TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / c6554aab3d59b0204b3a79fe4133f00778a953c3 / . / library / ssl_srv.c
blob: bb3fec42555330fb8a3aaf2fabc79d3f444bb188 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 server-side functions
3 *
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]26#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]28#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]30#include "polarssl/debug.h"
31#include "polarssl/ssl.h"
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]32#if defined(POLARSSL_ECP_C)
33#include "polarssl/ecp.h"
34#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]36#if defined(POLARSSL_MEMORY_C)
37#include "polarssl/memory.h"
38#else
39#define polarssl_malloc malloc
40#define polarssl_free free
41#endif
42
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43#include <stdlib.h>
44#include <stdio.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]45
46#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47#include <time.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]48#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]49
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]50#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]51/*
52 * Serialize a session in the following format:
53 * 0 . n-1 session structure, n = sizeof(ssl_session)
54 * n . n+2 peer_cert length = m (0 if no certificate)
55 * n+3 . n+2+m peer cert ASN.1
56 *
57 * Assumes ticket is NULL (always true on server side).
58 */
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame^]59static int ssl_save_session( const ssl_session *session,
60 unsigned char *buf, size_t buf_len,
61 size_t *olen )
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]62{
63 unsigned char *p = buf;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame^]64 size_t left = buf_len;
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]65#if defined(POLARSSL_X509_PARSE_C)
66 size_t cert_len;
67#endif /* POLARSSL_X509_PARSE_C */
68
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame^]69 if( left < sizeof( ssl_session ) )
70 return( -1 );
71
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]72 memcpy( p, session, sizeof( ssl_session ) );
73 p += sizeof( ssl_session );
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame^]74 left -= sizeof( ssl_session );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]75
76#if defined(POLARSSL_X509_PARSE_C)
77 ((ssl_session *) buf)->peer_cert = NULL;
78
79 if( session->peer_cert == NULL )
80 cert_len = 0;
81 else
82 cert_len = session->peer_cert->raw.len;
83
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame^]84 if( left < 3 + cert_len )
85 return( -1 );
86
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]87 *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
88 *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
89 *p++ = (unsigned char)( cert_len & 0xFF );
90
91 if( session->peer_cert != NULL )
92 memcpy( p, session->peer_cert->raw.p, cert_len );
93
94 p += cert_len;
95#endif /* POLARSSL_X509_PARSE_C */
96
97 *olen = p - buf;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame^]98
99 return( 0 );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]100}
101
102/*
103 * Unserialise session, see ssl_save_session()
104 */
105static int ssl_load_session( ssl_session *session,
106 const unsigned char *buf, size_t len )
107{
108 int ret;
109 const unsigned char *p = buf;
110 const unsigned char * const end = buf + len;
111#if defined(POLARSSL_X509_PARSE_C)
112 size_t cert_len;
113#endif /* POLARSSL_X509_PARSE_C */
114
115 if( p + sizeof( ssl_session ) > end )
116 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
117
118 memcpy( session, p, sizeof( ssl_session ) );
119 p += sizeof( ssl_session );
120
121#if defined(POLARSSL_X509_PARSE_C)
122 if( p + 3 > end )
123 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
124
125 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
126 p += 3;
127
128 if( cert_len == 0 )
129 {
130 session->peer_cert = NULL;
131 }
132 else
133 {
134 if( p + cert_len > end )
135 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
136
137 session->peer_cert = polarssl_malloc( cert_len );
138
139 if( session->peer_cert == NULL )
140 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
141
142 memset( session->peer_cert, 0, sizeof( x509_cert ) );
143
144 if( ( ret = x509parse_crt( session->peer_cert, p, cert_len ) ) != 0 )
145 {
146 polarssl_free( session->peer_cert );
147 free( session->peer_cert );
148 session->peer_cert = NULL;
149 return( ret );
150 }
151
152 p += cert_len;
153 }
154#endif /* POLARSSL_X509_PARSE_C */
155
156 if( p != end )
157 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
158
159 return( 0 );
160}
161
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]162/*
163 * Create session ticket, secured as recommended in RFC 5077 section 4:
164 *
165 * struct {
166 * opaque key_name[16];
167 * opaque iv[16];
168 * opaque encrypted_state<0..2^16-1>;
169 * opaque mac[32];
170 * } ticket;
171 *
172 * (the internal state structure differs, however).
173 */
174static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
175{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]176 int ret;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]177 unsigned char * const start = ssl->out_msg + 10;
178 unsigned char *p = start;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]179 unsigned char *state;
180 unsigned char iv[16];
181 size_t clear_len, enc_len, pad_len, i;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]182
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]183 if( ssl->ticket_keys == NULL )
184 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
185
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]186 /* Write key name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]187 memcpy( p, ssl->ticket_keys->key_name, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]188 p += 16;
189
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]190 /* Generate and write IV (with a copy for aes_crypt) */
191 if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
192 return( ret );
193 memcpy( iv, p, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]194 p += 16;
195
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame^]196 /*
197 * Dump session state
198 *
199 * After the session state itself, we still need room for 16 bytes of
200 * padding and 32 bytes of MAC, so there's only so much room left
201 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]202 state = p + 2;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame^]203 if( ssl_save_session( ssl->session_negotiate, state,
204 SSL_MAX_CONTENT_LEN - (state - ssl->out_ctr) - 48,
205 &clear_len ) != 0 )
206 {
207 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
208 }
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]209 SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]210
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]211 /* Apply PKCS padding */
212 pad_len = 16 - clear_len % 16;
213 enc_len = clear_len + pad_len;
214 for( i = clear_len; i < enc_len; i++ )
215 state[i] = (unsigned char) pad_len;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]216
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]217 /* Encrypt */
218 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
219 enc_len, iv, state, state ) ) != 0 )
220 {
221 return( ret );
222 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]223
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]224 /* Write length */
225 *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
226 *p++ = (unsigned char)( ( enc_len ) & 0xFF );
227 p = state + enc_len;
228
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]229 /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
230 sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]231 p += 32;
232
233 *tlen = p - start;
234
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]235 SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]236
237 return( 0 );
238}
239
240/*
241 * Load session ticket (see ssl_write_ticket for structure)
242 */
243static int ssl_parse_ticket( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]244 unsigned char *buf,
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]245 size_t len )
246{
247 int ret;
248 ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]249 unsigned char *key_name = buf;
250 unsigned char *iv = buf + 16;
251 unsigned char *enc_len_p = iv + 16;
252 unsigned char *ticket = enc_len_p + 2;
253 unsigned char *mac;
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]254 unsigned char computed_mac[16];
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]255 size_t enc_len, clear_len, i;
256 unsigned char pad_len;
257
258 SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]259
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]260 if( len < 34 || ssl->ticket_keys == NULL )
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]261 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
262
263 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
264 mac = ticket + enc_len;
265
266 if( len != enc_len + 66 )
267 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
268
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]269 /* Check name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]270 if( memcmp( key_name, ssl->ticket_keys->key_name, 16 ) != 0 )
271 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]272
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]273 /* Check mac */
274 sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
275 computed_mac, 0 );
276 ret = 0;
277 for( i = 0; i < 32; i++ )
278 if( mac[i] != computed_mac[i] )
279 ret = POLARSSL_ERR_SSL_INVALID_MAC;
280 if( ret != 0 )
281 return( ret );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]282
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]283 /* Decrypt */
284 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
285 enc_len, iv, ticket, ticket ) ) != 0 )
286 {
287 return( ret );
288 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]289
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]290 /* Check PKCS padding */
291 pad_len = ticket[enc_len - 1];
292
293 ret = 0;
294 for( i = 2; i < pad_len; i++ )
295 if( ticket[enc_len - i] != pad_len )
296 ret = POLARSSL_ERR_SSL_BAD_INPUT_DATA;
297 if( ret != 0 )
298 return( ret );
299
300 clear_len = enc_len - pad_len;
301
302 SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
303
304 /* Actually load session */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]305 if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
306 {
307 SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
308 memset( &session, 0, sizeof( ssl_session ) );
309 return( ret );
310 }
311
Paul Bakker606b4ba2013-08-14 16:52:14 +0200[diff] [blame]312#if defined(POLARSSL_HAVE_TIME)
313 /* Check if still valid */
314 if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
315 {
316 SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
317 memset( &session, 0, sizeof( ssl_session ) );
318 return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED );
319 }
320#endif
321
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]322 /*
323 * Keep the session ID sent by the client, since we MUST send it back to
324 * inform him we're accepting the ticket (RFC 5077 section 3.4)
325 */
326 session.length = ssl->session_negotiate->length;
327 memcpy( &session.id, ssl->session_negotiate->id, session.length );
328
329 ssl_session_free( ssl->session_negotiate );
330 memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
331 memset( &session, 0, sizeof( ssl_session ) );
332
333 return( 0 );
334}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]335#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]336
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]337static int ssl_parse_servername_ext( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]338 const unsigned char *buf,
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]339 size_t len )
340{
341 int ret;
342 size_t servername_list_size, hostname_len;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]343 const unsigned char *p;
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]344
345 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
346 if( servername_list_size + 2 != len )
347 {
348 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
349 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
350 }
351
352 p = buf + 2;
353 while( servername_list_size > 0 )
354 {
355 hostname_len = ( ( p[1] << 8 ) | p[2] );
356 if( hostname_len + 3 > servername_list_size )
357 {
358 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
359 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
360 }
361
362 if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
363 {
364 ret = ssl->f_sni( ssl->p_sni, ssl, p + 3, hostname_len );
365 if( ret != 0 )
366 {
367 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
368 SSL_ALERT_MSG_UNRECOGNIZED_NAME );
369 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
370 }
Paul Bakker81420ab2012-10-23 10:31:15 +0000[diff] [blame]371 return( 0 );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]372 }
373
374 servername_list_size -= hostname_len + 3;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]375 p += hostname_len + 3;
376 }
377
378 if( servername_list_size != 0 )
379 {
380 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
381 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]382 }
383
384 return( 0 );
385}
386
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]387static int ssl_parse_renegotiation_info( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]388 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]389 size_t len )
390{
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]391 int ret;
392
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]393 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
394 {
395 if( len != 1 || buf[0] != 0x0 )
396 {
397 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]398
399 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
400 return( ret );
401
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]402 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
403 }
404
405 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
406 }
407 else
408 {
409 if( len != 1 + ssl->verify_data_len ||
410 buf[0] != ssl->verify_data_len ||
411 memcmp( buf + 1, ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
412 {
413 SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]414
415 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
416 return( ret );
417
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]418 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
419 }
420 }
421
422 return( 0 );
423}
424
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]425static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
426 const unsigned char *buf,
427 size_t len )
428{
429 size_t sig_alg_list_size;
430 const unsigned char *p;
431
432 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
433 if( sig_alg_list_size + 2 != len ||
434 sig_alg_list_size %2 != 0 )
435 {
436 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
437 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
438 }
439
440 p = buf + 2;
441 while( sig_alg_list_size > 0 )
442 {
443 if( p[1] != SSL_SIG_RSA )
Paul Bakker8611e732012-10-30 07:52:29 +0000[diff] [blame]444 {
445 sig_alg_list_size -= 2;
446 p += 2;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]447 continue;
Paul Bakker8611e732012-10-30 07:52:29 +0000[diff] [blame]448 }
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]449#if defined(POLARSSL_SHA512_C)
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]450 if( p[0] == SSL_HASH_SHA512 )
451 {
452 ssl->handshake->sig_alg = SSL_HASH_SHA512;
453 break;
454 }
455 if( p[0] == SSL_HASH_SHA384 )
456 {
457 ssl->handshake->sig_alg = SSL_HASH_SHA384;
458 break;
459 }
460#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]461#if defined(POLARSSL_SHA256_C)
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]462 if( p[0] == SSL_HASH_SHA256 )
463 {
464 ssl->handshake->sig_alg = SSL_HASH_SHA256;
465 break;
466 }
467 if( p[0] == SSL_HASH_SHA224 )
468 {
469 ssl->handshake->sig_alg = SSL_HASH_SHA224;
470 break;
471 }
472#endif
473 if( p[0] == SSL_HASH_SHA1 )
474 {
475 ssl->handshake->sig_alg = SSL_HASH_SHA1;
476 break;
477 }
478 if( p[0] == SSL_HASH_MD5 )
479 {
480 ssl->handshake->sig_alg = SSL_HASH_MD5;
481 break;
482 }
483
484 sig_alg_list_size -= 2;
485 p += 2;
486 }
487
488 SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
489 ssl->handshake->sig_alg ) );
490
491 return( 0 );
492}
493
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]494#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]495static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
496 const unsigned char *buf,
497 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]498{
499 size_t list_size;
500 const unsigned char *p;
501
502 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
503 if( list_size + 2 != len ||
504 list_size % 2 != 0 )
505 {
506 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
507 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
508 }
509
510 p = buf + 2;
511 while( list_size > 0 )
512 {
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]513#if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
514 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP192R1 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]515 {
516 ssl->handshake->ec_curve = p[1];
517 return( 0 );
518 }
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]519#endif
520#if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
521 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP224R1 )
522 {
523 ssl->handshake->ec_curve = p[1];
524 return( 0 );
525 }
526#endif
527#if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
528 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP256R1 )
529 {
530 ssl->handshake->ec_curve = p[1];
531 return( 0 );
532 }
533#endif
534#if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
535 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP384R1 )
536 {
537 ssl->handshake->ec_curve = p[1];
538 return( 0 );
539 }
540#endif
541#if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
542 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP521R1 )
543 {
544 ssl->handshake->ec_curve = p[1];
545 return( 0 );
546 }
547#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]548
549 list_size -= 2;
550 p += 2;
551 }
552
553 return( 0 );
554}
555
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]556static int ssl_parse_supported_point_formats( ssl_context *ssl,
557 const unsigned char *buf,
558 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]559{
560 size_t list_size;
561 const unsigned char *p;
562
563 list_size = buf[0];
564 if( list_size + 1 != len )
565 {
566 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
567 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
568 }
569
570 p = buf + 2;
571 while( list_size > 0 )
572 {
573 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
574 p[0] == POLARSSL_ECP_PF_COMPRESSED )
575 {
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]576 ssl->handshake->ecdh_ctx.point_format = p[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]577 SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]578 return( 0 );
579 }
580
581 list_size--;
582 p++;
583 }
584
585 return( 0 );
586}
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]587#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]588
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]589#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]590static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
591 const unsigned char *buf,
592 size_t len )
593{
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]594 if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]595 {
596 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
597 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
598 }
599
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]600 ssl->session_negotiate->mfl_code = buf[0];
601
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]602 return( 0 );
603}
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]604#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]605
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]606#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]607static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
608 const unsigned char *buf,
609 size_t len )
610{
611 if( len != 0 )
612 {
613 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
614 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
615 }
616
617 ((void) buf);
618
619 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
620
621 return( 0 );
622}
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]623#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]624
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]625#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]626static int ssl_parse_session_ticket_ext( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]627 unsigned char *buf,
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]628 size_t len )
629{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]630 int ret;
631
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]632 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
633 return( 0 );
634
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]635 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]636 ssl->handshake->new_session_ticket = 1;
637
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]638 SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
639
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]640 if( len == 0 )
641 return( 0 );
642
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]643 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
644 {
645 SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
646 return( 0 );
647 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]648
649 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]650 * Failures are ok: just ignore the ticket and proceed.
651 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]652 if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
653 {
654 SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]655 return( 0 );
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]656 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]657
658 SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
659
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]660 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]661
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]662 /* Don't send a new ticket after all, this one is OK */
663 ssl->handshake->new_session_ticket = 0;
664
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]665 return( 0 );
666}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]667#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]668
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]669#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
670static int ssl_parse_client_hello_v2( ssl_context *ssl )
671{
672 int ret;
673 unsigned int i, j;
674 size_t n;
675 unsigned int ciph_len, sess_len, chal_len;
676 unsigned char *buf, *p;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]677 const int *ciphersuites;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]678 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]679
680 SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
681
682 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
683 {
684 SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
685
686 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
687 return( ret );
688
689 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
690 }
691
692 buf = ssl->in_hdr;
693
694 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
695
696 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
697 buf[2] ) );
698 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
699 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
700 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
701 buf[3], buf[4] ) );
702
703 /*
704 * SSLv2 Client Hello
705 *
706 * Record layer:
707 * 0 . 1 message length
708 *
709 * SSL layer:
710 * 2 . 2 message type
711 * 3 . 4 protocol version
712 */
713 if( buf[2] != SSL_HS_CLIENT_HELLO ||
714 buf[3] != SSL_MAJOR_VERSION_3 )
715 {
716 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
717 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
718 }
719
720 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
721
722 if( n < 17 || n > 512 )
723 {
724 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
725 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
726 }
727
728 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]729 ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
730 ? buf[4] : ssl->max_minor_ver;
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]731
732 if( ssl->minor_ver < ssl->min_minor_ver )
733 {
734 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
735 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
736 ssl->min_major_ver, ssl->min_minor_ver ) );
737
738 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
739 SSL_ALERT_MSG_PROTOCOL_VERSION );
740 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
741 }
742
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]743 ssl->handshake->max_major_ver = buf[3];
744 ssl->handshake->max_minor_ver = buf[4];
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]745
746 if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
747 {
748 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
749 return( ret );
750 }
751
752 ssl->handshake->update_checksum( ssl, buf + 2, n );
753
754 buf = ssl->in_msg;
755 n = ssl->in_left - 5;
756
757 /*
758 * 0 . 1 ciphersuitelist length
759 * 2 . 3 session id length
760 * 4 . 5 challenge length
761 * 6 . .. ciphersuitelist
762 * .. . .. session id
763 * .. . .. challenge
764 */
765 SSL_DEBUG_BUF( 4, "record contents", buf, n );
766
767 ciph_len = ( buf[0] << 8 ) | buf[1];
768 sess_len = ( buf[2] << 8 ) | buf[3];
769 chal_len = ( buf[4] << 8 ) | buf[5];
770
771 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
772 ciph_len, sess_len, chal_len ) );
773
774 /*
775 * Make sure each parameter length is valid
776 */
777 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
778 {
779 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
780 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
781 }
782
783 if( sess_len > 32 )
784 {
785 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
786 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
787 }
788
789 if( chal_len < 8 || chal_len > 32 )
790 {
791 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
792 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
793 }
794
795 if( n != 6 + ciph_len + sess_len + chal_len )
796 {
797 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
798 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
799 }
800
801 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
802 buf + 6, ciph_len );
803 SSL_DEBUG_BUF( 3, "client hello, session id",
804 buf + 6 + ciph_len, sess_len );
805 SSL_DEBUG_BUF( 3, "client hello, challenge",
806 buf + 6 + ciph_len + sess_len, chal_len );
807
808 p = buf + 6 + ciph_len;
809 ssl->session_negotiate->length = sess_len;
810 memset( ssl->session_negotiate->id, 0, sizeof( ssl->session_negotiate->id ) );
811 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
812
813 p += sess_len;
814 memset( ssl->handshake->randbytes, 0, 64 );
815 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
816
817 /*
818 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
819 */
820 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
821 {
822 if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
823 {
824 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
825 if( ssl->renegotiation == SSL_RENEGOTIATION )
826 {
827 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
828
829 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
830 return( ret );
831
832 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
833 }
834 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
835 break;
836 }
837 }
838
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]839 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
840 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]841 {
842 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
843 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]844 // Only allow non-ECC ciphersuites as we do not have extensions
845 //
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]846 if( p[0] == 0 && p[1] == 0 &&
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]847 ( ( ciphersuites[i] >> 8 ) & 0xFF ) == 0 &&
848 p[2] == ( ciphersuites[i] & 0xFF ) )
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]849 {
850 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
851
852 if( ciphersuite_info == NULL )
853 {
854 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
855 ciphersuites[i] ) );
856 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
857 }
858
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]859 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
860 ciphersuite_info->max_minor_ver < ssl->minor_ver )
861 continue;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]862
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]863 goto have_ciphersuite_v2;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]864 }
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]865 }
866 }
867
868 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
869
870 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
871
872have_ciphersuite_v2:
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]873 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]874 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]875 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]876
877 /*
878 * SSLv2 Client Hello relevant renegotiation security checks
879 */
880 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
881 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
882 {
883 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
884
885 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
886 return( ret );
887
888 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
889 }
890
891 ssl->in_left = 0;
892 ssl->state++;
893
894 SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
895
896 return( 0 );
897}
898#endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
899
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]900static int ssl_parse_client_hello( ssl_context *ssl )
901{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]902 int ret;
903 unsigned int i, j;
904 size_t n;
905 unsigned int ciph_len, sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]906 unsigned int comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]907 unsigned int ext_len = 0;
908 unsigned char *buf, *p, *ext;
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]909 int renegotiation_info_seen = 0;
910 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]911 const int *ciphersuites;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]912 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]913
914 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
915
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]916 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
917 ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]918 {
919 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
920 return( ret );
921 }
922
923 buf = ssl->in_hdr;
924
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]925#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
926 if( ( buf[0] & 0x80 ) != 0 )
927 return ssl_parse_client_hello_v2( ssl );
928#endif
929
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]930 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
931
932 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
933 buf[0] ) );
934 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
935 ( buf[3] << 8 ) | buf[4] ) );
936 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
937 buf[1], buf[2] ) );
938
939 /*
940 * SSLv3 Client Hello
941 *
942 * Record layer:
943 * 0 . 0 message type
944 * 1 . 2 protocol version
945 * 3 . 4 message length
946 */
947 if( buf[0] != SSL_MSG_HANDSHAKE ||
948 buf[1] != SSL_MAJOR_VERSION_3 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]949 {
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]950 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
951 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
952 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]953
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]954 n = ( buf[3] << 8 ) | buf[4];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]955
Manuel Pégourié-Gonnard72882b22013-08-02 13:36:00 +0200[diff] [blame]956 if( n < 45 || n > 2048 )
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]957 {
958 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
959 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
960 }
961
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]962 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
963 ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]964 {
965 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
966 return( ret );
967 }
968
969 buf = ssl->in_msg;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]970 if( !ssl->renegotiation )
971 n = ssl->in_left - 5;
972 else
973 n = ssl->in_msglen;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]974
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]975 ssl->handshake->update_checksum( ssl, buf, n );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]976
977 /*
978 * SSL layer:
979 * 0 . 0 handshake type
980 * 1 . 3 handshake length
981 * 4 . 5 protocol version
982 * 6 . 9 UNIX time()
983 * 10 . 37 random bytes
984 * 38 . 38 session id length
985 * 39 . 38+x session id
986 * 39+x . 40+x ciphersuitelist length
987 * 41+x . .. ciphersuitelist
988 * .. . .. compression alg.
989 * .. . .. extensions
990 */
991 SSL_DEBUG_BUF( 4, "record contents", buf, n );
992
993 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
994 buf[0] ) );
995 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
996 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
997 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
998 buf[4], buf[5] ) );
999
1000 /*
1001 * Check the handshake type and protocol version
1002 */
1003 if( buf[0] != SSL_HS_CLIENT_HELLO ||
1004 buf[4] != SSL_MAJOR_VERSION_3 )
1005 {
1006 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1007 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1008 }
1009
1010 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1011 ssl->minor_ver = ( buf[5] <= ssl->max_minor_ver )
1012 ? buf[5] : ssl->max_minor_ver;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1013
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1014 if( ssl->minor_ver < ssl->min_minor_ver )
1015 {
1016 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1017 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
Paul Bakker81420ab2012-10-23 10:31:15 +0000[diff] [blame]1018 ssl->min_major_ver, ssl->min_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1019
1020 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1021 SSL_ALERT_MSG_PROTOCOL_VERSION );
1022
1023 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1024 }
1025
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1026 ssl->handshake->max_major_ver = buf[4];
1027 ssl->handshake->max_minor_ver = buf[5];
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1028
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1029 memcpy( ssl->handshake->randbytes, buf + 6, 32 );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1030
1031 /*
1032 * Check the handshake message length
1033 */
1034 if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
1035 {
1036 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1037 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1038 }
1039
1040 /*
1041 * Check the session length
1042 */
1043 sess_len = buf[38];
1044
1045 if( sess_len > 32 )
1046 {
1047 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1048 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1049 }
1050
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1051 ssl->session_negotiate->length = sess_len;
1052 memset( ssl->session_negotiate->id, 0,
1053 sizeof( ssl->session_negotiate->id ) );
1054 memcpy( ssl->session_negotiate->id, buf + 39,
1055 ssl->session_negotiate->length );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1056
1057 /*
1058 * Check the ciphersuitelist length
1059 */
1060 ciph_len = ( buf[39 + sess_len] << 8 )
1061 | ( buf[40 + sess_len] );
1062
1063 if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
1064 {
1065 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1066 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1067 }
1068
1069 /*
1070 * Check the compression algorithms length
1071 */
1072 comp_len = buf[41 + sess_len + ciph_len];
1073
1074 if( comp_len < 1 || comp_len > 16 )
1075 {
1076 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1077 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1078 }
1079
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1080 /*
1081 * Check the extension length
1082 */
1083 if( n > 42 + sess_len + ciph_len + comp_len )
1084 {
1085 ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
1086 | ( buf[43 + sess_len + ciph_len + comp_len] );
1087
1088 if( ( ext_len > 0 && ext_len < 4 ) ||
1089 n != 44 + sess_len + ciph_len + comp_len + ext_len )
1090 {
1091 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1092 SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
1093 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1094 }
1095 }
1096
1097 ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1098#if defined(POLARSSL_ZLIB_SUPPORT)
1099 for( i = 0; i < comp_len; ++i )
1100 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1101 if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1102 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1103 ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1104 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1105 }
1106 }
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1107#endif
1108
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1109 SSL_DEBUG_BUF( 3, "client hello, random bytes",
1110 buf + 6, 32 );
1111 SSL_DEBUG_BUF( 3, "client hello, session id",
1112 buf + 38, sess_len );
1113 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1114 buf + 41 + sess_len, ciph_len );
1115 SSL_DEBUG_BUF( 3, "client hello, compression",
1116 buf + 42 + sess_len + ciph_len, comp_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1117
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1118 /*
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1119 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1120 */
1121 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1122 {
1123 if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
1124 {
1125 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1126 if( ssl->renegotiation == SSL_RENEGOTIATION )
1127 {
1128 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1129
1130 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1131 return( ret );
1132
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1133 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1134 }
1135 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
1136 break;
1137 }
1138 }
1139
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1140 ext = buf + 44 + sess_len + ciph_len + comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1141
1142 while( ext_len )
1143 {
1144 unsigned int ext_id = ( ( ext[0] << 8 )
1145 | ( ext[1] ) );
1146 unsigned int ext_size = ( ( ext[2] << 8 )
1147 | ( ext[3] ) );
1148
1149 if( ext_size + 4 > ext_len )
1150 {
1151 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1152 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1153 }
1154 switch( ext_id )
1155 {
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]1156 case TLS_EXT_SERVERNAME:
1157 SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1158 if( ssl->f_sni == NULL )
1159 break;
1160
1161 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1162 if( ret != 0 )
1163 return( ret );
1164 break;
1165
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1166 case TLS_EXT_RENEGOTIATION_INFO:
1167 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1168 renegotiation_info_seen = 1;
1169
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1170 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1171 if( ret != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1172 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1173 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1174
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1175 case TLS_EXT_SIG_ALG:
1176 SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1177 if( ssl->renegotiation == SSL_RENEGOTIATION )
1178 break;
1179
1180 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1181 if( ret != 0 )
1182 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1183 break;
1184
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1185#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1186 case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
1187 SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1188
1189 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1190 if( ret != 0 )
1191 return( ret );
1192 break;
1193
1194 case TLS_EXT_SUPPORTED_POINT_FORMATS:
1195 SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1196
1197 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1198 if( ret != 0 )
1199 return( ret );
1200 break;
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1201#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1202
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1203#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1204 case TLS_EXT_MAX_FRAGMENT_LENGTH:
1205 SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1206
1207 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1208 if( ret != 0 )
1209 return( ret );
1210 break;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1211#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1212
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1213#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1214 case TLS_EXT_TRUNCATED_HMAC:
1215 SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1216
1217 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1218 if( ret != 0 )
1219 return( ret );
1220 break;
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1221#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1222
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1223#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1224 case TLS_EXT_SESSION_TICKET:
1225 SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1226
1227 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1228 if( ret != 0 )
1229 return( ret );
1230 break;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1231#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1232
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1233 default:
1234 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1235 ext_id ) );
1236 }
1237
1238 ext_len -= 4 + ext_size;
1239 ext += 4 + ext_size;
1240
1241 if( ext_len > 0 && ext_len < 4 )
1242 {
1243 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1244 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1245 }
1246 }
1247
1248 /*
1249 * Renegotiation security checks
1250 */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1251 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1252 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
1253 {
1254 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1255 handshake_failure = 1;
1256 }
1257 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1258 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
1259 renegotiation_info_seen == 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1260 {
1261 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1262 handshake_failure = 1;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1263 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1264 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1265 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1266 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1267 {
1268 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1269 handshake_failure = 1;
1270 }
1271 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1272 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1273 renegotiation_info_seen == 1 )
1274 {
1275 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1276 handshake_failure = 1;
1277 }
1278
1279 if( handshake_failure == 1 )
1280 {
1281 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1282 return( ret );
1283
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1284 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1285 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1286
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1287 /*
1288 * Search for a matching ciphersuite
1289 * (At the end because we need information from the EC-based extensions)
1290 */
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1291 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1292 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1293 {
1294 for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
1295 j += 2, p += 2 )
1296 {
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1297 if( p[0] == ( ( ciphersuites[i] >> 8 ) & 0xFF ) &&
1298 p[1] == ( ( ciphersuites[i] ) & 0xFF ) )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1299 {
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1300 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1301
1302 if( ciphersuite_info == NULL )
1303 {
1304 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1305 ciphersuites[i] ) );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1306 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
1307 }
1308
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1309 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
1310 ciphersuite_info->max_minor_ver < ssl->minor_ver )
1311 continue;
1312
Paul Bakker5fd49172013-08-19 13:29:26 +0200[diff] [blame]1313#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1314 if( ( ciphersuite_info->flags & POLARSSL_CIPHERSUITE_EC ) &&
1315 ssl->handshake->ec_curve == 0 )
1316 continue;
Paul Bakker5fd49172013-08-19 13:29:26 +0200[diff] [blame]1317#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1318
1319 goto have_ciphersuite;
1320 }
1321 }
1322 }
1323
1324 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1325
1326 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1327 return( ret );
1328
1329 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
1330
1331have_ciphersuite:
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1332 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1333 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1334 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
1335
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1336 ssl->in_left = 0;
1337 ssl->state++;
1338
1339 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1340
1341 return( 0 );
1342}
1343
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1344#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1345static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
1346 unsigned char *buf,
1347 size_t *olen )
1348{
1349 unsigned char *p = buf;
1350
1351 if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
1352 {
1353 *olen = 0;
1354 return;
1355 }
1356
1357 SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1358
1359 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
1360 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
1361
1362 *p++ = 0x00;
1363 *p++ = 0x00;
1364
1365 *olen = 4;
1366}
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1367#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1368
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1369#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1370static void ssl_write_session_ticket_ext( ssl_context *ssl,
1371 unsigned char *buf,
1372 size_t *olen )
1373{
1374 unsigned char *p = buf;
1375
1376 if( ssl->handshake->new_session_ticket == 0 )
1377 {
1378 *olen = 0;
1379 return;
1380 }
1381
1382 SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1383
1384 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
1385 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
1386
1387 *p++ = 0x00;
1388 *p++ = 0x00;
1389
1390 *olen = 4;
1391}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1392#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1393
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1394static void ssl_write_renegotiation_ext( ssl_context *ssl,
1395 unsigned char *buf,
1396 size_t *olen )
1397{
1398 unsigned char *p = buf;
1399
1400 if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION )
1401 {
1402 *olen = 0;
1403 return;
1404 }
1405
1406 SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1407
1408 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
1409 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
1410
1411 *p++ = 0x00;
1412 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
1413 *p++ = ssl->verify_data_len * 2 & 0xFF;
1414
1415 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
1416 p += ssl->verify_data_len;
1417 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
1418 p += ssl->verify_data_len;
1419
1420 *olen = 5 + ssl->verify_data_len * 2;
1421}
1422
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1423#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1424static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
1425 unsigned char *buf,
1426 size_t *olen )
1427{
1428 unsigned char *p = buf;
1429
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]1430 if( ssl->session_negotiate->mfl_code == SSL_MAX_FRAG_LEN_NONE )
1431 {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1432 *olen = 0;
1433 return;
1434 }
1435
1436 SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
1437
1438 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
1439 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
1440
1441 *p++ = 0x00;
1442 *p++ = 1;
1443
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]1444 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1445
1446 *olen = 5;
1447}
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1448#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1449
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1450#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1451static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
1452 unsigned char *buf,
1453 size_t *olen )
1454{
1455 unsigned char *p = buf;
1456 ((void) ssl);
1457
1458 *olen = 0;
1459
1460 SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
1461
1462 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
1463 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
1464
1465 *p++ = 0x00;
1466 *p++ = 2;
1467
1468 *p++ = 1;
1469 *p++ = POLARSSL_ECP_PF_UNCOMPRESSED;
1470
1471 *olen = 6;
1472}
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1473#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1474
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1475static int ssl_write_server_hello( ssl_context *ssl )
1476{
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1477#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1478 time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1479#endif
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1480 int ret, n;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1481 size_t olen, ext_len = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1482 unsigned char *buf, *p;
1483
1484 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
1485
1486 /*
1487 * 0 . 0 handshake type
1488 * 1 . 3 handshake length
1489 * 4 . 5 protocol version
1490 * 6 . 9 UNIX time()
1491 * 10 . 37 random bytes
1492 */
1493 buf = ssl->out_msg;
1494 p = buf + 4;
1495
1496 *p++ = (unsigned char) ssl->major_ver;
1497 *p++ = (unsigned char) ssl->minor_ver;
1498
1499 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
1500 buf[4], buf[5] ) );
1501
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1502#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1503 t = time( NULL );
1504 *p++ = (unsigned char)( t >> 24 );
1505 *p++ = (unsigned char)( t >> 16 );
1506 *p++ = (unsigned char)( t >> 8 );
1507 *p++ = (unsigned char)( t );
1508
1509 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1510#else
1511 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
1512 return( ret );
1513
1514 p += 4;
1515#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1516
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1517 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
1518 return( ret );
1519
1520 p += 28;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1521
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1522 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1523
1524 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
1525
1526 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1527 * Resume is 0 by default, see ssl_handshake_init().
1528 * It may be already set to 1 by ssl_parse_session_ticket_ext().
1529 * If not, try looking up session ID in our cache.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1530 */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1531 if( ssl->handshake->resume == 0 &&
1532 ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +0200[diff] [blame]1533 ssl->session_negotiate->length != 0 &&
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1534 ssl->f_get_cache != NULL &&
1535 ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
1536 {
1537 ssl->handshake->resume = 1;
1538 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1539
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1540 if( ssl->handshake->resume == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1541 {
1542 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1543 * New session, create a new session id,
1544 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1545 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1546 ssl->state++;
1547
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1548#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1549 if( ssl->handshake->new_session_ticket == 0 )
1550 {
1551 ssl->session_negotiate->length = n = 32;
1552 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1553 n ) ) != 0 )
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1554 return( ret );
1555 }
1556 else
1557 {
Paul Bakkerf0e39ac2013-08-15 11:40:48 +0200[diff] [blame]1558 ssl->session_negotiate->length = n = 0;
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1559 memset( ssl->session_negotiate->id, 0, 32 );
1560 }
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1561#else
1562 ssl->session_negotiate->length = n = 32;
1563 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
1564 n ) ) != 0 )
1565 return( ret );
1566#endif /* POLARSSL_SSL_SESSION_TICKETS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1567 }
1568 else
1569 {
1570 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1571 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1572 */
Paul Bakkerf0e39ac2013-08-15 11:40:48 +0200[diff] [blame]1573 n = ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1574 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1575
1576 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1577 {
1578 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1579 return( ret );
1580 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1581 }
1582
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1583 /*
1584 * 38 . 38 session id length
1585 * 39 . 38+n session id
1586 * 39+n . 40+n chosen ciphersuite
1587 * 41+n . 41+n chosen compression alg.
1588 * 42+n . 43+n extensions length
1589 * 44+n . 43+n+m extensions
1590 */
1591 *p++ = (unsigned char) ssl->session_negotiate->length;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1592 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
1593 p += ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1594
1595 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1596 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
1597 SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]1598 ssl->handshake->resume ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1599
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1600 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
1601 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
1602 *p++ = (unsigned char)( ssl->session_negotiate->compression );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1603
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1604 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1605 ssl->session_negotiate->ciphersuite ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1606 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1607 ssl->session_negotiate->compression ) );
1608
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1609 /*
1610 * First write extensions, then the total length
1611 */
1612 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1613 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1614
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1615#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1616 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1617 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1618#endif
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1619
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1620#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1621 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1622 ext_len += olen;
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1623#endif
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1624
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1625#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1626 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1627 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1628#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1629
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1630#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1631 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1632 ext_len += olen;
1633#endif
1634
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1635 SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1636
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1637 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1638 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1639 p += ext_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1640
1641 ssl->out_msglen = p - buf;
1642 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1643 ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
1644
1645 ret = ssl_write_record( ssl );
1646
1647 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
1648
1649 return( ret );
1650}
1651
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1652#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1653 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1654 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1655static int ssl_write_certificate_request( ssl_context *ssl )
1656{
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]1657 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1658 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1659
1660 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1661
1662 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1663 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1664 {
1665 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1666 ssl->state++;
1667 return( 0 );
1668 }
1669
1670 return( ret );
1671}
1672#else
1673static int ssl_write_certificate_request( ssl_context *ssl )
1674{
1675 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1676 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1677 size_t n = 0, dn_size, total_dn_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1678 unsigned char *buf, *p;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1679 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1680
1681 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1682
1683 ssl->state++;
1684
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]1685 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1686 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]1687 ssl->authmode == SSL_VERIFY_NONE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1688 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1689 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1690 return( 0 );
1691 }
1692
1693 /*
1694 * 0 . 0 handshake type
1695 * 1 . 3 handshake length
1696 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1697 * 5 .. m-1 cert types
1698 * m .. m+1 sig alg length (TLS 1.2 only)
1699 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1700 * n .. n+1 length of all DNs
1701 * n+2 .. n+3 length of DN 1
1702 * n+4 .. ... Distinguished Name #1
1703 * ... .. ... length of DN 2, etc.
1704 */
1705 buf = ssl->out_msg;
1706 p = buf + 4;
1707
1708 /*
1709 * At the moment, only RSA certificates are supported
1710 */
1711 *p++ = 1;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1712 *p++ = SSL_CERT_TYPE_RSA_SIGN;
1713
1714 /*
1715 * Add signature_algorithms for verify (TLS 1.2)
1716 * Only add current running algorithm that is already required for
1717 * requested ciphersuite.
1718 *
1719 * Length is always 2
1720 */
Paul Bakker21dca692013-01-03 11:41:08 +0100[diff] [blame]1721 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1722 {
1723 ssl->handshake->verify_sig_alg = SSL_HASH_SHA256;
1724
1725 *p++ = 0;
1726 *p++ = 2;
1727
Paul Bakkerb7149bc2013-03-20 15:30:09 +0100[diff] [blame]1728 if( ssl->transform_negotiate->ciphersuite_info->mac ==
1729 POLARSSL_MD_SHA384 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1730 {
1731 ssl->handshake->verify_sig_alg = SSL_HASH_SHA384;
1732 }
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]1733
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1734 *p++ = ssl->handshake->verify_sig_alg;
1735 *p++ = SSL_SIG_RSA;
1736
1737 n += 4;
1738 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1739
1740 p += 2;
1741 crt = ssl->ca_chain;
1742
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]1743 total_dn_size = 0;
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]1744 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1745 {
1746 if( p - buf > 4096 )
1747 break;
1748
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1749 dn_size = crt->subject_raw.len;
1750 *p++ = (unsigned char)( dn_size >> 8 );
1751 *p++ = (unsigned char)( dn_size );
1752 memcpy( p, crt->subject_raw.p, dn_size );
1753 p += dn_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1754
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1755 SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
1756
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]1757 total_dn_size += 2 + dn_size;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1758 crt = crt->next;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1759 }
1760
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1761 ssl->out_msglen = p - buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1762 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1763 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1764 ssl->out_msg[6 + n] = (unsigned char)( total_dn_size >> 8 );
1765 ssl->out_msg[7 + n] = (unsigned char)( total_dn_size );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1766
1767 ret = ssl_write_record( ssl );
1768
1769 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
1770
1771 return( ret );
1772}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1773#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
1774 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
1775 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1776
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1777static int ssl_write_server_key_exchange( ssl_context *ssl )
1778{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1779 int ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1780 size_t n = 0, len;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1781 unsigned char hash[64];
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1782 md_type_t md_alg = POLARSSL_MD_NONE;
Paul Bakker35a7fe52012-10-31 09:07:14 +0000[diff] [blame]1783 unsigned int hashlen = 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1784 unsigned char *p = ssl->out_msg + 4;
1785 unsigned char *dig_sig = p;
1786 size_t dig_sig_len = 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1787
1788 const ssl_ciphersuite_t *ciphersuite_info;
1789 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1790
1791 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
1792
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1793 if( ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_RSA &&
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1794 ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_ECDHE_RSA &&
1795 ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1796 {
1797 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
1798 ssl->state++;
1799 return( 0 );
1800 }
1801
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1802#if defined(POLARSSL_RSA_C)
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1803 if( ssl->rsa_key == NULL )
1804 {
Paul Bakkereb2c6582012-09-27 19:15:01 +0000[diff] [blame]1805 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
1806 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1807 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1808#endif /* POLARSSL_RSA_C */
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1809
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1810#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1811 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1812 {
1813 /* TODO: Support identity hints */
1814 *(p++) = 0x00;
1815 *(p++) = 0x00;
1816
1817 n += 2;
1818 }
1819#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1820
1821#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1822 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1823 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1824 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1825 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1826 /*
1827 * Ephemeral DH parameters:
1828 *
1829 * struct {
1830 * opaque dh_p<1..2^16-1>;
1831 * opaque dh_g<1..2^16-1>;
1832 * opaque dh_Ys<1..2^16-1>;
1833 * } ServerDHParams;
1834 */
1835 if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
1836 ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
1837 {
1838 SSL_DEBUG_RET( 1, "mpi_copy", ret );
1839 return( ret );
1840 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1841
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1842 if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
1843 mpi_size( &ssl->handshake->dhm_ctx.P ),
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1844 p,
1845 &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1846 {
1847 SSL_DEBUG_RET( 1, "dhm_make_params", ret );
1848 return( ret );
1849 }
1850
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1851 dig_sig = p;
1852 dig_sig_len = len;
1853
1854 p += len;
1855 n += len;
1856
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1857 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
1858 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1859 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1860 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
1861 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1862#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1863 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1864
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1865#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1866 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1867 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1868 /*
1869 * Ephemeral ECDH parameters:
1870 *
1871 * struct {
1872 * ECParameters curve_params;
1873 * ECPoint public;
1874 * } ServerECDHParams;
1875 */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1876 if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
1877 ssl->handshake->ec_curve ) ) != 0 )
1878 {
1879 SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
1880 return( ret );
1881 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1882
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1883 if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx,
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1884 &len,
1885 p,
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1886 1000, ssl->f_rng, ssl->p_rng ) ) != 0 )
1887 {
1888 SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
1889 return( ret );
1890 }
1891
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1892 dig_sig = p;
1893 dig_sig_len = len;
1894
1895 p += len;
1896 n += len;
1897
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1898 SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
1899 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1900#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1901
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1902#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1903 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
1904 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1905 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1906 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1907 size_t rsa_key_len = 0;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1908
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1909 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1910 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1911 md5_context md5;
1912 sha1_context sha1;
1913
1914 /*
1915 * digitally-signed struct {
1916 * opaque md5_hash[16];
1917 * opaque sha_hash[20];
1918 * };
1919 *
1920 * md5_hash
1921 * MD5(ClientHello.random + ServerHello.random
1922 * + ServerParams);
1923 * sha_hash
1924 * SHA(ClientHello.random + ServerHello.random
1925 * + ServerParams);
1926 */
1927 md5_starts( &md5 );
1928 md5_update( &md5, ssl->handshake->randbytes, 64 );
1929 md5_update( &md5, dig_sig, dig_sig_len );
1930 md5_finish( &md5, hash );
1931
1932 sha1_starts( &sha1 );
1933 sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1934 sha1_update( &sha1, dig_sig, dig_sig_len );
1935 sha1_finish( &sha1, hash + 16 );
1936
1937 hashlen = 36;
1938 md_alg = POLARSSL_MD_NONE;
1939 }
1940 else
1941 {
1942 md_context_t ctx;
1943
1944 /*
1945 * digitally-signed struct {
1946 * opaque client_random[32];
1947 * opaque server_random[32];
1948 * ServerDHParams params;
1949 * };
1950 */
1951 switch( ssl->handshake->sig_alg )
1952 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1953#if defined(POLARSSL_MD5_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1954 case SSL_HASH_MD5:
1955 md_alg = POLARSSL_MD_MD5;
1956 break;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1957#endif
1958#if defined(POLARSSL_SHA1_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1959 case SSL_HASH_SHA1:
1960 md_alg = POLARSSL_MD_SHA1;
1961 break;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1962#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]1963#if defined(POLARSSL_SHA256_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1964 case SSL_HASH_SHA224:
1965 md_alg = POLARSSL_MD_SHA224;
1966 break;
1967 case SSL_HASH_SHA256:
1968 md_alg = POLARSSL_MD_SHA256;
1969 break;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1970#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]1971#if defined(POLARSSL_SHA512_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1972 case SSL_HASH_SHA384:
1973 md_alg = POLARSSL_MD_SHA384;
1974 break;
1975 case SSL_HASH_SHA512:
1976 md_alg = POLARSSL_MD_SHA512;
1977 break;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1978#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1979 default:
1980 /* Should never happen */
1981 return( -1 );
1982 }
1983
1984 if( ( ret = md_init_ctx( &ctx, md_info_from_type( md_alg ) ) ) != 0 )
1985 {
1986 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
1987 return( ret );
1988 }
1989
1990 md_starts( &ctx );
1991 md_update( &ctx, ssl->handshake->randbytes, 64 );
1992 md_update( &ctx, dig_sig, dig_sig_len );
1993 md_finish( &ctx, hash );
Paul Bakker61d113b2013-07-04 11:51:43 +0200[diff] [blame]1994
1995 if( ( ret = md_free_ctx( &ctx ) ) != 0 )
1996 {
1997 SSL_DEBUG_RET( 1, "md_free_ctx", ret );
1998 return( ret );
1999 }
2000
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2001 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2002
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2003 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
2004
2005 if ( ssl->rsa_key )
2006 rsa_key_len = ssl->rsa_key_len( ssl->rsa_key );
2007
2008 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2009 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2010 *(p++) = ssl->handshake->sig_alg;
2011 *(p++) = SSL_SIG_RSA;
2012
2013 n += 2;
2014 }
2015
2016 *(p++) = (unsigned char)( rsa_key_len >> 8 );
2017 *(p++) = (unsigned char)( rsa_key_len );
2018 n += 2;
2019
2020 if ( ssl->rsa_key )
2021 {
2022 ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
2023 RSA_PRIVATE, md_alg, hashlen, hash, p );
2024 }
2025
2026 if( ret != 0 )
2027 {
2028 SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2029 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2030 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2031
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2032 SSL_DEBUG_BUF( 3, "my RSA sig", p, rsa_key_len );
2033
2034 p += rsa_key_len;
2035 n += rsa_key_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2036 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2037#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
2038 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2039
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2040 ssl->out_msglen = 4 + n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2041 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2042 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE;
2043
2044 ssl->state++;
2045
2046 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2047 {
2048 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2049 return( ret );
2050 }
2051
2052 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
2053
2054 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2055}
2056
2057static int ssl_write_server_hello_done( ssl_context *ssl )
2058{
2059 int ret;
2060
2061 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
2062
2063 ssl->out_msglen = 4;
2064 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2065 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE;
2066
2067 ssl->state++;
2068
2069 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2070 {
2071 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2072 return( ret );
2073 }
2074
2075 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
2076
2077 return( 0 );
2078}
2079
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2080#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2081 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2082static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
2083 const unsigned char *end )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2084{
2085 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2086 size_t n;
2087
2088 /*
2089 * Receive G^Y mod P, premaster = (G^Y)^X mod P
2090 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2091 if( *p + 2 > end )
2092 {
2093 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2094 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2095 }
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2096
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2097 n = ( (*p)[0] << 8 ) | (*p)[1];
2098 *p += 2;
2099
2100 if( n < 1 || n > ssl->handshake->dhm_ctx.len || *p + n > end )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2101 {
2102 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2103 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2104 }
2105
2106 if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx,
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2107 *p, n ) ) != 0 )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2108 {
2109 SSL_DEBUG_RET( 1, "dhm_read_public", ret );
2110 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2111 }
2112
2113 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2114
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2115 return( ret );
2116}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2117#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2118 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2119
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2120#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2121static int ssl_parse_client_ecdh_public( ssl_context *ssl )
2122{
2123 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2124 size_t n;
2125
2126 /*
2127 * Receive client public key and calculate premaster
2128 */
2129 n = ssl->in_msg[3];
2130
2131 if( n < 1 || n > mpi_size( &ssl->handshake->ecdh_ctx.grp.P ) * 2 + 2 ||
2132 n + 4 != ssl->in_hslen )
2133 {
2134 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2135 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2136 }
2137
2138 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2139 ssl->in_msg + 4, n ) ) != 0 )
2140 {
2141 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2142 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2143 }
2144
2145 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2146
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2147 return( ret );
2148}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2149#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2150
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2151#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2152static int ssl_parse_encrypted_pms_secret( ssl_context *ssl )
2153{
2154 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2155 size_t i, n = 0;
2156
2157 if( ssl->rsa_key == NULL )
2158 {
2159 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2160 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2161 }
2162
2163 /*
2164 * Decrypt the premaster using own private RSA key
2165 */
2166 i = 4;
2167 if( ssl->rsa_key )
2168 n = ssl->rsa_key_len( ssl->rsa_key );
2169 ssl->handshake->pmslen = 48;
2170
2171 if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
2172 {
2173 i += 2;
2174 if( ssl->in_msg[4] != ( ( n >> 8 ) & 0xFF ) ||
2175 ssl->in_msg[5] != ( ( n ) & 0xFF ) )
2176 {
2177 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2178 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2179 }
2180 }
2181
2182 if( ssl->in_hslen != i + n )
2183 {
2184 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2185 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2186 }
2187
2188 if( ssl->rsa_key ) {
2189 ret = ssl->rsa_decrypt( ssl->rsa_key, RSA_PRIVATE,
2190 &ssl->handshake->pmslen,
2191 ssl->in_msg + i,
2192 ssl->handshake->premaster,
2193 sizeof(ssl->handshake->premaster) );
2194 }
2195
2196 if( ret != 0 || ssl->handshake->pmslen != 48 ||
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]2197 ssl->handshake->premaster[0] != ssl->handshake->max_major_ver ||
2198 ssl->handshake->premaster[1] != ssl->handshake->max_minor_ver )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2199 {
2200 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2201
2202 /*
2203 * Protection against Bleichenbacher's attack:
2204 * invalid PKCS#1 v1.5 padding must not cause
2205 * the connection to end immediately; instead,
2206 * send a bad_record_mac later in the handshake.
2207 */
2208 ssl->handshake->pmslen = 48;
2209
2210 ret = ssl->f_rng( ssl->p_rng, ssl->handshake->premaster,
2211 ssl->handshake->pmslen );
2212 if( ret != 0 )
2213 return( ret );
2214 }
2215
2216 return( ret );
2217}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2218#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2219
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2220#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
2221 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2222static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
2223 const unsigned char *end )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2224{
2225 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2226 size_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2227
2228 if( ssl->psk == NULL || ssl->psk_identity == NULL ||
2229 ssl->psk_identity_len == 0 || ssl->psk_len == 0 )
2230 {
2231 SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
2232 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2233 }
2234
2235 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2236 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2237 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2238 if( *p + 2 > end )
2239 {
2240 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2241 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2242 }
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2243
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2244 n = ( (*p)[0] << 8 ) | (*p)[1];
2245 *p += 2;
2246
2247 if( n < 1 || n > 65535 || *p + n > end )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2248 {
2249 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2250 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2251 }
2252
2253 if( n != ssl->psk_identity_len ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2254 memcmp( ssl->psk_identity, *p, n ) != 0 )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2255 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2256 SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2257 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2258 }
2259
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2260 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2261 ret = 0;
2262
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2263 return( ret );
2264}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2265#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED ||
2266 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2267
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2268static int ssl_parse_client_key_exchange( ssl_context *ssl )
2269{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2270 int ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2271 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2272 unsigned char *p, *end;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2273
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2274 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2275
2276 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
2277
2278 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2279 {
2280 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2281 return( ret );
2282 }
2283
2284 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2285 {
2286 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2287 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2288 }
2289
2290 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
2291 {
2292 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2293 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2294 }
2295
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2296 p = ssl->in_msg + 4;
2297 end = ssl->in_msg + ssl->in_msglen;
2298
2299#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2300 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2301 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2302 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2303 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2304 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2305 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2306 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2307
2308 ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
2309
2310 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2311 ssl->handshake->premaster,
2312 &ssl->handshake->pmslen ) ) != 0 )
2313 {
2314 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2315 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2316 }
2317
2318 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2319 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2320 else
2321#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
2322#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
2323 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2324 {
2325 if( ( ret = ssl_parse_client_ecdh_public( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2326 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2327 SSL_DEBUG_RET( 1, ( "ssl_parse_client_ecdh_public" ), ret );
2328 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2329 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2330
2331 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2332 &ssl->handshake->pmslen,
2333 ssl->handshake->premaster,
2334 POLARSSL_MPI_MAX_SIZE ) ) != 0 )
2335 {
2336 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
2337 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2338 }
2339
2340 SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2341 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2342 else
2343#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2344#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2345 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2346 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2347 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2348 {
2349 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2350 return( ret );
2351 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2352
2353 // Set up the premaster secret
2354 //
2355 p = ssl->handshake->premaster;
2356 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2357 *(p++) = (unsigned char)( ssl->psk_len );
2358 p += ssl->psk_len;
2359
2360 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2361 *(p++) = (unsigned char)( ssl->psk_len );
2362 memcpy( p, ssl->psk, ssl->psk_len );
2363 p += ssl->psk_len;
2364
2365 ssl->handshake->pmslen = 4 + 2 * ssl->psk_len;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2366 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2367 else
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2368#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
2369#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2370 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2371 {
2372 size_t n;
2373
2374 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2375 {
2376 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2377 return( ret );
2378 }
2379 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2380 {
2381 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2382 return( ret );
2383 }
2384
2385 // Set up the premaster secret
2386 //
2387 p = ssl->handshake->premaster;
2388 *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len >> 8 );
2389 *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len );
2390
2391 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2392 p, &n ) ) != 0 )
2393 {
2394 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2395 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2396 }
2397
2398 if( n != ssl->handshake->dhm_ctx.len )
2399 {
2400 SSL_DEBUG_MSG( 1, ( "dhm_calc_secret result smaller than DHM" ) );
2401 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
2402 }
2403
2404 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2405
2406 p += ssl->handshake->dhm_ctx.len;
2407
2408 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2409 *(p++) = (unsigned char)( ssl->psk_len );
2410 memcpy( p, ssl->psk, ssl->psk_len );
2411 p += ssl->psk_len;
2412
2413 ssl->handshake->pmslen = 4 + ssl->handshake->dhm_ctx.len + ssl->psk_len;
2414 }
2415 else
2416#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2417#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2418 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2419 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2420 if( ( ret = ssl_parse_encrypted_pms_secret( ssl ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2421 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2422 SSL_DEBUG_RET( 1, ( "ssl_parse_client_ecdh_public" ), ret );
2423 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2424 }
2425 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2426 else
2427#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2428 {
2429 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
2430 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2431
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2432 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2433 {
2434 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2435 return( ret );
2436 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2437
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2438 ssl->state++;
2439
2440 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
2441
2442 return( 0 );
2443}
2444
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2445#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2446 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2447 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2448static int ssl_parse_certificate_verify( ssl_context *ssl )
2449{
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2450 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2451 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2452
2453 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2454
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2455 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2456 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2457 {
2458 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2459 ssl->state++;
2460 return( 0 );
2461 }
2462
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2463 return( ret );
2464}
2465#else
2466static int ssl_parse_certificate_verify( ssl_context *ssl )
2467{
2468 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2469 size_t n = 0, n1, n2;
2470 unsigned char hash[48];
2471 md_type_t md_alg = POLARSSL_MD_NONE;
2472 unsigned int hashlen = 0;
2473 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2474
2475 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2476
2477 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2478 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2479 {
2480 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2481 ssl->state++;
2482 return( 0 );
2483 }
2484
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2485 if( ssl->session_negotiate->peer_cert == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2486 {
2487 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2488 ssl->state++;
2489 return( 0 );
2490 }
2491
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2492 ssl->handshake->calc_verify( ssl, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2493
2494 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2495 {
2496 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2497 return( ret );
2498 }
2499
2500 ssl->state++;
2501
2502 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2503 {
2504 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2505 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2506 }
2507
2508 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
2509 {
2510 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2511 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2512 }
2513
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2514 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2515 {
2516 /*
2517 * As server we know we either have SSL_HASH_SHA384 or
2518 * SSL_HASH_SHA256
2519 */
2520 if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg ||
2521 ssl->in_msg[5] != SSL_SIG_RSA )
2522 {
2523 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg for verify message" ) );
2524 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
2525 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2526
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2527 if( ssl->handshake->verify_sig_alg == SSL_HASH_SHA384 )
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2528 md_alg = POLARSSL_MD_SHA384;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2529 else
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2530 md_alg = POLARSSL_MD_SHA256;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2531
2532 n += 2;
2533 }
2534 else
2535 {
2536 hashlen = 36;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2537 md_alg = POLARSSL_MD_NONE;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2538 }
2539
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2540 /* EC NOT IMPLEMENTED YET */
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +0200[diff] [blame]2541 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2542 POLARSSL_PK_RSA ) )
2543 {
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2544 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +0200[diff] [blame]2545 }
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2546
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +0200[diff] [blame]2547 n1 = pk_get_size( &ssl->session_negotiate->peer_cert->pk ) / 8;
Paul Bakker78ce5072012-11-23 14:23:53 +0100[diff] [blame]2548 n2 = ( ssl->in_msg[4 + n] << 8 ) | ssl->in_msg[5 + n];
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2549
2550 if( n + n1 + 6 != ssl->in_hslen || n1 != n2 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2551 {
2552 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2553 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2554 }
2555
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2556 ret = rsa_pkcs1_verify( pk_rsa( ssl->session_negotiate->peer_cert->pk ),
2557 RSA_PUBLIC, md_alg, hashlen, hash,
2558 ssl->in_msg + 6 + n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2559 if( ret != 0 )
2560 {
2561 SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
2562 return( ret );
2563 }
2564
2565 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
2566
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2567 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2568}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2569#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2570 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2571 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2572
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2573#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2574static int ssl_write_new_session_ticket( ssl_context *ssl )
2575{
2576 int ret;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2577 size_t tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2578
2579 SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
2580
2581 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2582 ssl->out_msg[0] = SSL_HS_NEW_SESSION_TICKET;
2583
2584 /*
2585 * struct {
2586 * uint32 ticket_lifetime_hint;
2587 * opaque ticket<0..2^16-1>;
2588 * } NewSessionTicket;
2589 *
2590 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
2591 * 8 . 9 ticket_len (n)
2592 * 10 . 9+n ticket content
2593 */
2594 ssl->out_msg[4] = 0x00;
2595 ssl->out_msg[5] = 0x00;
2596 ssl->out_msg[6] = 0x00;
2597 ssl->out_msg[7] = 0x00;
2598
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]2599 if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
2600 {
2601 SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
2602 tlen = 0;
2603 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2604
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2605 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
2606 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2607
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2608 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2609
2610 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2611 {
2612 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2613 return( ret );
2614 }
2615
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2616 /* No need to remember writing a NewSessionTicket any more */
2617 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2618
2619 SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
2620
2621 return( 0 );
2622}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2623#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2624
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2625/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2626 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2627 */
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2628int ssl_handshake_server_step( ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2629{
2630 int ret = 0;
2631
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2632 if( ssl->state == SSL_HANDSHAKE_OVER )
2633 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2634
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2635 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
2636
2637 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2638 return( ret );
2639
2640 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2641 {
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2642 case SSL_HELLO_REQUEST:
2643 ssl->state = SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2644 break;
2645
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2646 /*
2647 * <== ClientHello
2648 */
2649 case SSL_CLIENT_HELLO:
2650 ret = ssl_parse_client_hello( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2651 break;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2652
2653 /*
2654 * ==> ServerHello
2655 * Certificate
2656 * ( ServerKeyExchange )
2657 * ( CertificateRequest )
2658 * ServerHelloDone
2659 */
2660 case SSL_SERVER_HELLO:
2661 ret = ssl_write_server_hello( ssl );
2662 break;
2663
2664 case SSL_SERVER_CERTIFICATE:
2665 ret = ssl_write_certificate( ssl );
2666 break;
2667
2668 case SSL_SERVER_KEY_EXCHANGE:
2669 ret = ssl_write_server_key_exchange( ssl );
2670 break;
2671
2672 case SSL_CERTIFICATE_REQUEST:
2673 ret = ssl_write_certificate_request( ssl );
2674 break;
2675
2676 case SSL_SERVER_HELLO_DONE:
2677 ret = ssl_write_server_hello_done( ssl );
2678 break;
2679
2680 /*
2681 * <== ( Certificate/Alert )
2682 * ClientKeyExchange
2683 * ( CertificateVerify )
2684 * ChangeCipherSpec
2685 * Finished
2686 */
2687 case SSL_CLIENT_CERTIFICATE:
2688 ret = ssl_parse_certificate( ssl );
2689 break;
2690
2691 case SSL_CLIENT_KEY_EXCHANGE:
2692 ret = ssl_parse_client_key_exchange( ssl );
2693 break;
2694
2695 case SSL_CERTIFICATE_VERIFY:
2696 ret = ssl_parse_certificate_verify( ssl );
2697 break;
2698
2699 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
2700 ret = ssl_parse_change_cipher_spec( ssl );
2701 break;
2702
2703 case SSL_CLIENT_FINISHED:
2704 ret = ssl_parse_finished( ssl );
2705 break;
2706
2707 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2708 * ==> ( NewSessionTicket )
2709 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2710 * Finished
2711 */
2712 case SSL_SERVER_CHANGE_CIPHER_SPEC:
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2713#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2714 if( ssl->handshake->new_session_ticket != 0 )
2715 ret = ssl_write_new_session_ticket( ssl );
2716 else
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2717#endif
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2718 ret = ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2719 break;
2720
2721 case SSL_SERVER_FINISHED:
2722 ret = ssl_write_finished( ssl );
2723 break;
2724
2725 case SSL_FLUSH_BUFFERS:
2726 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2727 ssl->state = SSL_HANDSHAKE_WRAPUP;
2728 break;
2729
2730 case SSL_HANDSHAKE_WRAPUP:
2731 ssl_handshake_wrapup( ssl );
2732 break;
2733
2734 default:
2735 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2736 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2737 }
2738
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2739 return( ret );
2740}
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2741#endif