TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / 607d663b419f84ee9592a0c8bb10fb120ef26503 / . / library / ssl_srv.c
blob: 359f57f2ac0092d8b70d758affd87321f09de364 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 server-side functions
3 *
Manuel Pégourié-Gonnarda658a402015-01-23 09:45:19 +0000[diff] [blame]4 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
Manuel Pégourié-Gonnard085ab042015-01-23 11:06:27 +0000[diff] [blame]6 * This file is part of mbed TLS (https://www.polarssl.org)
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]7 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]23#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]24#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]25#else
26#include POLARSSL_CONFIG_FILE
27#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]28
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]29#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]30
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]31#include "polarssl/debug.h"
32#include "polarssl/ssl.h"
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]33#if defined(POLARSSL_ECP_C)
34#include "polarssl/ecp.h"
35#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]36
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]37#if defined(POLARSSL_PLATFORM_C)
38#include "polarssl/platform.h"
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]39#else
40#define polarssl_malloc malloc
41#define polarssl_free free
42#endif
43
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]44#include <stdlib.h>
45#include <stdio.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]46
47#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]48#include <time.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]49#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]50
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]51#if defined(POLARSSL_SSL_SESSION_TICKETS)
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]52/* Implementation that should never be optimized out by the compiler */
53static void polarssl_zeroize( void *v, size_t n ) {
54 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
55}
56
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]57/*
58 * Serialize a session in the following format:
59 * 0 . n-1 session structure, n = sizeof(ssl_session)
60 * n . n+2 peer_cert length = m (0 if no certificate)
61 * n+3 . n+2+m peer cert ASN.1
62 *
63 * Assumes ticket is NULL (always true on server side).
64 */
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]65static int ssl_save_session( const ssl_session *session,
66 unsigned char *buf, size_t buf_len,
67 size_t *olen )
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]68{
69 unsigned char *p = buf;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]70 size_t left = buf_len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]71#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]72 size_t cert_len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]73#endif /* POLARSSL_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]74
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]75 if( left < sizeof( ssl_session ) )
76 return( -1 );
77
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]78 memcpy( p, session, sizeof( ssl_session ) );
79 p += sizeof( ssl_session );
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]80 left -= sizeof( ssl_session );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]81
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]82#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]83 if( session->peer_cert == NULL )
84 cert_len = 0;
85 else
86 cert_len = session->peer_cert->raw.len;
87
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]88 if( left < 3 + cert_len )
89 return( -1 );
90
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]91 *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
92 *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
93 *p++ = (unsigned char)( cert_len & 0xFF );
94
95 if( session->peer_cert != NULL )
96 memcpy( p, session->peer_cert->raw.p, cert_len );
97
98 p += cert_len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]99#endif /* POLARSSL_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]100
101 *olen = p - buf;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]102
103 return( 0 );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]104}
105
106/*
107 * Unserialise session, see ssl_save_session()
108 */
109static int ssl_load_session( ssl_session *session,
110 const unsigned char *buf, size_t len )
111{
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]112 const unsigned char *p = buf;
113 const unsigned char * const end = buf + len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]114#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]115 size_t cert_len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]116#endif /* POLARSSL_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]117
118 if( p + sizeof( ssl_session ) > end )
119 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
120
121 memcpy( session, p, sizeof( ssl_session ) );
122 p += sizeof( ssl_session );
123
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]124#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]125 if( p + 3 > end )
126 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
127
128 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
129 p += 3;
130
131 if( cert_len == 0 )
132 {
133 session->peer_cert = NULL;
134 }
135 else
136 {
Paul Bakker2292d1f2013-09-15 17:06:49 +0200[diff] [blame]137 int ret;
138
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]139 if( p + cert_len > end )
140 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
141
Paul Bakkerc559c7a2013-09-18 14:13:26 +0200[diff] [blame]142 session->peer_cert = polarssl_malloc( sizeof( x509_crt ) );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]143
144 if( session->peer_cert == NULL )
145 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
146
Paul Bakkerb6b09562013-09-18 14:17:41 +0200[diff] [blame]147 x509_crt_init( session->peer_cert );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]148
Manuel Pégourié-Gonnard4d2a8eb2014-06-13 20:33:27 +0200[diff] [blame]149 if( ( ret = x509_crt_parse_der( session->peer_cert,
150 p, cert_len ) ) != 0 )
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]151 {
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]152 x509_crt_free( session->peer_cert );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]153 polarssl_free( session->peer_cert );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]154 session->peer_cert = NULL;
155 return( ret );
156 }
157
158 p += cert_len;
159 }
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]160#endif /* POLARSSL_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]161
162 if( p != end )
163 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
164
165 return( 0 );
166}
167
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]168/*
169 * Create session ticket, secured as recommended in RFC 5077 section 4:
170 *
171 * struct {
172 * opaque key_name[16];
173 * opaque iv[16];
174 * opaque encrypted_state<0..2^16-1>;
175 * opaque mac[32];
176 * } ticket;
177 *
178 * (the internal state structure differs, however).
179 */
180static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
181{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]182 int ret;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]183 unsigned char * const start = ssl->out_msg + 10;
184 unsigned char *p = start;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]185 unsigned char *state;
186 unsigned char iv[16];
187 size_t clear_len, enc_len, pad_len, i;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]188
Manuel Pégourié-Gonnard0a201712013-08-23 16:25:16 +0200[diff] [blame]189 *tlen = 0;
190
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]191 if( ssl->ticket_keys == NULL )
192 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
193
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]194 /* Write key name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]195 memcpy( p, ssl->ticket_keys->key_name, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]196 p += 16;
197
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]198 /* Generate and write IV (with a copy for aes_crypt) */
199 if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
200 return( ret );
201 memcpy( iv, p, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]202 p += 16;
203
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]204 /*
205 * Dump session state
206 *
207 * After the session state itself, we still need room for 16 bytes of
208 * padding and 32 bytes of MAC, so there's only so much room left
209 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]210 state = p + 2;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]211 if( ssl_save_session( ssl->session_negotiate, state,
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]212 SSL_MAX_CONTENT_LEN - ( state - ssl->out_ctr ) - 48,
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]213 &clear_len ) != 0 )
214 {
215 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
216 }
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]217 SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]218
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]219 /* Apply PKCS padding */
220 pad_len = 16 - clear_len % 16;
221 enc_len = clear_len + pad_len;
222 for( i = clear_len; i < enc_len; i++ )
223 state[i] = (unsigned char) pad_len;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]224
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]225 /* Encrypt */
226 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
227 enc_len, iv, state, state ) ) != 0 )
228 {
229 return( ret );
230 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]231
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]232 /* Write length */
233 *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
234 *p++ = (unsigned char)( ( enc_len ) & 0xFF );
235 p = state + enc_len;
236
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]237 /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
238 sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]239 p += 32;
240
241 *tlen = p - start;
242
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]243 SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]244
245 return( 0 );
246}
247
248/*
249 * Load session ticket (see ssl_write_ticket for structure)
250 */
251static int ssl_parse_ticket( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]252 unsigned char *buf,
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]253 size_t len )
254{
255 int ret;
256 ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]257 unsigned char *key_name = buf;
258 unsigned char *iv = buf + 16;
259 unsigned char *enc_len_p = iv + 16;
260 unsigned char *ticket = enc_len_p + 2;
261 unsigned char *mac;
Manuel Pégourié-Gonnard34ced2d2013-09-20 11:37:39 +0200[diff] [blame]262 unsigned char computed_mac[32];
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]263 size_t enc_len, clear_len, i;
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]264 unsigned char pad_len, diff;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]265
266 SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]267
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]268 if( len < 34 || ssl->ticket_keys == NULL )
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]269 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
270
271 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
272 mac = ticket + enc_len;
273
274 if( len != enc_len + 66 )
275 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
276
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]277 /* Check name, in constant time though it's not a big secret */
278 diff = 0;
279 for( i = 0; i < 16; i++ )
280 diff |= key_name[i] ^ ssl->ticket_keys->key_name[i];
281 /* don't return yet, check the MAC anyway */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]282
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]283 /* Check mac, with constant-time buffer comparison */
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]284 sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
285 computed_mac, 0 );
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]286
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]287 for( i = 0; i < 32; i++ )
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]288 diff |= mac[i] ^ computed_mac[i];
289
290 /* Now return if ticket is not authentic, since we want to avoid
291 * decrypting arbitrary attacker-chosen data */
292 if( diff != 0 )
293 return( POLARSSL_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]294
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]295 /* Decrypt */
296 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
297 enc_len, iv, ticket, ticket ) ) != 0 )
298 {
299 return( ret );
300 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]301
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]302 /* Check PKCS padding */
303 pad_len = ticket[enc_len - 1];
304
305 ret = 0;
306 for( i = 2; i < pad_len; i++ )
307 if( ticket[enc_len - i] != pad_len )
308 ret = POLARSSL_ERR_SSL_BAD_INPUT_DATA;
309 if( ret != 0 )
310 return( ret );
311
312 clear_len = enc_len - pad_len;
313
314 SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
315
316 /* Actually load session */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]317 if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
318 {
319 SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
Manuel Pégourié-Gonnardd701c9a2014-02-26 17:54:07 +0100[diff] [blame]320 ssl_session_free( &session );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]321 return( ret );
322 }
323
Paul Bakker606b4ba2013-08-14 16:52:14 +0200[diff] [blame]324#if defined(POLARSSL_HAVE_TIME)
325 /* Check if still valid */
326 if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
327 {
328 SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
Manuel Pégourié-Gonnardd701c9a2014-02-26 17:54:07 +0100[diff] [blame]329 ssl_session_free( &session );
Paul Bakker606b4ba2013-08-14 16:52:14 +0200[diff] [blame]330 return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED );
331 }
332#endif
333
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]334 /*
335 * Keep the session ID sent by the client, since we MUST send it back to
336 * inform him we're accepting the ticket (RFC 5077 section 3.4)
337 */
338 session.length = ssl->session_negotiate->length;
339 memcpy( &session.id, ssl->session_negotiate->id, session.length );
340
341 ssl_session_free( ssl->session_negotiate );
342 memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200[diff] [blame]343
344 /* Zeroize instead of free as we copied the content */
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]345 polarssl_zeroize( &session, sizeof( ssl_session ) );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]346
347 return( 0 );
348}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]349#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]350
Paul Bakker0be444a2013-08-27 21:55:01 +0200[diff] [blame]351#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200[diff] [blame]352/*
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +0200[diff] [blame]353 * Wrapper around f_sni, allowing use of ssl_set_own_cert() but
354 * making it act on ssl->hanshake->sni_key_cert instead.
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200[diff] [blame]355 */
356static int ssl_sni_wrapper( ssl_context *ssl,
357 const unsigned char* name, size_t len )
358{
359 int ret;
360 ssl_key_cert *key_cert_ori = ssl->key_cert;
361
362 ssl->key_cert = NULL;
363 ret = ssl->f_sni( ssl->p_sni, ssl, name, len );
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +0200[diff] [blame]364 ssl->handshake->sni_key_cert = ssl->key_cert;
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200[diff] [blame]365
366 ssl->key_cert = key_cert_ori;
367
368 return( ret );
369}
370
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]371static int ssl_parse_servername_ext( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]372 const unsigned char *buf,
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]373 size_t len )
374{
375 int ret;
376 size_t servername_list_size, hostname_len;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]377 const unsigned char *p;
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]378
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]379 SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
380
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]381 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
382 if( servername_list_size + 2 != len )
383 {
384 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
385 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
386 }
387
388 p = buf + 2;
389 while( servername_list_size > 0 )
390 {
391 hostname_len = ( ( p[1] << 8 ) | p[2] );
392 if( hostname_len + 3 > servername_list_size )
393 {
394 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
395 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
396 }
397
398 if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
399 {
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200[diff] [blame]400 ret = ssl_sni_wrapper( ssl, p + 3, hostname_len );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]401 if( ret != 0 )
402 {
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]403 SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]404 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
405 SSL_ALERT_MSG_UNRECOGNIZED_NAME );
406 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
407 }
Paul Bakker81420ab2012-10-23 10:31:15 +0000[diff] [blame]408 return( 0 );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]409 }
410
411 servername_list_size -= hostname_len + 3;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]412 p += hostname_len + 3;
413 }
414
415 if( servername_list_size != 0 )
416 {
417 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
418 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]419 }
420
421 return( 0 );
422}
Paul Bakker0be444a2013-08-27 21:55:01 +0200[diff] [blame]423#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]424
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]425static int ssl_parse_renegotiation_info( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]426 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]427 size_t len )
428{
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]429 int ret;
430
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]431#if defined(POLARSSL_SSL_RENEGOTIATION)
432 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
433 {
434 /* Check verify-data in constant-time. The length OTOH is no secret */
435 if( len != 1 + ssl->verify_data_len ||
436 buf[0] != ssl->verify_data_len ||
437 safer_memcmp( buf + 1, ssl->peer_verify_data,
438 ssl->verify_data_len ) != 0 )
439 {
440 SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
441
442 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
443 return( ret );
444
445 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
446 }
447 }
448 else
449#endif /* POLARSSL_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]450 {
451 if( len != 1 || buf[0] != 0x0 )
452 {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]453 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]454
455 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
456 return( ret );
457
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]458 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
459 }
460
461 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
462 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]463
464 return( 0 );
465}
466
Manuel Pégourié-Gonnardd9423232014-12-02 11:57:29 +0100[diff] [blame]467#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
468 defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]469static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
470 const unsigned char *buf,
471 size_t len )
472{
473 size_t sig_alg_list_size;
474 const unsigned char *p;
Manuel Pégourié-Gonnard08e81e02014-07-08 12:56:25 +0200[diff] [blame]475 const unsigned char *end = buf + len;
476 const int *md_cur;
477
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]478
479 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
480 if( sig_alg_list_size + 2 != len ||
Manuel Pégourié-Gonnard08e81e02014-07-08 12:56:25 +0200[diff] [blame]481 sig_alg_list_size % 2 != 0 )
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]482 {
483 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
484 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
485 }
486
Manuel Pégourié-Gonnard08e81e02014-07-08 12:56:25 +0200[diff] [blame]487 /*
488 * For now, ignore the SignatureAlgorithm part and rely on offered
489 * ciphersuites only for that part. To be fixed later.
490 *
491 * So, just look at the HashAlgorithm part.
492 */
493 for( md_cur = md_list(); *md_cur != POLARSSL_MD_NONE; md_cur++ ) {
494 for( p = buf + 2; p < end; p += 2 ) {
495 if( *md_cur == (int) ssl_md_alg_from_hash( p[0] ) ) {
496 ssl->handshake->sig_alg = p[0];
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]497 goto have_sig_alg;
Manuel Pégourié-Gonnard08e81e02014-07-08 12:56:25 +0200[diff] [blame]498 }
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]499 }
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]500 }
501
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]502 /* Some key echanges do not need signatures at all */
503 SSL_DEBUG_MSG( 3, ( "no signature_algorithm in common" ) );
504 return( 0 );
505
506have_sig_alg:
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]507 SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
508 ssl->handshake->sig_alg ) );
509
510 return( 0 );
511}
Manuel Pégourié-Gonnardd9423232014-12-02 11:57:29 +0100[diff] [blame]512#endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
513 POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]514
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]515#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]516static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
517 const unsigned char *buf,
518 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]519{
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]520 size_t list_size, our_size;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]521 const unsigned char *p;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]522 const ecp_curve_info *curve_info, **curves;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]523
524 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
525 if( list_size + 2 != len ||
526 list_size % 2 != 0 )
527 {
528 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
529 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
530 }
531
Manuel Pégourié-Gonnard43c3b282014-10-17 12:42:11 +0200[diff] [blame]532 /* Should never happen unless client duplicates the extension */
533 if( ssl->handshake->curves != NULL )
534 {
535 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
536 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
537 }
538
Manuel Pégourié-Gonnardc3f6b622014-02-06 10:13:09 +0100[diff] [blame]539 /* Don't allow our peer to make us allocate too much memory,
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]540 * and leave room for a final 0 */
541 our_size = list_size / 2 + 1;
542 if( our_size > POLARSSL_ECP_DP_MAX )
543 our_size = POLARSSL_ECP_DP_MAX;
544
545 if( ( curves = polarssl_malloc( our_size * sizeof( *curves ) ) ) == NULL )
546 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
547
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]548 /* explicit void pointer cast for buggy MS compiler */
Paul Bakkerbeccd9f2013-10-11 15:20:27 +0200[diff] [blame]549 memset( (void *) curves, 0, our_size * sizeof( *curves ) );
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]550 ssl->handshake->curves = curves;
551
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]552 p = buf + 2;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]553 while( list_size > 0 && our_size > 1 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]554 {
Manuel Pégourié-Gonnardf24b4a72013-09-23 18:14:50 +0200[diff] [blame]555 curve_info = ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200[diff] [blame]556
Manuel Pégourié-Gonnardf24b4a72013-09-23 18:14:50 +0200[diff] [blame]557 if( curve_info != NULL )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]558 {
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]559 *curves++ = curve_info;
560 our_size--;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]561 }
562
563 list_size -= 2;
564 p += 2;
565 }
566
567 return( 0 );
568}
569
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]570static int ssl_parse_supported_point_formats( ssl_context *ssl,
571 const unsigned char *buf,
572 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]573{
574 size_t list_size;
575 const unsigned char *p;
576
577 list_size = buf[0];
578 if( list_size + 1 != len )
579 {
580 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
581 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
582 }
583
584 p = buf + 2;
585 while( list_size > 0 )
586 {
587 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
588 p[0] == POLARSSL_ECP_PF_COMPRESSED )
589 {
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]590 ssl->handshake->ecdh_ctx.point_format = p[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]591 SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]592 return( 0 );
593 }
594
595 list_size--;
596 p++;
597 }
598
599 return( 0 );
600}
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]601#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]602
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]603#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]604static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
605 const unsigned char *buf,
606 size_t len )
607{
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]608 if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]609 {
610 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
611 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
612 }
613
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]614 ssl->session_negotiate->mfl_code = buf[0];
615
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]616 return( 0 );
617}
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]618#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]619
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]620#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]621static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
622 const unsigned char *buf,
623 size_t len )
624{
625 if( len != 0 )
626 {
627 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
628 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
629 }
630
631 ((void) buf);
632
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]633 if( ssl->trunc_hmac == SSL_TRUNC_HMAC_ENABLED )
634 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]635
636 return( 0 );
637}
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]638#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]639
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]640#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
641static int ssl_parse_encrypt_then_mac_ext( ssl_context *ssl,
642 const unsigned char *buf,
643 size_t len )
644{
645 if( len != 0 )
646 {
647 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
648 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
649 }
650
651 ((void) buf);
652
653 if( ssl->encrypt_then_mac == SSL_ETM_ENABLED &&
654 ssl->minor_ver != SSL_MINOR_VERSION_0 )
655 {
656 ssl->session_negotiate->encrypt_then_mac = SSL_ETM_ENABLED;
657 }
658
659 return( 0 );
660}
661#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
662
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]663#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
664static int ssl_parse_extended_ms_ext( ssl_context *ssl,
665 const unsigned char *buf,
666 size_t len )
667{
668 if( len != 0 )
669 {
670 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
671 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
672 }
673
674 ((void) buf);
675
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]676 if( ssl->extended_ms == SSL_EXTENDED_MS_ENABLED &&
677 ssl->minor_ver != SSL_MINOR_VERSION_0 )
678 {
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]679 ssl->handshake->extended_ms = SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]680 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]681
682 return( 0 );
683}
684#endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
685
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]686#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]687static int ssl_parse_session_ticket_ext( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]688 unsigned char *buf,
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]689 size_t len )
690{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]691 int ret;
692
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]693 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
694 return( 0 );
695
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]696 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]697 ssl->handshake->new_session_ticket = 1;
698
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]699 SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
700
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]701 if( len == 0 )
702 return( 0 );
703
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]704#if defined(POLARSSL_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]705 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
706 {
707 SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
708 return( 0 );
709 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]710#endif /* POLARSSL_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]711
712 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]713 * Failures are ok: just ignore the ticket and proceed.
714 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]715 if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
716 {
717 SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]718 return( 0 );
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]719 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]720
721 SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
722
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]723 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]724
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]725 /* Don't send a new ticket after all, this one is OK */
726 ssl->handshake->new_session_ticket = 0;
727
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]728 return( 0 );
729}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]730#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]731
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]732#if defined(POLARSSL_SSL_ALPN)
733static int ssl_parse_alpn_ext( ssl_context *ssl,
Manuel Pégourié-Gonnard14beb082014-07-08 13:50:35 +0200[diff] [blame]734 const unsigned char *buf, size_t len )
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]735{
Paul Bakker14b16c62014-05-28 11:33:54 +0200[diff] [blame]736 size_t list_len, cur_len, ours_len;
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]737 const unsigned char *theirs, *start, *end;
738 const char **ours;
739
740 /* If ALPN not configured, just ignore the extension */
741 if( ssl->alpn_list == NULL )
742 return( 0 );
743
744 /*
745 * opaque ProtocolName<1..2^8-1>;
746 *
747 * struct {
748 * ProtocolName protocol_name_list<2..2^16-1>
749 * } ProtocolNameList;
750 */
751
752 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
753 if( len < 4 )
754 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
755
756 list_len = ( buf[0] << 8 ) | buf[1];
757 if( list_len != len - 2 )
758 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
759
760 /*
761 * Use our order of preference
762 */
763 start = buf + 2;
764 end = buf + len;
765 for( ours = ssl->alpn_list; *ours != NULL; ours++ )
766 {
Paul Bakker14b16c62014-05-28 11:33:54 +0200[diff] [blame]767 ours_len = strlen( *ours );
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]768 for( theirs = start; theirs != end; theirs += cur_len )
769 {
770 /* If the list is well formed, we should get equality first */
771 if( theirs > end )
772 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
773
774 cur_len = *theirs++;
775
776 /* Empty strings MUST NOT be included */
777 if( cur_len == 0 )
778 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
779
Paul Bakker14b16c62014-05-28 11:33:54 +0200[diff] [blame]780 if( cur_len == ours_len &&
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]781 memcmp( theirs, *ours, cur_len ) == 0 )
782 {
783 ssl->alpn_chosen = *ours;
784 return( 0 );
785 }
786 }
787 }
788
789 /* If we get there, no match was found */
790 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
791 SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
792 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
793}
794#endif /* POLARSSL_SSL_ALPN */
795
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]796/*
797 * Auxiliary functions for ServerHello parsing and related actions
798 */
799
800#if defined(POLARSSL_X509_CRT_PARSE_C)
801/*
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100[diff] [blame]802 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]803 */
804#if defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100[diff] [blame]805static int ssl_check_key_curve( pk_context *pk,
806 const ecp_curve_info **curves )
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]807{
808 const ecp_curve_info **crv = curves;
809 ecp_group_id grp_id = pk_ec( *pk )->grp.id;
810
811 while( *crv != NULL )
812 {
813 if( (*crv)->grp_id == grp_id )
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100[diff] [blame]814 return( 0 );
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]815 crv++;
816 }
817
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100[diff] [blame]818 return( -1 );
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]819}
820#endif /* POLARSSL_ECDSA_C */
821
822/*
823 * Try picking a certificate for this ciphersuite,
824 * return 0 on success and -1 on failure.
825 */
826static int ssl_pick_cert( ssl_context *ssl,
827 const ssl_ciphersuite_t * ciphersuite_info )
828{
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]829 ssl_key_cert *cur, *list, *fallback = NULL;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]830 pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
831
832#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
833 if( ssl->handshake->sni_key_cert != NULL )
834 list = ssl->handshake->sni_key_cert;
835 else
836#endif
837 list = ssl->handshake->key_cert;
838
839 if( pk_alg == POLARSSL_PK_NONE )
840 return( 0 );
841
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]842 SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
843
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]844 for( cur = list; cur != NULL; cur = cur->next )
845 {
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]846 SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
847 cur->cert );
848
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]849 if( ! pk_can_do( cur->key, pk_alg ) )
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]850 {
851 SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]852 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]853 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]854
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]855 /*
856 * This avoids sending the client a cert it'll reject based on
857 * keyUsage or other extensions.
858 *
859 * It also allows the user to provision different certificates for
860 * different uses based on keyUsage, eg if they want to avoid signing
861 * and decrypting with the same RSA key.
862 */
863 if( ssl_check_cert_usage( cur->cert, ciphersuite_info,
864 SSL_IS_SERVER ) != 0 )
865 {
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]866 SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
867 "(extended) key usage extension" ) );
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]868 continue;
869 }
870
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]871#if defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]872 if( pk_alg == POLARSSL_PK_ECDSA &&
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100[diff] [blame]873 ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 )
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]874 {
875 SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]876 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]877 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]878#endif
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]879
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]880 /*
881 * Try to select a SHA-1 certificate for pre-1.2 clients, but still
882 * present them a SHA-higher cert rather than failing if it's the only
883 * one we got that satisfies the other conditions.
884 */
885 if( ssl->minor_ver < SSL_MINOR_VERSION_3 &&
886 cur->cert->sig_md != POLARSSL_MD_SHA1 )
887 {
888 if( fallback == NULL )
889 fallback = cur;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]890 {
891 SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
892 "sha-2 with pre-TLS 1.2 client" ) );
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]893 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]894 }
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]895 }
896
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]897 /* If we get there, we got a winner */
898 break;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]899 }
900
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]901 if( cur == NULL )
902 cur = fallback;
903
904
905 /* Do not update ssl->handshake->key_cert unless the is a match */
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]906 if( cur != NULL )
907 {
908 ssl->handshake->key_cert = cur;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]909 SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
910 ssl->handshake->key_cert->cert );
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]911 return( 0 );
912 }
913
914 return( -1 );
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]915}
916#endif /* POLARSSL_X509_CRT_PARSE_C */
917
918/*
919 * Check if a given ciphersuite is suitable for use with our config/keys/etc
920 * Sets ciphersuite_info only if the suite matches.
921 */
922static int ssl_ciphersuite_match( ssl_context *ssl, int suite_id,
923 const ssl_ciphersuite_t **ciphersuite_info )
924{
925 const ssl_ciphersuite_t *suite_info;
926
927 suite_info = ssl_ciphersuite_from_id( suite_id );
928 if( suite_info == NULL )
929 {
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100[diff] [blame]930 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
931 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]932 }
933
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]934 SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
935
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]936 if( suite_info->min_minor_ver > ssl->minor_ver ||
937 suite_info->max_minor_ver < ssl->minor_ver )
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]938 {
939 SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]940 return( 0 );
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]941 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]942
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]943 if( ssl->arc4_disabled == SSL_ARC4_DISABLED &&
944 suite_info->cipher == POLARSSL_CIPHER_ARC4_128 )
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]945 {
946 SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]947 return( 0 );
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]948 }
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]949
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]950#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
951 if( ssl_ciphersuite_uses_ec( suite_info ) &&
952 ( ssl->handshake->curves == NULL ||
953 ssl->handshake->curves[0] == NULL ) )
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]954 {
955 SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
956 "no common elliptic curve" ) );
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]957 return( 0 );
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]958 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]959#endif
960
961#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
962 /* If the ciphersuite requires a pre-shared key and we don't
963 * have one, skip it now rather than failing later */
964 if( ssl_ciphersuite_uses_psk( suite_info ) &&
965 ssl->f_psk == NULL &&
966 ( ssl->psk == NULL || ssl->psk_identity == NULL ||
967 ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]968 {
969 SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]970 return( 0 );
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]971 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]972#endif
973
974#if defined(POLARSSL_X509_CRT_PARSE_C)
975 /*
976 * Final check: if ciphersuite requires us to have a
977 * certificate/key of a particular type:
978 * - select the appropriate certificate if we have one, or
979 * - try the next ciphersuite if we don't
980 * This must be done last since we modify the key_cert list.
981 */
982 if( ssl_pick_cert( ssl, suite_info ) != 0 )
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]983 {
984 SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
985 "no suitable certificate" ) );
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]986 return( 0 );
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]987 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]988#endif
989
990 *ciphersuite_info = suite_info;
991 return( 0 );
992}
993
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]994#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
995static int ssl_parse_client_hello_v2( ssl_context *ssl )
996{
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]997 int ret, got_common_suite;
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]998 unsigned int i, j;
999 size_t n;
1000 unsigned int ciph_len, sess_len, chal_len;
1001 unsigned char *buf, *p;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1002 const int *ciphersuites;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]1003 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]1004
1005 SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
1006
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1007#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]1008 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
1009 {
1010 SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
1011
1012 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1013 return( ret );
1014
1015 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1016 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1017#endif /* POLARSSL_SSL_RENEGOTIATION */
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]1018
1019 buf = ssl->in_hdr;
1020
1021 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
1022
1023 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
1024 buf[2] ) );
1025 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
1026 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
1027 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
1028 buf[3], buf[4] ) );
1029
1030 /*
1031 * SSLv2 Client Hello
1032 *
1033 * Record layer:
1034 * 0 . 1 message length
1035 *
1036 * SSL layer:
1037 * 2 . 2 message type
1038 * 3 . 4 protocol version
1039 */
1040 if( buf[2] != SSL_HS_CLIENT_HELLO ||
1041 buf[3] != SSL_MAJOR_VERSION_3 )
1042 {
1043 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1044 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1045 }
1046
1047 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
1048
1049 if( n < 17 || n > 512 )
1050 {
1051 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1052 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1053 }
1054
1055 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1056 ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
1057 ? buf[4] : ssl->max_minor_ver;
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]1058
1059 if( ssl->minor_ver < ssl->min_minor_ver )
1060 {
1061 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1062 " [%d:%d] < [%d:%d]",
1063 ssl->major_ver, ssl->minor_ver,
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]1064 ssl->min_major_ver, ssl->min_minor_ver ) );
1065
1066 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1067 SSL_ALERT_MSG_PROTOCOL_VERSION );
1068 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1069 }
1070
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1071 ssl->handshake->max_major_ver = buf[3];
1072 ssl->handshake->max_minor_ver = buf[4];
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]1073
1074 if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
1075 {
1076 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1077 return( ret );
1078 }
1079
1080 ssl->handshake->update_checksum( ssl, buf + 2, n );
1081
1082 buf = ssl->in_msg;
1083 n = ssl->in_left - 5;
1084
1085 /*
1086 * 0 . 1 ciphersuitelist length
1087 * 2 . 3 session id length
1088 * 4 . 5 challenge length
1089 * 6 . .. ciphersuitelist
1090 * .. . .. session id
1091 * .. . .. challenge
1092 */
1093 SSL_DEBUG_BUF( 4, "record contents", buf, n );
1094
1095 ciph_len = ( buf[0] << 8 ) | buf[1];
1096 sess_len = ( buf[2] << 8 ) | buf[3];
1097 chal_len = ( buf[4] << 8 ) | buf[5];
1098
1099 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
1100 ciph_len, sess_len, chal_len ) );
1101
1102 /*
1103 * Make sure each parameter length is valid
1104 */
1105 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
1106 {
1107 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1108 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1109 }
1110
1111 if( sess_len > 32 )
1112 {
1113 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1114 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1115 }
1116
1117 if( chal_len < 8 || chal_len > 32 )
1118 {
1119 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1120 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1121 }
1122
1123 if( n != 6 + ciph_len + sess_len + chal_len )
1124 {
1125 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1126 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1127 }
1128
1129 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1130 buf + 6, ciph_len );
1131 SSL_DEBUG_BUF( 3, "client hello, session id",
1132 buf + 6 + ciph_len, sess_len );
1133 SSL_DEBUG_BUF( 3, "client hello, challenge",
1134 buf + 6 + ciph_len + sess_len, chal_len );
1135
1136 p = buf + 6 + ciph_len;
1137 ssl->session_negotiate->length = sess_len;
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1138 memset( ssl->session_negotiate->id, 0,
1139 sizeof( ssl->session_negotiate->id ) );
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]1140 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
1141
1142 p += sess_len;
1143 memset( ssl->handshake->randbytes, 0, 64 );
1144 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
1145
1146 /*
1147 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1148 */
1149 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
1150 {
1151 if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
1152 {
1153 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1154#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]1155 if( ssl->renegotiation == SSL_RENEGOTIATION )
1156 {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1157 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
1158 "during renegotiation" ) );
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]1159
1160 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1161 return( ret );
1162
1163 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1164 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1165#endif /* POLARSSL_SSL_RENEGOTIATION */
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]1166 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
1167 break;
1168 }
1169 }
1170
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1171#if defined(POLARSSL_SSL_FALLBACK_SCSV)
1172 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
1173 {
1174 if( p[0] == 0 &&
1175 p[1] == (unsigned char)( ( SSL_FALLBACK_SCSV >> 8 ) & 0xff ) &&
1176 p[2] == (unsigned char)( ( SSL_FALLBACK_SCSV ) & 0xff ) )
1177 {
1178 SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
1179
1180 if( ssl->minor_ver < ssl->max_minor_ver )
1181 {
1182 SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
1183
1184 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1185 SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
1186
1187 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1188 }
1189
1190 break;
1191 }
1192 }
1193#endif /* POLARSSL_SSL_FALLBACK_SCSV */
1194
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1195 got_common_suite = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1196 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +0100[diff] [blame]1197 ciphersuite_info = NULL;
Manuel Pégourié-Gonnard1a9f2c72013-11-30 18:30:06 +0100[diff] [blame]1198#if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1199 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
1200 {
1201 for( i = 0; ciphersuites[i] != 0; i++ )
1202#else
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1203 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]1204 {
1205 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
Manuel Pégourié-Gonnard1a9f2c72013-11-30 18:30:06 +0100[diff] [blame]1206#endif
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]1207 {
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +0100[diff] [blame]1208 if( p[0] != 0 ||
1209 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
1210 p[2] != ( ( ciphersuites[i] ) & 0xFF ) )
1211 continue;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]1212
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1213 got_common_suite = 1;
1214
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +0100[diff] [blame]1215 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1216 &ciphersuite_info ) ) != 0 )
1217 return( ret );
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]1218
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +0100[diff] [blame]1219 if( ciphersuite_info != NULL )
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]1220 goto have_ciphersuite_v2;
1221 }
1222 }
1223
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1224 if( got_common_suite )
1225 {
1226 SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
1227 "but none of them usable" ) );
1228 return( POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE );
1229 }
1230 else
1231 {
1232 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1233 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
1234 }
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]1235
1236have_ciphersuite_v2:
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]1237 SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
1238
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1239 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]1240 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1241 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]1242
1243 /*
1244 * SSLv2 Client Hello relevant renegotiation security checks
1245 */
1246 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1247 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
1248 {
1249 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1250
1251 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1252 return( ret );
1253
1254 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1255 }
1256
1257 ssl->in_left = 0;
1258 ssl->state++;
1259
1260 SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
1261
1262 return( 0 );
1263}
1264#endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
1265
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1266static int ssl_parse_client_hello( ssl_context *ssl )
1267{
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1268 int ret, got_common_suite;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1269 unsigned int i, j;
1270 size_t n;
1271 unsigned int ciph_len, sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1272 unsigned int comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1273 unsigned int ext_len = 0;
1274 unsigned char *buf, *p, *ext;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1275#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1276 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1277#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1278 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1279 const int *ciphersuites;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1280 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1281
1282 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
1283
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1284#if defined(POLARSSL_SSL_RENEGOTIATION)
1285 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
1286#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1287 {
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]1288 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1289 {
1290 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1291 return( ret );
1292 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1293 }
1294
1295 buf = ssl->in_hdr;
1296
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]1297#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1298 if( ( buf[0] & 0x80 ) != 0 )
1299 return ssl_parse_client_hello_v2( ssl );
1300#endif
1301
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1302 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
1303
1304 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
1305 buf[0] ) );
1306 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
1307 ( buf[3] << 8 ) | buf[4] ) );
1308 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
1309 buf[1], buf[2] ) );
1310
1311 /*
Manuel Pégourié-Gonnard6b1e2072014-02-12 10:14:54 +0100[diff] [blame]1312 * SSLv3/TLS Client Hello
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1313 *
1314 * Record layer:
1315 * 0 . 0 message type
1316 * 1 . 2 protocol version
1317 * 3 . 4 message length
1318 */
Manuel Pégourié-Gonnard6b1e2072014-02-12 10:14:54 +0100[diff] [blame]1319
1320 /* According to RFC 5246 Appendix E.1, the version here is typically
1321 * "{03,00}, the lowest version number supported by the client, [or] the
1322 * value of ClientHello.client_version", so the only meaningful check here
1323 * is the major version shouldn't be less than 3 */
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1324 if( buf[0] != SSL_MSG_HANDSHAKE ||
Manuel Pégourié-Gonnard6b1e2072014-02-12 10:14:54 +0100[diff] [blame]1325 buf[1] < SSL_MAJOR_VERSION_3 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1326 {
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1327 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1328 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1329 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1330
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1331 n = ( buf[3] << 8 ) | buf[4];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1332
Paul Bakker4f42c112014-04-17 14:48:23 +0200[diff] [blame]1333 if( n < 45 || n > SSL_MAX_CONTENT_LEN )
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1334 {
1335 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1336 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1337 }
1338
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1339#if defined(POLARSSL_SSL_RENEGOTIATION)
1340 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
1341#endif
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1342 {
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]1343 if( ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
1344 {
1345 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1346 return( ret );
1347 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1348 }
1349
1350 buf = ssl->in_msg;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1351#if defined(POLARSSL_SSL_RENEGOTIATION)
1352 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1353 n = ssl->in_msglen;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1354 else
1355#endif
1356 n = ssl->in_left - 5;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1357
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1358 ssl->handshake->update_checksum( ssl, buf, n );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1359
1360 /*
1361 * SSL layer:
1362 * 0 . 0 handshake type
1363 * 1 . 3 handshake length
1364 * 4 . 5 protocol version
1365 * 6 . 9 UNIX time()
1366 * 10 . 37 random bytes
1367 * 38 . 38 session id length
1368 * 39 . 38+x session id
1369 * 39+x . 40+x ciphersuitelist length
Paul Bakker0f651c72014-05-22 15:12:19 +0200[diff] [blame]1370 * 41+x . 40+y ciphersuitelist
1371 * 41+y . 41+y compression alg length
1372 * 42+y . 41+z compression algs
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1373 * .. . .. extensions
1374 */
1375 SSL_DEBUG_BUF( 4, "record contents", buf, n );
1376
1377 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
1378 buf[0] ) );
1379 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
1380 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
1381 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
1382 buf[4], buf[5] ) );
1383
1384 /*
1385 * Check the handshake type and protocol version
1386 */
Manuel Pégourié-Gonnard6b1e2072014-02-12 10:14:54 +0100[diff] [blame]1387 if( buf[0] != SSL_HS_CLIENT_HELLO )
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1388 {
1389 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1390 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1391 }
1392
Manuel Pégourié-Gonnard6b1e2072014-02-12 10:14:54 +0100[diff] [blame]1393 ssl->major_ver = buf[4];
1394 ssl->minor_ver = buf[5];
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1395
Manuel Pégourié-Gonnard6b1e2072014-02-12 10:14:54 +0100[diff] [blame]1396 ssl->handshake->max_major_ver = ssl->major_ver;
1397 ssl->handshake->max_minor_ver = ssl->minor_ver;
1398
1399 if( ssl->major_ver < ssl->min_major_ver ||
1400 ssl->minor_ver < ssl->min_minor_ver )
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1401 {
1402 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
Manuel Pégourié-Gonnard6b1e2072014-02-12 10:14:54 +0100[diff] [blame]1403 " [%d:%d] < [%d:%d]",
1404 ssl->major_ver, ssl->minor_ver,
Paul Bakker81420ab2012-10-23 10:31:15 +0000[diff] [blame]1405 ssl->min_major_ver, ssl->min_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1406
1407 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1408 SSL_ALERT_MSG_PROTOCOL_VERSION );
1409
1410 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1411 }
1412
Manuel Pégourié-Gonnard6b1e2072014-02-12 10:14:54 +0100[diff] [blame]1413 if( ssl->major_ver > ssl->max_major_ver )
1414 {
1415 ssl->major_ver = ssl->max_major_ver;
1416 ssl->minor_ver = ssl->max_minor_ver;
1417 }
1418 else if( ssl->minor_ver > ssl->max_minor_ver )
1419 ssl->minor_ver = ssl->max_minor_ver;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1420
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1421 memcpy( ssl->handshake->randbytes, buf + 6, 32 );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1422
1423 /*
1424 * Check the handshake message length
1425 */
1426 if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
1427 {
1428 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1429 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1430 }
1431
1432 /*
1433 * Check the session length
1434 */
1435 sess_len = buf[38];
1436
Paul Bakker0f651c72014-05-22 15:12:19 +0200[diff] [blame]1437 if( sess_len > 32 || sess_len > n - 42 )
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1438 {
1439 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1440 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1441 }
1442
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1443 ssl->session_negotiate->length = sess_len;
1444 memset( ssl->session_negotiate->id, 0,
1445 sizeof( ssl->session_negotiate->id ) );
1446 memcpy( ssl->session_negotiate->id, buf + 39,
1447 ssl->session_negotiate->length );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1448
1449 /*
1450 * Check the ciphersuitelist length
1451 */
1452 ciph_len = ( buf[39 + sess_len] << 8 )
1453 | ( buf[40 + sess_len] );
1454
Paul Bakker0f651c72014-05-22 15:12:19 +0200[diff] [blame]1455 if( ciph_len < 2 || ( ciph_len % 2 ) != 0 || ciph_len > n - 42 - sess_len )
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1456 {
1457 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1458 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1459 }
1460
1461 /*
1462 * Check the compression algorithms length
1463 */
1464 comp_len = buf[41 + sess_len + ciph_len];
1465
Paul Bakker0f651c72014-05-22 15:12:19 +0200[diff] [blame]1466 if( comp_len < 1 || comp_len > 16 ||
1467 comp_len > n - 42 - sess_len - ciph_len )
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1468 {
1469 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1470 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1471 }
1472
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1473 /*
1474 * Check the extension length
1475 */
1476 if( n > 42 + sess_len + ciph_len + comp_len )
1477 {
1478 ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
1479 | ( buf[43 + sess_len + ciph_len + comp_len] );
1480
1481 if( ( ext_len > 0 && ext_len < 4 ) ||
1482 n != 44 + sess_len + ciph_len + comp_len + ext_len )
1483 {
1484 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1485 SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
1486 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1487 }
1488 }
1489
1490 ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1491#if defined(POLARSSL_ZLIB_SUPPORT)
1492 for( i = 0; i < comp_len; ++i )
1493 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1494 if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1495 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1496 ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1497 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1498 }
1499 }
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1500#endif
1501
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1502 SSL_DEBUG_BUF( 3, "client hello, random bytes",
1503 buf + 6, 32 );
1504 SSL_DEBUG_BUF( 3, "client hello, session id",
1505 buf + 38, sess_len );
1506 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1507 buf + 41 + sess_len, ciph_len );
1508 SSL_DEBUG_BUF( 3, "client hello, compression",
1509 buf + 42 + sess_len + ciph_len, comp_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1510
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1511 /*
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1512 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1513 */
1514 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1515 {
1516 if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
1517 {
1518 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1519#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1520 if( ssl->renegotiation == SSL_RENEGOTIATION )
1521 {
1522 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1523
1524 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1525 return( ret );
1526
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1527 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1528 }
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1529 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1530#endif /* POLARSSL_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1531 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
1532 break;
1533 }
1534 }
1535
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1536#if defined(POLARSSL_SSL_FALLBACK_SCSV)
1537 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1538 {
1539 if( p[0] == (unsigned char)( ( SSL_FALLBACK_SCSV >> 8 ) & 0xff ) &&
1540 p[1] == (unsigned char)( ( SSL_FALLBACK_SCSV ) & 0xff ) )
1541 {
1542 SSL_DEBUG_MSG( 0, ( "received FALLBACK_SCSV" ) );
1543
1544 if( ssl->minor_ver < ssl->max_minor_ver )
1545 {
1546 SSL_DEBUG_MSG( 0, ( "inapropriate fallback" ) );
1547
1548 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1549 SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
1550
1551 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1552 }
1553
1554 break;
1555 }
1556 }
1557#endif /* POLARSSL_SSL_FALLBACK_SCSV */
1558
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1559 ext = buf + 44 + sess_len + ciph_len + comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1560
1561 while( ext_len )
1562 {
1563 unsigned int ext_id = ( ( ext[0] << 8 )
1564 | ( ext[1] ) );
1565 unsigned int ext_size = ( ( ext[2] << 8 )
1566 | ( ext[3] ) );
1567
1568 if( ext_size + 4 > ext_len )
1569 {
1570 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1571 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1572 }
1573 switch( ext_id )
1574 {
Paul Bakker0be444a2013-08-27 21:55:01 +0200[diff] [blame]1575#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]1576 case TLS_EXT_SERVERNAME:
1577 SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1578 if( ssl->f_sni == NULL )
1579 break;
1580
1581 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1582 if( ret != 0 )
1583 return( ret );
1584 break;
Paul Bakker0be444a2013-08-27 21:55:01 +0200[diff] [blame]1585#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]1586
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1587 case TLS_EXT_RENEGOTIATION_INFO:
1588 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1589#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1590 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1591#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1592
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1593 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1594 if( ret != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1595 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1596 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1597
Manuel Pégourié-Gonnardd9423232014-12-02 11:57:29 +0100[diff] [blame]1598#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
1599 defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1600 case TLS_EXT_SIG_ALG:
1601 SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1602#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1603 if( ssl->renegotiation == SSL_RENEGOTIATION )
1604 break;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1605#endif
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1606
1607 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1608 if( ret != 0 )
1609 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1610 break;
Manuel Pégourié-Gonnardd9423232014-12-02 11:57:29 +0100[diff] [blame]1611#endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
1612 POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1613
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1614#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1615 case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
1616 SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1617
1618 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1619 if( ret != 0 )
1620 return( ret );
1621 break;
1622
1623 case TLS_EXT_SUPPORTED_POINT_FORMATS:
1624 SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
Paul Bakker677377f2013-10-28 12:54:26 +0100[diff] [blame]1625 ssl->handshake->cli_exts |= TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1626
1627 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1628 if( ret != 0 )
1629 return( ret );
1630 break;
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1631#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1632
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1633#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1634 case TLS_EXT_MAX_FRAGMENT_LENGTH:
1635 SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1636
1637 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1638 if( ret != 0 )
1639 return( ret );
1640 break;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1641#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1642
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1643#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1644 case TLS_EXT_TRUNCATED_HMAC:
1645 SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1646
1647 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1648 if( ret != 0 )
1649 return( ret );
1650 break;
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1651#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1652
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1653#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
1654 case TLS_EXT_ENCRYPT_THEN_MAC:
1655 SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
1656
1657 ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
1658 if( ret != 0 )
1659 return( ret );
1660 break;
1661#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
1662
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1663#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
1664 case TLS_EXT_EXTENDED_MASTER_SECRET:
1665 SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
1666
1667 ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
1668 if( ret != 0 )
1669 return( ret );
1670 break;
1671#endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
1672
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1673#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1674 case TLS_EXT_SESSION_TICKET:
1675 SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1676
1677 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1678 if( ret != 0 )
1679 return( ret );
1680 break;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1681#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1682
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]1683#if defined(POLARSSL_SSL_ALPN)
1684 case TLS_EXT_ALPN:
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]1685 SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]1686
1687 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
1688 if( ret != 0 )
1689 return( ret );
1690 break;
1691#endif /* POLARSSL_SSL_SESSION_TICKETS */
1692
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1693 default:
1694 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1695 ext_id ) );
1696 }
1697
1698 ext_len -= 4 + ext_size;
1699 ext += 4 + ext_size;
1700
1701 if( ext_len > 0 && ext_len < 4 )
1702 {
1703 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1704 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1705 }
1706 }
1707
1708 /*
1709 * Renegotiation security checks
1710 */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1711 if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION &&
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1712 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
1713 {
1714 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1715 handshake_failure = 1;
1716 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1717#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1718 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1719 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
1720 renegotiation_info_seen == 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1721 {
1722 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1723 handshake_failure = 1;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1724 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1725 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1726 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1727 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1728 {
1729 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1730 handshake_failure = 1;
1731 }
1732 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1733 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1734 renegotiation_info_seen == 1 )
1735 {
1736 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1737 handshake_failure = 1;
1738 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1739#endif /* POLARSSL_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1740
1741 if( handshake_failure == 1 )
1742 {
1743 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1744 return( ret );
1745
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1746 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1747 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1748
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1749 /*
1750 * Search for a matching ciphersuite
Manuel Pégourié-Gonnard3ebb2cd2013-09-23 17:00:18 +0200[diff] [blame]1751 * (At the end because we need information from the EC-based extensions
1752 * and certificate from the SNI callback triggered by the SNI extension.)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1753 */
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1754 got_common_suite = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1755 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
Manuel Pégourié-Gonnard59b81d72013-11-30 17:46:04 +0100[diff] [blame]1756 ciphersuite_info = NULL;
Manuel Pégourié-Gonnard1a9f2c72013-11-30 18:30:06 +0100[diff] [blame]1757#if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1758 for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 )
1759 {
1760 for( i = 0; ciphersuites[i] != 0; i++ )
1761#else
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1762 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1763 {
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +0100[diff] [blame]1764 for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 )
Manuel Pégourié-Gonnard1a9f2c72013-11-30 18:30:06 +0100[diff] [blame]1765#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1766 {
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +0100[diff] [blame]1767 if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
1768 p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
1769 continue;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1770
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1771 got_common_suite = 1;
1772
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +0100[diff] [blame]1773 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1774 &ciphersuite_info ) ) != 0 )
1775 return( ret );
1776
1777 if( ciphersuite_info != NULL )
1778 goto have_ciphersuite;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1779 }
1780 }
1781
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1782 if( got_common_suite )
1783 {
1784 SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
1785 "but none of them usable" ) );
1786 ssl_send_fatal_handshake_failure( ssl );
1787 return( POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE );
1788 }
1789 else
1790 {
1791 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1792 ssl_send_fatal_handshake_failure( ssl );
1793 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
1794 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1795
1796have_ciphersuite:
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame^]1797 SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
1798
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1799 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1800 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1801 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
1802
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1803 ssl->in_left = 0;
1804 ssl->state++;
1805
1806 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1807
1808 return( 0 );
1809}
1810
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1811#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1812static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
1813 unsigned char *buf,
1814 size_t *olen )
1815{
1816 unsigned char *p = buf;
1817
1818 if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
1819 {
1820 *olen = 0;
1821 return;
1822 }
1823
1824 SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1825
1826 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
1827 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
1828
1829 *p++ = 0x00;
1830 *p++ = 0x00;
1831
1832 *olen = 4;
1833}
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1834#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1835
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1836#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
1837static void ssl_write_encrypt_then_mac_ext( ssl_context *ssl,
1838 unsigned char *buf,
1839 size_t *olen )
1840{
1841 unsigned char *p = buf;
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1842 const ssl_ciphersuite_t *suite = NULL;
1843 const cipher_info_t *cipher = NULL;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1844
1845 if( ssl->session_negotiate->encrypt_then_mac == SSL_EXTENDED_MS_DISABLED ||
1846 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1847 {
1848 *olen = 0;
1849 return;
1850 }
1851
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1852 /*
1853 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
1854 * from a client and then selects a stream or Authenticated Encryption
1855 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
1856 * encrypt-then-MAC response extension back to the client."
1857 */
1858 if( ( suite = ssl_ciphersuite_from_id(
1859 ssl->session_negotiate->ciphersuite ) ) == NULL ||
1860 ( cipher = cipher_info_from_type( suite->cipher ) ) == NULL ||
1861 cipher->mode != POLARSSL_MODE_CBC )
1862 {
1863 *olen = 0;
1864 return;
1865 }
1866
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1867 SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
1868
1869 *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
1870 *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
1871
1872 *p++ = 0x00;
1873 *p++ = 0x00;
1874
1875 *olen = 4;
1876}
1877#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
1878
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1879#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
1880static void ssl_write_extended_ms_ext( ssl_context *ssl,
1881 unsigned char *buf,
1882 size_t *olen )
1883{
1884 unsigned char *p = buf;
1885
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1886 if( ssl->handshake->extended_ms == SSL_EXTENDED_MS_DISABLED ||
1887 ssl->minor_ver == SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1888 {
1889 *olen = 0;
1890 return;
1891 }
1892
1893 SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
1894 "extension" ) );
1895
1896 *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
1897 *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
1898
1899 *p++ = 0x00;
1900 *p++ = 0x00;
1901
1902 *olen = 4;
1903}
1904#endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
1905
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1906#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1907static void ssl_write_session_ticket_ext( ssl_context *ssl,
1908 unsigned char *buf,
1909 size_t *olen )
1910{
1911 unsigned char *p = buf;
1912
1913 if( ssl->handshake->new_session_ticket == 0 )
1914 {
1915 *olen = 0;
1916 return;
1917 }
1918
1919 SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1920
1921 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
1922 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
1923
1924 *p++ = 0x00;
1925 *p++ = 0x00;
1926
1927 *olen = 4;
1928}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1929#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1930
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1931static void ssl_write_renegotiation_ext( ssl_context *ssl,
1932 unsigned char *buf,
1933 size_t *olen )
1934{
1935 unsigned char *p = buf;
1936
1937 if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION )
1938 {
1939 *olen = 0;
1940 return;
1941 }
1942
1943 SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1944
1945 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
1946 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
1947
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1948#if defined(POLARSSL_SSL_RENEGOTIATION)
1949 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
1950 {
1951 *p++ = 0x00;
1952 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
1953 *p++ = ssl->verify_data_len * 2 & 0xFF;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1954
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1955 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
1956 p += ssl->verify_data_len;
1957 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
1958 p += ssl->verify_data_len;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1959
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1960 *olen = 5 + ssl->verify_data_len * 2;
1961 }
1962 else
1963#endif /* POLARSSL_SSL_RENEGOTIATION */
1964 {
1965 *p++ = 0x00;
1966 *p++ = 0x01;
1967 *p++ = 0x00;
1968
1969 *olen = 5;
1970 }
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1971}
1972
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1973#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1974static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
1975 unsigned char *buf,
1976 size_t *olen )
1977{
1978 unsigned char *p = buf;
1979
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]1980 if( ssl->session_negotiate->mfl_code == SSL_MAX_FRAG_LEN_NONE )
1981 {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1982 *olen = 0;
1983 return;
1984 }
1985
1986 SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
1987
1988 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
1989 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
1990
1991 *p++ = 0x00;
1992 *p++ = 1;
1993
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]1994 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1995
1996 *olen = 5;
1997}
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1998#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1999
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]2000#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2001static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
2002 unsigned char *buf,
2003 size_t *olen )
2004{
2005 unsigned char *p = buf;
2006 ((void) ssl);
2007
Paul Bakker677377f2013-10-28 12:54:26 +0100[diff] [blame]2008 if( ( ssl->handshake->cli_exts &
2009 TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
2010 {
2011 *olen = 0;
2012 return;
2013 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2014
2015 SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
2016
2017 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
2018 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
2019
2020 *p++ = 0x00;
2021 *p++ = 2;
2022
2023 *p++ = 1;
2024 *p++ = POLARSSL_ECP_PF_UNCOMPRESSED;
2025
2026 *olen = 6;
2027}
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]2028#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2029
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]2030#if defined(POLARSSL_SSL_ALPN )
2031static void ssl_write_alpn_ext( ssl_context *ssl,
2032 unsigned char *buf, size_t *olen )
2033{
2034 if( ssl->alpn_chosen == NULL )
2035 {
2036 *olen = 0;
2037 return;
2038 }
2039
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2040 SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]2041
2042 /*
2043 * 0 . 1 ext identifier
2044 * 2 . 3 ext length
2045 * 4 . 5 protocol list length
2046 * 6 . 6 protocol name length
2047 * 7 . 7+n protocol name
2048 */
2049 buf[0] = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF );
2050 buf[1] = (unsigned char)( ( TLS_EXT_ALPN ) & 0xFF );
2051
2052 *olen = 7 + strlen( ssl->alpn_chosen );
2053
2054 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
2055 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
2056
2057 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
2058 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
2059
2060 buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF );
2061
2062 memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
2063}
2064#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
2065
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2066static int ssl_write_server_hello( ssl_context *ssl )
2067{
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2068#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2069 time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2070#endif
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]2071 int ret;
2072 size_t olen, ext_len = 0, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2073 unsigned char *buf, *p;
2074
2075 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
2076
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]2077 if( ssl->f_rng == NULL )
2078 {
2079 SSL_DEBUG_MSG( 1, ( "no RNG provided") );
2080 return( POLARSSL_ERR_SSL_NO_RNG );
2081 }
2082
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2083 /*
2084 * 0 . 0 handshake type
2085 * 1 . 3 handshake length
2086 * 4 . 5 protocol version
2087 * 6 . 9 UNIX time()
2088 * 10 . 37 random bytes
2089 */
2090 buf = ssl->out_msg;
2091 p = buf + 4;
2092
2093 *p++ = (unsigned char) ssl->major_ver;
2094 *p++ = (unsigned char) ssl->minor_ver;
2095
2096 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
2097 buf[4], buf[5] ) );
2098
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2099#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2100 t = time( NULL );
2101 *p++ = (unsigned char)( t >> 24 );
2102 *p++ = (unsigned char)( t >> 16 );
2103 *p++ = (unsigned char)( t >> 8 );
2104 *p++ = (unsigned char)( t );
2105
2106 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2107#else
2108 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
2109 return( ret );
2110
2111 p += 4;
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]2112#endif /* POLARSSL_HAVE_TIME */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2113
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2114 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
2115 return( ret );
2116
2117 p += 28;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2118
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2119 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2120
2121 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
2122
2123 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2124 * Resume is 0 by default, see ssl_handshake_init().
2125 * It may be already set to 1 by ssl_parse_session_ticket_ext().
2126 * If not, try looking up session ID in our cache.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2127 */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2128 if( ssl->handshake->resume == 0 &&
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]2129#if defined(POLARSSL_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2130 ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]2131#endif
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +0200[diff] [blame]2132 ssl->session_negotiate->length != 0 &&
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2133 ssl->f_get_cache != NULL &&
2134 ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
2135 {
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2136 SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2137 ssl->handshake->resume = 1;
2138 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2139
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2140 if( ssl->handshake->resume == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2141 {
2142 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2143 * New session, create a new session id,
2144 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2145 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2146 ssl->state++;
2147
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]2148#if defined(POLARSSL_HAVE_TIME)
2149 ssl->session_negotiate->start = time( NULL );
2150#endif
2151
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2152#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]2153 if( ssl->handshake->new_session_ticket != 0 )
2154 {
2155 ssl->session_negotiate->length = n = 0;
2156 memset( ssl->session_negotiate->id, 0, 32 );
2157 }
2158 else
2159#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2160 {
2161 ssl->session_negotiate->length = n = 32;
2162 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2163 n ) ) != 0 )
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2164 return( ret );
2165 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2166 }
2167 else
2168 {
2169 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2170 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2171 */
Paul Bakkerf0e39ac2013-08-15 11:40:48 +0200[diff] [blame]2172 n = ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2173 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2174
2175 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2176 {
2177 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2178 return( ret );
2179 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2180 }
2181
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2182 /*
2183 * 38 . 38 session id length
2184 * 39 . 38+n session id
2185 * 39+n . 40+n chosen ciphersuite
2186 * 41+n . 41+n chosen compression alg.
2187 * 42+n . 43+n extensions length
2188 * 44+n . 43+n+m extensions
2189 */
2190 *p++ = (unsigned char) ssl->session_negotiate->length;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2191 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
2192 p += ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2193
2194 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
2195 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
2196 SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]2197 ssl->handshake->resume ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2198
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2199 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
2200 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
2201 *p++ = (unsigned char)( ssl->session_negotiate->compression );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2202
Manuel Pégourié-Gonnard51451f82013-09-17 12:06:25 +0200[diff] [blame]2203 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
2204 ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
Manuel Pégourié-Gonnard32ea60a2013-08-17 17:39:04 +0200[diff] [blame]2205 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2206 ssl->session_negotiate->compression ) );
2207
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]2208 /*
2209 * First write extensions, then the total length
2210 */
2211 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
2212 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2213
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]2214#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]2215 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
2216 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]2217#endif
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]2218
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]2219#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]2220 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
2221 ext_len += olen;
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]2222#endif
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]2223
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2224#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
2225 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
2226 ext_len += olen;
2227#endif
2228
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2229#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
2230 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
2231 ext_len += olen;
2232#endif
2233
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2234#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2235 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
2236 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2237#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2238
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]2239#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2240 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
2241 ext_len += olen;
2242#endif
2243
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]2244#if defined(POLARSSL_SSL_ALPN)
2245 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
2246 ext_len += olen;
2247#endif
2248
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]2249 SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2250
Paul Bakkera7036632014-04-30 10:15:38 +0200[diff] [blame]2251 if( ext_len > 0 )
2252 {
2253 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
2254 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
2255 p += ext_len;
2256 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2257
2258 ssl->out_msglen = p - buf;
2259 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2260 ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
2261
2262 ret = ssl_write_record( ssl );
2263
2264 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2265
2266 return( ret );
2267}
2268
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2269#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2270 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
Manuel Pégourié-Gonnarda3104592013-09-17 21:17:44 +0200[diff] [blame]2271 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2272 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2273static int ssl_write_certificate_request( ssl_context *ssl )
2274{
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2275 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2276
2277 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2278
2279 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnarddc953e82013-11-25 17:27:39 +0100[diff] [blame]2280 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]2281 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2282 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2283 {
2284 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2285 ssl->state++;
2286 return( 0 );
2287 }
2288
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +0200[diff] [blame]2289 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2290 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2291}
2292#else
2293static int ssl_write_certificate_request( ssl_context *ssl )
2294{
2295 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2296 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2297 size_t dn_size, total_dn_size; /* excluding length bytes */
2298 size_t ct_len, sa_len; /* including length bytes */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2299 unsigned char *buf, *p;
Paul Bakkerc559c7a2013-09-18 14:13:26 +0200[diff] [blame]2300 const x509_crt *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2301
2302 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2303
2304 ssl->state++;
2305
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2306 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnarddc953e82013-11-25 17:27:39 +0100[diff] [blame]2307 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2308 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]2309 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2310 ssl->authmode == SSL_VERIFY_NONE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2311 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2312 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2313 return( 0 );
2314 }
2315
2316 /*
2317 * 0 . 0 handshake type
2318 * 1 . 3 handshake length
2319 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2320 * 5 .. m-1 cert types
2321 * m .. m+1 sig alg length (TLS 1.2 only)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]2322 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2323 * n .. n+1 length of all DNs
2324 * n+2 .. n+3 length of DN 1
2325 * n+4 .. ... Distinguished Name #1
2326 * ... .. ... length of DN 2, etc.
2327 */
2328 buf = ssl->out_msg;
2329 p = buf + 4;
2330
2331 /*
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2332 * Supported certificate types
2333 *
2334 * ClientCertificateType certificate_types<1..2^8-1>;
2335 * enum { (255) } ClientCertificateType;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2336 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2337 ct_len = 0;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2338
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2339#if defined(POLARSSL_RSA_C)
2340 p[1 + ct_len++] = SSL_CERT_TYPE_RSA_SIGN;
2341#endif
2342#if defined(POLARSSL_ECDSA_C)
2343 p[1 + ct_len++] = SSL_CERT_TYPE_ECDSA_SIGN;
2344#endif
2345
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]2346 p[0] = (unsigned char) ct_len++;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2347 p += ct_len;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2348
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2349 sa_len = 0;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2350#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2351 /*
2352 * Add signature_algorithms for verify (TLS 1.2)
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2353 *
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2354 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2355 *
2356 * struct {
2357 * HashAlgorithm hash;
2358 * SignatureAlgorithm signature;
2359 * } SignatureAndHashAlgorithm;
2360 *
2361 * enum { (255) } HashAlgorithm;
2362 * enum { (255) } SignatureAlgorithm;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2363 */
Paul Bakker21dca692013-01-03 11:41:08 +0100[diff] [blame]2364 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2365 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2366 /*
2367 * Only use current running hash algorithm that is already required
2368 * for requested ciphersuite.
2369 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2370 ssl->handshake->verify_sig_alg = SSL_HASH_SHA256;
2371
Paul Bakkerb7149bc2013-03-20 15:30:09 +0100[diff] [blame]2372 if( ssl->transform_negotiate->ciphersuite_info->mac ==
2373 POLARSSL_MD_SHA384 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2374 {
2375 ssl->handshake->verify_sig_alg = SSL_HASH_SHA384;
2376 }
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]2377
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2378 /*
2379 * Supported signature algorithms
2380 */
2381#if defined(POLARSSL_RSA_C)
2382 p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
2383 p[2 + sa_len++] = SSL_SIG_RSA;
2384#endif
2385#if defined(POLARSSL_ECDSA_C)
2386 p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
2387 p[2 + sa_len++] = SSL_SIG_ECDSA;
2388#endif
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2389
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2390 p[0] = (unsigned char)( sa_len >> 8 );
2391 p[1] = (unsigned char)( sa_len );
2392 sa_len += 2;
2393 p += sa_len;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2394 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2395#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2396
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2397 /*
2398 * DistinguishedName certificate_authorities<0..2^16-1>;
2399 * opaque DistinguishedName<1..2^16-1>;
2400 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2401 p += 2;
2402 crt = ssl->ca_chain;
2403
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]2404 total_dn_size = 0;
Paul Bakkerc70e4252014-04-18 13:47:38 +0200[diff] [blame]2405 while( crt != NULL && crt->version != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2406 {
2407 if( p - buf > 4096 )
2408 break;
2409
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2410 dn_size = crt->subject_raw.len;
2411 *p++ = (unsigned char)( dn_size >> 8 );
2412 *p++ = (unsigned char)( dn_size );
2413 memcpy( p, crt->subject_raw.p, dn_size );
2414 p += dn_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2415
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2416 SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
2417
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]2418 total_dn_size += 2 + dn_size;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2419 crt = crt->next;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2420 }
2421
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2422 ssl->out_msglen = p - buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2423 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2424 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2425 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
2426 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2427
2428 ret = ssl_write_record( ssl );
2429
2430 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
2431
2432 return( ret );
2433}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2434#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2435 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2436 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
2437 !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2438
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2439#if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2440 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2441static int ssl_get_ecdh_params_from_cert( ssl_context *ssl )
2442{
2443 int ret;
2444
2445 if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECKEY ) )
2446 {
2447 SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2448 return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH );
2449 }
2450
2451 if( ( ret = ecdh_get_params( &ssl->handshake->ecdh_ctx,
2452 pk_ec( *ssl_own_key( ssl ) ),
2453 POLARSSL_ECDH_OURS ) ) != 0 )
2454 {
2455 SSL_DEBUG_RET( 1, ( "ecdh_get_params" ), ret );
2456 return( ret );
2457 }
2458
2459 return( 0 );
2460}
2461#endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2462 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2463
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2464static int ssl_write_server_key_exchange( ssl_context *ssl )
2465{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2466 int ret;
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +0200[diff] [blame]2467 size_t n = 0;
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2468 const ssl_ciphersuite_t *ciphersuite_info =
2469 ssl->transform_negotiate->ciphersuite_info;
Paul Bakker2292d1f2013-09-15 17:06:49 +0200[diff] [blame]2470
2471#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2472 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2473 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
Manuel Pégourié-Gonnard1b62c7f2013-10-14 14:02:19 +0200[diff] [blame]2474 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
Paul Bakker2292d1f2013-09-15 17:06:49 +0200[diff] [blame]2475 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +0200[diff] [blame]2476 unsigned char *p = ssl->out_msg + 4;
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2477 unsigned char *dig_signed = p;
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +0200[diff] [blame]2478 size_t dig_signed_len = 0, len;
Paul Bakker2292d1f2013-09-15 17:06:49 +0200[diff] [blame]2479 ((void) dig_signed);
2480 ((void) dig_signed_len);
2481#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2482
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2483 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
2484
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2485#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
2486 defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
2487 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2488 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ||
2489 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2490 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2491 {
2492 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
2493 ssl->state++;
2494 return( 0 );
2495 }
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2496#endif
2497
2498#if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2499 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2500 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
2501 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
2502 {
2503 ssl_get_ecdh_params_from_cert( ssl );
2504
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2505 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2506 ssl->state++;
2507 return( 0 );
2508 }
2509#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2510
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]2511#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2512 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2513 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2514 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2515 {
2516 /* TODO: Support identity hints */
2517 *(p++) = 0x00;
2518 *(p++) = 0x00;
2519
2520 n += 2;
2521 }
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]2522#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED ||
2523 POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2524
2525#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2526 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2527 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
2528 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2529 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2530 /*
2531 * Ephemeral DH parameters:
2532 *
2533 * struct {
2534 * opaque dh_p<1..2^16-1>;
2535 * opaque dh_g<1..2^16-1>;
2536 * opaque dh_Ys<1..2^16-1>;
2537 * } ServerDHParams;
2538 */
2539 if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
2540 ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
2541 {
2542 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2543 return( ret );
2544 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2545
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2546 if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]2547 (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
2548 p, &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2549 {
2550 SSL_DEBUG_RET( 1, "dhm_make_params", ret );
2551 return( ret );
2552 }
2553
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2554 dig_signed = p;
2555 dig_signed_len = len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2556
2557 p += len;
2558 n += len;
2559
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2560 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
2561 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2562 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2563 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
2564 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2565#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2566 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2567
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2568#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2569 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]2570 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
2571 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2572 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2573 /*
2574 * Ephemeral ECDH parameters:
2575 *
2576 * struct {
2577 * ECParameters curve_params;
2578 * ECPoint public;
2579 * } ServerECDHParams;
2580 */
Paul Bakkerd893aef2014-04-17 14:45:17 +0200[diff] [blame]2581 const ecp_curve_info **curve = NULL;
Manuel Pégourié-Gonnardde053902014-02-04 13:58:39 +0100[diff] [blame]2582#if defined(POLARSSL_SSL_SET_CURVES)
Manuel Pégourié-Gonnardc3f6b622014-02-06 10:13:09 +0100[diff] [blame]2583 const ecp_group_id *gid;
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2584
Manuel Pégourié-Gonnardc3f6b622014-02-06 10:13:09 +0100[diff] [blame]2585 /* Match our preference list against the offered curves */
2586 for( gid = ssl->curve_list; *gid != POLARSSL_ECP_DP_NONE; gid++ )
2587 for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
2588 if( (*curve)->grp_id == *gid )
2589 goto curve_matching_done;
2590
2591curve_matching_done:
2592#else
2593 curve = ssl->handshake->curves;
2594#endif
2595
2596 if( *curve == NULL )
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2597 {
Manuel Pégourié-Gonnardc3f6b622014-02-06 10:13:09 +0100[diff] [blame]2598 SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
2599 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2600 }
Manuel Pégourié-Gonnardde053902014-02-04 13:58:39 +0100[diff] [blame]2601
Manuel Pégourié-Gonnardc3f6b622014-02-06 10:13:09 +0100[diff] [blame]2602 SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2603
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2604 if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
Manuel Pégourié-Gonnardc3f6b622014-02-06 10:13:09 +0100[diff] [blame]2605 (*curve)->grp_id ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2606 {
2607 SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
2608 return( ret );
2609 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2610
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]2611 if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
2612 p, SSL_MAX_CONTENT_LEN - n,
2613 ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2614 {
2615 SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
2616 return( ret );
2617 }
2618
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2619 dig_signed = p;
2620 dig_signed_len = len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2621
2622 p += len;
2623 n += len;
2624
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2625 SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
2626 }
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2627#endif /* POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2628
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2629#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2630 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2631 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2632 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2633 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2634 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2635 {
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2636 size_t signature_len = 0;
Paul Bakker2292d1f2013-09-15 17:06:49 +0200[diff] [blame]2637 unsigned int hashlen = 0;
2638 unsigned char hash[64];
2639 md_type_t md_alg = POLARSSL_MD_NONE;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2640
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2641 /*
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2642 * Choose hash algorithm. NONE means MD5 + SHA1 here.
2643 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2644#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2645 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2646 {
2647 md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg );
2648
2649 if( md_alg == POLARSSL_MD_NONE )
2650 {
2651 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +0200[diff] [blame]2652 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2653 }
2654 }
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2655 else
Paul Bakkerdb20c102014-06-17 14:34:44 +0200[diff] [blame]2656#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2657#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2658 defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]2659 if( ciphersuite_info->key_exchange ==
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2660 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
2661 {
2662 md_alg = POLARSSL_MD_SHA1;
2663 }
2664 else
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2665#endif
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2666 {
2667 md_alg = POLARSSL_MD_NONE;
2668 }
2669
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2670 /*
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2671 * Compute the hash to be signed
2672 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2673#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2674 defined(POLARSSL_SSL_PROTO_TLS1_1)
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2675 if( md_alg == POLARSSL_MD_NONE )
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2676 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2677 md5_context md5;
2678 sha1_context sha1;
2679
Paul Bakker5b4af392014-06-26 12:09:34 +0200[diff] [blame]2680 md5_init( &md5 );
2681 sha1_init( &sha1 );
2682
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2683 /*
2684 * digitally-signed struct {
2685 * opaque md5_hash[16];
2686 * opaque sha_hash[20];
2687 * };
2688 *
2689 * md5_hash
2690 * MD5(ClientHello.random + ServerHello.random
2691 * + ServerParams);
2692 * sha_hash
2693 * SHA(ClientHello.random + ServerHello.random
2694 * + ServerParams);
2695 */
2696 md5_starts( &md5 );
2697 md5_update( &md5, ssl->handshake->randbytes, 64 );
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2698 md5_update( &md5, dig_signed, dig_signed_len );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2699 md5_finish( &md5, hash );
2700
2701 sha1_starts( &sha1 );
2702 sha1_update( &sha1, ssl->handshake->randbytes, 64 );
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2703 sha1_update( &sha1, dig_signed, dig_signed_len );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2704 sha1_finish( &sha1, hash + 16 );
2705
2706 hashlen = 36;
Paul Bakker5b4af392014-06-26 12:09:34 +0200[diff] [blame]2707
2708 md5_free( &md5 );
2709 sha1_free( &sha1 );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2710 }
2711 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2712#endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
2713 POLARSSL_SSL_PROTO_TLS1_1 */
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2714#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2715 defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2716 if( md_alg != POLARSSL_MD_NONE )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2717 {
2718 md_context_t ctx;
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]2719 const md_info_t *md_info = md_info_from_type( md_alg );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2720
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]2721 md_init( &ctx );
2722
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +0200[diff] [blame]2723 /* Info from md_alg will be used instead */
2724 hashlen = 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2725
2726 /*
2727 * digitally-signed struct {
2728 * opaque client_random[32];
2729 * opaque server_random[32];
2730 * ServerDHParams params;
2731 * };
2732 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]2733 if( ( ret = md_init_ctx( &ctx, md_info ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2734 {
2735 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
2736 return( ret );
2737 }
2738
2739 md_starts( &ctx );
2740 md_update( &ctx, ssl->handshake->randbytes, 64 );
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2741 md_update( &ctx, dig_signed, dig_signed_len );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2742 md_finish( &ctx, hash );
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]2743 md_free( &ctx );
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2744 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2745 else
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2746#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2747 POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2748 {
2749 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +0200[diff] [blame]2750 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2751 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2752
Manuel Pégourié-Gonnard9cc6f5c2013-08-27 14:29:44 +0200[diff] [blame]2753 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
2754 (unsigned int) ( md_info_from_type( md_alg ) )->size );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2755
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2756 /*
2757 * Make the signature
2758 */
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +0200[diff] [blame]2759 if( ssl_own_key( ssl ) == NULL )
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2760 {
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2761 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2762 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2763 }
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2764
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2765#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2766 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2767 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2768 *(p++) = ssl->handshake->sig_alg;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +0200[diff] [blame]2769 *(p++) = ssl_sig_from_pk( ssl_own_key( ssl ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2770
2771 n += 2;
2772 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2773#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2774
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +0200[diff] [blame]2775 if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash, hashlen,
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]2776 p + 2 , &signature_len,
2777 ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2778 {
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]2779 SSL_DEBUG_RET( 1, "pk_sign", ret );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2780 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2781 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2782
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2783 *(p++) = (unsigned char)( signature_len >> 8 );
2784 *(p++) = (unsigned char)( signature_len );
Paul Bakkerbf63b362012-04-12 20:44:34 +0000[diff] [blame]2785 n += 2;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2786
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2787 SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2788
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2789 p += signature_len;
2790 n += signature_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2791 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2792#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2793 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2794 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2795
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2796 ssl->out_msglen = 4 + n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2797 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2798 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE;
2799
2800 ssl->state++;
2801
2802 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2803 {
2804 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2805 return( ret );
2806 }
2807
2808 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
2809
2810 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2811}
2812
2813static int ssl_write_server_hello_done( ssl_context *ssl )
2814{
2815 int ret;
2816
2817 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
2818
2819 ssl->out_msglen = 4;
2820 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2821 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE;
2822
2823 ssl->state++;
2824
2825 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2826 {
2827 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2828 return( ret );
2829 }
2830
2831 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
2832
2833 return( 0 );
2834}
2835
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2836#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2837 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2838static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
2839 const unsigned char *end )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2840{
2841 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2842 size_t n;
2843
2844 /*
2845 * Receive G^Y mod P, premaster = (G^Y)^X mod P
2846 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2847 if( *p + 2 > end )
2848 {
2849 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2850 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2851 }
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2852
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2853 n = ( (*p)[0] << 8 ) | (*p)[1];
2854 *p += 2;
2855
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]2856 if( *p + n > end )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2857 {
2858 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2859 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2860 }
2861
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]2862 if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2863 {
2864 SSL_DEBUG_RET( 1, "dhm_read_public", ret );
2865 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2866 }
2867
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]2868 *p += n;
2869
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2870 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2871
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2872 return( ret );
2873}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2874#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2875 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2876
Manuel Pégourié-Gonnardbac0e3b2013-10-15 11:54:47 +0200[diff] [blame]2877#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
2878 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2879static int ssl_parse_encrypted_pms( ssl_context *ssl,
2880 const unsigned char *p,
2881 const unsigned char *end,
2882 size_t pms_offset )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2883{
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2884 int ret;
2885 size_t len = pk_get_len( ssl_own_key( ssl ) );
2886 unsigned char *pms = ssl->handshake->premaster + pms_offset;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2887
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +0200[diff] [blame]2888 if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2889 {
Manuel Pégourié-Gonnarda2d3f222013-08-21 11:51:08 +0200[diff] [blame]2890 SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2891 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2892 }
2893
2894 /*
2895 * Decrypt the premaster using own private RSA key
2896 */
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2897#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2898 defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2899 if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
2900 {
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2901 if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
2902 *p++ != ( ( len ) & 0xFF ) )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2903 {
2904 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2905 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2906 }
2907 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2908#endif
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2909
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2910 if( p + len != end )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2911 {
2912 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2913 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2914 }
2915
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2916 ret = pk_decrypt( ssl_own_key( ssl ), p, len,
2917 pms, &ssl->handshake->pmslen,
Manuel Pégourié-Gonnardb2bf5a12014-03-25 16:28:12 +0100[diff] [blame]2918 sizeof( ssl->handshake->premaster ) - pms_offset,
Manuel Pégourié-Gonnard070cc7f2013-08-21 15:09:31 +0200[diff] [blame]2919 ssl->f_rng, ssl->p_rng );
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2920
2921 if( ret != 0 || ssl->handshake->pmslen != 48 ||
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2922 pms[0] != ssl->handshake->max_major_ver ||
2923 pms[1] != ssl->handshake->max_minor_ver )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2924 {
2925 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2926
2927 /*
2928 * Protection against Bleichenbacher's attack:
2929 * invalid PKCS#1 v1.5 padding must not cause
2930 * the connection to end immediately; instead,
2931 * send a bad_record_mac later in the handshake.
2932 */
2933 ssl->handshake->pmslen = 48;
2934
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2935 ret = ssl->f_rng( ssl->p_rng, pms, ssl->handshake->pmslen );
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2936 if( ret != 0 )
2937 return( ret );
2938 }
2939
2940 return( ret );
2941}
Manuel Pégourié-Gonnardbac0e3b2013-10-15 11:54:47 +0200[diff] [blame]2942#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED ||
2943 POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2944
Manuel Pégourié-Gonnard8a3c64d2013-10-14 19:54:10 +0200[diff] [blame]2945#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2946static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
2947 const unsigned char *end )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2948{
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]2949 int ret = 0;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2950 size_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2951
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]2952 if( ssl->f_psk == NULL &&
2953 ( ssl->psk == NULL || ssl->psk_identity == NULL ||
2954 ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2955 {
2956 SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
2957 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2958 }
2959
2960 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2961 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2962 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2963 if( *p + 2 > end )
2964 {
2965 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2966 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2967 }
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2968
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2969 n = ( (*p)[0] << 8 ) | (*p)[1];
2970 *p += 2;
2971
2972 if( n < 1 || n > 65535 || *p + n > end )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2973 {
2974 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2975 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2976 }
2977
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]2978 if( ssl->f_psk != NULL )
2979 {
Manuel Pégourié-Gonnardd27680b2014-07-08 14:15:55 +0200[diff] [blame]2980 if( ssl->f_psk( ssl->p_psk, ssl, *p, n ) != 0 )
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]2981 ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
2982 }
Manuel Pégourié-Gonnardd27680b2014-07-08 14:15:55 +0200[diff] [blame]2983 else
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]2984 {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]2985 /* Identity is not a big secret since clients send it in the clear,
2986 * but treat it carefully anyway, just in case */
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]2987 if( n != ssl->psk_identity_len ||
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]2988 safer_memcmp( ssl->psk_identity, *p, n ) != 0 )
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]2989 {
2990 ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
2991 }
2992 }
2993
2994 if( ret == POLARSSL_ERR_SSL_UNKNOWN_IDENTITY )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2995 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2996 SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]2997 if( ( ret = ssl_send_alert_message( ssl,
2998 SSL_ALERT_LEVEL_FATAL,
2999 SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 )
3000 {
3001 return( ret );
3002 }
3003
3004 return( POLARSSL_ERR_SSL_UNKNOWN_IDENTITY );
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3005 }
3006
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3007 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3008
Manuel Pégourié-Gonnardd27680b2014-07-08 14:15:55 +0200[diff] [blame]3009 return( 0 );
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3010}
Manuel Pégourié-Gonnard8a3c64d2013-10-14 19:54:10 +0200[diff] [blame]3011#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3012
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3013static int ssl_parse_client_key_exchange( ssl_context *ssl )
3014{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3015 int ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3016 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3017
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3018 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3019
3020 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
3021
3022 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3023 {
3024 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3025 return( ret );
3026 }
3027
3028 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
3029 {
3030 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3031 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3032 }
3033
3034 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
3035 {
3036 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3037 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3038 }
3039
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3040#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3041 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3042 {
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +0200[diff] [blame]3043 unsigned char *p = ssl->in_msg + 4;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3044 unsigned char *end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +0200[diff] [blame]3045
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3046 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3047 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3048 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
3049 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3050 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3051
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3052 if( p != end )
3053 {
3054 SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3055 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3056 }
3057
Manuel Pégourié-Gonnarddd0c0f32014-06-23 18:07:11 +0200[diff] [blame]3058 ssl->handshake->pmslen = POLARSSL_PREMASTER_SIZE;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3059
3060 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
3061 ssl->handshake->premaster,
Manuel Pégourié-Gonnard2d627642013-09-04 14:22:07 +0200[diff] [blame]3062 &ssl->handshake->pmslen,
Manuel Pégourié-Gonnard15d5de12013-09-17 11:34:11 +0200[diff] [blame]3063 ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3064 {
3065 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
3066 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
3067 }
3068
3069 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3070 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3071 else
3072#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3073#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]3074 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3075 defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3076 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3077 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]3078 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
3079 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
3080 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3081 {
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3082 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]3083 ssl->in_msg + 4, ssl->in_hslen - 4 ) ) != 0 )
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3084 {
3085 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
3086 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
3087 }
3088
3089 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
3090
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3091 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
3092 &ssl->handshake->pmslen,
3093 ssl->handshake->premaster,
Manuel Pégourié-Gonnarde09d2f82013-09-02 14:29:09 +0200[diff] [blame]3094 POLARSSL_MPI_MAX_SIZE,
3095 ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3096 {
3097 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
3098 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
3099 }
3100
3101 SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3102 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3103 else
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3104#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]3105 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3106 POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3107 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3108#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
3109 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3110 {
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +0200[diff] [blame]3111 unsigned char *p = ssl->in_msg + 4;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3112 unsigned char *end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +0200[diff] [blame]3113
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3114 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3115 {
3116 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3117 return( ret );
3118 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3119
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3120 if( p != end )
3121 {
3122 SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3123 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3124 }
3125
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]3126 if( ( ret = ssl_psk_derive_premaster( ssl,
3127 ciphersuite_info->key_exchange ) ) != 0 )
3128 {
3129 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
3130 return( ret );
3131 }
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3132 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3133 else
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3134#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3135#if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
3136 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
3137 {
3138 unsigned char *p = ssl->in_msg + 4;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3139 unsigned char *end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3140
3141 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
3142 {
3143 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3144 return( ret );
3145 }
3146
3147 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
3148 {
3149 SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
3150 return( ret );
3151 }
3152
3153 if( ( ret = ssl_psk_derive_premaster( ssl,
3154 ciphersuite_info->key_exchange ) ) != 0 )
3155 {
3156 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
3157 return( ret );
3158 }
3159 }
3160 else
3161#endif /* POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3162#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
3163 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
3164 {
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +0200[diff] [blame]3165 unsigned char *p = ssl->in_msg + 4;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3166 unsigned char *end = ssl->in_msg + ssl->in_hslen;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3167
3168 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
3169 {
3170 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3171 return( ret );
3172 }
3173 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
3174 {
3175 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
3176 return( ret );
3177 }
3178
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3179 if( p != end )
3180 {
3181 SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3182 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3183 }
3184
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]3185 if( ( ret = ssl_psk_derive_premaster( ssl,
3186 ciphersuite_info->key_exchange ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3187 {
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]3188 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
3189 return( ret );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3190 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3191 }
3192 else
3193#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3194#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3195 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
3196 {
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3197 unsigned char *p = ssl->in_msg + 4;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3198 unsigned char *end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3199
3200 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
3201 {
3202 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3203 return( ret );
3204 }
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3205
3206 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
3207 p, end - p ) ) != 0 )
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3208 {
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3209 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
3210 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3211 }
3212
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3213 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
3214
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]3215 if( ( ret = ssl_psk_derive_premaster( ssl,
3216 ciphersuite_info->key_exchange ) ) != 0 )
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3217 {
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]3218 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3219 return( ret );
3220 }
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3221 }
3222 else
3223#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3224#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
3225 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3226 {
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3227 if( ( ret = ssl_parse_encrypted_pms( ssl,
3228 ssl->in_msg + 4,
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3229 ssl->in_msg + ssl->in_hslen,
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3230 0 ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3231 {
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3232 SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3233 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3234 }
3235 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3236 else
3237#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
3238 {
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3239 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +0200[diff] [blame]3240 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3241 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3242
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]3243 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
3244 {
3245 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
3246 return( ret );
3247 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3248
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3249 ssl->state++;
3250
3251 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
3252
3253 return( 0 );
3254}
3255
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3256#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
3257 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
Manuel Pégourié-Gonnarda3104592013-09-17 21:17:44 +0200[diff] [blame]3258 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
3259 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3260static int ssl_parse_certificate_verify( ssl_context *ssl )
3261{
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3262 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3263
3264 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
3265
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3266 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnarddc953e82013-11-25 17:27:39 +0100[diff] [blame]3267 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
Manuel Pégourié-Gonnard1b62c7f2013-10-14 14:02:19 +0200[diff] [blame]3268 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3269 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3270 {
3271 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
3272 ssl->state++;
3273 return( 0 );
3274 }
3275
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +0200[diff] [blame]3276 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3277 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3278}
3279#else
3280static int ssl_parse_certificate_verify( ssl_context *ssl )
3281{
3282 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3283 size_t sa_len, sig_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3284 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3285 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3286 size_t hashlen;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3287#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3288 pk_type_t pk_alg;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3289#endif
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3290 md_type_t md_alg;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3291 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
3292
3293 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
3294
3295 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnarddc953e82013-11-25 17:27:39 +0100[diff] [blame]3296 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
Manuel Pégourié-Gonnard1b62c7f2013-10-14 14:02:19 +0200[diff] [blame]3297 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3298 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
3299 {
3300 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
3301 ssl->state++;
3302 return( 0 );
3303 }
3304
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3305 if( ssl->session_negotiate->peer_cert == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3306 {
3307 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
3308 ssl->state++;
3309 return( 0 );
3310 }
3311
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3312 ssl->handshake->calc_verify( ssl, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3313
3314 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3315 {
3316 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3317 return( ret );
3318 }
3319
3320 ssl->state++;
3321
3322 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
3323 {
3324 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3325 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3326 }
3327
3328 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
3329 {
3330 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3331 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3332 }
3333
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3334 /*
3335 * 0 . 0 handshake type
3336 * 1 . 3 handshake length
3337 * 4 . 5 sig alg (TLS 1.2 only)
3338 * 4+n . 5+n signature length (n = sa_len)
3339 * 6+n . 6+n+m signature (m = sig_len)
3340 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3341
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]3342#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
3343 defined(POLARSSL_SSL_PROTO_TLS1_1)
3344 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3345 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3346 sa_len = 0;
3347
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3348 md_alg = POLARSSL_MD_NONE;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3349 hashlen = 36;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3350
3351 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
3352 if( pk_can_do( &ssl->session_negotiate->peer_cert->pk,
3353 POLARSSL_PK_ECDSA ) )
3354 {
3355 hash_start += 16;
3356 hashlen -= 16;
3357 md_alg = POLARSSL_MD_SHA1;
3358 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3359 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]3360 else
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]3361#endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 ||
3362 POLARSSL_SSL_PROTO_TLS1_1 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3363#if defined(POLARSSL_SSL_PROTO_TLS1_2)
3364 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +0200[diff] [blame]3365 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3366 sa_len = 2;
3367
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3368 /*
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]3369 * Hash
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3370 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3371 if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3372 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3373 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
3374 " for verify message" ) );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3375 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
3376 }
3377
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]3378 md_alg = ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3379
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +0200[diff] [blame]3380 /* Info from md_alg will be used instead */
3381 hashlen = 0;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3382
3383 /*
3384 * Signature
3385 */
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]3386 if( ( pk_alg = ssl_pk_alg_from_sig( ssl->in_msg[5] ) )
3387 == POLARSSL_PK_NONE )
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3388 {
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]3389 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
3390 " for verify message" ) );
3391 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3392 }
3393
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3394 /*
3395 * Check the certificate's key type matches the signature alg
3396 */
3397 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
3398 {
3399 SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
3400 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
3401 }
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3402 }
3403 else
3404#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3405 {
3406 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +0200[diff] [blame]3407 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +0200[diff] [blame]3408 }
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]3409
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3410 sig_len = ( ssl->in_msg[4 + sa_len] << 8 ) | ssl->in_msg[5 + sa_len];
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3411
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3412 if( sa_len + sig_len + 6 != ssl->in_hslen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3413 {
3414 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3415 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3416 }
3417
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]3418 if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3419 md_alg, hash_start, hashlen,
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]3420 ssl->in_msg + 6 + sa_len, sig_len ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3421 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3422 SSL_DEBUG_RET( 1, "pk_verify", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3423 return( ret );
3424 }
3425
3426 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
3427
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3428 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3429}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3430#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
3431 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
3432 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3433
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]3434#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3435static int ssl_write_new_session_ticket( ssl_context *ssl )
3436{
3437 int ret;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]3438 size_t tlen;
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]3439 uint32_t lifetime = (uint32_t) ssl->ticket_lifetime;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3440
3441 SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
3442
3443 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
3444 ssl->out_msg[0] = SSL_HS_NEW_SESSION_TICKET;
3445
3446 /*
3447 * struct {
3448 * uint32 ticket_lifetime_hint;
3449 * opaque ticket<0..2^16-1>;
3450 * } NewSessionTicket;
3451 *
3452 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
3453 * 8 . 9 ticket_len (n)
3454 * 10 . 9+n ticket content
3455 */
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]3456
3457 ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
3458 ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
3459 ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
3460 ssl->out_msg[7] = ( lifetime ) & 0xFF;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3461
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]3462 if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
3463 {
3464 SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
3465 tlen = 0;
3466 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3467
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]3468 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
3469 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3470
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]3471 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3472
Manuel Pégourié-Gonnard145dfcb2014-02-26 14:23:33 +0100[diff] [blame]3473 /*
3474 * Morally equivalent to updating ssl->state, but NewSessionTicket and
3475 * ChangeCipherSpec share the same state.
3476 */
3477 ssl->handshake->new_session_ticket = 0;
3478
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3479 if( ( ret = ssl_write_record( ssl ) ) != 0 )
3480 {
3481 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3482 return( ret );
3483 }
3484
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3485 SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
3486
3487 return( 0 );
3488}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]3489#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3490
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3491/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3492 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3493 */
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3494int ssl_handshake_server_step( ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3495{
3496 int ret = 0;
3497
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3498 if( ssl->state == SSL_HANDSHAKE_OVER )
3499 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3500
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3501 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
3502
3503 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3504 return( ret );
3505
3506 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3507 {
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3508 case SSL_HELLO_REQUEST:
3509 ssl->state = SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3510 break;
3511
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3512 /*
3513 * <== ClientHello
3514 */
3515 case SSL_CLIENT_HELLO:
3516 ret = ssl_parse_client_hello( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3517 break;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3518
3519 /*
3520 * ==> ServerHello
3521 * Certificate
3522 * ( ServerKeyExchange )
3523 * ( CertificateRequest )
3524 * ServerHelloDone
3525 */
3526 case SSL_SERVER_HELLO:
3527 ret = ssl_write_server_hello( ssl );
3528 break;
3529
3530 case SSL_SERVER_CERTIFICATE:
3531 ret = ssl_write_certificate( ssl );
3532 break;
3533
3534 case SSL_SERVER_KEY_EXCHANGE:
3535 ret = ssl_write_server_key_exchange( ssl );
3536 break;
3537
3538 case SSL_CERTIFICATE_REQUEST:
3539 ret = ssl_write_certificate_request( ssl );
3540 break;
3541
3542 case SSL_SERVER_HELLO_DONE:
3543 ret = ssl_write_server_hello_done( ssl );
3544 break;
3545
3546 /*
3547 * <== ( Certificate/Alert )
3548 * ClientKeyExchange
3549 * ( CertificateVerify )
3550 * ChangeCipherSpec
3551 * Finished
3552 */
3553 case SSL_CLIENT_CERTIFICATE:
3554 ret = ssl_parse_certificate( ssl );
3555 break;
3556
3557 case SSL_CLIENT_KEY_EXCHANGE:
3558 ret = ssl_parse_client_key_exchange( ssl );
3559 break;
3560
3561 case SSL_CERTIFICATE_VERIFY:
3562 ret = ssl_parse_certificate_verify( ssl );
3563 break;
3564
3565 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
3566 ret = ssl_parse_change_cipher_spec( ssl );
3567 break;
3568
3569 case SSL_CLIENT_FINISHED:
3570 ret = ssl_parse_finished( ssl );
3571 break;
3572
3573 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3574 * ==> ( NewSessionTicket )
3575 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3576 * Finished
3577 */
3578 case SSL_SERVER_CHANGE_CIPHER_SPEC:
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]3579#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3580 if( ssl->handshake->new_session_ticket != 0 )
3581 ret = ssl_write_new_session_ticket( ssl );
3582 else
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]3583#endif
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3584 ret = ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3585 break;
3586
3587 case SSL_SERVER_FINISHED:
3588 ret = ssl_write_finished( ssl );
3589 break;
3590
3591 case SSL_FLUSH_BUFFERS:
3592 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3593 ssl->state = SSL_HANDSHAKE_WRAPUP;
3594 break;
3595
3596 case SSL_HANDSHAKE_WRAPUP:
3597 ssl_handshake_wrapup( ssl );
3598 break;
3599
3600 default:
3601 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3602 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3603 }
3604
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3605 return( ret );
3606}
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]3607#endif /* POLARSSL_SSL_SRV_C */