshake_failure = 0;
/* A set high bit in the first byte marks an SSLv2-format hello. */
429 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
430 if( ( buf[0] & 0x80 ) != 0 )
431 return ssl_parse_client_hello_v2( ssl );
439 ( buf[3] << 8 ) | buf[4] ) );
440 SSL_DEBUG_MSG( 3, (
"client hello v3, protocol ver: [%d:%d]",
/* Record length from the record header; bounded before any further read. */
463 n = ( buf[3] << 8 ) | buf[4];
465 if( n < 45 || n > 512 )
506 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
507 SSL_DEBUG_MSG( 3, (
"client hello v3, max. version: [%d:%d]",
528 SSL_DEBUG_MSG( 1, (
"client only supports ssl smaller than minimum"
529 " [%d:%d] < [%d:%d]",
/* Handshake header: the 24-bit length must fit in 16 bits (buf[1] == 0)
 * and equal the record length minus the 4-byte handshake header. */
552 if( buf[1] != 0 || n != (
unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
/* Session id: at most 32 bytes and within the message. */
563 if( sess_len > 32 || sess_len > n - 42 )
/* Ciphersuite list length (2 bytes, big-endian) follows the session id;
 * each suite is 2 bytes and the list must fit in the remaining message. */
578 ciph_len = ( buf[39 + sess_len] << 8 )
579 | ( buf[40 + sess_len] );
581 if( ciph_len < 2 || ( ciph_len % 2 ) != 0 || ciph_len > n - 42 - sess_len )
/* Compression methods: 1-byte length, 1..16 entries, within the message. */
590 comp_len = buf[41 + sess_len + ciph_len];
592 if( comp_len < 1 || comp_len > 16 ||
593 comp_len > n - 42 - sess_len - ciph_len )
/* Extensions are optional; if anything follows the compression methods it
 * must be a 2-byte extensions length and the total must match exactly.
 * ext_len in 1..3 cannot hold even one extension header and is rejected. */
602 if( n > 42 + sess_len + ciph_len + comp_len )
604 ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
605 | ( buf[43 + sess_len + ciph_len + comp_len] );
607 if( ( ext_len > 0 && ext_len < 4 ) ||
608 n != 44 + sess_len + ciph_len + comp_len + ext_len )
611 SSL_DEBUG_BUF( 3,
"Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
/* Compression method selection (DEFLATE only with zlib support). */
617 #if defined(POLARSSL_ZLIB_SUPPORT)
618 for( i = 0; i < comp_len; ++i )
631 buf + 38, sess_len );
633 buf + 41 + sess_len, ciph_len );
635 buf + 42 + sess_len + ciph_len, comp_len );
/* First pass over the ciphersuites: look for the renegotiation SCSV. */
640 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
644 SSL_DEBUG_MSG( 3, (
"received TLS_EMPTY_RENEGOTIATION_INFO " ) );
647 SSL_DEBUG_MSG( 1, (
"received RENEGOTIATION SCSV during renegotiation" ) );
/* Second pass: pick the first suite the server also supports. */
664 for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
669 goto have_ciphersuite;
/* Walk the extension block: each extension is 2-byte id, 2-byte size, data.
 * The header is read before ext_size is bounded, which is safe because
 * ext_len >= 4 is guaranteed at this point (checks at 607 and 734). */
681 ext = buf + 44 + sess_len + ciph_len + comp_len;
685 unsigned int ext_id = ( ( ext[0] << 8 )
687 unsigned int ext_size = ( ( ext[2] << 8 )
690 if( ext_size + 4 > ext_len )
/* SNI is only parsed when the application registered a callback.
 * NOTE(review): ext_size is not checked against a minimum here, so the
 * extension parsers below are called with payloads of 0..ext_size bytes
 * and must do their own length checks — confirm each one does. */
699 if( ssl->
f_sni == NULL )
702 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
709 renegotiation_info_seen = 1;
711 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
717 SSL_DEBUG_MSG( 3, (
"found signature_algorithms extension" ) );
721 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
/* Unknown extensions are skipped, not rejected. */
727 SSL_DEBUG_MSG( 3, (
"unknown extension found: %d (ignoring)",
731 ext_len -= 4 + ext_size;
/* A trailing fragment too short for an extension header is malformed. */
734 if( ext_len > 0 && ext_len < 4 )
/* Renegotiation policy: the outcome is recorded in handshake_failure and
 * acted on once, below, rather than returning from inside each branch. */
747 SSL_DEBUG_MSG( 1, (
"legacy renegotiation, breaking off handshake" ) );
748 handshake_failure = 1;
/* Secure renegotiation requires the renegotiation_info extension. */
752 renegotiation_info_seen == 0 )
754 SSL_DEBUG_MSG( 1, (
"renegotiation_info extension missing (secure)" ) );
755 handshake_failure = 1;
762 handshake_failure = 1;
/* A legacy peer must not suddenly present the extension. */
766 renegotiation_info_seen == 1 )
768 SSL_DEBUG_MSG( 1, (
"renegotiation_info extension present (legacy)" ) );
769 handshake_failure = 1;
772 if( handshake_failure == 1 )
/*
 * Build the ServerHello message: version, 32-byte random (4-byte time +
 * 28 RNG bytes), session id, chosen ciphersuite/compression and, when
 * applicable, the renegotiation_info extension.
 * Returns 0 on success, a negative error code otherwise.
 */
788 static int ssl_write_server_hello(
ssl_context *ssl )
793 unsigned char *buf, *p;
/* Refuse to proceed without an RNG; the random must not be predictable. */
797 if( ssl->
f_rng == NULL )
/* First 4 bytes of the random: `t` written big-endian (debug output below
 * labels it the current time). */
820 *p++ = (
unsigned char)( t >> 24 );
821 *p++ = (
unsigned char)( t >> 16 );
822 *p++ = (
unsigned char)( t >> 8 );
823 *p++ = (
unsigned char)( t );
825 SSL_DEBUG_MSG( 3, (
"server hello, current time: %lu", t ) );
/* Remaining 28 bytes come from the user-supplied RNG; its error is fatal. */
827 if( ( ret = ssl->
f_rng( ssl->
p_rng, p, 28 ) ) != 0 )
834 SSL_DEBUG_BUF( 3,
"server hello, random bytes", buf + 6, 32 );
877 SSL_DEBUG_MSG( 3, (
"server hello, session id len.: %d", n ) );
893 SSL_DEBUG_MSG( 3, (
"server hello, prepping for secure renegotiation extension" ) );
896 SSL_DEBUG_MSG( 3, (
"server hello, total extension length: %d",
/* 2-byte big-endian total extensions length. */
899 *p++ = (
unsigned char)( ( ext_len >> 8 ) & 0xFF );
900 *p++ = (
unsigned char)( ( ext_len ) & 0xFF );
/* Debug label says "client hello" although this is the ServerHello writer —
 * looks like a copy-paste; the string is runtime output and left as is. */
905 SSL_DEBUG_MSG( 3, (
"client hello, secure renegotiation extension" ) );
/*
 * Build the CertificateRequest message, listing the distinguished names of
 * the configured CA chain (each as 2-byte length + DER subject).
 * Returns 0 on success, a negative error code otherwise.
 */
931 static int ssl_write_certificate_request(
ssl_context *ssl )
934 size_t n = 0, dn_size, total_dn_size;
935 unsigned char *buf, *p;
/* Walk the CA chain; a zero version marks the end-of-chain sentinel. */
999 while( crt != NULL && crt->
version != 0)
/* Stop adding names once the message would exceed the output buffer. */
1001 if( p - buf > 4096 )
/* 2-byte big-endian DN length precedes each DER subject. */
1005 *p++ = (
unsigned char)( dn_size >> 8 );
1006 *p++ = (
unsigned char)( dn_size );
1012 total_dn_size += 2 + dn_size;
/* Back-patch the total DN list length at out_msg[6+n..7+n]. */
1019 ssl->
out_msg[6 + n] = (
unsigned char)( total_dn_size >> 8 );
1020 ssl->
out_msg[7 + n] = (
unsigned char)( total_dn_size );
/*
 * Build the ServerKeyExchange message for DHE suites: DH parameters signed
 * with the server's RSA key. Skipped for suites that do not need it.
 * Returns 0 on success, a negative error code otherwise.
 */
1029 static int ssl_write_server_key_exchange(
ssl_context *ssl )
1031 #if defined(POLARSSL_DHM_C)
1033 size_t n, rsa_key_len = 0;
/* 64 bytes holds the largest digest used below (SHA-512). */
1034 unsigned char hash[64];
1036 unsigned int hashlen = 0;
1054 SSL_DEBUG_MSG( 2, (
"<= skip write server key exchange" ) );
/* Without the DHM module a DHE suite cannot be served (presumably reports
 * feature unavailable). */
1059 #if !defined(POLARSSL_DHM_C)
/* Digest selection follows the negotiated signature algorithm and the
 * digest modules compiled in. */
1140 #if defined(POLARSSL_SHA4_C)
1167 #if defined(POLARSSL_SHA2_C)
/* 2-byte big-endian signature length at out_msg[4+n..5+n], followed by the
 * signature over `hash`. */
1233 ssl->
out_msg[4 + n] = (
unsigned char)( rsa_key_len >> 8 );
1234 ssl->
out_msg[5 + n] = (
unsigned char)( rsa_key_len );
1240 hash_id, hashlen, hash,
1270 static int ssl_write_server_hello_done(
ssl_context *ssl )
/*
 * Parse the ClientKeyExchange message: the client's DH public value for DHE
 * suites, or the RSA-encrypted premaster secret otherwise.
 * Returns 0 on success, a negative error code otherwise.
 */
1293 static int ssl_parse_client_key_exchange(
ssl_context *ssl )
1331 #if !defined(POLARSSL_DHM_C)
/* Payload of n bytes starts at in_msg + 6 (after the 4-byte handshake
 * header and 2-byte length). */
1348 ssl->
in_msg + 6, n ) ) != 0 )
/* The 2-byte length at in_msg[4..5] must match the expected size n
 * (presumably the RSA key length) before decryption. */
1388 if( ssl->
in_msg[4] != ( ( n >> 8 ) & 0xFF ) ||
1389 ssl->
in_msg[5] != ( ( n ) & 0xFF ) )
/*
 * Parse the CertificateVerify message and check the client's signature over
 * the handshake transcript hash with the client certificate's public key.
 * Returns 0 on success, a negative error code otherwise.
 */
1445 static int ssl_parse_certificate_verify(
ssl_context *ssl )
1448 size_t n = 0, n1, n2;
/* 48 bytes holds the largest transcript digest handled here (presumably
 * SHA-384, or MD5+SHA-1 concatenated for pre-1.2). */
1449 unsigned char hash[48];
1451 unsigned int hashlen;
/* In TLS 1.2 the client must sign with the algorithm the server asked for. */
1493 SSL_DEBUG_MSG( 1, (
"peer not adhering to requested sig_alg for verify message" ) );
/* The declared signature length (n1) must match the key size (n2) and fill
 * the message exactly: n header bytes + 2-byte length + signature. */
1519 if( n + n1 + 6 != ssl->
in_hslen || n1 != n2 )
/* Signature bytes start at in_msg + 6 + n. */
1527 hash_id, hashlen, hash, ssl->
in_msg + 6 + n );
1554 switch( ssl->
state )
1564 ret = ssl_parse_client_hello( ssl );
1575 ret = ssl_write_server_hello( ssl );
1583 ret = ssl_write_server_key_exchange( ssl );
1587 ret = ssl_write_certificate_request( ssl );
1591 ret = ssl_write_server_hello_done( ssl );
1606 ret = ssl_parse_client_key_exchange( ssl );
1610 ret = ssl_parse_certificate_verify( ssl );
#define SSL_HS_CLIENT_KEY_EXCHANGE
#define SSL_ALERT_LEVEL_FATAL
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS 1.2.
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
int(* f_rng)(void *, unsigned char *, size_t)
#define TLS_EXT_SERVERNAME_HOSTNAME
SHA-256 context structure.
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_CS
Processing of the ClientKeyExchange handshake message failed in DHM Calculate Secret.
void(* update_checksum)(ssl_context *, unsigned char *, size_t)
#define SSL_DEBUG_RET(level, text, ret)
const int ** ciphersuites
char peer_verify_data[36]
#define SSL_HS_CLIENT_HELLO
int ssl_get_ciphersuite_min_version(const int ciphersuite_id)
int(* f_sni)(void *, ssl_context *, const unsigned char *, size_t)
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
void(* calc_verify)(ssl_context *, unsigned char *)
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
#define SSL_HS_SERVER_KEY_EXCHANGE
ssl_session * session_negotiate
int ssl_parse_certificate(ssl_context *ssl)
int ssl_parse_finished(ssl_context *ssl)
#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
TLS 1.2.
#define SSL_RENEGOTIATION
int ssl_write_finished(ssl_context *ssl)
Configuration options (set of defines)
#define SSL_DEBUG_MSG(level, args)
void ssl_handshake_wrapup(ssl_context *ssl)
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_RP
Processing of the ClientKeyExchange handshake message failed in DHM Read Public.
#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
Container for an X.509 certificate.
int ssl_handshake_server_step(ssl_context *ssl)
#define SSL_LEGACY_NO_RENEGOTIATION
#define SSL_MAJOR_VERSION_3
#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
unsigned char premaster[POLARSSL_MPI_MAX_SIZE]
void sha4_starts(sha4_context *ctx, int is384)
SHA-512 context setup.
#define SSL_HS_CERTIFICATE_REQUEST
#define SSL_CERT_TYPE_RSA_SIGN
#define TLS_RSA_WITH_AES_256_GCM_SHA384
ssl_handshake_params * handshake
#define SSL_MSG_HANDSHAKE
int ssl_write_certificate(ssl_context *ssl)
#define SSL_ALERT_MSG_PROTOCOL_VERSION
#define POLARSSL_ERR_SSL_NO_RNG
No RNG was provided to the SSL module.
rsa_key_len_func rsa_key_len
#define SSL_ALERT_MSG_UNRECOGNIZED_NAME
#define SSL_MINOR_VERSION_0
#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION
Handshake protocol not within min/max boundaries.
#define SSL_HS_SERVER_HELLO_DONE
#define TLS_DHE_RSA_WITH_DES_CBC_SHA
Weak! Not in TLS 1.2.
void sha4_update(sha4_context *ctx, const unsigned char *input, size_t ilen)
SHA-512 process buffer.
unsigned char * p
ASN1 data, e.g.
#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
void md5_starts(md5_context *ctx)
MD5 context setup.
int ssl_flush_output(ssl_context *ssl)
rsa_decrypt_func rsa_decrypt
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA
#define SSL_HS_SERVER_HELLO
#define SSL_COMPRESS_DEFLATE
#define SSL_MINOR_VERSION_3
#define TLS_EXT_RENEGOTIATION_INFO
int ssl_parse_change_cipher_spec(ssl_context *ssl)
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO
Processing of the ClientHello handshake message failed.
struct _x509_cert * next
Next certificate in the CA-chain.
#define SSL_EMPTY_RENEGOTIATION_INFO
renegotiation info ext
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS 1.2.
#define SSL_DEBUG_BUF(level, text, buf, len)
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
Processing of the ClientKeyExchange handshake message failed.
#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED
The own private key is not set, but needed.
#define SSL_INITIAL_HANDSHAKE
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
void sha2_update(sha2_context *ctx, const unsigned char *input, size_t ilen)
SHA-256 process buffer.
int allow_legacy_renegotiation
#define SSL_COMPRESS_NULL
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen)
Derive and export the shared secret (G^Y)^X mod P.
int ssl_read_record(ssl_context *ssl)
size_t len
ASN1 length, e.g.
void sha4(const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = SHA-512( input buffer )
#define SSL_HS_CERTIFICATE_VERIFY
#define TLS_EXT_SERVERNAME
#define SSL_DEBUG_MPI(level, text, X)
size_t mpi_size(const mpi *X)
Return the total size in bytes.
int mpi_copy(mpi *X, const mpi *Y)
Copy the contents of Y into X.
x509_buf subject_raw
The raw subject data (DER).
#define SSL_LEGACY_BREAK_HANDSHAKE
SHA-512 context structure.
#define SSL_LEGACY_RENEGOTIATION
#define SSL_SECURE_RENEGOTIATION
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
int ssl_write_change_cipher_spec(ssl_context *ssl)
int(* f_get_cache)(void *, ssl_session *)
void sha2(const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = SHA-256( input buffer )
int ssl_derive_keys(ssl_context *ssl)
void sha4_finish(sha4_context *ctx, unsigned char output[64])
SHA-512 final digest.
static int safer_memcmp(const void *a, const void *b, size_t n)
void ssl_optimize_checksum(ssl_context *ssl, int ciphersuite)
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
void sha2_starts(sha2_context *ctx, int is224)
SHA-256 context setup.
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
TLS 1.2.
int version
The X.509 version.
rsa_context rsa
Container for the RSA context.
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
int ssl_fetch_input(ssl_context *ssl, size_t nb_want)
int dhm_make_params(dhm_context *ctx, int x_size, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Setup and write the ServerKeyExchange parameters.
int ssl_write_record(ssl_context *ssl)
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
Processing of the CertificateVerify handshake message failed.
int rsa_pkcs1_verify(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Generic wrapper to perform a PKCS#1 verification using the mode from the context. ...
int dhm_read_public(dhm_context *ctx, const unsigned char *input, size_t ilen)
Import the peer's public value G^Y.
unsigned char randbytes[64]
void sha2_finish(sha2_context *ctx, unsigned char output[32])
SHA-256 final digest.
#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN
The server has no ciphersuites in common with the client.