TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / 606b4ba20f0d95d4fd3d0965601b3aaa380c744d / . / library / ssl_srv.c
blob: 7de15779aa362496f4c0d32e16e5937eaa355ff7 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 server-side functions
3 *
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]26#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]28#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]30#include "polarssl/debug.h"
31#include "polarssl/ssl.h"
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]32#if defined(POLARSSL_ECP_C)
33#include "polarssl/ecp.h"
34#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]36#if defined(POLARSSL_MEMORY_C)
37#include "polarssl/memory.h"
38#else
39#define polarssl_malloc malloc
40#define polarssl_free free
41#endif
42
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43#include <stdlib.h>
44#include <stdio.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]45
46#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47#include <time.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]48#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]49
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]50#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]51/*
52 * Serialize a session in the following format:
53 * 0 . n-1 session structure, n = sizeof(ssl_session)
54 * n . n+2 peer_cert length = m (0 if no certificate)
55 * n+3 . n+2+m peer cert ASN.1
56 *
57 * Assumes ticket is NULL (always true on server side).
58 */
59static void ssl_save_session( const ssl_session *session,
60 unsigned char *buf, size_t *olen )
61{
62 unsigned char *p = buf;
63#if defined(POLARSSL_X509_PARSE_C)
64 size_t cert_len;
65#endif /* POLARSSL_X509_PARSE_C */
66
67 memcpy( p, session, sizeof( ssl_session ) );
68 p += sizeof( ssl_session );
69
70#if defined(POLARSSL_X509_PARSE_C)
71 ((ssl_session *) buf)->peer_cert = NULL;
72
73 if( session->peer_cert == NULL )
74 cert_len = 0;
75 else
76 cert_len = session->peer_cert->raw.len;
77
78 *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
79 *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
80 *p++ = (unsigned char)( cert_len & 0xFF );
81
82 if( session->peer_cert != NULL )
83 memcpy( p, session->peer_cert->raw.p, cert_len );
84
85 p += cert_len;
86#endif /* POLARSSL_X509_PARSE_C */
87
88 *olen = p - buf;
89}
90
91/*
92 * Unserialise session, see ssl_save_session()
93 */
94static int ssl_load_session( ssl_session *session,
95 const unsigned char *buf, size_t len )
96{
97 int ret;
98 const unsigned char *p = buf;
99 const unsigned char * const end = buf + len;
100#if defined(POLARSSL_X509_PARSE_C)
101 size_t cert_len;
102#endif /* POLARSSL_X509_PARSE_C */
103
104 if( p + sizeof( ssl_session ) > end )
105 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
106
107 memcpy( session, p, sizeof( ssl_session ) );
108 p += sizeof( ssl_session );
109
110#if defined(POLARSSL_X509_PARSE_C)
111 if( p + 3 > end )
112 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
113
114 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
115 p += 3;
116
117 if( cert_len == 0 )
118 {
119 session->peer_cert = NULL;
120 }
121 else
122 {
123 if( p + cert_len > end )
124 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
125
126 session->peer_cert = polarssl_malloc( cert_len );
127
128 if( session->peer_cert == NULL )
129 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
130
131 memset( session->peer_cert, 0, sizeof( x509_cert ) );
132
133 if( ( ret = x509parse_crt( session->peer_cert, p, cert_len ) ) != 0 )
134 {
135 polarssl_free( session->peer_cert );
136 free( session->peer_cert );
137 session->peer_cert = NULL;
138 return( ret );
139 }
140
141 p += cert_len;
142 }
143#endif /* POLARSSL_X509_PARSE_C */
144
145 if( p != end )
146 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
147
148 return( 0 );
149}
150
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]151/*
152 * Create session ticket, secured as recommended in RFC 5077 section 4:
153 *
154 * struct {
155 * opaque key_name[16];
156 * opaque iv[16];
157 * opaque encrypted_state<0..2^16-1>;
158 * opaque mac[32];
159 * } ticket;
160 *
161 * (the internal state structure differs, however).
162 */
163static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
164{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]165 int ret;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]166 unsigned char * const start = ssl->out_msg + 10;
167 unsigned char *p = start;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]168 unsigned char *state;
169 unsigned char iv[16];
170 size_t clear_len, enc_len, pad_len, i;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]171
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]172 if( ssl->ticket_keys == NULL )
173 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
174
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]175 /* Write key name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]176 memcpy( p, ssl->ticket_keys->key_name, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]177 p += 16;
178
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]179 /* Generate and write IV (with a copy for aes_crypt) */
180 if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
181 return( ret );
182 memcpy( iv, p, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]183 p += 16;
184
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]185 /* Dump session state */
186 state = p + 2;
187 ssl_save_session( ssl->session_negotiate, state, &clear_len );
188 SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]189
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]190 /* Apply PKCS padding */
191 pad_len = 16 - clear_len % 16;
192 enc_len = clear_len + pad_len;
193 for( i = clear_len; i < enc_len; i++ )
194 state[i] = (unsigned char) pad_len;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]195
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]196 /* Encrypt */
197 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
198 enc_len, iv, state, state ) ) != 0 )
199 {
200 return( ret );
201 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]202
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]203 /* Write length */
204 *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
205 *p++ = (unsigned char)( ( enc_len ) & 0xFF );
206 p = state + enc_len;
207
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]208 /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
209 sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]210 p += 32;
211
212 *tlen = p - start;
213
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]214 SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]215
216 return( 0 );
217}
218
219/*
220 * Load session ticket (see ssl_write_ticket for structure)
221 */
222static int ssl_parse_ticket( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]223 unsigned char *buf,
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]224 size_t len )
225{
226 int ret;
227 ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]228 unsigned char *key_name = buf;
229 unsigned char *iv = buf + 16;
230 unsigned char *enc_len_p = iv + 16;
231 unsigned char *ticket = enc_len_p + 2;
232 unsigned char *mac;
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]233 unsigned char computed_mac[16];
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]234 size_t enc_len, clear_len, i;
235 unsigned char pad_len;
236
237 SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]238
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]239 if( len < 34 || ssl->ticket_keys == NULL )
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]240 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
241
242 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
243 mac = ticket + enc_len;
244
245 if( len != enc_len + 66 )
246 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
247
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]248 /* Check name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]249 if( memcmp( key_name, ssl->ticket_keys->key_name, 16 ) != 0 )
250 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]251
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]252 /* Check mac */
253 sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
254 computed_mac, 0 );
255 ret = 0;
256 for( i = 0; i < 32; i++ )
257 if( mac[i] != computed_mac[i] )
258 ret = POLARSSL_ERR_SSL_INVALID_MAC;
259 if( ret != 0 )
260 return( ret );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]261
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]262 /* Decrypt */
263 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
264 enc_len, iv, ticket, ticket ) ) != 0 )
265 {
266 return( ret );
267 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]268
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]269 /* Check PKCS padding */
270 pad_len = ticket[enc_len - 1];
271
272 ret = 0;
273 for( i = 2; i < pad_len; i++ )
274 if( ticket[enc_len - i] != pad_len )
275 ret = POLARSSL_ERR_SSL_BAD_INPUT_DATA;
276 if( ret != 0 )
277 return( ret );
278
279 clear_len = enc_len - pad_len;
280
281 SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
282
283 /* Actually load session */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]284 if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
285 {
286 SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
287 memset( &session, 0, sizeof( ssl_session ) );
288 return( ret );
289 }
290
Paul Bakker606b4ba2013-08-14 16:52:14 +0200[diff] [blame^]291#if defined(POLARSSL_HAVE_TIME)
292 /* Check if still valid */
293 if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
294 {
295 SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
296 memset( &session, 0, sizeof( ssl_session ) );
297 return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED );
298 }
299#endif
300
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]301 /*
302 * Keep the session ID sent by the client, since we MUST send it back to
303 * inform him we're accepting the ticket (RFC 5077 section 3.4)
304 */
305 session.length = ssl->session_negotiate->length;
306 memcpy( &session.id, ssl->session_negotiate->id, session.length );
307
308 ssl_session_free( ssl->session_negotiate );
309 memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
310 memset( &session, 0, sizeof( ssl_session ) );
311
312 return( 0 );
313}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]314#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]315
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]316static int ssl_parse_servername_ext( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]317 const unsigned char *buf,
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]318 size_t len )
319{
320 int ret;
321 size_t servername_list_size, hostname_len;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]322 const unsigned char *p;
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]323
324 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
325 if( servername_list_size + 2 != len )
326 {
327 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
328 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
329 }
330
331 p = buf + 2;
332 while( servername_list_size > 0 )
333 {
334 hostname_len = ( ( p[1] << 8 ) | p[2] );
335 if( hostname_len + 3 > servername_list_size )
336 {
337 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
338 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
339 }
340
341 if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
342 {
343 ret = ssl->f_sni( ssl->p_sni, ssl, p + 3, hostname_len );
344 if( ret != 0 )
345 {
346 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
347 SSL_ALERT_MSG_UNRECOGNIZED_NAME );
348 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
349 }
Paul Bakker81420ab2012-10-23 10:31:15 +0000[diff] [blame]350 return( 0 );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]351 }
352
353 servername_list_size -= hostname_len + 3;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]354 p += hostname_len + 3;
355 }
356
357 if( servername_list_size != 0 )
358 {
359 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
360 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]361 }
362
363 return( 0 );
364}
365
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]366static int ssl_parse_renegotiation_info( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]367 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]368 size_t len )
369{
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]370 int ret;
371
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]372 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
373 {
374 if( len != 1 || buf[0] != 0x0 )
375 {
376 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]377
378 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
379 return( ret );
380
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]381 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
382 }
383
384 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
385 }
386 else
387 {
388 if( len != 1 + ssl->verify_data_len ||
389 buf[0] != ssl->verify_data_len ||
390 memcmp( buf + 1, ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
391 {
392 SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]393
394 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
395 return( ret );
396
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]397 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
398 }
399 }
400
401 return( 0 );
402}
403
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]404static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
405 const unsigned char *buf,
406 size_t len )
407{
408 size_t sig_alg_list_size;
409 const unsigned char *p;
410
411 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
412 if( sig_alg_list_size + 2 != len ||
413 sig_alg_list_size %2 != 0 )
414 {
415 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
416 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
417 }
418
419 p = buf + 2;
420 while( sig_alg_list_size > 0 )
421 {
422 if( p[1] != SSL_SIG_RSA )
Paul Bakker8611e732012-10-30 07:52:29 +0000[diff] [blame]423 {
424 sig_alg_list_size -= 2;
425 p += 2;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]426 continue;
Paul Bakker8611e732012-10-30 07:52:29 +0000[diff] [blame]427 }
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]428#if defined(POLARSSL_SHA512_C)
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]429 if( p[0] == SSL_HASH_SHA512 )
430 {
431 ssl->handshake->sig_alg = SSL_HASH_SHA512;
432 break;
433 }
434 if( p[0] == SSL_HASH_SHA384 )
435 {
436 ssl->handshake->sig_alg = SSL_HASH_SHA384;
437 break;
438 }
439#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]440#if defined(POLARSSL_SHA256_C)
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]441 if( p[0] == SSL_HASH_SHA256 )
442 {
443 ssl->handshake->sig_alg = SSL_HASH_SHA256;
444 break;
445 }
446 if( p[0] == SSL_HASH_SHA224 )
447 {
448 ssl->handshake->sig_alg = SSL_HASH_SHA224;
449 break;
450 }
451#endif
452 if( p[0] == SSL_HASH_SHA1 )
453 {
454 ssl->handshake->sig_alg = SSL_HASH_SHA1;
455 break;
456 }
457 if( p[0] == SSL_HASH_MD5 )
458 {
459 ssl->handshake->sig_alg = SSL_HASH_MD5;
460 break;
461 }
462
463 sig_alg_list_size -= 2;
464 p += 2;
465 }
466
467 SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
468 ssl->handshake->sig_alg ) );
469
470 return( 0 );
471}
472
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]473#if defined(POLARSSL_ECP_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]474static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
475 const unsigned char *buf,
476 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]477{
478 size_t list_size;
479 const unsigned char *p;
480
481 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
482 if( list_size + 2 != len ||
483 list_size % 2 != 0 )
484 {
485 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
486 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
487 }
488
489 p = buf + 2;
490 while( list_size > 0 )
491 {
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]492#if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
493 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP192R1 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]494 {
495 ssl->handshake->ec_curve = p[1];
496 return( 0 );
497 }
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]498#endif
499#if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
500 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP224R1 )
501 {
502 ssl->handshake->ec_curve = p[1];
503 return( 0 );
504 }
505#endif
506#if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
507 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP256R1 )
508 {
509 ssl->handshake->ec_curve = p[1];
510 return( 0 );
511 }
512#endif
513#if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
514 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP384R1 )
515 {
516 ssl->handshake->ec_curve = p[1];
517 return( 0 );
518 }
519#endif
520#if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
521 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP521R1 )
522 {
523 ssl->handshake->ec_curve = p[1];
524 return( 0 );
525 }
526#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]527
528 list_size -= 2;
529 p += 2;
530 }
531
532 return( 0 );
533}
534
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]535static int ssl_parse_supported_point_formats( ssl_context *ssl,
536 const unsigned char *buf,
537 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]538{
539 size_t list_size;
540 const unsigned char *p;
541
542 list_size = buf[0];
543 if( list_size + 1 != len )
544 {
545 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
546 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
547 }
548
549 p = buf + 2;
550 while( list_size > 0 )
551 {
552 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
553 p[0] == POLARSSL_ECP_PF_COMPRESSED )
554 {
555 ssl->handshake->ec_point_format = p[0];
556 return( 0 );
557 }
558
559 list_size--;
560 p++;
561 }
562
563 return( 0 );
564}
565#endif /* POLARSSL_ECP_C */
566
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]567static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
568 const unsigned char *buf,
569 size_t len )
570{
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]571 if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]572 {
573 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
574 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
575 }
576
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]577 ssl->session_negotiate->mfl_code = buf[0];
578
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]579 return( 0 );
580}
581
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]582static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
583 const unsigned char *buf,
584 size_t len )
585{
586 if( len != 0 )
587 {
588 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
589 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
590 }
591
592 ((void) buf);
593
594 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
595
596 return( 0 );
597}
598
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]599#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]600static int ssl_parse_session_ticket_ext( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]601 unsigned char *buf,
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]602 size_t len )
603{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]604 int ret;
605
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]606 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
607 return( 0 );
608
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]609 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]610 ssl->handshake->new_session_ticket = 1;
611
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]612 SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
613
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]614 if( len == 0 )
615 return( 0 );
616
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]617 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
618 {
619 SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
620 return( 0 );
621 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]622
623 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]624 * Failures are ok: just ignore the ticket and proceed.
625 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]626 if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
627 {
628 SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]629 return( 0 );
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]630 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]631
632 SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
633
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]634 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]635
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]636 /* Don't send a new ticket after all, this one is OK */
637 ssl->handshake->new_session_ticket = 0;
638
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]639 return( 0 );
640}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]641#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]642
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]643#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
644static int ssl_parse_client_hello_v2( ssl_context *ssl )
645{
646 int ret;
647 unsigned int i, j;
648 size_t n;
649 unsigned int ciph_len, sess_len, chal_len;
650 unsigned char *buf, *p;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]651 const int *ciphersuites;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]652 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]653
654 SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
655
656 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
657 {
658 SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
659
660 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
661 return( ret );
662
663 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
664 }
665
666 buf = ssl->in_hdr;
667
668 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
669
670 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
671 buf[2] ) );
672 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
673 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
674 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
675 buf[3], buf[4] ) );
676
677 /*
678 * SSLv2 Client Hello
679 *
680 * Record layer:
681 * 0 . 1 message length
682 *
683 * SSL layer:
684 * 2 . 2 message type
685 * 3 . 4 protocol version
686 */
687 if( buf[2] != SSL_HS_CLIENT_HELLO ||
688 buf[3] != SSL_MAJOR_VERSION_3 )
689 {
690 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
691 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
692 }
693
694 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
695
696 if( n < 17 || n > 512 )
697 {
698 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
699 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
700 }
701
702 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]703 ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
704 ? buf[4] : ssl->max_minor_ver;
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]705
706 if( ssl->minor_ver < ssl->min_minor_ver )
707 {
708 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
709 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
710 ssl->min_major_ver, ssl->min_minor_ver ) );
711
712 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
713 SSL_ALERT_MSG_PROTOCOL_VERSION );
714 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
715 }
716
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]717 ssl->handshake->max_major_ver = buf[3];
718 ssl->handshake->max_minor_ver = buf[4];
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]719
720 if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
721 {
722 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
723 return( ret );
724 }
725
726 ssl->handshake->update_checksum( ssl, buf + 2, n );
727
728 buf = ssl->in_msg;
729 n = ssl->in_left - 5;
730
731 /*
732 * 0 . 1 ciphersuitelist length
733 * 2 . 3 session id length
734 * 4 . 5 challenge length
735 * 6 . .. ciphersuitelist
736 * .. . .. session id
737 * .. . .. challenge
738 */
739 SSL_DEBUG_BUF( 4, "record contents", buf, n );
740
741 ciph_len = ( buf[0] << 8 ) | buf[1];
742 sess_len = ( buf[2] << 8 ) | buf[3];
743 chal_len = ( buf[4] << 8 ) | buf[5];
744
745 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
746 ciph_len, sess_len, chal_len ) );
747
748 /*
749 * Make sure each parameter length is valid
750 */
751 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
752 {
753 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
754 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
755 }
756
757 if( sess_len > 32 )
758 {
759 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
760 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
761 }
762
763 if( chal_len < 8 || chal_len > 32 )
764 {
765 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
766 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
767 }
768
769 if( n != 6 + ciph_len + sess_len + chal_len )
770 {
771 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
772 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
773 }
774
775 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
776 buf + 6, ciph_len );
777 SSL_DEBUG_BUF( 3, "client hello, session id",
778 buf + 6 + ciph_len, sess_len );
779 SSL_DEBUG_BUF( 3, "client hello, challenge",
780 buf + 6 + ciph_len + sess_len, chal_len );
781
782 p = buf + 6 + ciph_len;
783 ssl->session_negotiate->length = sess_len;
784 memset( ssl->session_negotiate->id, 0, sizeof( ssl->session_negotiate->id ) );
785 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
786
787 p += sess_len;
788 memset( ssl->handshake->randbytes, 0, 64 );
789 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
790
791 /*
792 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
793 */
794 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
795 {
796 if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
797 {
798 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
799 if( ssl->renegotiation == SSL_RENEGOTIATION )
800 {
801 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
802
803 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
804 return( ret );
805
806 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
807 }
808 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
809 break;
810 }
811 }
812
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]813 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
814 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]815 {
816 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
817 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]818 // Only allow non-ECC ciphersuites as we do not have extensions
819 //
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]820 if( p[0] == 0 && p[1] == 0 &&
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]821 ( ( ciphersuites[i] >> 8 ) & 0xFF ) == 0 &&
822 p[2] == ( ciphersuites[i] & 0xFF ) )
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]823 {
824 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
825
826 if( ciphersuite_info == NULL )
827 {
828 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
829 ciphersuites[i] ) );
830 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
831 }
832
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]833 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
834 ciphersuite_info->max_minor_ver < ssl->minor_ver )
835 continue;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]836
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]837 goto have_ciphersuite_v2;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]838 }
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]839 }
840 }
841
842 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
843
844 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
845
846have_ciphersuite_v2:
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]847 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]848 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]849 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]850
851 /*
852 * SSLv2 Client Hello relevant renegotiation security checks
853 */
854 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
855 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
856 {
857 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
858
859 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
860 return( ret );
861
862 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
863 }
864
865 ssl->in_left = 0;
866 ssl->state++;
867
868 SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
869
870 return( 0 );
871}
872#endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
873
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]874static int ssl_parse_client_hello( ssl_context *ssl )
875{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]876 int ret;
877 unsigned int i, j;
878 size_t n;
879 unsigned int ciph_len, sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]880 unsigned int comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]881 unsigned int ext_len = 0;
882 unsigned char *buf, *p, *ext;
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]883 int renegotiation_info_seen = 0;
884 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]885 const int *ciphersuites;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]886 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]887
888 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
889
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]890 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
891 ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]892 {
893 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
894 return( ret );
895 }
896
897 buf = ssl->in_hdr;
898
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]899#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
900 if( ( buf[0] & 0x80 ) != 0 )
901 return ssl_parse_client_hello_v2( ssl );
902#endif
903
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]904 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
905
906 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
907 buf[0] ) );
908 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
909 ( buf[3] << 8 ) | buf[4] ) );
910 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
911 buf[1], buf[2] ) );
912
913 /*
914 * SSLv3 Client Hello
915 *
916 * Record layer:
917 * 0 . 0 message type
918 * 1 . 2 protocol version
919 * 3 . 4 message length
920 */
921 if( buf[0] != SSL_MSG_HANDSHAKE ||
922 buf[1] != SSL_MAJOR_VERSION_3 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]923 {
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]924 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
925 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
926 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]927
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]928 n = ( buf[3] << 8 ) | buf[4];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]929
Manuel Pégourié-Gonnard72882b22013-08-02 13:36:00 +0200[diff] [blame]930 if( n < 45 || n > 2048 )
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]931 {
932 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
933 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
934 }
935
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]936 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
937 ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]938 {
939 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
940 return( ret );
941 }
942
943 buf = ssl->in_msg;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]944 if( !ssl->renegotiation )
945 n = ssl->in_left - 5;
946 else
947 n = ssl->in_msglen;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]948
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]949 ssl->handshake->update_checksum( ssl, buf, n );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]950
951 /*
952 * SSL layer:
953 * 0 . 0 handshake type
954 * 1 . 3 handshake length
955 * 4 . 5 protocol version
956 * 6 . 9 UNIX time()
957 * 10 . 37 random bytes
958 * 38 . 38 session id length
959 * 39 . 38+x session id
960 * 39+x . 40+x ciphersuitelist length
961 * 41+x . .. ciphersuitelist
962 * .. . .. compression alg.
963 * .. . .. extensions
964 */
965 SSL_DEBUG_BUF( 4, "record contents", buf, n );
966
967 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
968 buf[0] ) );
969 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
970 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
971 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
972 buf[4], buf[5] ) );
973
974 /*
975 * Check the handshake type and protocol version
976 */
977 if( buf[0] != SSL_HS_CLIENT_HELLO ||
978 buf[4] != SSL_MAJOR_VERSION_3 )
979 {
980 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
981 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
982 }
983
984 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]985 ssl->minor_ver = ( buf[5] <= ssl->max_minor_ver )
986 ? buf[5] : ssl->max_minor_ver;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]987
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]988 if( ssl->minor_ver < ssl->min_minor_ver )
989 {
990 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
991 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
Paul Bakker81420ab2012-10-23 10:31:15 +0000[diff] [blame]992 ssl->min_major_ver, ssl->min_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]993
994 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
995 SSL_ALERT_MSG_PROTOCOL_VERSION );
996
997 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
998 }
999
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1000 ssl->handshake->max_major_ver = buf[4];
1001 ssl->handshake->max_minor_ver = buf[5];
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1002
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1003 memcpy( ssl->handshake->randbytes, buf + 6, 32 );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1004
1005 /*
1006 * Check the handshake message length
1007 */
1008 if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
1009 {
1010 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1011 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1012 }
1013
1014 /*
1015 * Check the session length
1016 */
1017 sess_len = buf[38];
1018
1019 if( sess_len > 32 )
1020 {
1021 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1022 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1023 }
1024
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1025 ssl->session_negotiate->length = sess_len;
1026 memset( ssl->session_negotiate->id, 0,
1027 sizeof( ssl->session_negotiate->id ) );
1028 memcpy( ssl->session_negotiate->id, buf + 39,
1029 ssl->session_negotiate->length );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1030
1031 /*
1032 * Check the ciphersuitelist length
1033 */
1034 ciph_len = ( buf[39 + sess_len] << 8 )
1035 | ( buf[40 + sess_len] );
1036
1037 if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
1038 {
1039 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1040 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1041 }
1042
1043 /*
1044 * Check the compression algorithms length
1045 */
1046 comp_len = buf[41 + sess_len + ciph_len];
1047
1048 if( comp_len < 1 || comp_len > 16 )
1049 {
1050 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1051 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1052 }
1053
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1054 /*
1055 * Check the extension length
1056 */
1057 if( n > 42 + sess_len + ciph_len + comp_len )
1058 {
1059 ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
1060 | ( buf[43 + sess_len + ciph_len + comp_len] );
1061
1062 if( ( ext_len > 0 && ext_len < 4 ) ||
1063 n != 44 + sess_len + ciph_len + comp_len + ext_len )
1064 {
1065 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1066 SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
1067 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1068 }
1069 }
1070
1071 ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1072#if defined(POLARSSL_ZLIB_SUPPORT)
1073 for( i = 0; i < comp_len; ++i )
1074 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1075 if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1076 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1077 ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1078 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1079 }
1080 }
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1081#endif
1082
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1083 SSL_DEBUG_BUF( 3, "client hello, random bytes",
1084 buf + 6, 32 );
1085 SSL_DEBUG_BUF( 3, "client hello, session id",
1086 buf + 38, sess_len );
1087 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1088 buf + 41 + sess_len, ciph_len );
1089 SSL_DEBUG_BUF( 3, "client hello, compression",
1090 buf + 42 + sess_len + ciph_len, comp_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1091
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1092 /*
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1093 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1094 */
1095 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1096 {
1097 if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
1098 {
1099 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1100 if( ssl->renegotiation == SSL_RENEGOTIATION )
1101 {
1102 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1103
1104 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1105 return( ret );
1106
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1107 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1108 }
1109 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
1110 break;
1111 }
1112 }
1113
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1114 ext = buf + 44 + sess_len + ciph_len + comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1115
1116 while( ext_len )
1117 {
1118 unsigned int ext_id = ( ( ext[0] << 8 )
1119 | ( ext[1] ) );
1120 unsigned int ext_size = ( ( ext[2] << 8 )
1121 | ( ext[3] ) );
1122
1123 if( ext_size + 4 > ext_len )
1124 {
1125 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1126 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1127 }
1128 switch( ext_id )
1129 {
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]1130 case TLS_EXT_SERVERNAME:
1131 SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1132 if( ssl->f_sni == NULL )
1133 break;
1134
1135 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1136 if( ret != 0 )
1137 return( ret );
1138 break;
1139
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1140 case TLS_EXT_RENEGOTIATION_INFO:
1141 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1142 renegotiation_info_seen = 1;
1143
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1144 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1145 if( ret != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1146 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1147 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1148
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1149 case TLS_EXT_SIG_ALG:
1150 SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1151 if( ssl->renegotiation == SSL_RENEGOTIATION )
1152 break;
1153
1154 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1155 if( ret != 0 )
1156 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1157 break;
1158
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1159#if defined(POLARSSL_ECP_C)
1160 case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
1161 SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1162
1163 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1164 if( ret != 0 )
1165 return( ret );
1166 break;
1167
1168 case TLS_EXT_SUPPORTED_POINT_FORMATS:
1169 SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1170
1171 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1172 if( ret != 0 )
1173 return( ret );
1174 break;
1175#endif /* POLARSSL_ECP_C */
1176
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1177 case TLS_EXT_MAX_FRAGMENT_LENGTH:
1178 SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1179
1180 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1181 if( ret != 0 )
1182 return( ret );
1183 break;
1184
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1185 case TLS_EXT_TRUNCATED_HMAC:
1186 SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1187
1188 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1189 if( ret != 0 )
1190 return( ret );
1191 break;
1192
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1193#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1194 case TLS_EXT_SESSION_TICKET:
1195 SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1196
1197 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1198 if( ret != 0 )
1199 return( ret );
1200 break;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1201#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1202
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1203 default:
1204 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1205 ext_id ) );
1206 }
1207
1208 ext_len -= 4 + ext_size;
1209 ext += 4 + ext_size;
1210
1211 if( ext_len > 0 && ext_len < 4 )
1212 {
1213 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1214 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1215 }
1216 }
1217
1218 /*
1219 * Renegotiation security checks
1220 */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1221 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1222 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
1223 {
1224 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1225 handshake_failure = 1;
1226 }
1227 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1228 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
1229 renegotiation_info_seen == 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1230 {
1231 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1232 handshake_failure = 1;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1233 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1234 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1235 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1236 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1237 {
1238 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1239 handshake_failure = 1;
1240 }
1241 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1242 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1243 renegotiation_info_seen == 1 )
1244 {
1245 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1246 handshake_failure = 1;
1247 }
1248
1249 if( handshake_failure == 1 )
1250 {
1251 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1252 return( ret );
1253
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1254 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1255 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1256
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1257 /*
1258 * Search for a matching ciphersuite
1259 * (At the end because we need information from the EC-based extensions)
1260 */
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1261 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1262 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1263 {
1264 for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
1265 j += 2, p += 2 )
1266 {
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1267 if( p[0] == ( ( ciphersuites[i] >> 8 ) & 0xFF ) &&
1268 p[1] == ( ( ciphersuites[i] ) & 0xFF ) )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1269 {
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1270 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1271
1272 if( ciphersuite_info == NULL )
1273 {
1274 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1275 ciphersuites[i] ) );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1276 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
1277 }
1278
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1279 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
1280 ciphersuite_info->max_minor_ver < ssl->minor_ver )
1281 continue;
1282
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1283 if( ( ciphersuite_info->flags & POLARSSL_CIPHERSUITE_EC ) &&
1284 ssl->handshake->ec_curve == 0 )
1285 continue;
1286
1287 goto have_ciphersuite;
1288 }
1289 }
1290 }
1291
1292 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1293
1294 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1295 return( ret );
1296
1297 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
1298
1299have_ciphersuite:
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1300 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1301 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1302 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
1303
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1304 ssl->in_left = 0;
1305 ssl->state++;
1306
1307 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1308
1309 return( 0 );
1310}
1311
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1312static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
1313 unsigned char *buf,
1314 size_t *olen )
1315{
1316 unsigned char *p = buf;
1317
1318 if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
1319 {
1320 *olen = 0;
1321 return;
1322 }
1323
1324 SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1325
1326 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
1327 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
1328
1329 *p++ = 0x00;
1330 *p++ = 0x00;
1331
1332 *olen = 4;
1333}
1334
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1335#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1336static void ssl_write_session_ticket_ext( ssl_context *ssl,
1337 unsigned char *buf,
1338 size_t *olen )
1339{
1340 unsigned char *p = buf;
1341
1342 if( ssl->handshake->new_session_ticket == 0 )
1343 {
1344 *olen = 0;
1345 return;
1346 }
1347
1348 SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1349
1350 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
1351 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
1352
1353 *p++ = 0x00;
1354 *p++ = 0x00;
1355
1356 *olen = 4;
1357}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1358#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1359
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1360static void ssl_write_renegotiation_ext( ssl_context *ssl,
1361 unsigned char *buf,
1362 size_t *olen )
1363{
1364 unsigned char *p = buf;
1365
1366 if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION )
1367 {
1368 *olen = 0;
1369 return;
1370 }
1371
1372 SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1373
1374 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
1375 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
1376
1377 *p++ = 0x00;
1378 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
1379 *p++ = ssl->verify_data_len * 2 & 0xFF;
1380
1381 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
1382 p += ssl->verify_data_len;
1383 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
1384 p += ssl->verify_data_len;
1385
1386 *olen = 5 + ssl->verify_data_len * 2;
1387}
1388
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1389static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
1390 unsigned char *buf,
1391 size_t *olen )
1392{
1393 unsigned char *p = buf;
1394
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]1395 if( ssl->session_negotiate->mfl_code == SSL_MAX_FRAG_LEN_NONE )
1396 {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1397 *olen = 0;
1398 return;
1399 }
1400
1401 SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
1402
1403 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
1404 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
1405
1406 *p++ = 0x00;
1407 *p++ = 1;
1408
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]1409 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1410
1411 *olen = 5;
1412}
1413
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1414static int ssl_write_server_hello( ssl_context *ssl )
1415{
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1416#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1417 time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1418#endif
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1419 int ret, n;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1420 size_t olen, ext_len = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1421 unsigned char *buf, *p;
1422
1423 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
1424
1425 /*
1426 * 0 . 0 handshake type
1427 * 1 . 3 handshake length
1428 * 4 . 5 protocol version
1429 * 6 . 9 UNIX time()
1430 * 10 . 37 random bytes
1431 */
1432 buf = ssl->out_msg;
1433 p = buf + 4;
1434
1435 *p++ = (unsigned char) ssl->major_ver;
1436 *p++ = (unsigned char) ssl->minor_ver;
1437
1438 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
1439 buf[4], buf[5] ) );
1440
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1441#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1442 t = time( NULL );
1443 *p++ = (unsigned char)( t >> 24 );
1444 *p++ = (unsigned char)( t >> 16 );
1445 *p++ = (unsigned char)( t >> 8 );
1446 *p++ = (unsigned char)( t );
1447
1448 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1449#else
1450 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
1451 return( ret );
1452
1453 p += 4;
1454#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1455
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1456 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
1457 return( ret );
1458
1459 p += 28;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1460
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1461 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1462
1463 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
1464
1465 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1466 * Resume is 0 by default, see ssl_handshake_init().
1467 * It may be already set to 1 by ssl_parse_session_ticket_ext().
1468 * If not, try looking up session ID in our cache.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1469 */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1470 if( ssl->handshake->resume == 0 &&
1471 ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +0200[diff] [blame]1472 ssl->session_negotiate->length != 0 &&
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1473 ssl->f_get_cache != NULL &&
1474 ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
1475 {
1476 ssl->handshake->resume = 1;
1477 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1478
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1479 if( ssl->handshake->resume == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1480 {
1481 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1482 * New session, create a new session id,
1483 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1484 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1485 ssl->state++;
1486
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1487#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1488 if( ssl->handshake->new_session_ticket == 0 )
1489 {
1490 ssl->session_negotiate->length = n = 32;
1491 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1492 n ) ) != 0 )
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1493 return( ret );
1494 }
1495 else
1496 {
Paul Bakkerf0e39ac2013-08-15 11:40:48 +0200[diff] [blame]1497 ssl->session_negotiate->length = n = 0;
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1498 memset( ssl->session_negotiate->id, 0, 32 );
1499 }
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1500#else
1501 ssl->session_negotiate->length = n = 32;
1502 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
1503 n ) ) != 0 )
1504 return( ret );
1505#endif /* POLARSSL_SSL_SESSION_TICKETS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1506 }
1507 else
1508 {
1509 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1510 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1511 */
Paul Bakkerf0e39ac2013-08-15 11:40:48 +0200[diff] [blame]1512 n = ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1513 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1514
1515 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1516 {
1517 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1518 return( ret );
1519 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1520 }
1521
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1522 /*
1523 * 38 . 38 session id length
1524 * 39 . 38+n session id
1525 * 39+n . 40+n chosen ciphersuite
1526 * 41+n . 41+n chosen compression alg.
1527 * 42+n . 43+n extensions length
1528 * 44+n . 43+n+m extensions
1529 */
1530 *p++ = (unsigned char) ssl->session_negotiate->length;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1531 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
1532 p += ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1533
1534 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1535 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
1536 SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]1537 ssl->handshake->resume ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1538
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1539 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
1540 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
1541 *p++ = (unsigned char)( ssl->session_negotiate->compression );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1542
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1543 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1544 ssl->session_negotiate->ciphersuite ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1545 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1546 ssl->session_negotiate->compression ) );
1547
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1548 /*
1549 * First write extensions, then the total length
1550 */
1551 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1552 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1553
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1554 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1555 ext_len += olen;
1556
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1557 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1558 ext_len += olen;
1559
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1560#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1561 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1562 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1563#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1564
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1565 SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1566
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1567 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1568 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1569 p += ext_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1570
1571 ssl->out_msglen = p - buf;
1572 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1573 ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
1574
1575 ret = ssl_write_record( ssl );
1576
1577 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
1578
1579 return( ret );
1580}
1581
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1582#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1583 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1584 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1585static int ssl_write_certificate_request( ssl_context *ssl )
1586{
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]1587 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1588 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1589
1590 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1591
1592 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1593 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1594 {
1595 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1596 ssl->state++;
1597 return( 0 );
1598 }
1599
1600 return( ret );
1601}
1602#else
1603static int ssl_write_certificate_request( ssl_context *ssl )
1604{
1605 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1606 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1607 size_t n = 0, dn_size, total_dn_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1608 unsigned char *buf, *p;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1609 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1610
1611 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1612
1613 ssl->state++;
1614
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]1615 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1616 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]1617 ssl->authmode == SSL_VERIFY_NONE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1618 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1619 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1620 return( 0 );
1621 }
1622
1623 /*
1624 * 0 . 0 handshake type
1625 * 1 . 3 handshake length
1626 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1627 * 5 .. m-1 cert types
1628 * m .. m+1 sig alg length (TLS 1.2 only)
1629 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1630 * n .. n+1 length of all DNs
1631 * n+2 .. n+3 length of DN 1
1632 * n+4 .. ... Distinguished Name #1
1633 * ... .. ... length of DN 2, etc.
1634 */
1635 buf = ssl->out_msg;
1636 p = buf + 4;
1637
1638 /*
1639 * At the moment, only RSA certificates are supported
1640 */
1641 *p++ = 1;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1642 *p++ = SSL_CERT_TYPE_RSA_SIGN;
1643
1644 /*
1645 * Add signature_algorithms for verify (TLS 1.2)
1646 * Only add current running algorithm that is already required for
1647 * requested ciphersuite.
1648 *
1649 * Length is always 2
1650 */
Paul Bakker21dca692013-01-03 11:41:08 +0100[diff] [blame]1651 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1652 {
1653 ssl->handshake->verify_sig_alg = SSL_HASH_SHA256;
1654
1655 *p++ = 0;
1656 *p++ = 2;
1657
Paul Bakkerb7149bc2013-03-20 15:30:09 +0100[diff] [blame]1658 if( ssl->transform_negotiate->ciphersuite_info->mac ==
1659 POLARSSL_MD_SHA384 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1660 {
1661 ssl->handshake->verify_sig_alg = SSL_HASH_SHA384;
1662 }
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]1663
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1664 *p++ = ssl->handshake->verify_sig_alg;
1665 *p++ = SSL_SIG_RSA;
1666
1667 n += 4;
1668 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1669
1670 p += 2;
1671 crt = ssl->ca_chain;
1672
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]1673 total_dn_size = 0;
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]1674 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1675 {
1676 if( p - buf > 4096 )
1677 break;
1678
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1679 dn_size = crt->subject_raw.len;
1680 *p++ = (unsigned char)( dn_size >> 8 );
1681 *p++ = (unsigned char)( dn_size );
1682 memcpy( p, crt->subject_raw.p, dn_size );
1683 p += dn_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1684
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1685 SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
1686
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]1687 total_dn_size += 2 + dn_size;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1688 crt = crt->next;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1689 }
1690
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1691 ssl->out_msglen = p - buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1692 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1693 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1694 ssl->out_msg[6 + n] = (unsigned char)( total_dn_size >> 8 );
1695 ssl->out_msg[7 + n] = (unsigned char)( total_dn_size );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1696
1697 ret = ssl_write_record( ssl );
1698
1699 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
1700
1701 return( ret );
1702}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1703#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
1704 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
1705 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1706
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1707static int ssl_write_server_key_exchange( ssl_context *ssl )
1708{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1709 int ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1710 size_t n = 0, len;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1711 unsigned char hash[64];
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1712 md_type_t md_alg = POLARSSL_MD_NONE;
Paul Bakker35a7fe52012-10-31 09:07:14 +0000[diff] [blame]1713 unsigned int hashlen = 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1714 unsigned char *p = ssl->out_msg + 4;
1715 unsigned char *dig_sig = p;
1716 size_t dig_sig_len = 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1717
1718 const ssl_ciphersuite_t *ciphersuite_info;
1719 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1720
1721 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
1722
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1723 if( ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_RSA &&
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1724 ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_ECDHE_RSA &&
1725 ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1726 {
1727 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
1728 ssl->state++;
1729 return( 0 );
1730 }
1731
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1732#if defined(POLARSSL_RSA_C)
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1733 if( ssl->rsa_key == NULL )
1734 {
Paul Bakkereb2c6582012-09-27 19:15:01 +0000[diff] [blame]1735 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
1736 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1737 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1738#endif /* POLARSSL_RSA_C */
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1739
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1740#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1741 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1742 {
1743 /* TODO: Support identity hints */
1744 *(p++) = 0x00;
1745 *(p++) = 0x00;
1746
1747 n += 2;
1748 }
1749#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1750
1751#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1752 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1753 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1754 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1755 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1756 /*
1757 * Ephemeral DH parameters:
1758 *
1759 * struct {
1760 * opaque dh_p<1..2^16-1>;
1761 * opaque dh_g<1..2^16-1>;
1762 * opaque dh_Ys<1..2^16-1>;
1763 * } ServerDHParams;
1764 */
1765 if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
1766 ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
1767 {
1768 SSL_DEBUG_RET( 1, "mpi_copy", ret );
1769 return( ret );
1770 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1771
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1772 if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
1773 mpi_size( &ssl->handshake->dhm_ctx.P ),
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1774 p,
1775 &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1776 {
1777 SSL_DEBUG_RET( 1, "dhm_make_params", ret );
1778 return( ret );
1779 }
1780
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1781 dig_sig = p;
1782 dig_sig_len = len;
1783
1784 p += len;
1785 n += len;
1786
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1787 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
1788 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1789 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1790 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
1791 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1792#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1793 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1794
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1795#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1796 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1797 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1798 /*
1799 * Ephemeral ECDH parameters:
1800 *
1801 * struct {
1802 * ECParameters curve_params;
1803 * ECPoint public;
1804 * } ServerECDHParams;
1805 */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1806 if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
1807 ssl->handshake->ec_curve ) ) != 0 )
1808 {
1809 SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
1810 return( ret );
1811 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1812
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1813 if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx,
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1814 &len,
1815 p,
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1816 1000, ssl->f_rng, ssl->p_rng ) ) != 0 )
1817 {
1818 SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
1819 return( ret );
1820 }
1821
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1822 dig_sig = p;
1823 dig_sig_len = len;
1824
1825 p += len;
1826 n += len;
1827
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1828 SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
1829 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1830#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1831
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1832#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1833 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
1834 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1835 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1836 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1837 size_t rsa_key_len = 0;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1838
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1839 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1840 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1841 md5_context md5;
1842 sha1_context sha1;
1843
1844 /*
1845 * digitally-signed struct {
1846 * opaque md5_hash[16];
1847 * opaque sha_hash[20];
1848 * };
1849 *
1850 * md5_hash
1851 * MD5(ClientHello.random + ServerHello.random
1852 * + ServerParams);
1853 * sha_hash
1854 * SHA(ClientHello.random + ServerHello.random
1855 * + ServerParams);
1856 */
1857 md5_starts( &md5 );
1858 md5_update( &md5, ssl->handshake->randbytes, 64 );
1859 md5_update( &md5, dig_sig, dig_sig_len );
1860 md5_finish( &md5, hash );
1861
1862 sha1_starts( &sha1 );
1863 sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1864 sha1_update( &sha1, dig_sig, dig_sig_len );
1865 sha1_finish( &sha1, hash + 16 );
1866
1867 hashlen = 36;
1868 md_alg = POLARSSL_MD_NONE;
1869 }
1870 else
1871 {
1872 md_context_t ctx;
1873
1874 /*
1875 * digitally-signed struct {
1876 * opaque client_random[32];
1877 * opaque server_random[32];
1878 * ServerDHParams params;
1879 * };
1880 */
1881 switch( ssl->handshake->sig_alg )
1882 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1883#if defined(POLARSSL_MD5_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1884 case SSL_HASH_MD5:
1885 md_alg = POLARSSL_MD_MD5;
1886 break;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1887#endif
1888#if defined(POLARSSL_SHA1_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1889 case SSL_HASH_SHA1:
1890 md_alg = POLARSSL_MD_SHA1;
1891 break;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1892#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]1893#if defined(POLARSSL_SHA256_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1894 case SSL_HASH_SHA224:
1895 md_alg = POLARSSL_MD_SHA224;
1896 break;
1897 case SSL_HASH_SHA256:
1898 md_alg = POLARSSL_MD_SHA256;
1899 break;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1900#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]1901#if defined(POLARSSL_SHA512_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1902 case SSL_HASH_SHA384:
1903 md_alg = POLARSSL_MD_SHA384;
1904 break;
1905 case SSL_HASH_SHA512:
1906 md_alg = POLARSSL_MD_SHA512;
1907 break;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1908#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1909 default:
1910 /* Should never happen */
1911 return( -1 );
1912 }
1913
1914 if( ( ret = md_init_ctx( &ctx, md_info_from_type( md_alg ) ) ) != 0 )
1915 {
1916 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
1917 return( ret );
1918 }
1919
1920 md_starts( &ctx );
1921 md_update( &ctx, ssl->handshake->randbytes, 64 );
1922 md_update( &ctx, dig_sig, dig_sig_len );
1923 md_finish( &ctx, hash );
Paul Bakker61d113b2013-07-04 11:51:43 +0200[diff] [blame]1924
1925 if( ( ret = md_free_ctx( &ctx ) ) != 0 )
1926 {
1927 SSL_DEBUG_RET( 1, "md_free_ctx", ret );
1928 return( ret );
1929 }
1930
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1931 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1932
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1933 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
1934
1935 if ( ssl->rsa_key )
1936 rsa_key_len = ssl->rsa_key_len( ssl->rsa_key );
1937
1938 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1939 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1940 *(p++) = ssl->handshake->sig_alg;
1941 *(p++) = SSL_SIG_RSA;
1942
1943 n += 2;
1944 }
1945
1946 *(p++) = (unsigned char)( rsa_key_len >> 8 );
1947 *(p++) = (unsigned char)( rsa_key_len );
1948 n += 2;
1949
1950 if ( ssl->rsa_key )
1951 {
1952 ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
1953 RSA_PRIVATE, md_alg, hashlen, hash, p );
1954 }
1955
1956 if( ret != 0 )
1957 {
1958 SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1959 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1960 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1961
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1962 SSL_DEBUG_BUF( 3, "my RSA sig", p, rsa_key_len );
1963
1964 p += rsa_key_len;
1965 n += rsa_key_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1966 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1967#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
1968 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1969
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1970 ssl->out_msglen = 4 + n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1971 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1972 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE;
1973
1974 ssl->state++;
1975
1976 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1977 {
1978 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1979 return( ret );
1980 }
1981
1982 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
1983
1984 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1985}
1986
1987static int ssl_write_server_hello_done( ssl_context *ssl )
1988{
1989 int ret;
1990
1991 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
1992
1993 ssl->out_msglen = 4;
1994 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1995 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE;
1996
1997 ssl->state++;
1998
1999 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2000 {
2001 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2002 return( ret );
2003 }
2004
2005 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
2006
2007 return( 0 );
2008}
2009
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2010#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2011 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2012static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
2013 const unsigned char *end )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2014{
2015 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2016 size_t n;
2017
2018 /*
2019 * Receive G^Y mod P, premaster = (G^Y)^X mod P
2020 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2021 if( *p + 2 > end )
2022 {
2023 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2024 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2025 }
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2026
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2027 n = ( (*p)[0] << 8 ) | (*p)[1];
2028 *p += 2;
2029
2030 if( n < 1 || n > ssl->handshake->dhm_ctx.len || *p + n > end )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2031 {
2032 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2033 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2034 }
2035
2036 if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx,
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2037 *p, n ) ) != 0 )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2038 {
2039 SSL_DEBUG_RET( 1, "dhm_read_public", ret );
2040 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2041 }
2042
2043 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2044
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2045 return( ret );
2046}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2047#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2048 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2049
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2050#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2051static int ssl_parse_client_ecdh_public( ssl_context *ssl )
2052{
2053 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2054 size_t n;
2055
2056 /*
2057 * Receive client public key and calculate premaster
2058 */
2059 n = ssl->in_msg[3];
2060
2061 if( n < 1 || n > mpi_size( &ssl->handshake->ecdh_ctx.grp.P ) * 2 + 2 ||
2062 n + 4 != ssl->in_hslen )
2063 {
2064 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2065 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2066 }
2067
2068 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2069 ssl->in_msg + 4, n ) ) != 0 )
2070 {
2071 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2072 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2073 }
2074
2075 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2076
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2077 return( ret );
2078}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2079#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2080
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2081#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2082static int ssl_parse_encrypted_pms_secret( ssl_context *ssl )
2083{
2084 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2085 size_t i, n = 0;
2086
2087 if( ssl->rsa_key == NULL )
2088 {
2089 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2090 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2091 }
2092
2093 /*
2094 * Decrypt the premaster using own private RSA key
2095 */
2096 i = 4;
2097 if( ssl->rsa_key )
2098 n = ssl->rsa_key_len( ssl->rsa_key );
2099 ssl->handshake->pmslen = 48;
2100
2101 if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
2102 {
2103 i += 2;
2104 if( ssl->in_msg[4] != ( ( n >> 8 ) & 0xFF ) ||
2105 ssl->in_msg[5] != ( ( n ) & 0xFF ) )
2106 {
2107 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2108 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2109 }
2110 }
2111
2112 if( ssl->in_hslen != i + n )
2113 {
2114 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2115 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2116 }
2117
2118 if( ssl->rsa_key ) {
2119 ret = ssl->rsa_decrypt( ssl->rsa_key, RSA_PRIVATE,
2120 &ssl->handshake->pmslen,
2121 ssl->in_msg + i,
2122 ssl->handshake->premaster,
2123 sizeof(ssl->handshake->premaster) );
2124 }
2125
2126 if( ret != 0 || ssl->handshake->pmslen != 48 ||
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]2127 ssl->handshake->premaster[0] != ssl->handshake->max_major_ver ||
2128 ssl->handshake->premaster[1] != ssl->handshake->max_minor_ver )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2129 {
2130 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2131
2132 /*
2133 * Protection against Bleichenbacher's attack:
2134 * invalid PKCS#1 v1.5 padding must not cause
2135 * the connection to end immediately; instead,
2136 * send a bad_record_mac later in the handshake.
2137 */
2138 ssl->handshake->pmslen = 48;
2139
2140 ret = ssl->f_rng( ssl->p_rng, ssl->handshake->premaster,
2141 ssl->handshake->pmslen );
2142 if( ret != 0 )
2143 return( ret );
2144 }
2145
2146 return( ret );
2147}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2148#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2149
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2150#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
2151 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2152static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
2153 const unsigned char *end )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2154{
2155 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2156 size_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2157
2158 if( ssl->psk == NULL || ssl->psk_identity == NULL ||
2159 ssl->psk_identity_len == 0 || ssl->psk_len == 0 )
2160 {
2161 SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
2162 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2163 }
2164
2165 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2166 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2167 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2168 if( *p + 2 > end )
2169 {
2170 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2171 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2172 }
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2173
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2174 n = ( (*p)[0] << 8 ) | (*p)[1];
2175 *p += 2;
2176
2177 if( n < 1 || n > 65535 || *p + n > end )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2178 {
2179 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2180 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2181 }
2182
2183 if( n != ssl->psk_identity_len ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2184 memcmp( ssl->psk_identity, *p, n ) != 0 )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2185 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2186 SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2187 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2188 }
2189
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2190 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2191 ret = 0;
2192
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2193 return( ret );
2194}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2195#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED ||
2196 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2197
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2198static int ssl_parse_client_key_exchange( ssl_context *ssl )
2199{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2200 int ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2201 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2202 unsigned char *p, *end;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2203
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2204 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2205
2206 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
2207
2208 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2209 {
2210 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2211 return( ret );
2212 }
2213
2214 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2215 {
2216 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2217 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2218 }
2219
2220 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
2221 {
2222 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2223 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2224 }
2225
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2226 p = ssl->in_msg + 4;
2227 end = ssl->in_msg + ssl->in_msglen;
2228
2229#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2230 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2231 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2232 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2233 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2234 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2235 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2236 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2237
2238 ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
2239
2240 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2241 ssl->handshake->premaster,
2242 &ssl->handshake->pmslen ) ) != 0 )
2243 {
2244 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2245 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2246 }
2247
2248 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2249 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2250 else
2251#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
2252#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
2253 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2254 {
2255 if( ( ret = ssl_parse_client_ecdh_public( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2256 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2257 SSL_DEBUG_RET( 1, ( "ssl_parse_client_ecdh_public" ), ret );
2258 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2259 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2260
2261 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2262 &ssl->handshake->pmslen,
2263 ssl->handshake->premaster,
2264 POLARSSL_MPI_MAX_SIZE ) ) != 0 )
2265 {
2266 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
2267 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2268 }
2269
2270 SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2271 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2272 else
2273#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2274#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2275 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2276 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2277 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2278 {
2279 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2280 return( ret );
2281 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2282
2283 // Set up the premaster secret
2284 //
2285 p = ssl->handshake->premaster;
2286 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2287 *(p++) = (unsigned char)( ssl->psk_len );
2288 p += ssl->psk_len;
2289
2290 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2291 *(p++) = (unsigned char)( ssl->psk_len );
2292 memcpy( p, ssl->psk, ssl->psk_len );
2293 p += ssl->psk_len;
2294
2295 ssl->handshake->pmslen = 4 + 2 * ssl->psk_len;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2296 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2297 else
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2298#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
2299#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2300 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2301 {
2302 size_t n;
2303
2304 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2305 {
2306 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2307 return( ret );
2308 }
2309 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2310 {
2311 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2312 return( ret );
2313 }
2314
2315 // Set up the premaster secret
2316 //
2317 p = ssl->handshake->premaster;
2318 *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len >> 8 );
2319 *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len );
2320
2321 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2322 p, &n ) ) != 0 )
2323 {
2324 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2325 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2326 }
2327
2328 if( n != ssl->handshake->dhm_ctx.len )
2329 {
2330 SSL_DEBUG_MSG( 1, ( "dhm_calc_secret result smaller than DHM" ) );
2331 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
2332 }
2333
2334 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2335
2336 p += ssl->handshake->dhm_ctx.len;
2337
2338 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2339 *(p++) = (unsigned char)( ssl->psk_len );
2340 memcpy( p, ssl->psk, ssl->psk_len );
2341 p += ssl->psk_len;
2342
2343 ssl->handshake->pmslen = 4 + ssl->handshake->dhm_ctx.len + ssl->psk_len;
2344 }
2345 else
2346#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2347#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2348 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2349 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2350 if( ( ret = ssl_parse_encrypted_pms_secret( ssl ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2351 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2352 SSL_DEBUG_RET( 1, ( "ssl_parse_client_ecdh_public" ), ret );
2353 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2354 }
2355 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2356 else
2357#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2358 {
2359 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
2360 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2361
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2362 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2363 {
2364 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2365 return( ret );
2366 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2367
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2368 ssl->state++;
2369
2370 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
2371
2372 return( 0 );
2373}
2374
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2375#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2376 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2377 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2378static int ssl_parse_certificate_verify( ssl_context *ssl )
2379{
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2380 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2381 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2382
2383 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2384
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2385 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2386 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2387 {
2388 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2389 ssl->state++;
2390 return( 0 );
2391 }
2392
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2393 return( ret );
2394}
2395#else
2396static int ssl_parse_certificate_verify( ssl_context *ssl )
2397{
2398 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2399 size_t n = 0, n1, n2;
2400 unsigned char hash[48];
2401 md_type_t md_alg = POLARSSL_MD_NONE;
2402 unsigned int hashlen = 0;
2403 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2404
2405 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2406
2407 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2408 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2409 {
2410 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2411 ssl->state++;
2412 return( 0 );
2413 }
2414
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2415 if( ssl->session_negotiate->peer_cert == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2416 {
2417 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2418 ssl->state++;
2419 return( 0 );
2420 }
2421
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2422 ssl->handshake->calc_verify( ssl, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2423
2424 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2425 {
2426 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2427 return( ret );
2428 }
2429
2430 ssl->state++;
2431
2432 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2433 {
2434 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2435 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2436 }
2437
2438 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
2439 {
2440 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2441 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2442 }
2443
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2444 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2445 {
2446 /*
2447 * As server we know we either have SSL_HASH_SHA384 or
2448 * SSL_HASH_SHA256
2449 */
2450 if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg ||
2451 ssl->in_msg[5] != SSL_SIG_RSA )
2452 {
2453 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg for verify message" ) );
2454 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
2455 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2456
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2457 if( ssl->handshake->verify_sig_alg == SSL_HASH_SHA384 )
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2458 md_alg = POLARSSL_MD_SHA384;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2459 else
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2460 md_alg = POLARSSL_MD_SHA256;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2461
2462 n += 2;
2463 }
2464 else
2465 {
2466 hashlen = 36;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2467 md_alg = POLARSSL_MD_NONE;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2468 }
2469
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2470 /* EC NOT IMPLEMENTED YET */
2471 if( ssl->session_negotiate->peer_cert->pk.type != POLARSSL_PK_RSA )
2472 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
2473
2474 n1 = pk_rsa( ssl->session_negotiate->peer_cert->pk )->len;
Paul Bakker78ce5072012-11-23 14:23:53 +0100[diff] [blame]2475 n2 = ( ssl->in_msg[4 + n] << 8 ) | ssl->in_msg[5 + n];
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2476
2477 if( n + n1 + 6 != ssl->in_hslen || n1 != n2 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2478 {
2479 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2480 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2481 }
2482
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2483 ret = rsa_pkcs1_verify( pk_rsa( ssl->session_negotiate->peer_cert->pk ),
2484 RSA_PUBLIC, md_alg, hashlen, hash,
2485 ssl->in_msg + 6 + n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2486 if( ret != 0 )
2487 {
2488 SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
2489 return( ret );
2490 }
2491
2492 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
2493
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2494 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2495}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2496#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2497 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2498 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2499
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2500#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2501static int ssl_write_new_session_ticket( ssl_context *ssl )
2502{
2503 int ret;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2504 size_t tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2505
2506 SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
2507
2508 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2509 ssl->out_msg[0] = SSL_HS_NEW_SESSION_TICKET;
2510
2511 /*
2512 * struct {
2513 * uint32 ticket_lifetime_hint;
2514 * opaque ticket<0..2^16-1>;
2515 * } NewSessionTicket;
2516 *
2517 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
2518 * 8 . 9 ticket_len (n)
2519 * 10 . 9+n ticket content
2520 */
2521 ssl->out_msg[4] = 0x00;
2522 ssl->out_msg[5] = 0x00;
2523 ssl->out_msg[6] = 0x00;
2524 ssl->out_msg[7] = 0x00;
2525
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]2526 if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
2527 {
2528 SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
2529 tlen = 0;
2530 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2531
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2532 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
2533 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2534
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2535 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2536
2537 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2538 {
2539 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2540 return( ret );
2541 }
2542
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2543 /* No need to remember writing a NewSessionTicket any more */
2544 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2545
2546 SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
2547
2548 return( 0 );
2549}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2550#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2551
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2552/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2553 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2554 */
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2555int ssl_handshake_server_step( ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2556{
2557 int ret = 0;
2558
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2559 if( ssl->state == SSL_HANDSHAKE_OVER )
2560 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2561
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2562 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
2563
2564 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2565 return( ret );
2566
2567 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2568 {
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2569 case SSL_HELLO_REQUEST:
2570 ssl->state = SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2571 break;
2572
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2573 /*
2574 * <== ClientHello
2575 */
2576 case SSL_CLIENT_HELLO:
2577 ret = ssl_parse_client_hello( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2578 break;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2579
2580 /*
2581 * ==> ServerHello
2582 * Certificate
2583 * ( ServerKeyExchange )
2584 * ( CertificateRequest )
2585 * ServerHelloDone
2586 */
2587 case SSL_SERVER_HELLO:
2588 ret = ssl_write_server_hello( ssl );
2589 break;
2590
2591 case SSL_SERVER_CERTIFICATE:
2592 ret = ssl_write_certificate( ssl );
2593 break;
2594
2595 case SSL_SERVER_KEY_EXCHANGE:
2596 ret = ssl_write_server_key_exchange( ssl );
2597 break;
2598
2599 case SSL_CERTIFICATE_REQUEST:
2600 ret = ssl_write_certificate_request( ssl );
2601 break;
2602
2603 case SSL_SERVER_HELLO_DONE:
2604 ret = ssl_write_server_hello_done( ssl );
2605 break;
2606
2607 /*
2608 * <== ( Certificate/Alert )
2609 * ClientKeyExchange
2610 * ( CertificateVerify )
2611 * ChangeCipherSpec
2612 * Finished
2613 */
2614 case SSL_CLIENT_CERTIFICATE:
2615 ret = ssl_parse_certificate( ssl );
2616 break;
2617
2618 case SSL_CLIENT_KEY_EXCHANGE:
2619 ret = ssl_parse_client_key_exchange( ssl );
2620 break;
2621
2622 case SSL_CERTIFICATE_VERIFY:
2623 ret = ssl_parse_certificate_verify( ssl );
2624 break;
2625
2626 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
2627 ret = ssl_parse_change_cipher_spec( ssl );
2628 break;
2629
2630 case SSL_CLIENT_FINISHED:
2631 ret = ssl_parse_finished( ssl );
2632 break;
2633
2634 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2635 * ==> ( NewSessionTicket )
2636 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2637 * Finished
2638 */
2639 case SSL_SERVER_CHANGE_CIPHER_SPEC:
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2640#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2641 if( ssl->handshake->new_session_ticket != 0 )
2642 ret = ssl_write_new_session_ticket( ssl );
2643 else
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2644#endif
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2645 ret = ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2646 break;
2647
2648 case SSL_SERVER_FINISHED:
2649 ret = ssl_write_finished( ssl );
2650 break;
2651
2652 case SSL_FLUSH_BUFFERS:
2653 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2654 ssl->state = SSL_HANDSHAKE_WRAPUP;
2655 break;
2656
2657 case SSL_HANDSHAKE_WRAPUP:
2658 ssl_handshake_wrapup( ssl );
2659 break;
2660
2661 default:
2662 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2663 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2664 }
2665
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2666 return( ret );
2667}
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2668#endif