TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / d2f068e071bc4cb9b672dbf0a64ed816cd0560d4 / . / library / ssl_srv.c
blob: 4a71367756d94623936cd85df91e4727f0f0ce4c [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 server-side functions
3 *
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]26#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]28#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]30#include "polarssl/debug.h"
31#include "polarssl/ssl.h"
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]32#if defined(POLARSSL_ECP_C)
33#include "polarssl/ecp.h"
34#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]36#if defined(POLARSSL_MEMORY_C)
37#include "polarssl/memory.h"
38#else
39#define polarssl_malloc malloc
40#define polarssl_free free
41#endif
42
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43#include <stdlib.h>
44#include <stdio.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]45
46#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47#include <time.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]48#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]49
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]50#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]51/*
52 * Serialize a session in the following format:
53 * 0 . n-1 session structure, n = sizeof(ssl_session)
54 * n . n+2 peer_cert length = m (0 if no certificate)
55 * n+3 . n+2+m peer cert ASN.1
56 *
57 * Assumes ticket is NULL (always true on server side).
58 */
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]59static int ssl_save_session( const ssl_session *session,
60 unsigned char *buf, size_t buf_len,
61 size_t *olen )
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]62{
63 unsigned char *p = buf;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]64 size_t left = buf_len;
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]65#if defined(POLARSSL_X509_PARSE_C)
66 size_t cert_len;
67#endif /* POLARSSL_X509_PARSE_C */
68
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]69 if( left < sizeof( ssl_session ) )
70 return( -1 );
71
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]72 memcpy( p, session, sizeof( ssl_session ) );
73 p += sizeof( ssl_session );
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]74 left -= sizeof( ssl_session );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]75
76#if defined(POLARSSL_X509_PARSE_C)
77 ((ssl_session *) buf)->peer_cert = NULL;
78
79 if( session->peer_cert == NULL )
80 cert_len = 0;
81 else
82 cert_len = session->peer_cert->raw.len;
83
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]84 if( left < 3 + cert_len )
85 return( -1 );
86
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]87 *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
88 *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
89 *p++ = (unsigned char)( cert_len & 0xFF );
90
91 if( session->peer_cert != NULL )
92 memcpy( p, session->peer_cert->raw.p, cert_len );
93
94 p += cert_len;
95#endif /* POLARSSL_X509_PARSE_C */
96
97 *olen = p - buf;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]98
99 return( 0 );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]100}
101
102/*
103 * Unserialise session, see ssl_save_session()
104 */
105static int ssl_load_session( ssl_session *session,
106 const unsigned char *buf, size_t len )
107{
108 int ret;
109 const unsigned char *p = buf;
110 const unsigned char * const end = buf + len;
111#if defined(POLARSSL_X509_PARSE_C)
112 size_t cert_len;
113#endif /* POLARSSL_X509_PARSE_C */
114
115 if( p + sizeof( ssl_session ) > end )
116 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
117
118 memcpy( session, p, sizeof( ssl_session ) );
119 p += sizeof( ssl_session );
120
121#if defined(POLARSSL_X509_PARSE_C)
122 if( p + 3 > end )
123 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
124
125 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
126 p += 3;
127
128 if( cert_len == 0 )
129 {
130 session->peer_cert = NULL;
131 }
132 else
133 {
134 if( p + cert_len > end )
135 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
136
137 session->peer_cert = polarssl_malloc( cert_len );
138
139 if( session->peer_cert == NULL )
140 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
141
142 memset( session->peer_cert, 0, sizeof( x509_cert ) );
143
144 if( ( ret = x509parse_crt( session->peer_cert, p, cert_len ) ) != 0 )
145 {
146 polarssl_free( session->peer_cert );
147 free( session->peer_cert );
148 session->peer_cert = NULL;
149 return( ret );
150 }
151
152 p += cert_len;
153 }
154#endif /* POLARSSL_X509_PARSE_C */
155
156 if( p != end )
157 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
158
159 return( 0 );
160}
161
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]162/*
163 * Create session ticket, secured as recommended in RFC 5077 section 4:
164 *
165 * struct {
166 * opaque key_name[16];
167 * opaque iv[16];
168 * opaque encrypted_state<0..2^16-1>;
169 * opaque mac[32];
170 * } ticket;
171 *
172 * (the internal state structure differs, however).
173 */
174static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
175{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]176 int ret;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]177 unsigned char * const start = ssl->out_msg + 10;
178 unsigned char *p = start;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]179 unsigned char *state;
180 unsigned char iv[16];
181 size_t clear_len, enc_len, pad_len, i;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]182
Manuel Pégourié-Gonnard0a201712013-08-23 16:25:16 +0200[diff] [blame]183 *tlen = 0;
184
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]185 if( ssl->ticket_keys == NULL )
186 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
187
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]188 /* Write key name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]189 memcpy( p, ssl->ticket_keys->key_name, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]190 p += 16;
191
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]192 /* Generate and write IV (with a copy for aes_crypt) */
193 if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
194 return( ret );
195 memcpy( iv, p, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]196 p += 16;
197
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]198 /*
199 * Dump session state
200 *
201 * After the session state itself, we still need room for 16 bytes of
202 * padding and 32 bytes of MAC, so there's only so much room left
203 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]204 state = p + 2;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]205 if( ssl_save_session( ssl->session_negotiate, state,
206 SSL_MAX_CONTENT_LEN - (state - ssl->out_ctr) - 48,
207 &clear_len ) != 0 )
208 {
209 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
210 }
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]211 SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]212
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]213 /* Apply PKCS padding */
214 pad_len = 16 - clear_len % 16;
215 enc_len = clear_len + pad_len;
216 for( i = clear_len; i < enc_len; i++ )
217 state[i] = (unsigned char) pad_len;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]218
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]219 /* Encrypt */
220 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
221 enc_len, iv, state, state ) ) != 0 )
222 {
223 return( ret );
224 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]225
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]226 /* Write length */
227 *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
228 *p++ = (unsigned char)( ( enc_len ) & 0xFF );
229 p = state + enc_len;
230
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]231 /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
232 sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]233 p += 32;
234
235 *tlen = p - start;
236
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]237 SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]238
239 return( 0 );
240}
241
242/*
243 * Load session ticket (see ssl_write_ticket for structure)
244 */
245static int ssl_parse_ticket( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]246 unsigned char *buf,
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]247 size_t len )
248{
249 int ret;
250 ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]251 unsigned char *key_name = buf;
252 unsigned char *iv = buf + 16;
253 unsigned char *enc_len_p = iv + 16;
254 unsigned char *ticket = enc_len_p + 2;
255 unsigned char *mac;
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]256 unsigned char computed_mac[16];
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]257 size_t enc_len, clear_len, i;
258 unsigned char pad_len;
259
260 SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]261
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]262 if( len < 34 || ssl->ticket_keys == NULL )
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]263 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
264
265 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
266 mac = ticket + enc_len;
267
268 if( len != enc_len + 66 )
269 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
270
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]271 /* Check name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]272 if( memcmp( key_name, ssl->ticket_keys->key_name, 16 ) != 0 )
273 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]274
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]275 /* Check mac */
276 sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
277 computed_mac, 0 );
278 ret = 0;
279 for( i = 0; i < 32; i++ )
280 if( mac[i] != computed_mac[i] )
281 ret = POLARSSL_ERR_SSL_INVALID_MAC;
282 if( ret != 0 )
283 return( ret );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]284
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]285 /* Decrypt */
286 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
287 enc_len, iv, ticket, ticket ) ) != 0 )
288 {
289 return( ret );
290 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]291
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]292 /* Check PKCS padding */
293 pad_len = ticket[enc_len - 1];
294
295 ret = 0;
296 for( i = 2; i < pad_len; i++ )
297 if( ticket[enc_len - i] != pad_len )
298 ret = POLARSSL_ERR_SSL_BAD_INPUT_DATA;
299 if( ret != 0 )
300 return( ret );
301
302 clear_len = enc_len - pad_len;
303
304 SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
305
306 /* Actually load session */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]307 if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
308 {
309 SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
310 memset( &session, 0, sizeof( ssl_session ) );
311 return( ret );
312 }
313
Paul Bakker606b4ba2013-08-14 16:52:14 +0200[diff] [blame]314#if defined(POLARSSL_HAVE_TIME)
315 /* Check if still valid */
316 if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
317 {
318 SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
319 memset( &session, 0, sizeof( ssl_session ) );
320 return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED );
321 }
322#endif
323
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]324 /*
325 * Keep the session ID sent by the client, since we MUST send it back to
326 * inform him we're accepting the ticket (RFC 5077 section 3.4)
327 */
328 session.length = ssl->session_negotiate->length;
329 memcpy( &session.id, ssl->session_negotiate->id, session.length );
330
331 ssl_session_free( ssl->session_negotiate );
332 memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
333 memset( &session, 0, sizeof( ssl_session ) );
334
335 return( 0 );
336}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]337#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]338
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]339static int ssl_parse_servername_ext( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]340 const unsigned char *buf,
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]341 size_t len )
342{
343 int ret;
344 size_t servername_list_size, hostname_len;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]345 const unsigned char *p;
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]346
347 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
348 if( servername_list_size + 2 != len )
349 {
350 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
351 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
352 }
353
354 p = buf + 2;
355 while( servername_list_size > 0 )
356 {
357 hostname_len = ( ( p[1] << 8 ) | p[2] );
358 if( hostname_len + 3 > servername_list_size )
359 {
360 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
361 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
362 }
363
364 if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
365 {
366 ret = ssl->f_sni( ssl->p_sni, ssl, p + 3, hostname_len );
367 if( ret != 0 )
368 {
369 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
370 SSL_ALERT_MSG_UNRECOGNIZED_NAME );
371 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
372 }
Paul Bakker81420ab2012-10-23 10:31:15 +0000[diff] [blame]373 return( 0 );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]374 }
375
376 servername_list_size -= hostname_len + 3;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]377 p += hostname_len + 3;
378 }
379
380 if( servername_list_size != 0 )
381 {
382 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
383 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]384 }
385
386 return( 0 );
387}
388
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]389static int ssl_parse_renegotiation_info( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]390 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]391 size_t len )
392{
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]393 int ret;
394
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]395 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
396 {
397 if( len != 1 || buf[0] != 0x0 )
398 {
399 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]400
401 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
402 return( ret );
403
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]404 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
405 }
406
407 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
408 }
409 else
410 {
411 if( len != 1 + ssl->verify_data_len ||
412 buf[0] != ssl->verify_data_len ||
413 memcmp( buf + 1, ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
414 {
415 SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]416
417 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
418 return( ret );
419
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]420 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
421 }
422 }
423
424 return( 0 );
425}
426
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame^]427#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]428static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
429 const unsigned char *buf,
430 size_t len )
431{
432 size_t sig_alg_list_size;
433 const unsigned char *p;
434
435 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
436 if( sig_alg_list_size + 2 != len ||
437 sig_alg_list_size %2 != 0 )
438 {
439 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
440 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
441 }
442
443 p = buf + 2;
444 while( sig_alg_list_size > 0 )
445 {
446 if( p[1] != SSL_SIG_RSA )
Paul Bakker8611e732012-10-30 07:52:29 +0000[diff] [blame]447 {
448 sig_alg_list_size -= 2;
449 p += 2;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]450 continue;
Paul Bakker8611e732012-10-30 07:52:29 +0000[diff] [blame]451 }
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]452#if defined(POLARSSL_SHA512_C)
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]453 if( p[0] == SSL_HASH_SHA512 )
454 {
455 ssl->handshake->sig_alg = SSL_HASH_SHA512;
456 break;
457 }
458 if( p[0] == SSL_HASH_SHA384 )
459 {
460 ssl->handshake->sig_alg = SSL_HASH_SHA384;
461 break;
462 }
463#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]464#if defined(POLARSSL_SHA256_C)
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]465 if( p[0] == SSL_HASH_SHA256 )
466 {
467 ssl->handshake->sig_alg = SSL_HASH_SHA256;
468 break;
469 }
470 if( p[0] == SSL_HASH_SHA224 )
471 {
472 ssl->handshake->sig_alg = SSL_HASH_SHA224;
473 break;
474 }
475#endif
476 if( p[0] == SSL_HASH_SHA1 )
477 {
478 ssl->handshake->sig_alg = SSL_HASH_SHA1;
479 break;
480 }
481 if( p[0] == SSL_HASH_MD5 )
482 {
483 ssl->handshake->sig_alg = SSL_HASH_MD5;
484 break;
485 }
486
487 sig_alg_list_size -= 2;
488 p += 2;
489 }
490
491 SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
492 ssl->handshake->sig_alg ) );
493
494 return( 0 );
495}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame^]496#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]497
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]498#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]499static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
500 const unsigned char *buf,
501 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]502{
503 size_t list_size;
504 const unsigned char *p;
505
506 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
507 if( list_size + 2 != len ||
508 list_size % 2 != 0 )
509 {
510 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
511 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
512 }
513
514 p = buf + 2;
515 while( list_size > 0 )
516 {
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]517#if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
518 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP192R1 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]519 {
520 ssl->handshake->ec_curve = p[1];
521 return( 0 );
522 }
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]523#endif
524#if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
525 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP224R1 )
526 {
527 ssl->handshake->ec_curve = p[1];
528 return( 0 );
529 }
530#endif
531#if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
532 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP256R1 )
533 {
534 ssl->handshake->ec_curve = p[1];
535 return( 0 );
536 }
537#endif
538#if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
539 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP384R1 )
540 {
541 ssl->handshake->ec_curve = p[1];
542 return( 0 );
543 }
544#endif
545#if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
546 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP521R1 )
547 {
548 ssl->handshake->ec_curve = p[1];
549 return( 0 );
550 }
551#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]552
553 list_size -= 2;
554 p += 2;
555 }
556
557 return( 0 );
558}
559
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]560static int ssl_parse_supported_point_formats( ssl_context *ssl,
561 const unsigned char *buf,
562 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]563{
564 size_t list_size;
565 const unsigned char *p;
566
567 list_size = buf[0];
568 if( list_size + 1 != len )
569 {
570 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
571 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
572 }
573
574 p = buf + 2;
575 while( list_size > 0 )
576 {
577 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
578 p[0] == POLARSSL_ECP_PF_COMPRESSED )
579 {
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]580 ssl->handshake->ecdh_ctx.point_format = p[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]581 SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]582 return( 0 );
583 }
584
585 list_size--;
586 p++;
587 }
588
589 return( 0 );
590}
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]591#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]592
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]593#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]594static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
595 const unsigned char *buf,
596 size_t len )
597{
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]598 if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]599 {
600 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
601 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
602 }
603
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]604 ssl->session_negotiate->mfl_code = buf[0];
605
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]606 return( 0 );
607}
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]608#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]609
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]610#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]611static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
612 const unsigned char *buf,
613 size_t len )
614{
615 if( len != 0 )
616 {
617 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
618 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
619 }
620
621 ((void) buf);
622
623 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
624
625 return( 0 );
626}
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]627#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]628
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]629#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]630static int ssl_parse_session_ticket_ext( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]631 unsigned char *buf,
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]632 size_t len )
633{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]634 int ret;
635
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]636 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
637 return( 0 );
638
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]639 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]640 ssl->handshake->new_session_ticket = 1;
641
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]642 SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
643
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]644 if( len == 0 )
645 return( 0 );
646
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]647 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
648 {
649 SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
650 return( 0 );
651 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]652
653 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]654 * Failures are ok: just ignore the ticket and proceed.
655 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]656 if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
657 {
658 SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]659 return( 0 );
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]660 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]661
662 SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
663
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]664 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]665
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]666 /* Don't send a new ticket after all, this one is OK */
667 ssl->handshake->new_session_ticket = 0;
668
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]669 return( 0 );
670}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]671#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]672
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]673#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
674static int ssl_parse_client_hello_v2( ssl_context *ssl )
675{
676 int ret;
677 unsigned int i, j;
678 size_t n;
679 unsigned int ciph_len, sess_len, chal_len;
680 unsigned char *buf, *p;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]681 const int *ciphersuites;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]682 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]683
684 SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
685
686 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
687 {
688 SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
689
690 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
691 return( ret );
692
693 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
694 }
695
696 buf = ssl->in_hdr;
697
698 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
699
700 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
701 buf[2] ) );
702 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
703 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
704 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
705 buf[3], buf[4] ) );
706
707 /*
708 * SSLv2 Client Hello
709 *
710 * Record layer:
711 * 0 . 1 message length
712 *
713 * SSL layer:
714 * 2 . 2 message type
715 * 3 . 4 protocol version
716 */
717 if( buf[2] != SSL_HS_CLIENT_HELLO ||
718 buf[3] != SSL_MAJOR_VERSION_3 )
719 {
720 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
721 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
722 }
723
724 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
725
726 if( n < 17 || n > 512 )
727 {
728 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
729 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
730 }
731
732 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]733 ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
734 ? buf[4] : ssl->max_minor_ver;
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]735
736 if( ssl->minor_ver < ssl->min_minor_ver )
737 {
738 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
739 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
740 ssl->min_major_ver, ssl->min_minor_ver ) );
741
742 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
743 SSL_ALERT_MSG_PROTOCOL_VERSION );
744 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
745 }
746
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]747 ssl->handshake->max_major_ver = buf[3];
748 ssl->handshake->max_minor_ver = buf[4];
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]749
750 if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
751 {
752 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
753 return( ret );
754 }
755
756 ssl->handshake->update_checksum( ssl, buf + 2, n );
757
758 buf = ssl->in_msg;
759 n = ssl->in_left - 5;
760
761 /*
762 * 0 . 1 ciphersuitelist length
763 * 2 . 3 session id length
764 * 4 . 5 challenge length
765 * 6 . .. ciphersuitelist
766 * .. . .. session id
767 * .. . .. challenge
768 */
769 SSL_DEBUG_BUF( 4, "record contents", buf, n );
770
771 ciph_len = ( buf[0] << 8 ) | buf[1];
772 sess_len = ( buf[2] << 8 ) | buf[3];
773 chal_len = ( buf[4] << 8 ) | buf[5];
774
775 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
776 ciph_len, sess_len, chal_len ) );
777
778 /*
779 * Make sure each parameter length is valid
780 */
781 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
782 {
783 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
784 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
785 }
786
787 if( sess_len > 32 )
788 {
789 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
790 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
791 }
792
793 if( chal_len < 8 || chal_len > 32 )
794 {
795 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
796 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
797 }
798
799 if( n != 6 + ciph_len + sess_len + chal_len )
800 {
801 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
802 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
803 }
804
805 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
806 buf + 6, ciph_len );
807 SSL_DEBUG_BUF( 3, "client hello, session id",
808 buf + 6 + ciph_len, sess_len );
809 SSL_DEBUG_BUF( 3, "client hello, challenge",
810 buf + 6 + ciph_len + sess_len, chal_len );
811
812 p = buf + 6 + ciph_len;
813 ssl->session_negotiate->length = sess_len;
814 memset( ssl->session_negotiate->id, 0, sizeof( ssl->session_negotiate->id ) );
815 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
816
817 p += sess_len;
818 memset( ssl->handshake->randbytes, 0, 64 );
819 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
820
821 /*
822 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
823 */
824 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
825 {
826 if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
827 {
828 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
829 if( ssl->renegotiation == SSL_RENEGOTIATION )
830 {
831 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
832
833 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
834 return( ret );
835
836 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
837 }
838 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
839 break;
840 }
841 }
842
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]843 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
844 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]845 {
846 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
847 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]848 // Only allow non-ECC ciphersuites as we do not have extensions
849 //
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]850 if( p[0] == 0 && p[1] == 0 &&
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]851 ( ( ciphersuites[i] >> 8 ) & 0xFF ) == 0 &&
852 p[2] == ( ciphersuites[i] & 0xFF ) )
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]853 {
854 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
855
856 if( ciphersuite_info == NULL )
857 {
858 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
859 ciphersuites[i] ) );
860 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
861 }
862
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]863 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
864 ciphersuite_info->max_minor_ver < ssl->minor_ver )
865 continue;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]866
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]867 goto have_ciphersuite_v2;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]868 }
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]869 }
870 }
871
872 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
873
874 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
875
876have_ciphersuite_v2:
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]877 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]878 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]879 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]880
881 /*
882 * SSLv2 Client Hello relevant renegotiation security checks
883 */
884 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
885 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
886 {
887 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
888
889 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
890 return( ret );
891
892 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
893 }
894
895 ssl->in_left = 0;
896 ssl->state++;
897
898 SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
899
900 return( 0 );
901}
902#endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
903
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]904static int ssl_parse_client_hello( ssl_context *ssl )
905{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]906 int ret;
907 unsigned int i, j;
908 size_t n;
909 unsigned int ciph_len, sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]910 unsigned int comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]911 unsigned int ext_len = 0;
912 unsigned char *buf, *p, *ext;
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]913 int renegotiation_info_seen = 0;
914 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]915 const int *ciphersuites;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]916 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]917
918 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
919
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]920 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
921 ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]922 {
923 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
924 return( ret );
925 }
926
927 buf = ssl->in_hdr;
928
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]929#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
930 if( ( buf[0] & 0x80 ) != 0 )
931 return ssl_parse_client_hello_v2( ssl );
932#endif
933
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]934 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
935
936 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
937 buf[0] ) );
938 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
939 ( buf[3] << 8 ) | buf[4] ) );
940 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
941 buf[1], buf[2] ) );
942
943 /*
944 * SSLv3 Client Hello
945 *
946 * Record layer:
947 * 0 . 0 message type
948 * 1 . 2 protocol version
949 * 3 . 4 message length
950 */
951 if( buf[0] != SSL_MSG_HANDSHAKE ||
952 buf[1] != SSL_MAJOR_VERSION_3 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]953 {
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]954 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
955 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
956 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]957
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]958 n = ( buf[3] << 8 ) | buf[4];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]959
Manuel Pégourié-Gonnard72882b22013-08-02 13:36:00 +0200[diff] [blame]960 if( n < 45 || n > 2048 )
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]961 {
962 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
963 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
964 }
965
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]966 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
967 ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]968 {
969 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
970 return( ret );
971 }
972
973 buf = ssl->in_msg;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]974 if( !ssl->renegotiation )
975 n = ssl->in_left - 5;
976 else
977 n = ssl->in_msglen;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]978
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]979 ssl->handshake->update_checksum( ssl, buf, n );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]980
981 /*
982 * SSL layer:
983 * 0 . 0 handshake type
984 * 1 . 3 handshake length
985 * 4 . 5 protocol version
986 * 6 . 9 UNIX time()
987 * 10 . 37 random bytes
988 * 38 . 38 session id length
989 * 39 . 38+x session id
990 * 39+x . 40+x ciphersuitelist length
991 * 41+x . .. ciphersuitelist
992 * .. . .. compression alg.
993 * .. . .. extensions
994 */
995 SSL_DEBUG_BUF( 4, "record contents", buf, n );
996
997 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
998 buf[0] ) );
999 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
1000 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
1001 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
1002 buf[4], buf[5] ) );
1003
1004 /*
1005 * Check the handshake type and protocol version
1006 */
1007 if( buf[0] != SSL_HS_CLIENT_HELLO ||
1008 buf[4] != SSL_MAJOR_VERSION_3 )
1009 {
1010 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1011 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1012 }
1013
1014 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1015 ssl->minor_ver = ( buf[5] <= ssl->max_minor_ver )
1016 ? buf[5] : ssl->max_minor_ver;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1017
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1018 if( ssl->minor_ver < ssl->min_minor_ver )
1019 {
1020 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1021 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
Paul Bakker81420ab2012-10-23 10:31:15 +0000[diff] [blame]1022 ssl->min_major_ver, ssl->min_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1023
1024 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1025 SSL_ALERT_MSG_PROTOCOL_VERSION );
1026
1027 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1028 }
1029
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1030 ssl->handshake->max_major_ver = buf[4];
1031 ssl->handshake->max_minor_ver = buf[5];
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1032
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1033 memcpy( ssl->handshake->randbytes, buf + 6, 32 );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1034
1035 /*
1036 * Check the handshake message length
1037 */
1038 if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
1039 {
1040 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1041 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1042 }
1043
1044 /*
1045 * Check the session length
1046 */
1047 sess_len = buf[38];
1048
1049 if( sess_len > 32 )
1050 {
1051 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1052 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1053 }
1054
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1055 ssl->session_negotiate->length = sess_len;
1056 memset( ssl->session_negotiate->id, 0,
1057 sizeof( ssl->session_negotiate->id ) );
1058 memcpy( ssl->session_negotiate->id, buf + 39,
1059 ssl->session_negotiate->length );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1060
1061 /*
1062 * Check the ciphersuitelist length
1063 */
1064 ciph_len = ( buf[39 + sess_len] << 8 )
1065 | ( buf[40 + sess_len] );
1066
1067 if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
1068 {
1069 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1070 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1071 }
1072
1073 /*
1074 * Check the compression algorithms length
1075 */
1076 comp_len = buf[41 + sess_len + ciph_len];
1077
1078 if( comp_len < 1 || comp_len > 16 )
1079 {
1080 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1081 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1082 }
1083
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1084 /*
1085 * Check the extension length
1086 */
1087 if( n > 42 + sess_len + ciph_len + comp_len )
1088 {
1089 ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
1090 | ( buf[43 + sess_len + ciph_len + comp_len] );
1091
1092 if( ( ext_len > 0 && ext_len < 4 ) ||
1093 n != 44 + sess_len + ciph_len + comp_len + ext_len )
1094 {
1095 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1096 SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
1097 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1098 }
1099 }
1100
1101 ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1102#if defined(POLARSSL_ZLIB_SUPPORT)
1103 for( i = 0; i < comp_len; ++i )
1104 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1105 if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1106 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1107 ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1108 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1109 }
1110 }
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1111#endif
1112
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1113 SSL_DEBUG_BUF( 3, "client hello, random bytes",
1114 buf + 6, 32 );
1115 SSL_DEBUG_BUF( 3, "client hello, session id",
1116 buf + 38, sess_len );
1117 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1118 buf + 41 + sess_len, ciph_len );
1119 SSL_DEBUG_BUF( 3, "client hello, compression",
1120 buf + 42 + sess_len + ciph_len, comp_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1121
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1122 /*
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1123 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1124 */
1125 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1126 {
1127 if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
1128 {
1129 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1130 if( ssl->renegotiation == SSL_RENEGOTIATION )
1131 {
1132 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1133
1134 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1135 return( ret );
1136
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1137 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1138 }
1139 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
1140 break;
1141 }
1142 }
1143
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1144 ext = buf + 44 + sess_len + ciph_len + comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1145
1146 while( ext_len )
1147 {
1148 unsigned int ext_id = ( ( ext[0] << 8 )
1149 | ( ext[1] ) );
1150 unsigned int ext_size = ( ( ext[2] << 8 )
1151 | ( ext[3] ) );
1152
1153 if( ext_size + 4 > ext_len )
1154 {
1155 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1156 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1157 }
1158 switch( ext_id )
1159 {
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]1160 case TLS_EXT_SERVERNAME:
1161 SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1162 if( ssl->f_sni == NULL )
1163 break;
1164
1165 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1166 if( ret != 0 )
1167 return( ret );
1168 break;
1169
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1170 case TLS_EXT_RENEGOTIATION_INFO:
1171 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1172 renegotiation_info_seen = 1;
1173
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1174 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1175 if( ret != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1176 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1177 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1178
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame^]1179#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1180 case TLS_EXT_SIG_ALG:
1181 SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1182 if( ssl->renegotiation == SSL_RENEGOTIATION )
1183 break;
1184
1185 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1186 if( ret != 0 )
1187 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1188 break;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame^]1189#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1190
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1191#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1192 case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
1193 SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1194
1195 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1196 if( ret != 0 )
1197 return( ret );
1198 break;
1199
1200 case TLS_EXT_SUPPORTED_POINT_FORMATS:
1201 SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1202
1203 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1204 if( ret != 0 )
1205 return( ret );
1206 break;
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1207#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1208
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1209#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1210 case TLS_EXT_MAX_FRAGMENT_LENGTH:
1211 SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1212
1213 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1214 if( ret != 0 )
1215 return( ret );
1216 break;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1217#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1218
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1219#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1220 case TLS_EXT_TRUNCATED_HMAC:
1221 SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1222
1223 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1224 if( ret != 0 )
1225 return( ret );
1226 break;
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1227#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1228
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1229#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1230 case TLS_EXT_SESSION_TICKET:
1231 SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1232
1233 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1234 if( ret != 0 )
1235 return( ret );
1236 break;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1237#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1238
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1239 default:
1240 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1241 ext_id ) );
1242 }
1243
1244 ext_len -= 4 + ext_size;
1245 ext += 4 + ext_size;
1246
1247 if( ext_len > 0 && ext_len < 4 )
1248 {
1249 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1250 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1251 }
1252 }
1253
1254 /*
1255 * Renegotiation security checks
1256 */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1257 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1258 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
1259 {
1260 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1261 handshake_failure = 1;
1262 }
1263 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1264 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
1265 renegotiation_info_seen == 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1266 {
1267 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1268 handshake_failure = 1;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1269 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1270 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1271 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1272 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1273 {
1274 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1275 handshake_failure = 1;
1276 }
1277 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1278 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1279 renegotiation_info_seen == 1 )
1280 {
1281 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1282 handshake_failure = 1;
1283 }
1284
1285 if( handshake_failure == 1 )
1286 {
1287 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1288 return( ret );
1289
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1290 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1291 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1292
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1293 /*
1294 * Search for a matching ciphersuite
1295 * (At the end because we need information from the EC-based extensions)
1296 */
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1297 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1298 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1299 {
1300 for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
1301 j += 2, p += 2 )
1302 {
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1303 if( p[0] == ( ( ciphersuites[i] >> 8 ) & 0xFF ) &&
1304 p[1] == ( ( ciphersuites[i] ) & 0xFF ) )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1305 {
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1306 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1307
1308 if( ciphersuite_info == NULL )
1309 {
1310 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1311 ciphersuites[i] ) );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1312 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
1313 }
1314
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1315 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
1316 ciphersuite_info->max_minor_ver < ssl->minor_ver )
1317 continue;
1318
Paul Bakker5fd49172013-08-19 13:29:26 +0200[diff] [blame]1319#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1320 if( ( ciphersuite_info->flags & POLARSSL_CIPHERSUITE_EC ) &&
1321 ssl->handshake->ec_curve == 0 )
1322 continue;
Paul Bakker5fd49172013-08-19 13:29:26 +0200[diff] [blame]1323#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1324
1325 goto have_ciphersuite;
1326 }
1327 }
1328 }
1329
1330 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1331
1332 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1333 return( ret );
1334
1335 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
1336
1337have_ciphersuite:
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1338 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1339 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1340 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
1341
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1342 ssl->in_left = 0;
1343 ssl->state++;
1344
1345 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1346
1347 return( 0 );
1348}
1349
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1350#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1351static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
1352 unsigned char *buf,
1353 size_t *olen )
1354{
1355 unsigned char *p = buf;
1356
1357 if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
1358 {
1359 *olen = 0;
1360 return;
1361 }
1362
1363 SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1364
1365 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
1366 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
1367
1368 *p++ = 0x00;
1369 *p++ = 0x00;
1370
1371 *olen = 4;
1372}
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1373#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1374
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1375#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1376static void ssl_write_session_ticket_ext( ssl_context *ssl,
1377 unsigned char *buf,
1378 size_t *olen )
1379{
1380 unsigned char *p = buf;
1381
1382 if( ssl->handshake->new_session_ticket == 0 )
1383 {
1384 *olen = 0;
1385 return;
1386 }
1387
1388 SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1389
1390 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
1391 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
1392
1393 *p++ = 0x00;
1394 *p++ = 0x00;
1395
1396 *olen = 4;
1397}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1398#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1399
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1400static void ssl_write_renegotiation_ext( ssl_context *ssl,
1401 unsigned char *buf,
1402 size_t *olen )
1403{
1404 unsigned char *p = buf;
1405
1406 if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION )
1407 {
1408 *olen = 0;
1409 return;
1410 }
1411
1412 SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1413
1414 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
1415 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
1416
1417 *p++ = 0x00;
1418 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
1419 *p++ = ssl->verify_data_len * 2 & 0xFF;
1420
1421 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
1422 p += ssl->verify_data_len;
1423 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
1424 p += ssl->verify_data_len;
1425
1426 *olen = 5 + ssl->verify_data_len * 2;
1427}
1428
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1429#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1430static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
1431 unsigned char *buf,
1432 size_t *olen )
1433{
1434 unsigned char *p = buf;
1435
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]1436 if( ssl->session_negotiate->mfl_code == SSL_MAX_FRAG_LEN_NONE )
1437 {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1438 *olen = 0;
1439 return;
1440 }
1441
1442 SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
1443
1444 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
1445 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
1446
1447 *p++ = 0x00;
1448 *p++ = 1;
1449
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]1450 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1451
1452 *olen = 5;
1453}
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1454#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1455
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1456#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1457static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
1458 unsigned char *buf,
1459 size_t *olen )
1460{
1461 unsigned char *p = buf;
1462 ((void) ssl);
1463
1464 *olen = 0;
1465
1466 SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
1467
1468 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
1469 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
1470
1471 *p++ = 0x00;
1472 *p++ = 2;
1473
1474 *p++ = 1;
1475 *p++ = POLARSSL_ECP_PF_UNCOMPRESSED;
1476
1477 *olen = 6;
1478}
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1479#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1480
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1481static int ssl_write_server_hello( ssl_context *ssl )
1482{
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1483#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1484 time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1485#endif
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1486 int ret, n;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1487 size_t olen, ext_len = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1488 unsigned char *buf, *p;
1489
1490 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
1491
1492 /*
1493 * 0 . 0 handshake type
1494 * 1 . 3 handshake length
1495 * 4 . 5 protocol version
1496 * 6 . 9 UNIX time()
1497 * 10 . 37 random bytes
1498 */
1499 buf = ssl->out_msg;
1500 p = buf + 4;
1501
1502 *p++ = (unsigned char) ssl->major_ver;
1503 *p++ = (unsigned char) ssl->minor_ver;
1504
1505 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
1506 buf[4], buf[5] ) );
1507
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1508#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1509 t = time( NULL );
1510 *p++ = (unsigned char)( t >> 24 );
1511 *p++ = (unsigned char)( t >> 16 );
1512 *p++ = (unsigned char)( t >> 8 );
1513 *p++ = (unsigned char)( t );
1514
1515 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1516#else
1517 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
1518 return( ret );
1519
1520 p += 4;
1521#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1522
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1523 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
1524 return( ret );
1525
1526 p += 28;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1527
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1528 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1529
1530 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
1531
1532 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1533 * Resume is 0 by default, see ssl_handshake_init().
1534 * It may be already set to 1 by ssl_parse_session_ticket_ext().
1535 * If not, try looking up session ID in our cache.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1536 */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1537 if( ssl->handshake->resume == 0 &&
1538 ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +0200[diff] [blame]1539 ssl->session_negotiate->length != 0 &&
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1540 ssl->f_get_cache != NULL &&
1541 ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
1542 {
1543 ssl->handshake->resume = 1;
1544 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1545
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1546 if( ssl->handshake->resume == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1547 {
1548 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1549 * New session, create a new session id,
1550 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1551 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1552 ssl->state++;
1553
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1554#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1555 if( ssl->handshake->new_session_ticket == 0 )
1556 {
1557 ssl->session_negotiate->length = n = 32;
1558 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1559 n ) ) != 0 )
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1560 return( ret );
1561 }
1562 else
1563 {
Paul Bakkerf0e39ac2013-08-15 11:40:48 +0200[diff] [blame]1564 ssl->session_negotiate->length = n = 0;
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1565 memset( ssl->session_negotiate->id, 0, 32 );
1566 }
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1567#else
1568 ssl->session_negotiate->length = n = 32;
1569 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
1570 n ) ) != 0 )
1571 return( ret );
1572#endif /* POLARSSL_SSL_SESSION_TICKETS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1573 }
1574 else
1575 {
1576 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1577 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1578 */
Paul Bakkerf0e39ac2013-08-15 11:40:48 +0200[diff] [blame]1579 n = ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1580 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1581
1582 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1583 {
1584 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1585 return( ret );
1586 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1587 }
1588
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1589 /*
1590 * 38 . 38 session id length
1591 * 39 . 38+n session id
1592 * 39+n . 40+n chosen ciphersuite
1593 * 41+n . 41+n chosen compression alg.
1594 * 42+n . 43+n extensions length
1595 * 44+n . 43+n+m extensions
1596 */
1597 *p++ = (unsigned char) ssl->session_negotiate->length;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1598 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
1599 p += ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1600
1601 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1602 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
1603 SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]1604 ssl->handshake->resume ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1605
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1606 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
1607 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
1608 *p++ = (unsigned char)( ssl->session_negotiate->compression );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1609
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1610 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1611 ssl->session_negotiate->ciphersuite ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1612 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1613 ssl->session_negotiate->compression ) );
1614
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1615 /*
1616 * First write extensions, then the total length
1617 */
1618 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1619 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1620
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1621#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1622 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1623 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1624#endif
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1625
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1626#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1627 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1628 ext_len += olen;
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1629#endif
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1630
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1631#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1632 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1633 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1634#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1635
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1636#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1637 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1638 ext_len += olen;
1639#endif
1640
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1641 SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1642
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1643 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1644 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1645 p += ext_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1646
1647 ssl->out_msglen = p - buf;
1648 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1649 ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
1650
1651 ret = ssl_write_record( ssl );
1652
1653 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
1654
1655 return( ret );
1656}
1657
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1658#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1659 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1660 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1661static int ssl_write_certificate_request( ssl_context *ssl )
1662{
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]1663 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1664 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1665
1666 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1667
1668 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1669 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1670 {
1671 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1672 ssl->state++;
1673 return( 0 );
1674 }
1675
1676 return( ret );
1677}
1678#else
1679static int ssl_write_certificate_request( ssl_context *ssl )
1680{
1681 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1682 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1683 size_t n = 0, dn_size, total_dn_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1684 unsigned char *buf, *p;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1685 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1686
1687 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1688
1689 ssl->state++;
1690
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]1691 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1692 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]1693 ssl->authmode == SSL_VERIFY_NONE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1694 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1695 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1696 return( 0 );
1697 }
1698
1699 /*
1700 * 0 . 0 handshake type
1701 * 1 . 3 handshake length
1702 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1703 * 5 .. m-1 cert types
1704 * m .. m+1 sig alg length (TLS 1.2 only)
1705 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1706 * n .. n+1 length of all DNs
1707 * n+2 .. n+3 length of DN 1
1708 * n+4 .. ... Distinguished Name #1
1709 * ... .. ... length of DN 2, etc.
1710 */
1711 buf = ssl->out_msg;
1712 p = buf + 4;
1713
1714 /*
1715 * At the moment, only RSA certificates are supported
1716 */
1717 *p++ = 1;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1718 *p++ = SSL_CERT_TYPE_RSA_SIGN;
1719
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame^]1720#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1721 /*
1722 * Add signature_algorithms for verify (TLS 1.2)
1723 * Only add current running algorithm that is already required for
1724 * requested ciphersuite.
1725 *
1726 * Length is always 2
1727 */
Paul Bakker21dca692013-01-03 11:41:08 +0100[diff] [blame]1728 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1729 {
1730 ssl->handshake->verify_sig_alg = SSL_HASH_SHA256;
1731
1732 *p++ = 0;
1733 *p++ = 2;
1734
Paul Bakkerb7149bc2013-03-20 15:30:09 +0100[diff] [blame]1735 if( ssl->transform_negotiate->ciphersuite_info->mac ==
1736 POLARSSL_MD_SHA384 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1737 {
1738 ssl->handshake->verify_sig_alg = SSL_HASH_SHA384;
1739 }
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]1740
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1741 *p++ = ssl->handshake->verify_sig_alg;
1742 *p++ = SSL_SIG_RSA;
1743
1744 n += 4;
1745 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame^]1746#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1747
1748 p += 2;
1749 crt = ssl->ca_chain;
1750
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]1751 total_dn_size = 0;
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]1752 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1753 {
1754 if( p - buf > 4096 )
1755 break;
1756
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1757 dn_size = crt->subject_raw.len;
1758 *p++ = (unsigned char)( dn_size >> 8 );
1759 *p++ = (unsigned char)( dn_size );
1760 memcpy( p, crt->subject_raw.p, dn_size );
1761 p += dn_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1762
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1763 SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
1764
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]1765 total_dn_size += 2 + dn_size;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1766 crt = crt->next;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1767 }
1768
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1769 ssl->out_msglen = p - buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1770 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1771 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1772 ssl->out_msg[6 + n] = (unsigned char)( total_dn_size >> 8 );
1773 ssl->out_msg[7 + n] = (unsigned char)( total_dn_size );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1774
1775 ret = ssl_write_record( ssl );
1776
1777 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
1778
1779 return( ret );
1780}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1781#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
1782 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
1783 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1784
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1785static int ssl_write_server_key_exchange( ssl_context *ssl )
1786{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1787 int ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1788 size_t n = 0, len;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1789 unsigned char hash[64];
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1790 md_type_t md_alg = POLARSSL_MD_NONE;
Paul Bakker35a7fe52012-10-31 09:07:14 +0000[diff] [blame]1791 unsigned int hashlen = 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1792 unsigned char *p = ssl->out_msg + 4;
1793 unsigned char *dig_sig = p;
1794 size_t dig_sig_len = 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1795
1796 const ssl_ciphersuite_t *ciphersuite_info;
1797 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1798
1799 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
1800
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1801 if( ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_RSA &&
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1802 ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_ECDHE_RSA &&
1803 ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1804 {
1805 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
1806 ssl->state++;
1807 return( 0 );
1808 }
1809
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1810#if defined(POLARSSL_RSA_C)
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1811 if( ssl->rsa_key == NULL )
1812 {
Paul Bakkereb2c6582012-09-27 19:15:01 +0000[diff] [blame]1813 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
1814 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1815 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1816#endif /* POLARSSL_RSA_C */
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1817
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1818#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1819 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1820 {
1821 /* TODO: Support identity hints */
1822 *(p++) = 0x00;
1823 *(p++) = 0x00;
1824
1825 n += 2;
1826 }
1827#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1828
1829#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1830 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1831 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1832 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1833 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1834 /*
1835 * Ephemeral DH parameters:
1836 *
1837 * struct {
1838 * opaque dh_p<1..2^16-1>;
1839 * opaque dh_g<1..2^16-1>;
1840 * opaque dh_Ys<1..2^16-1>;
1841 * } ServerDHParams;
1842 */
1843 if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
1844 ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
1845 {
1846 SSL_DEBUG_RET( 1, "mpi_copy", ret );
1847 return( ret );
1848 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1849
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1850 if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
1851 mpi_size( &ssl->handshake->dhm_ctx.P ),
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1852 p,
1853 &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1854 {
1855 SSL_DEBUG_RET( 1, "dhm_make_params", ret );
1856 return( ret );
1857 }
1858
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1859 dig_sig = p;
1860 dig_sig_len = len;
1861
1862 p += len;
1863 n += len;
1864
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1865 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
1866 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1867 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1868 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
1869 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1870#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1871 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1872
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1873#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1874 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1875 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1876 /*
1877 * Ephemeral ECDH parameters:
1878 *
1879 * struct {
1880 * ECParameters curve_params;
1881 * ECPoint public;
1882 * } ServerECDHParams;
1883 */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1884 if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
1885 ssl->handshake->ec_curve ) ) != 0 )
1886 {
1887 SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
1888 return( ret );
1889 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1890
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1891 if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx,
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1892 &len,
1893 p,
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1894 1000, ssl->f_rng, ssl->p_rng ) ) != 0 )
1895 {
1896 SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
1897 return( ret );
1898 }
1899
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1900 dig_sig = p;
1901 dig_sig_len = len;
1902
1903 p += len;
1904 n += len;
1905
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1906 SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
1907 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1908#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1909
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1910#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1911 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
1912 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1913 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1914 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1915 size_t rsa_key_len = 0;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1916
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame^]1917#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
1918 defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1919 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1920 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1921 md5_context md5;
1922 sha1_context sha1;
1923
1924 /*
1925 * digitally-signed struct {
1926 * opaque md5_hash[16];
1927 * opaque sha_hash[20];
1928 * };
1929 *
1930 * md5_hash
1931 * MD5(ClientHello.random + ServerHello.random
1932 * + ServerParams);
1933 * sha_hash
1934 * SHA(ClientHello.random + ServerHello.random
1935 * + ServerParams);
1936 */
1937 md5_starts( &md5 );
1938 md5_update( &md5, ssl->handshake->randbytes, 64 );
1939 md5_update( &md5, dig_sig, dig_sig_len );
1940 md5_finish( &md5, hash );
1941
1942 sha1_starts( &sha1 );
1943 sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1944 sha1_update( &sha1, dig_sig, dig_sig_len );
1945 sha1_finish( &sha1, hash + 16 );
1946
1947 hashlen = 36;
1948 md_alg = POLARSSL_MD_NONE;
1949 }
1950 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame^]1951#endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
1952 POLARSSL_SSL_PROTO_TLS1_1 */
1953#if defined(POLARSSL_SSL_PROTO_TLS1_2)
1954 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1955 {
1956 md_context_t ctx;
1957
1958 /*
1959 * digitally-signed struct {
1960 * opaque client_random[32];
1961 * opaque server_random[32];
1962 * ServerDHParams params;
1963 * };
1964 */
1965 switch( ssl->handshake->sig_alg )
1966 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1967#if defined(POLARSSL_MD5_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1968 case SSL_HASH_MD5:
1969 md_alg = POLARSSL_MD_MD5;
1970 break;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1971#endif
1972#if defined(POLARSSL_SHA1_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1973 case SSL_HASH_SHA1:
1974 md_alg = POLARSSL_MD_SHA1;
1975 break;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1976#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]1977#if defined(POLARSSL_SHA256_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1978 case SSL_HASH_SHA224:
1979 md_alg = POLARSSL_MD_SHA224;
1980 break;
1981 case SSL_HASH_SHA256:
1982 md_alg = POLARSSL_MD_SHA256;
1983 break;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1984#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]1985#if defined(POLARSSL_SHA512_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1986 case SSL_HASH_SHA384:
1987 md_alg = POLARSSL_MD_SHA384;
1988 break;
1989 case SSL_HASH_SHA512:
1990 md_alg = POLARSSL_MD_SHA512;
1991 break;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1992#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1993 default:
1994 /* Should never happen */
1995 return( -1 );
1996 }
1997
1998 if( ( ret = md_init_ctx( &ctx, md_info_from_type( md_alg ) ) ) != 0 )
1999 {
2000 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
2001 return( ret );
2002 }
2003
2004 md_starts( &ctx );
2005 md_update( &ctx, ssl->handshake->randbytes, 64 );
2006 md_update( &ctx, dig_sig, dig_sig_len );
2007 md_finish( &ctx, hash );
Paul Bakker61d113b2013-07-04 11:51:43 +0200[diff] [blame]2008
2009 if( ( ret = md_free_ctx( &ctx ) ) != 0 )
2010 {
2011 SSL_DEBUG_RET( 1, "md_free_ctx", ret );
2012 return( ret );
2013 }
2014
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2015 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame^]2016 else
2017#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2018 /* Should never happen */
2019 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2020
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2021 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
2022
2023 if ( ssl->rsa_key )
2024 rsa_key_len = ssl->rsa_key_len( ssl->rsa_key );
2025
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame^]2026#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2027 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2028 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2029 *(p++) = ssl->handshake->sig_alg;
2030 *(p++) = SSL_SIG_RSA;
2031
2032 n += 2;
2033 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame^]2034#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2035
2036 *(p++) = (unsigned char)( rsa_key_len >> 8 );
2037 *(p++) = (unsigned char)( rsa_key_len );
2038 n += 2;
2039
2040 if ( ssl->rsa_key )
2041 {
2042 ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
2043 RSA_PRIVATE, md_alg, hashlen, hash, p );
2044 }
2045
2046 if( ret != 0 )
2047 {
2048 SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2049 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2050 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2051
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2052 SSL_DEBUG_BUF( 3, "my RSA sig", p, rsa_key_len );
2053
2054 p += rsa_key_len;
2055 n += rsa_key_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2056 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2057#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
2058 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2059
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2060 ssl->out_msglen = 4 + n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2061 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2062 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE;
2063
2064 ssl->state++;
2065
2066 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2067 {
2068 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2069 return( ret );
2070 }
2071
2072 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
2073
2074 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2075}
2076
2077static int ssl_write_server_hello_done( ssl_context *ssl )
2078{
2079 int ret;
2080
2081 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
2082
2083 ssl->out_msglen = 4;
2084 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2085 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE;
2086
2087 ssl->state++;
2088
2089 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2090 {
2091 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2092 return( ret );
2093 }
2094
2095 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
2096
2097 return( 0 );
2098}
2099
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2100#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2101 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2102static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
2103 const unsigned char *end )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2104{
2105 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2106 size_t n;
2107
2108 /*
2109 * Receive G^Y mod P, premaster = (G^Y)^X mod P
2110 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2111 if( *p + 2 > end )
2112 {
2113 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2114 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2115 }
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2116
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2117 n = ( (*p)[0] << 8 ) | (*p)[1];
2118 *p += 2;
2119
2120 if( n < 1 || n > ssl->handshake->dhm_ctx.len || *p + n > end )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2121 {
2122 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2123 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2124 }
2125
2126 if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx,
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2127 *p, n ) ) != 0 )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2128 {
2129 SSL_DEBUG_RET( 1, "dhm_read_public", ret );
2130 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2131 }
2132
2133 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2134
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2135 return( ret );
2136}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2137#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2138 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2139
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2140#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2141static int ssl_parse_client_ecdh_public( ssl_context *ssl )
2142{
2143 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2144 size_t n;
2145
2146 /*
2147 * Receive client public key and calculate premaster
2148 */
2149 n = ssl->in_msg[3];
2150
2151 if( n < 1 || n > mpi_size( &ssl->handshake->ecdh_ctx.grp.P ) * 2 + 2 ||
2152 n + 4 != ssl->in_hslen )
2153 {
2154 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2155 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2156 }
2157
2158 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2159 ssl->in_msg + 4, n ) ) != 0 )
2160 {
2161 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2162 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2163 }
2164
2165 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2166
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2167 return( ret );
2168}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2169#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2170
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2171#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2172static int ssl_parse_encrypted_pms_secret( ssl_context *ssl )
2173{
2174 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2175 size_t i, n = 0;
2176
2177 if( ssl->rsa_key == NULL )
2178 {
2179 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2180 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2181 }
2182
2183 /*
2184 * Decrypt the premaster using own private RSA key
2185 */
2186 i = 4;
2187 if( ssl->rsa_key )
2188 n = ssl->rsa_key_len( ssl->rsa_key );
2189 ssl->handshake->pmslen = 48;
2190
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame^]2191#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2192 defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2193 if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
2194 {
2195 i += 2;
2196 if( ssl->in_msg[4] != ( ( n >> 8 ) & 0xFF ) ||
2197 ssl->in_msg[5] != ( ( n ) & 0xFF ) )
2198 {
2199 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2200 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2201 }
2202 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame^]2203#endif
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2204
2205 if( ssl->in_hslen != i + n )
2206 {
2207 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2208 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2209 }
2210
2211 if( ssl->rsa_key ) {
2212 ret = ssl->rsa_decrypt( ssl->rsa_key, RSA_PRIVATE,
2213 &ssl->handshake->pmslen,
2214 ssl->in_msg + i,
2215 ssl->handshake->premaster,
2216 sizeof(ssl->handshake->premaster) );
2217 }
2218
2219 if( ret != 0 || ssl->handshake->pmslen != 48 ||
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]2220 ssl->handshake->premaster[0] != ssl->handshake->max_major_ver ||
2221 ssl->handshake->premaster[1] != ssl->handshake->max_minor_ver )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2222 {
2223 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2224
2225 /*
2226 * Protection against Bleichenbacher's attack:
2227 * invalid PKCS#1 v1.5 padding must not cause
2228 * the connection to end immediately; instead,
2229 * send a bad_record_mac later in the handshake.
2230 */
2231 ssl->handshake->pmslen = 48;
2232
2233 ret = ssl->f_rng( ssl->p_rng, ssl->handshake->premaster,
2234 ssl->handshake->pmslen );
2235 if( ret != 0 )
2236 return( ret );
2237 }
2238
2239 return( ret );
2240}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2241#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2242
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2243#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
2244 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2245static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
2246 const unsigned char *end )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2247{
2248 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2249 size_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2250
2251 if( ssl->psk == NULL || ssl->psk_identity == NULL ||
2252 ssl->psk_identity_len == 0 || ssl->psk_len == 0 )
2253 {
2254 SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
2255 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2256 }
2257
2258 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2259 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2260 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2261 if( *p + 2 > end )
2262 {
2263 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2264 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2265 }
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2266
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2267 n = ( (*p)[0] << 8 ) | (*p)[1];
2268 *p += 2;
2269
2270 if( n < 1 || n > 65535 || *p + n > end )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2271 {
2272 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2273 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2274 }
2275
2276 if( n != ssl->psk_identity_len ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2277 memcmp( ssl->psk_identity, *p, n ) != 0 )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2278 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2279 SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2280 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2281 }
2282
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2283 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2284 ret = 0;
2285
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2286 return( ret );
2287}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2288#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED ||
2289 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2290
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2291static int ssl_parse_client_key_exchange( ssl_context *ssl )
2292{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2293 int ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2294 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2295 unsigned char *p, *end;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2296
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2297 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2298
2299 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
2300
2301 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2302 {
2303 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2304 return( ret );
2305 }
2306
2307 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2308 {
2309 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2310 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2311 }
2312
2313 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
2314 {
2315 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2316 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2317 }
2318
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2319 p = ssl->in_msg + 4;
2320 end = ssl->in_msg + ssl->in_msglen;
2321
2322#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2323 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2324 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2325 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2326 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2327 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2328 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2329 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2330
2331 ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
2332
2333 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2334 ssl->handshake->premaster,
2335 &ssl->handshake->pmslen ) ) != 0 )
2336 {
2337 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2338 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2339 }
2340
2341 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2342 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2343 else
2344#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
2345#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
2346 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2347 {
2348 if( ( ret = ssl_parse_client_ecdh_public( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2349 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2350 SSL_DEBUG_RET( 1, ( "ssl_parse_client_ecdh_public" ), ret );
2351 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2352 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2353
2354 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2355 &ssl->handshake->pmslen,
2356 ssl->handshake->premaster,
2357 POLARSSL_MPI_MAX_SIZE ) ) != 0 )
2358 {
2359 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
2360 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2361 }
2362
2363 SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2364 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2365 else
2366#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2367#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2368 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2369 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2370 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2371 {
2372 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2373 return( ret );
2374 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2375
2376 // Set up the premaster secret
2377 //
2378 p = ssl->handshake->premaster;
2379 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2380 *(p++) = (unsigned char)( ssl->psk_len );
2381 p += ssl->psk_len;
2382
2383 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2384 *(p++) = (unsigned char)( ssl->psk_len );
2385 memcpy( p, ssl->psk, ssl->psk_len );
2386 p += ssl->psk_len;
2387
2388 ssl->handshake->pmslen = 4 + 2 * ssl->psk_len;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2389 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2390 else
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2391#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
2392#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2393 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2394 {
2395 size_t n;
2396
2397 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2398 {
2399 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2400 return( ret );
2401 }
2402 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2403 {
2404 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2405 return( ret );
2406 }
2407
2408 // Set up the premaster secret
2409 //
2410 p = ssl->handshake->premaster;
2411 *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len >> 8 );
2412 *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len );
2413
2414 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2415 p, &n ) ) != 0 )
2416 {
2417 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2418 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2419 }
2420
2421 if( n != ssl->handshake->dhm_ctx.len )
2422 {
2423 SSL_DEBUG_MSG( 1, ( "dhm_calc_secret result smaller than DHM" ) );
2424 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
2425 }
2426
2427 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2428
2429 p += ssl->handshake->dhm_ctx.len;
2430
2431 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2432 *(p++) = (unsigned char)( ssl->psk_len );
2433 memcpy( p, ssl->psk, ssl->psk_len );
2434 p += ssl->psk_len;
2435
2436 ssl->handshake->pmslen = 4 + ssl->handshake->dhm_ctx.len + ssl->psk_len;
2437 }
2438 else
2439#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2440#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2441 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2442 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2443 if( ( ret = ssl_parse_encrypted_pms_secret( ssl ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2444 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2445 SSL_DEBUG_RET( 1, ( "ssl_parse_client_ecdh_public" ), ret );
2446 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2447 }
2448 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2449 else
2450#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2451 {
2452 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
2453 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2454
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2455 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2456 {
2457 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2458 return( ret );
2459 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2460
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2461 ssl->state++;
2462
2463 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
2464
2465 return( 0 );
2466}
2467
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2468#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2469 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2470 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2471static int ssl_parse_certificate_verify( ssl_context *ssl )
2472{
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2473 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2474 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2475
2476 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2477
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2478 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2479 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2480 {
2481 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2482 ssl->state++;
2483 return( 0 );
2484 }
2485
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2486 return( ret );
2487}
2488#else
2489static int ssl_parse_certificate_verify( ssl_context *ssl )
2490{
2491 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2492 size_t n = 0, n1, n2;
2493 unsigned char hash[48];
2494 md_type_t md_alg = POLARSSL_MD_NONE;
2495 unsigned int hashlen = 0;
2496 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2497
2498 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2499
2500 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2501 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2502 {
2503 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2504 ssl->state++;
2505 return( 0 );
2506 }
2507
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2508 if( ssl->session_negotiate->peer_cert == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2509 {
2510 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2511 ssl->state++;
2512 return( 0 );
2513 }
2514
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2515 ssl->handshake->calc_verify( ssl, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2516
2517 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2518 {
2519 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2520 return( ret );
2521 }
2522
2523 ssl->state++;
2524
2525 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2526 {
2527 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2528 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2529 }
2530
2531 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
2532 {
2533 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2534 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2535 }
2536
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame^]2537#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2538 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2539 {
2540 /*
2541 * As server we know we either have SSL_HASH_SHA384 or
2542 * SSL_HASH_SHA256
2543 */
2544 if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg ||
2545 ssl->in_msg[5] != SSL_SIG_RSA )
2546 {
2547 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg for verify message" ) );
2548 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
2549 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2550
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2551 if( ssl->handshake->verify_sig_alg == SSL_HASH_SHA384 )
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2552 md_alg = POLARSSL_MD_SHA384;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2553 else
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2554 md_alg = POLARSSL_MD_SHA256;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2555
2556 n += 2;
2557 }
2558 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame^]2559#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2560#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2561 defined(POLARSSL_SSL_PROTO_TLS1_1)
2562 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2563 {
2564 hashlen = 36;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2565 md_alg = POLARSSL_MD_NONE;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2566 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame^]2567 else
2568#endif
2569 /* Should never happen */
2570 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2571
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2572 /* EC NOT IMPLEMENTED YET */
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +0200[diff] [blame]2573 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2574 POLARSSL_PK_RSA ) )
2575 {
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2576 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +0200[diff] [blame]2577 }
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2578
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +0200[diff] [blame]2579 n1 = pk_get_size( &ssl->session_negotiate->peer_cert->pk ) / 8;
Paul Bakker78ce5072012-11-23 14:23:53 +0100[diff] [blame]2580 n2 = ( ssl->in_msg[4 + n] << 8 ) | ssl->in_msg[5 + n];
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2581
2582 if( n + n1 + 6 != ssl->in_hslen || n1 != n2 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2583 {
2584 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2585 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2586 }
2587
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2588 ret = rsa_pkcs1_verify( pk_rsa( ssl->session_negotiate->peer_cert->pk ),
2589 RSA_PUBLIC, md_alg, hashlen, hash,
2590 ssl->in_msg + 6 + n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2591 if( ret != 0 )
2592 {
2593 SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
2594 return( ret );
2595 }
2596
2597 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
2598
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2599 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2600}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2601#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2602 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2603 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2604
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2605#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2606static int ssl_write_new_session_ticket( ssl_context *ssl )
2607{
2608 int ret;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2609 size_t tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2610
2611 SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
2612
2613 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2614 ssl->out_msg[0] = SSL_HS_NEW_SESSION_TICKET;
2615
2616 /*
2617 * struct {
2618 * uint32 ticket_lifetime_hint;
2619 * opaque ticket<0..2^16-1>;
2620 * } NewSessionTicket;
2621 *
2622 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
2623 * 8 . 9 ticket_len (n)
2624 * 10 . 9+n ticket content
2625 */
2626 ssl->out_msg[4] = 0x00;
2627 ssl->out_msg[5] = 0x00;
2628 ssl->out_msg[6] = 0x00;
2629 ssl->out_msg[7] = 0x00;
2630
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]2631 if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
2632 {
2633 SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
2634 tlen = 0;
2635 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2636
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2637 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
2638 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2639
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2640 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2641
2642 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2643 {
2644 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2645 return( ret );
2646 }
2647
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2648 /* No need to remember writing a NewSessionTicket any more */
2649 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2650
2651 SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
2652
2653 return( 0 );
2654}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2655#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2656
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2657/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2658 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2659 */
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2660int ssl_handshake_server_step( ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2661{
2662 int ret = 0;
2663
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2664 if( ssl->state == SSL_HANDSHAKE_OVER )
2665 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2666
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2667 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
2668
2669 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2670 return( ret );
2671
2672 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2673 {
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2674 case SSL_HELLO_REQUEST:
2675 ssl->state = SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2676 break;
2677
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2678 /*
2679 * <== ClientHello
2680 */
2681 case SSL_CLIENT_HELLO:
2682 ret = ssl_parse_client_hello( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2683 break;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2684
2685 /*
2686 * ==> ServerHello
2687 * Certificate
2688 * ( ServerKeyExchange )
2689 * ( CertificateRequest )
2690 * ServerHelloDone
2691 */
2692 case SSL_SERVER_HELLO:
2693 ret = ssl_write_server_hello( ssl );
2694 break;
2695
2696 case SSL_SERVER_CERTIFICATE:
2697 ret = ssl_write_certificate( ssl );
2698 break;
2699
2700 case SSL_SERVER_KEY_EXCHANGE:
2701 ret = ssl_write_server_key_exchange( ssl );
2702 break;
2703
2704 case SSL_CERTIFICATE_REQUEST:
2705 ret = ssl_write_certificate_request( ssl );
2706 break;
2707
2708 case SSL_SERVER_HELLO_DONE:
2709 ret = ssl_write_server_hello_done( ssl );
2710 break;
2711
2712 /*
2713 * <== ( Certificate/Alert )
2714 * ClientKeyExchange
2715 * ( CertificateVerify )
2716 * ChangeCipherSpec
2717 * Finished
2718 */
2719 case SSL_CLIENT_CERTIFICATE:
2720 ret = ssl_parse_certificate( ssl );
2721 break;
2722
2723 case SSL_CLIENT_KEY_EXCHANGE:
2724 ret = ssl_parse_client_key_exchange( ssl );
2725 break;
2726
2727 case SSL_CERTIFICATE_VERIFY:
2728 ret = ssl_parse_certificate_verify( ssl );
2729 break;
2730
2731 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
2732 ret = ssl_parse_change_cipher_spec( ssl );
2733 break;
2734
2735 case SSL_CLIENT_FINISHED:
2736 ret = ssl_parse_finished( ssl );
2737 break;
2738
2739 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2740 * ==> ( NewSessionTicket )
2741 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2742 * Finished
2743 */
2744 case SSL_SERVER_CHANGE_CIPHER_SPEC:
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2745#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2746 if( ssl->handshake->new_session_ticket != 0 )
2747 ret = ssl_write_new_session_ticket( ssl );
2748 else
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2749#endif
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2750 ret = ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2751 break;
2752
2753 case SSL_SERVER_FINISHED:
2754 ret = ssl_write_finished( ssl );
2755 break;
2756
2757 case SSL_FLUSH_BUFFERS:
2758 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2759 ssl->state = SSL_HANDSHAKE_WRAPUP;
2760 break;
2761
2762 case SSL_HANDSHAKE_WRAPUP:
2763 ssl_handshake_wrapup( ssl );
2764 break;
2765
2766 default:
2767 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2768 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2769 }
2770
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2771 return( ret );
2772}
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2773#endif