blob: df7709bd47b2b4b5773be136f5a9f68b90f6e98d [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
2 * SSLv3/TLSv1 server-side functions
3 *
Paul Bakker68884e32013-01-07 18:20:04 +01004 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +00005 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +00007 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +00008 *
Paul Bakker77b385e2009-07-28 17:23:11 +00009 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +000010 *
Paul Bakker5121ce52009-01-03 21:22:43 +000011 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
Paul Bakker40e46942009-01-03 21:51:57 +000026#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000027
Paul Bakker40e46942009-01-03 21:51:57 +000028#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000029
Paul Bakker40e46942009-01-03 21:51:57 +000030#include "polarssl/debug.h"
31#include "polarssl/ssl.h"
Paul Bakker41c83d32013-03-20 14:39:14 +010032#if defined(POLARSSL_ECP_C)
33#include "polarssl/ecp.h"
34#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000035
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020036#if defined(POLARSSL_MEMORY_C)
37#include "polarssl/memory.h"
38#else
39#define polarssl_malloc malloc
40#define polarssl_free free
41#endif
42
Paul Bakker5121ce52009-01-03 21:22:43 +000043#include <stdlib.h>
44#include <stdio.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +020045
46#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +000047#include <time.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +020048#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000049
Paul Bakkera503a632013-08-14 13:48:06 +020050#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020051/*
52 * Serialize a session in the following format:
53 * 0 . n-1 session structure, n = sizeof(ssl_session)
54 * n . n+2 peer_cert length = m (0 if no certificate)
55 * n+3 . n+2+m peer cert ASN.1
56 *
57 * Assumes ticket is NULL (always true on server side).
58 */
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020059static int ssl_save_session( const ssl_session *session,
60 unsigned char *buf, size_t buf_len,
61 size_t *olen )
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020062{
63 unsigned char *p = buf;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020064 size_t left = buf_len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +020065#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020066 size_t cert_len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +020067#endif /* POLARSSL_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020068
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020069 if( left < sizeof( ssl_session ) )
70 return( -1 );
71
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020072 memcpy( p, session, sizeof( ssl_session ) );
73 p += sizeof( ssl_session );
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020074 left -= sizeof( ssl_session );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020075
Paul Bakker7c6b2c32013-09-16 13:49:26 +020076#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020077 ((ssl_session *) buf)->peer_cert = NULL;
78
79 if( session->peer_cert == NULL )
80 cert_len = 0;
81 else
82 cert_len = session->peer_cert->raw.len;
83
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020084 if( left < 3 + cert_len )
85 return( -1 );
86
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020087 *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
88 *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
89 *p++ = (unsigned char)( cert_len & 0xFF );
90
91 if( session->peer_cert != NULL )
92 memcpy( p, session->peer_cert->raw.p, cert_len );
93
94 p += cert_len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +020095#endif /* POLARSSL_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020096
97 *olen = p - buf;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020098
99 return( 0 );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200100}
101
102/*
103 * Unserialise session, see ssl_save_session()
104 */
105static int ssl_load_session( ssl_session *session,
106 const unsigned char *buf, size_t len )
107{
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200108 const unsigned char *p = buf;
109 const unsigned char * const end = buf + len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200110#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200111 size_t cert_len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200112#endif /* POLARSSL_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200113
114 if( p + sizeof( ssl_session ) > end )
115 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
116
117 memcpy( session, p, sizeof( ssl_session ) );
118 p += sizeof( ssl_session );
119
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200120#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200121 if( p + 3 > end )
122 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
123
124 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
125 p += 3;
126
127 if( cert_len == 0 )
128 {
129 session->peer_cert = NULL;
130 }
131 else
132 {
Paul Bakker2292d1f2013-09-15 17:06:49 +0200133 int ret;
134
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200135 if( p + cert_len > end )
136 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
137
Paul Bakkerc559c7a2013-09-18 14:13:26 +0200138 session->peer_cert = polarssl_malloc( sizeof( x509_crt ) );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200139
140 if( session->peer_cert == NULL )
141 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
142
Paul Bakkerb6b09562013-09-18 14:17:41 +0200143 x509_crt_init( session->peer_cert );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200144
Paul Bakkerddf26b42013-09-18 13:46:23 +0200145 if( ( ret = x509_crt_parse( session->peer_cert, p, cert_len ) ) != 0 )
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200146 {
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200147 x509_crt_free( session->peer_cert );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200148 polarssl_free( session->peer_cert );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200149 session->peer_cert = NULL;
150 return( ret );
151 }
152
153 p += cert_len;
154 }
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200155#endif /* POLARSSL_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200156
157 if( p != end )
158 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
159
160 return( 0 );
161}
162
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200163/*
164 * Create session ticket, secured as recommended in RFC 5077 section 4:
165 *
166 * struct {
167 * opaque key_name[16];
168 * opaque iv[16];
169 * opaque encrypted_state<0..2^16-1>;
170 * opaque mac[32];
171 * } ticket;
172 *
173 * (the internal state structure differs, however).
174 */
175static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
176{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200177 int ret;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200178 unsigned char * const start = ssl->out_msg + 10;
179 unsigned char *p = start;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200180 unsigned char *state;
181 unsigned char iv[16];
182 size_t clear_len, enc_len, pad_len, i;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200183
Manuel Pégourié-Gonnard0a201712013-08-23 16:25:16 +0200184 *tlen = 0;
185
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200186 if( ssl->ticket_keys == NULL )
187 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
188
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200189 /* Write key name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200190 memcpy( p, ssl->ticket_keys->key_name, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200191 p += 16;
192
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200193 /* Generate and write IV (with a copy for aes_crypt) */
194 if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
195 return( ret );
196 memcpy( iv, p, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200197 p += 16;
198
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200199 /*
200 * Dump session state
201 *
202 * After the session state itself, we still need room for 16 bytes of
203 * padding and 32 bytes of MAC, so there's only so much room left
204 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200205 state = p + 2;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200206 if( ssl_save_session( ssl->session_negotiate, state,
207 SSL_MAX_CONTENT_LEN - (state - ssl->out_ctr) - 48,
208 &clear_len ) != 0 )
209 {
210 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
211 }
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200212 SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200213
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200214 /* Apply PKCS padding */
215 pad_len = 16 - clear_len % 16;
216 enc_len = clear_len + pad_len;
217 for( i = clear_len; i < enc_len; i++ )
218 state[i] = (unsigned char) pad_len;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200219
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200220 /* Encrypt */
221 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
222 enc_len, iv, state, state ) ) != 0 )
223 {
224 return( ret );
225 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200226
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200227 /* Write length */
228 *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
229 *p++ = (unsigned char)( ( enc_len ) & 0xFF );
230 p = state + enc_len;
231
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200232 /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
233 sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200234 p += 32;
235
236 *tlen = p - start;
237
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200238 SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200239
240 return( 0 );
241}
242
243/*
244 * Load session ticket (see ssl_write_ticket for structure)
245 */
246static int ssl_parse_ticket( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200247 unsigned char *buf,
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200248 size_t len )
249{
250 int ret;
251 ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200252 unsigned char *key_name = buf;
253 unsigned char *iv = buf + 16;
254 unsigned char *enc_len_p = iv + 16;
255 unsigned char *ticket = enc_len_p + 2;
256 unsigned char *mac;
Manuel Pégourié-Gonnard34ced2d2013-09-20 11:37:39 +0200257 unsigned char computed_mac[32];
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200258 size_t enc_len, clear_len, i;
259 unsigned char pad_len;
260
261 SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200262
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200263 if( len < 34 || ssl->ticket_keys == NULL )
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200264 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
265
266 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
267 mac = ticket + enc_len;
268
269 if( len != enc_len + 66 )
270 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
271
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200272 /* Check name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200273 if( memcmp( key_name, ssl->ticket_keys->key_name, 16 ) != 0 )
274 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200275
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200276 /* Check mac */
277 sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
278 computed_mac, 0 );
279 ret = 0;
280 for( i = 0; i < 32; i++ )
281 if( mac[i] != computed_mac[i] )
282 ret = POLARSSL_ERR_SSL_INVALID_MAC;
283 if( ret != 0 )
284 return( ret );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200285
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200286 /* Decrypt */
287 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
288 enc_len, iv, ticket, ticket ) ) != 0 )
289 {
290 return( ret );
291 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200292
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200293 /* Check PKCS padding */
294 pad_len = ticket[enc_len - 1];
295
296 ret = 0;
297 for( i = 2; i < pad_len; i++ )
298 if( ticket[enc_len - i] != pad_len )
299 ret = POLARSSL_ERR_SSL_BAD_INPUT_DATA;
300 if( ret != 0 )
301 return( ret );
302
303 clear_len = enc_len - pad_len;
304
305 SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
306
307 /* Actually load session */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200308 if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
309 {
310 SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
311 memset( &session, 0, sizeof( ssl_session ) );
312 return( ret );
313 }
314
Paul Bakker606b4ba2013-08-14 16:52:14 +0200315#if defined(POLARSSL_HAVE_TIME)
316 /* Check if still valid */
317 if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
318 {
319 SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
320 memset( &session, 0, sizeof( ssl_session ) );
321 return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED );
322 }
323#endif
324
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200325 /*
326 * Keep the session ID sent by the client, since we MUST send it back to
327 * inform him we're accepting the ticket (RFC 5077 section 3.4)
328 */
329 session.length = ssl->session_negotiate->length;
330 memcpy( &session.id, ssl->session_negotiate->id, session.length );
331
332 ssl_session_free( ssl->session_negotiate );
333 memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
334 memset( &session, 0, sizeof( ssl_session ) );
335
336 return( 0 );
337}
Paul Bakkera503a632013-08-14 13:48:06 +0200338#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200339
Paul Bakker0be444a2013-08-27 21:55:01 +0200340#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
Paul Bakker5701cdc2012-09-27 21:49:42 +0000341static int ssl_parse_servername_ext( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000342 const unsigned char *buf,
Paul Bakker5701cdc2012-09-27 21:49:42 +0000343 size_t len )
344{
345 int ret;
346 size_t servername_list_size, hostname_len;
Paul Bakker23f36802012-09-28 14:15:14 +0000347 const unsigned char *p;
Paul Bakker5701cdc2012-09-27 21:49:42 +0000348
349 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
350 if( servername_list_size + 2 != len )
351 {
352 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
353 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
354 }
355
356 p = buf + 2;
357 while( servername_list_size > 0 )
358 {
359 hostname_len = ( ( p[1] << 8 ) | p[2] );
360 if( hostname_len + 3 > servername_list_size )
361 {
362 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
363 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
364 }
365
366 if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
367 {
368 ret = ssl->f_sni( ssl->p_sni, ssl, p + 3, hostname_len );
369 if( ret != 0 )
370 {
371 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
372 SSL_ALERT_MSG_UNRECOGNIZED_NAME );
373 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
374 }
Paul Bakker81420ab2012-10-23 10:31:15 +0000375 return( 0 );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000376 }
377
378 servername_list_size -= hostname_len + 3;
Paul Bakker23f36802012-09-28 14:15:14 +0000379 p += hostname_len + 3;
380 }
381
382 if( servername_list_size != 0 )
383 {
384 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
385 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000386 }
387
388 return( 0 );
389}
Paul Bakker0be444a2013-08-27 21:55:01 +0200390#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +0000391
Paul Bakker48916f92012-09-16 19:57:18 +0000392static int ssl_parse_renegotiation_info( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000393 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +0000394 size_t len )
395{
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000396 int ret;
397
Paul Bakker48916f92012-09-16 19:57:18 +0000398 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
399 {
400 if( len != 1 || buf[0] != 0x0 )
401 {
402 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000403
404 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
405 return( ret );
406
Paul Bakker48916f92012-09-16 19:57:18 +0000407 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
408 }
409
410 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
411 }
412 else
413 {
414 if( len != 1 + ssl->verify_data_len ||
415 buf[0] != ssl->verify_data_len ||
416 memcmp( buf + 1, ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
417 {
418 SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000419
420 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
421 return( ret );
422
Paul Bakker48916f92012-09-16 19:57:18 +0000423 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
424 }
425 }
426
427 return( 0 );
428}
429
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200430#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker23f36802012-09-28 14:15:14 +0000431static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
432 const unsigned char *buf,
433 size_t len )
434{
435 size_t sig_alg_list_size;
436 const unsigned char *p;
437
438 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
439 if( sig_alg_list_size + 2 != len ||
440 sig_alg_list_size %2 != 0 )
441 {
442 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
443 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
444 }
445
446 p = buf + 2;
447 while( sig_alg_list_size > 0 )
448 {
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200449 /*
450 * For now, just ignore signature algorithm and rely on offered
451 * ciphersuites only. To be fixed later.
452 */
Paul Bakker9e36f042013-06-30 14:34:05 +0200453#if defined(POLARSSL_SHA512_C)
Paul Bakker23f36802012-09-28 14:15:14 +0000454 if( p[0] == SSL_HASH_SHA512 )
455 {
456 ssl->handshake->sig_alg = SSL_HASH_SHA512;
457 break;
458 }
459 if( p[0] == SSL_HASH_SHA384 )
460 {
461 ssl->handshake->sig_alg = SSL_HASH_SHA384;
462 break;
463 }
464#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200465#if defined(POLARSSL_SHA256_C)
Paul Bakker23f36802012-09-28 14:15:14 +0000466 if( p[0] == SSL_HASH_SHA256 )
467 {
468 ssl->handshake->sig_alg = SSL_HASH_SHA256;
469 break;
470 }
471 if( p[0] == SSL_HASH_SHA224 )
472 {
473 ssl->handshake->sig_alg = SSL_HASH_SHA224;
474 break;
475 }
476#endif
477 if( p[0] == SSL_HASH_SHA1 )
478 {
479 ssl->handshake->sig_alg = SSL_HASH_SHA1;
480 break;
481 }
482 if( p[0] == SSL_HASH_MD5 )
483 {
484 ssl->handshake->sig_alg = SSL_HASH_MD5;
485 break;
486 }
487
488 sig_alg_list_size -= 2;
489 p += 2;
490 }
491
492 SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
493 ssl->handshake->sig_alg ) );
494
495 return( 0 );
496}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200497#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker23f36802012-09-28 14:15:14 +0000498
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200499#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200500static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
501 const unsigned char *buf,
502 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100503{
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200504 size_t list_size, our_size;
Paul Bakker41c83d32013-03-20 14:39:14 +0100505 const unsigned char *p;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200506 const ecp_curve_info *curve_info, **curves;
Paul Bakker41c83d32013-03-20 14:39:14 +0100507
508 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
509 if( list_size + 2 != len ||
510 list_size % 2 != 0 )
511 {
512 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
513 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
514 }
515
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200516 /* Don't allow our peer to make use allocated too much memory,
517 * and leave room for a final 0 */
518 our_size = list_size / 2 + 1;
519 if( our_size > POLARSSL_ECP_DP_MAX )
520 our_size = POLARSSL_ECP_DP_MAX;
521
522 if( ( curves = polarssl_malloc( our_size * sizeof( *curves ) ) ) == NULL )
523 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
524
525 memset( curves, 0, our_size * sizeof( *curves ) );
526 ssl->handshake->curves = curves;
527
Paul Bakker41c83d32013-03-20 14:39:14 +0100528 p = buf + 2;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200529 while( list_size > 0 && our_size > 1 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100530 {
Manuel Pégourié-Gonnardf24b4a72013-09-23 18:14:50 +0200531 curve_info = ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200532
Manuel Pégourié-Gonnardf24b4a72013-09-23 18:14:50 +0200533 if( curve_info != NULL )
Paul Bakker41c83d32013-03-20 14:39:14 +0100534 {
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200535 *curves++ = curve_info;
536 our_size--;
Paul Bakker41c83d32013-03-20 14:39:14 +0100537 }
538
539 list_size -= 2;
540 p += 2;
541 }
542
543 return( 0 );
544}
545
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200546static int ssl_parse_supported_point_formats( ssl_context *ssl,
547 const unsigned char *buf,
548 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100549{
550 size_t list_size;
551 const unsigned char *p;
552
553 list_size = buf[0];
554 if( list_size + 1 != len )
555 {
556 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
557 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
558 }
559
560 p = buf + 2;
561 while( list_size > 0 )
562 {
563 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
564 p[0] == POLARSSL_ECP_PF_COMPRESSED )
565 {
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200566 ssl->handshake->ecdh_ctx.point_format = p[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200567 SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
Paul Bakker41c83d32013-03-20 14:39:14 +0100568 return( 0 );
569 }
570
571 list_size--;
572 p++;
573 }
574
575 return( 0 );
576}
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200577#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Paul Bakker41c83d32013-03-20 14:39:14 +0100578
Paul Bakker05decb22013-08-15 13:33:48 +0200579#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200580static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
581 const unsigned char *buf,
582 size_t len )
583{
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200584 if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200585 {
586 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
587 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
588 }
589
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200590 ssl->session_negotiate->mfl_code = buf[0];
591
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200592 return( 0 );
593}
Paul Bakker05decb22013-08-15 13:33:48 +0200594#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200595
Paul Bakker1f2bc622013-08-15 13:45:55 +0200596#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200597static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
598 const unsigned char *buf,
599 size_t len )
600{
601 if( len != 0 )
602 {
603 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
604 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
605 }
606
607 ((void) buf);
608
609 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
610
611 return( 0 );
612}
Paul Bakker1f2bc622013-08-15 13:45:55 +0200613#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200614
Paul Bakkera503a632013-08-14 13:48:06 +0200615#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200616static int ssl_parse_session_ticket_ext( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200617 unsigned char *buf,
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200618 size_t len )
619{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200620 int ret;
621
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200622 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
623 return( 0 );
624
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200625 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200626 ssl->handshake->new_session_ticket = 1;
627
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200628 SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
629
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200630 if( len == 0 )
631 return( 0 );
632
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200633 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
634 {
635 SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
636 return( 0 );
637 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200638
639 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200640 * Failures are ok: just ignore the ticket and proceed.
641 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200642 if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
643 {
644 SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200645 return( 0 );
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200646 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200647
648 SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
649
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200650 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200651
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200652 /* Don't send a new ticket after all, this one is OK */
653 ssl->handshake->new_session_ticket = 0;
654
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200655 return( 0 );
656}
Paul Bakkera503a632013-08-14 13:48:06 +0200657#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200658
Paul Bakker78a8c712013-03-06 17:01:52 +0100659#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
660static int ssl_parse_client_hello_v2( ssl_context *ssl )
661{
662 int ret;
663 unsigned int i, j;
664 size_t n;
665 unsigned int ciph_len, sess_len, chal_len;
666 unsigned char *buf, *p;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200667 const int *ciphersuites;
Paul Bakker59c28a22013-06-29 15:33:42 +0200668 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker78a8c712013-03-06 17:01:52 +0100669
670 SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
671
672 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
673 {
674 SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
675
676 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
677 return( ret );
678
679 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
680 }
681
682 buf = ssl->in_hdr;
683
684 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
685
686 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
687 buf[2] ) );
688 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
689 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
690 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
691 buf[3], buf[4] ) );
692
693 /*
694 * SSLv2 Client Hello
695 *
696 * Record layer:
697 * 0 . 1 message length
698 *
699 * SSL layer:
700 * 2 . 2 message type
701 * 3 . 4 protocol version
702 */
703 if( buf[2] != SSL_HS_CLIENT_HELLO ||
704 buf[3] != SSL_MAJOR_VERSION_3 )
705 {
706 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
707 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
708 }
709
710 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
711
712 if( n < 17 || n > 512 )
713 {
714 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
715 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
716 }
717
718 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200719 ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
720 ? buf[4] : ssl->max_minor_ver;
Paul Bakker78a8c712013-03-06 17:01:52 +0100721
722 if( ssl->minor_ver < ssl->min_minor_ver )
723 {
724 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
725 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
726 ssl->min_major_ver, ssl->min_minor_ver ) );
727
728 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
729 SSL_ALERT_MSG_PROTOCOL_VERSION );
730 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
731 }
732
Paul Bakker2fbefde2013-06-29 16:01:15 +0200733 ssl->handshake->max_major_ver = buf[3];
734 ssl->handshake->max_minor_ver = buf[4];
Paul Bakker78a8c712013-03-06 17:01:52 +0100735
736 if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
737 {
738 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
739 return( ret );
740 }
741
742 ssl->handshake->update_checksum( ssl, buf + 2, n );
743
744 buf = ssl->in_msg;
745 n = ssl->in_left - 5;
746
747 /*
748 * 0 . 1 ciphersuitelist length
749 * 2 . 3 session id length
750 * 4 . 5 challenge length
751 * 6 . .. ciphersuitelist
752 * .. . .. session id
753 * .. . .. challenge
754 */
755 SSL_DEBUG_BUF( 4, "record contents", buf, n );
756
757 ciph_len = ( buf[0] << 8 ) | buf[1];
758 sess_len = ( buf[2] << 8 ) | buf[3];
759 chal_len = ( buf[4] << 8 ) | buf[5];
760
761 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
762 ciph_len, sess_len, chal_len ) );
763
764 /*
765 * Make sure each parameter length is valid
766 */
767 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
768 {
769 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
770 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
771 }
772
773 if( sess_len > 32 )
774 {
775 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
776 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
777 }
778
779 if( chal_len < 8 || chal_len > 32 )
780 {
781 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
782 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
783 }
784
785 if( n != 6 + ciph_len + sess_len + chal_len )
786 {
787 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
788 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
789 }
790
791 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
792 buf + 6, ciph_len );
793 SSL_DEBUG_BUF( 3, "client hello, session id",
794 buf + 6 + ciph_len, sess_len );
795 SSL_DEBUG_BUF( 3, "client hello, challenge",
796 buf + 6 + ciph_len + sess_len, chal_len );
797
798 p = buf + 6 + ciph_len;
799 ssl->session_negotiate->length = sess_len;
800 memset( ssl->session_negotiate->id, 0, sizeof( ssl->session_negotiate->id ) );
801 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
802
803 p += sess_len;
804 memset( ssl->handshake->randbytes, 0, 64 );
805 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
806
807 /*
808 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
809 */
810 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
811 {
812 if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
813 {
814 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
815 if( ssl->renegotiation == SSL_RENEGOTIATION )
816 {
817 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
818
819 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
820 return( ret );
821
822 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
823 }
824 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
825 break;
826 }
827 }
828
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200829 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
830 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker78a8c712013-03-06 17:01:52 +0100831 {
832 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
833 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100834 // Only allow non-ECC ciphersuites as we do not have extensions
835 //
Paul Bakker59c28a22013-06-29 15:33:42 +0200836 if( p[0] == 0 && p[1] == 0 &&
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200837 ( ( ciphersuites[i] >> 8 ) & 0xFF ) == 0 &&
838 p[2] == ( ciphersuites[i] & 0xFF ) )
Paul Bakker59c28a22013-06-29 15:33:42 +0200839 {
840 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
841
842 if( ciphersuite_info == NULL )
843 {
844 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
845 ciphersuites[i] ) );
846 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
847 }
848
Paul Bakker2fbefde2013-06-29 16:01:15 +0200849 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
850 ciphersuite_info->max_minor_ver < ssl->minor_ver )
851 continue;
Paul Bakker59c28a22013-06-29 15:33:42 +0200852
Paul Bakker78a8c712013-03-06 17:01:52 +0100853 goto have_ciphersuite_v2;
Paul Bakker59c28a22013-06-29 15:33:42 +0200854 }
Paul Bakker78a8c712013-03-06 17:01:52 +0100855 }
856 }
857
858 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
859
860 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
861
862have_ciphersuite_v2:
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200863 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker59c28a22013-06-29 15:33:42 +0200864 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +0100865 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
Paul Bakker78a8c712013-03-06 17:01:52 +0100866
867 /*
868 * SSLv2 Client Hello relevant renegotiation security checks
869 */
870 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
871 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
872 {
873 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
874
875 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
876 return( ret );
877
878 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
879 }
880
881 ssl->in_left = 0;
882 ssl->state++;
883
884 SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
885
886 return( 0 );
887}
888#endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
889
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200890#if defined(POLARSSL_X509_CRT_PARSE_C)
891#if defined(POLARSSL_ECDSA_C)
892static int ssl_key_matches_curves( pk_context *pk,
893 const ecp_curve_info **curves )
894{
895 const ecp_curve_info **crv = curves;
896 ecp_group_id grp_id = pk_ec( *pk )->grp.id;
897
898 while( *crv != NULL )
899 {
900 if( (*crv)->grp_id == grp_id )
901 return( 1 );
902 crv++;
903 }
904
905 return( 0 );
906}
907#endif /* POLARSSL_ECDSA_C */
908
909/*
910 * Try picking a certificate for this ciphersuite,
911 * return 0 on success and -1 on failure.
912 */
913static int ssl_pick_cert( ssl_context *ssl,
914 const ssl_ciphersuite_t * ciphersuite_info )
915{
916 ssl_key_cert *cur;
917 pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
918
919 if( pk_alg == POLARSSL_PK_NONE )
920 return( 0 );
921
922 for( cur = ssl->key_cert; cur != NULL; cur = cur->next )
923 {
924 if( ! pk_can_do( cur->key, pk_alg ) )
925 continue;
926
927#if defined(POLARSSL_ECDSA_C)
928 if( pk_alg == POLARSSL_PK_ECDSA )
929 {
930 if( ssl_key_matches_curves( cur->key, ssl->handshake->curves ) )
931 break;
932 }
933 else
934#endif
935 break;
936 }
937
938 if( cur == NULL )
939 return( -1 );
940
941 ssl->handshake->key_cert = cur;
942 return( 0 );
943}
944#endif /* POLARSSL_X509_CRT_PARSE_C */
945
Paul Bakker5121ce52009-01-03 21:22:43 +0000946static int ssl_parse_client_hello( ssl_context *ssl )
947{
Paul Bakker23986e52011-04-24 08:57:21 +0000948 int ret;
949 unsigned int i, j;
950 size_t n;
951 unsigned int ciph_len, sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +0000952 unsigned int comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000953 unsigned int ext_len = 0;
954 unsigned char *buf, *p, *ext;
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000955 int renegotiation_info_seen = 0;
956 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200957 const int *ciphersuites;
Paul Bakker41c83d32013-03-20 14:39:14 +0100958 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000959
960 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
961
Paul Bakker48916f92012-09-16 19:57:18 +0000962 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
963 ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000964 {
965 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
966 return( ret );
967 }
968
969 buf = ssl->in_hdr;
970
Paul Bakker78a8c712013-03-06 17:01:52 +0100971#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
972 if( ( buf[0] & 0x80 ) != 0 )
973 return ssl_parse_client_hello_v2( ssl );
974#endif
975
Paul Bakkerec636f32012-09-09 19:17:02 +0000976 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
977
978 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
979 buf[0] ) );
980 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
981 ( buf[3] << 8 ) | buf[4] ) );
982 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
983 buf[1], buf[2] ) );
984
985 /*
986 * SSLv3 Client Hello
987 *
988 * Record layer:
989 * 0 . 0 message type
990 * 1 . 2 protocol version
991 * 3 . 4 message length
992 */
993 if( buf[0] != SSL_MSG_HANDSHAKE ||
994 buf[1] != SSL_MAJOR_VERSION_3 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000995 {
Paul Bakkerec636f32012-09-09 19:17:02 +0000996 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
997 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
998 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000999
Paul Bakkerec636f32012-09-09 19:17:02 +00001000 n = ( buf[3] << 8 ) | buf[4];
Paul Bakker5121ce52009-01-03 21:22:43 +00001001
Manuel Pégourié-Gonnard72882b22013-08-02 13:36:00 +02001002 if( n < 45 || n > 2048 )
Paul Bakkerec636f32012-09-09 19:17:02 +00001003 {
1004 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1005 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1006 }
1007
Paul Bakker48916f92012-09-16 19:57:18 +00001008 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
1009 ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
Paul Bakkerec636f32012-09-09 19:17:02 +00001010 {
1011 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1012 return( ret );
1013 }
1014
1015 buf = ssl->in_msg;
Paul Bakker48916f92012-09-16 19:57:18 +00001016 if( !ssl->renegotiation )
1017 n = ssl->in_left - 5;
1018 else
1019 n = ssl->in_msglen;
Paul Bakkerec636f32012-09-09 19:17:02 +00001020
Paul Bakker48916f92012-09-16 19:57:18 +00001021 ssl->handshake->update_checksum( ssl, buf, n );
Paul Bakkerec636f32012-09-09 19:17:02 +00001022
1023 /*
1024 * SSL layer:
1025 * 0 . 0 handshake type
1026 * 1 . 3 handshake length
1027 * 4 . 5 protocol version
1028 * 6 . 9 UNIX time()
1029 * 10 . 37 random bytes
1030 * 38 . 38 session id length
1031 * 39 . 38+x session id
1032 * 39+x . 40+x ciphersuitelist length
1033 * 41+x . .. ciphersuitelist
1034 * .. . .. compression alg.
1035 * .. . .. extensions
1036 */
1037 SSL_DEBUG_BUF( 4, "record contents", buf, n );
1038
1039 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
1040 buf[0] ) );
1041 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
1042 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
1043 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
1044 buf[4], buf[5] ) );
1045
1046 /*
1047 * Check the handshake type and protocol version
1048 */
1049 if( buf[0] != SSL_HS_CLIENT_HELLO ||
1050 buf[4] != SSL_MAJOR_VERSION_3 )
1051 {
1052 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1053 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1054 }
1055
1056 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +02001057 ssl->minor_ver = ( buf[5] <= ssl->max_minor_ver )
1058 ? buf[5] : ssl->max_minor_ver;
Paul Bakkerec636f32012-09-09 19:17:02 +00001059
Paul Bakker1d29fb52012-09-28 13:28:45 +00001060 if( ssl->minor_ver < ssl->min_minor_ver )
1061 {
1062 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1063 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
Paul Bakker81420ab2012-10-23 10:31:15 +00001064 ssl->min_major_ver, ssl->min_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +00001065
1066 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1067 SSL_ALERT_MSG_PROTOCOL_VERSION );
1068
1069 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1070 }
1071
Paul Bakker2fbefde2013-06-29 16:01:15 +02001072 ssl->handshake->max_major_ver = buf[4];
1073 ssl->handshake->max_minor_ver = buf[5];
Paul Bakkerec636f32012-09-09 19:17:02 +00001074
Paul Bakker48916f92012-09-16 19:57:18 +00001075 memcpy( ssl->handshake->randbytes, buf + 6, 32 );
Paul Bakkerec636f32012-09-09 19:17:02 +00001076
1077 /*
1078 * Check the handshake message length
1079 */
1080 if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
1081 {
1082 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1083 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1084 }
1085
1086 /*
1087 * Check the session length
1088 */
1089 sess_len = buf[38];
1090
1091 if( sess_len > 32 )
1092 {
1093 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1094 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1095 }
1096
Paul Bakker48916f92012-09-16 19:57:18 +00001097 ssl->session_negotiate->length = sess_len;
1098 memset( ssl->session_negotiate->id, 0,
1099 sizeof( ssl->session_negotiate->id ) );
1100 memcpy( ssl->session_negotiate->id, buf + 39,
1101 ssl->session_negotiate->length );
Paul Bakkerec636f32012-09-09 19:17:02 +00001102
1103 /*
1104 * Check the ciphersuitelist length
1105 */
1106 ciph_len = ( buf[39 + sess_len] << 8 )
1107 | ( buf[40 + sess_len] );
1108
1109 if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
1110 {
1111 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1112 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1113 }
1114
1115 /*
1116 * Check the compression algorithms length
1117 */
1118 comp_len = buf[41 + sess_len + ciph_len];
1119
1120 if( comp_len < 1 || comp_len > 16 )
1121 {
1122 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1123 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1124 }
1125
Paul Bakker48916f92012-09-16 19:57:18 +00001126 /*
1127 * Check the extension length
1128 */
1129 if( n > 42 + sess_len + ciph_len + comp_len )
1130 {
1131 ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
1132 | ( buf[43 + sess_len + ciph_len + comp_len] );
1133
1134 if( ( ext_len > 0 && ext_len < 4 ) ||
1135 n != 44 + sess_len + ciph_len + comp_len + ext_len )
1136 {
1137 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1138 SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
1139 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1140 }
1141 }
1142
1143 ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
Paul Bakkerec636f32012-09-09 19:17:02 +00001144#if defined(POLARSSL_ZLIB_SUPPORT)
1145 for( i = 0; i < comp_len; ++i )
1146 {
Paul Bakker48916f92012-09-16 19:57:18 +00001147 if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
Paul Bakker5121ce52009-01-03 21:22:43 +00001148 {
Paul Bakker48916f92012-09-16 19:57:18 +00001149 ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE;
Paul Bakkerec636f32012-09-09 19:17:02 +00001150 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00001151 }
1152 }
Paul Bakker2770fbd2012-07-03 13:30:23 +00001153#endif
1154
Paul Bakkerec636f32012-09-09 19:17:02 +00001155 SSL_DEBUG_BUF( 3, "client hello, random bytes",
1156 buf + 6, 32 );
1157 SSL_DEBUG_BUF( 3, "client hello, session id",
1158 buf + 38, sess_len );
1159 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1160 buf + 41 + sess_len, ciph_len );
1161 SSL_DEBUG_BUF( 3, "client hello, compression",
1162 buf + 42 + sess_len + ciph_len, comp_len );
Paul Bakker5121ce52009-01-03 21:22:43 +00001163
Paul Bakkerec636f32012-09-09 19:17:02 +00001164 /*
Paul Bakker48916f92012-09-16 19:57:18 +00001165 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1166 */
1167 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1168 {
1169 if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
1170 {
1171 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1172 if( ssl->renegotiation == SSL_RENEGOTIATION )
1173 {
1174 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001175
1176 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1177 return( ret );
1178
Paul Bakker48916f92012-09-16 19:57:18 +00001179 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1180 }
1181 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
1182 break;
1183 }
1184 }
1185
Paul Bakker48916f92012-09-16 19:57:18 +00001186 ext = buf + 44 + sess_len + ciph_len + comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +00001187
1188 while( ext_len )
1189 {
1190 unsigned int ext_id = ( ( ext[0] << 8 )
1191 | ( ext[1] ) );
1192 unsigned int ext_size = ( ( ext[2] << 8 )
1193 | ( ext[3] ) );
1194
1195 if( ext_size + 4 > ext_len )
1196 {
1197 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1198 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1199 }
1200 switch( ext_id )
1201 {
Paul Bakker0be444a2013-08-27 21:55:01 +02001202#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
Paul Bakker5701cdc2012-09-27 21:49:42 +00001203 case TLS_EXT_SERVERNAME:
1204 SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1205 if( ssl->f_sni == NULL )
1206 break;
1207
1208 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1209 if( ret != 0 )
1210 return( ret );
1211 break;
Paul Bakker0be444a2013-08-27 21:55:01 +02001212#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +00001213
Paul Bakker48916f92012-09-16 19:57:18 +00001214 case TLS_EXT_RENEGOTIATION_INFO:
1215 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1216 renegotiation_info_seen = 1;
1217
Paul Bakker23f36802012-09-28 14:15:14 +00001218 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1219 if( ret != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +00001220 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +00001221 break;
Paul Bakker48916f92012-09-16 19:57:18 +00001222
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001223#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker23f36802012-09-28 14:15:14 +00001224 case TLS_EXT_SIG_ALG:
1225 SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1226 if( ssl->renegotiation == SSL_RENEGOTIATION )
1227 break;
1228
1229 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1230 if( ret != 0 )
1231 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +00001232 break;
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001233#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker48916f92012-09-16 19:57:18 +00001234
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +02001235#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakker41c83d32013-03-20 14:39:14 +01001236 case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
1237 SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1238
1239 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1240 if( ret != 0 )
1241 return( ret );
1242 break;
1243
1244 case TLS_EXT_SUPPORTED_POINT_FORMATS:
1245 SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1246
1247 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1248 if( ret != 0 )
1249 return( ret );
1250 break;
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +02001251#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Paul Bakker41c83d32013-03-20 14:39:14 +01001252
Paul Bakker05decb22013-08-15 13:33:48 +02001253#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +02001254 case TLS_EXT_MAX_FRAGMENT_LENGTH:
1255 SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1256
1257 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1258 if( ret != 0 )
1259 return( ret );
1260 break;
Paul Bakker05decb22013-08-15 13:33:48 +02001261#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +02001262
Paul Bakker1f2bc622013-08-15 13:45:55 +02001263#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001264 case TLS_EXT_TRUNCATED_HMAC:
1265 SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1266
1267 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1268 if( ret != 0 )
1269 return( ret );
1270 break;
Paul Bakker1f2bc622013-08-15 13:45:55 +02001271#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001272
Paul Bakkera503a632013-08-14 13:48:06 +02001273#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001274 case TLS_EXT_SESSION_TICKET:
1275 SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1276
1277 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1278 if( ret != 0 )
1279 return( ret );
1280 break;
Paul Bakkera503a632013-08-14 13:48:06 +02001281#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001282
Paul Bakker48916f92012-09-16 19:57:18 +00001283 default:
1284 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1285 ext_id ) );
1286 }
1287
1288 ext_len -= 4 + ext_size;
1289 ext += 4 + ext_size;
1290
1291 if( ext_len > 0 && ext_len < 4 )
1292 {
1293 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1294 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1295 }
1296 }
1297
1298 /*
1299 * Renegotiation security checks
1300 */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001301 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1302 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
1303 {
1304 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1305 handshake_failure = 1;
1306 }
1307 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1308 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
1309 renegotiation_info_seen == 0 )
Paul Bakker48916f92012-09-16 19:57:18 +00001310 {
1311 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001312 handshake_failure = 1;
Paul Bakker48916f92012-09-16 19:57:18 +00001313 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001314 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1315 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1316 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +00001317 {
1318 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001319 handshake_failure = 1;
1320 }
1321 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1322 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1323 renegotiation_info_seen == 1 )
1324 {
1325 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1326 handshake_failure = 1;
1327 }
1328
1329 if( handshake_failure == 1 )
1330 {
1331 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1332 return( ret );
1333
Paul Bakker48916f92012-09-16 19:57:18 +00001334 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1335 }
Paul Bakker380da532012-04-18 16:10:25 +00001336
Paul Bakker41c83d32013-03-20 14:39:14 +01001337 /*
1338 * Search for a matching ciphersuite
Manuel Pégourié-Gonnard3ebb2cd2013-09-23 17:00:18 +02001339 * (At the end because we need information from the EC-based extensions
1340 * and certificate from the SNI callback triggered by the SNI extension.)
Paul Bakker41c83d32013-03-20 14:39:14 +01001341 */
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001342 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1343 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker41c83d32013-03-20 14:39:14 +01001344 {
1345 for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
1346 j += 2, p += 2 )
1347 {
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001348 if( p[0] == ( ( ciphersuites[i] >> 8 ) & 0xFF ) &&
1349 p[1] == ( ( ciphersuites[i] ) & 0xFF ) )
Paul Bakker41c83d32013-03-20 14:39:14 +01001350 {
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001351 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
Paul Bakker41c83d32013-03-20 14:39:14 +01001352
1353 if( ciphersuite_info == NULL )
1354 {
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02001355 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found",
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001356 ciphersuites[i] ) );
Paul Bakker41c83d32013-03-20 14:39:14 +01001357 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
1358 }
1359
Paul Bakker2fbefde2013-06-29 16:01:15 +02001360 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
1361 ciphersuite_info->max_minor_ver < ssl->minor_ver )
1362 continue;
1363
Paul Bakker5fd49172013-08-19 13:29:26 +02001364#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard51451f82013-09-17 12:06:25 +02001365 if( ssl_ciphersuite_uses_ec( ciphersuite_info ) &&
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +02001366 ssl->handshake->curves[0] == NULL )
Paul Bakker41c83d32013-03-20 14:39:14 +01001367 continue;
Paul Bakker5fd49172013-08-19 13:29:26 +02001368#endif
Paul Bakker41c83d32013-03-20 14:39:14 +01001369
Manuel Pégourié-Gonnard3ebb2cd2013-09-23 17:00:18 +02001370#if defined(POLARSSL_X509_CRT_PARSE_C)
1371 /*
1372 * Final check: if ciphersuite requires us to have a
1373 * certificate/key of a particular type:
1374 * - select the appropriate certificate if we have one, or
1375 * - try the next ciphersuite if we don't
1376 * This must be done last since we modify the key_cert list.
1377 */
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +02001378 if( ssl_pick_cert( ssl, ciphersuite_info ) != 0 )
1379 continue;
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02001380#endif
Manuel Pégourié-Gonnard32ea60a2013-08-17 17:39:04 +02001381
Paul Bakker41c83d32013-03-20 14:39:14 +01001382 goto have_ciphersuite;
1383 }
1384 }
1385 }
1386
1387 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1388
1389 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1390 return( ret );
1391
1392 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
1393
1394have_ciphersuite:
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001395 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker41c83d32013-03-20 14:39:14 +01001396 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1397 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
1398
Paul Bakker5121ce52009-01-03 21:22:43 +00001399 ssl->in_left = 0;
1400 ssl->state++;
1401
1402 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1403
1404 return( 0 );
1405}
1406
Paul Bakker1f2bc622013-08-15 13:45:55 +02001407#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001408static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
1409 unsigned char *buf,
1410 size_t *olen )
1411{
1412 unsigned char *p = buf;
1413
1414 if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
1415 {
1416 *olen = 0;
1417 return;
1418 }
1419
1420 SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1421
1422 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
1423 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
1424
1425 *p++ = 0x00;
1426 *p++ = 0x00;
1427
1428 *olen = 4;
1429}
Paul Bakker1f2bc622013-08-15 13:45:55 +02001430#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001431
Paul Bakkera503a632013-08-14 13:48:06 +02001432#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001433static void ssl_write_session_ticket_ext( ssl_context *ssl,
1434 unsigned char *buf,
1435 size_t *olen )
1436{
1437 unsigned char *p = buf;
1438
1439 if( ssl->handshake->new_session_ticket == 0 )
1440 {
1441 *olen = 0;
1442 return;
1443 }
1444
1445 SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1446
1447 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
1448 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
1449
1450 *p++ = 0x00;
1451 *p++ = 0x00;
1452
1453 *olen = 4;
1454}
Paul Bakkera503a632013-08-14 13:48:06 +02001455#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001456
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +02001457static void ssl_write_renegotiation_ext( ssl_context *ssl,
1458 unsigned char *buf,
1459 size_t *olen )
1460{
1461 unsigned char *p = buf;
1462
1463 if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION )
1464 {
1465 *olen = 0;
1466 return;
1467 }
1468
1469 SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1470
1471 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
1472 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
1473
1474 *p++ = 0x00;
1475 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
1476 *p++ = ssl->verify_data_len * 2 & 0xFF;
1477
1478 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
1479 p += ssl->verify_data_len;
1480 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
1481 p += ssl->verify_data_len;
1482
1483 *olen = 5 + ssl->verify_data_len * 2;
1484}
1485
Paul Bakker05decb22013-08-15 13:33:48 +02001486#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001487static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
1488 unsigned char *buf,
1489 size_t *olen )
1490{
1491 unsigned char *p = buf;
1492
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +02001493 if( ssl->session_negotiate->mfl_code == SSL_MAX_FRAG_LEN_NONE )
1494 {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001495 *olen = 0;
1496 return;
1497 }
1498
1499 SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
1500
1501 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
1502 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
1503
1504 *p++ = 0x00;
1505 *p++ = 1;
1506
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +02001507 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001508
1509 *olen = 5;
1510}
Paul Bakker05decb22013-08-15 13:33:48 +02001511#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001512
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +02001513#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001514static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
1515 unsigned char *buf,
1516 size_t *olen )
1517{
1518 unsigned char *p = buf;
1519 ((void) ssl);
1520
1521 *olen = 0;
1522
1523 SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
1524
1525 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
1526 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
1527
1528 *p++ = 0x00;
1529 *p++ = 2;
1530
1531 *p++ = 1;
1532 *p++ = POLARSSL_ECP_PF_UNCOMPRESSED;
1533
1534 *olen = 6;
1535}
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +02001536#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001537
Paul Bakker5121ce52009-01-03 21:22:43 +00001538static int ssl_write_server_hello( ssl_context *ssl )
1539{
Paul Bakkerfa9b1002013-07-03 15:31:03 +02001540#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +00001541 time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +02001542#endif
Paul Bakkera3d195c2011-11-27 21:07:34 +00001543 int ret, n;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +02001544 size_t olen, ext_len = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +00001545 unsigned char *buf, *p;
1546
1547 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
1548
1549 /*
1550 * 0 . 0 handshake type
1551 * 1 . 3 handshake length
1552 * 4 . 5 protocol version
1553 * 6 . 9 UNIX time()
1554 * 10 . 37 random bytes
1555 */
1556 buf = ssl->out_msg;
1557 p = buf + 4;
1558
1559 *p++ = (unsigned char) ssl->major_ver;
1560 *p++ = (unsigned char) ssl->minor_ver;
1561
1562 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
1563 buf[4], buf[5] ) );
1564
Paul Bakkerfa9b1002013-07-03 15:31:03 +02001565#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +00001566 t = time( NULL );
1567 *p++ = (unsigned char)( t >> 24 );
1568 *p++ = (unsigned char)( t >> 16 );
1569 *p++ = (unsigned char)( t >> 8 );
1570 *p++ = (unsigned char)( t );
1571
1572 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
Paul Bakkerfa9b1002013-07-03 15:31:03 +02001573#else
1574 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
1575 return( ret );
1576
1577 p += 4;
1578#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001579
Paul Bakkera3d195c2011-11-27 21:07:34 +00001580 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
1581 return( ret );
1582
1583 p += 28;
Paul Bakker5121ce52009-01-03 21:22:43 +00001584
Paul Bakker48916f92012-09-16 19:57:18 +00001585 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +00001586
1587 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
1588
1589 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001590 * Resume is 0 by default, see ssl_handshake_init().
1591 * It may be already set to 1 by ssl_parse_session_ticket_ext().
1592 * If not, try looking up session ID in our cache.
Paul Bakker5121ce52009-01-03 21:22:43 +00001593 */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001594 if( ssl->handshake->resume == 0 &&
1595 ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +02001596 ssl->session_negotiate->length != 0 &&
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001597 ssl->f_get_cache != NULL &&
1598 ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
1599 {
1600 ssl->handshake->resume = 1;
1601 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001602
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001603 if( ssl->handshake->resume == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001604 {
1605 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001606 * New session, create a new session id,
1607 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +00001608 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001609 ssl->state++;
1610
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +02001611#if defined(POLARSSL_HAVE_TIME)
1612 ssl->session_negotiate->start = time( NULL );
1613#endif
1614
Paul Bakkera503a632013-08-14 13:48:06 +02001615#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +02001616 if( ssl->handshake->new_session_ticket != 0 )
1617 {
1618 ssl->session_negotiate->length = n = 0;
1619 memset( ssl->session_negotiate->id, 0, 32 );
1620 }
1621 else
1622#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001623 {
1624 ssl->session_negotiate->length = n = 32;
1625 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
Paul Bakkera503a632013-08-14 13:48:06 +02001626 n ) ) != 0 )
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001627 return( ret );
1628 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001629 }
1630 else
1631 {
1632 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001633 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +00001634 */
Paul Bakkerf0e39ac2013-08-15 11:40:48 +02001635 n = ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +00001636 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +00001637
1638 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1639 {
1640 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1641 return( ret );
1642 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001643 }
1644
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001645 /*
1646 * 38 . 38 session id length
1647 * 39 . 38+n session id
1648 * 39+n . 40+n chosen ciphersuite
1649 * 41+n . 41+n chosen compression alg.
1650 * 42+n . 43+n extensions length
1651 * 44+n . 43+n+m extensions
1652 */
1653 *p++ = (unsigned char) ssl->session_negotiate->length;
Paul Bakker48916f92012-09-16 19:57:18 +00001654 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
1655 p += ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +00001656
1657 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1658 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
1659 SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Paul Bakker0a597072012-09-25 21:55:46 +00001660 ssl->handshake->resume ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001661
Paul Bakker48916f92012-09-16 19:57:18 +00001662 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
1663 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
1664 *p++ = (unsigned char)( ssl->session_negotiate->compression );
Paul Bakker5121ce52009-01-03 21:22:43 +00001665
Manuel Pégourié-Gonnard51451f82013-09-17 12:06:25 +02001666 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
1667 ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
Manuel Pégourié-Gonnard32ea60a2013-08-17 17:39:04 +02001668 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
Paul Bakker48916f92012-09-16 19:57:18 +00001669 ssl->session_negotiate->compression ) );
1670
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +02001671 /*
1672 * First write extensions, then the total length
1673 */
1674 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1675 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +00001676
Paul Bakker05decb22013-08-15 13:33:48 +02001677#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001678 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1679 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +02001680#endif
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001681
Paul Bakker1f2bc622013-08-15 13:45:55 +02001682#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001683 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1684 ext_len += olen;
Paul Bakker1f2bc622013-08-15 13:45:55 +02001685#endif
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001686
Paul Bakkera503a632013-08-14 13:48:06 +02001687#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001688 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1689 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +02001690#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001691
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +02001692#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001693 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1694 ext_len += olen;
1695#endif
1696
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +02001697 SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
Paul Bakker48916f92012-09-16 19:57:18 +00001698
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +02001699 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1700 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1701 p += ext_len;
Paul Bakker5121ce52009-01-03 21:22:43 +00001702
1703 ssl->out_msglen = p - buf;
1704 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1705 ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
1706
1707 ret = ssl_write_record( ssl );
1708
1709 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
1710
1711 return( ret );
1712}
1713
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001714#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1715 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
Manuel Pégourié-Gonnarda3104592013-09-17 21:17:44 +02001716 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
1717 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +00001718static int ssl_write_certificate_request( ssl_context *ssl )
1719{
Paul Bakkered27a042013-04-18 22:46:23 +02001720 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1721 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001722
1723 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1724
1725 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1726 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1727 {
1728 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1729 ssl->state++;
1730 return( 0 );
1731 }
1732
Manuel Pégourié-Gonnarda3104592013-09-17 21:17:44 +02001733 SSL_DEBUG_MSG( 1, ( "should not happen" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001734 return( ret );
1735}
1736#else
1737static int ssl_write_certificate_request( ssl_context *ssl )
1738{
1739 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1740 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001741 size_t dn_size, total_dn_size; /* excluding length bytes */
1742 size_t ct_len, sa_len; /* including length bytes */
Paul Bakker5121ce52009-01-03 21:22:43 +00001743 unsigned char *buf, *p;
Paul Bakkerc559c7a2013-09-18 14:13:26 +02001744 const x509_crt *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +00001745
1746 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1747
1748 ssl->state++;
1749
Paul Bakkerfbb17802013-04-17 19:10:21 +02001750 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001751 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
Paul Bakkerfbb17802013-04-17 19:10:21 +02001752 ssl->authmode == SSL_VERIFY_NONE )
Paul Bakker5121ce52009-01-03 21:22:43 +00001753 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001754 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001755 return( 0 );
1756 }
1757
1758 /*
1759 * 0 . 0 handshake type
1760 * 1 . 3 handshake length
1761 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +01001762 * 5 .. m-1 cert types
1763 * m .. m+1 sig alg length (TLS 1.2 only)
1764 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +00001765 * n .. n+1 length of all DNs
1766 * n+2 .. n+3 length of DN 1
1767 * n+4 .. ... Distinguished Name #1
1768 * ... .. ... length of DN 2, etc.
1769 */
1770 buf = ssl->out_msg;
1771 p = buf + 4;
1772
1773 /*
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001774 * Supported certificate types
1775 *
1776 * ClientCertificateType certificate_types<1..2^8-1>;
1777 * enum { (255) } ClientCertificateType;
Paul Bakker5121ce52009-01-03 21:22:43 +00001778 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001779 ct_len = 0;
Paul Bakker926af752012-11-23 13:38:07 +01001780
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001781#if defined(POLARSSL_RSA_C)
1782 p[1 + ct_len++] = SSL_CERT_TYPE_RSA_SIGN;
1783#endif
1784#if defined(POLARSSL_ECDSA_C)
1785 p[1 + ct_len++] = SSL_CERT_TYPE_ECDSA_SIGN;
1786#endif
1787
1788 p[0] = ct_len++;
1789 p += ct_len;
Paul Bakker926af752012-11-23 13:38:07 +01001790
Paul Bakker577e0062013-08-28 11:57:20 +02001791 sa_len = 0;
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001792#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker926af752012-11-23 13:38:07 +01001793 /*
1794 * Add signature_algorithms for verify (TLS 1.2)
Paul Bakker926af752012-11-23 13:38:07 +01001795 *
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001796 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
1797 *
1798 * struct {
1799 * HashAlgorithm hash;
1800 * SignatureAlgorithm signature;
1801 * } SignatureAndHashAlgorithm;
1802 *
1803 * enum { (255) } HashAlgorithm;
1804 * enum { (255) } SignatureAlgorithm;
Paul Bakker926af752012-11-23 13:38:07 +01001805 */
Paul Bakker21dca692013-01-03 11:41:08 +01001806 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +01001807 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001808 /*
1809 * Only use current running hash algorithm that is already required
1810 * for requested ciphersuite.
1811 */
Paul Bakker926af752012-11-23 13:38:07 +01001812 ssl->handshake->verify_sig_alg = SSL_HASH_SHA256;
1813
Paul Bakkerb7149bc2013-03-20 15:30:09 +01001814 if( ssl->transform_negotiate->ciphersuite_info->mac ==
1815 POLARSSL_MD_SHA384 )
Paul Bakker926af752012-11-23 13:38:07 +01001816 {
1817 ssl->handshake->verify_sig_alg = SSL_HASH_SHA384;
1818 }
Paul Bakkerf7abd422013-04-16 13:15:56 +02001819
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001820 /*
1821 * Supported signature algorithms
1822 */
1823#if defined(POLARSSL_RSA_C)
1824 p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
1825 p[2 + sa_len++] = SSL_SIG_RSA;
1826#endif
1827#if defined(POLARSSL_ECDSA_C)
1828 p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
1829 p[2 + sa_len++] = SSL_SIG_ECDSA;
1830#endif
Paul Bakker926af752012-11-23 13:38:07 +01001831
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001832 p[0] = (unsigned char)( sa_len >> 8 );
1833 p[1] = (unsigned char)( sa_len );
1834 sa_len += 2;
1835 p += sa_len;
Paul Bakker926af752012-11-23 13:38:07 +01001836 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001837#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001838
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001839 /*
1840 * DistinguishedName certificate_authorities<0..2^16-1>;
1841 * opaque DistinguishedName<1..2^16-1>;
1842 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001843 p += 2;
1844 crt = ssl->ca_chain;
1845
Paul Bakkerbc3d9842012-11-26 16:12:02 +01001846 total_dn_size = 0;
Paul Bakker29087132010-03-21 21:03:34 +00001847 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00001848 {
1849 if( p - buf > 4096 )
1850 break;
1851
Paul Bakker926af752012-11-23 13:38:07 +01001852 dn_size = crt->subject_raw.len;
1853 *p++ = (unsigned char)( dn_size >> 8 );
1854 *p++ = (unsigned char)( dn_size );
1855 memcpy( p, crt->subject_raw.p, dn_size );
1856 p += dn_size;
Paul Bakker5121ce52009-01-03 21:22:43 +00001857
Paul Bakker926af752012-11-23 13:38:07 +01001858 SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
1859
Paul Bakkerbc3d9842012-11-26 16:12:02 +01001860 total_dn_size += 2 + dn_size;
Paul Bakker926af752012-11-23 13:38:07 +01001861 crt = crt->next;
Paul Bakker5121ce52009-01-03 21:22:43 +00001862 }
1863
Paul Bakker926af752012-11-23 13:38:07 +01001864 ssl->out_msglen = p - buf;
Paul Bakker5121ce52009-01-03 21:22:43 +00001865 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1866 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001867 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
1868 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
Paul Bakker5121ce52009-01-03 21:22:43 +00001869
1870 ret = ssl_write_record( ssl );
1871
1872 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
1873
1874 return( ret );
1875}
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001876#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
1877 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
1878 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00001879
Paul Bakker41c83d32013-03-20 14:39:14 +01001880static int ssl_write_server_key_exchange( ssl_context *ssl )
1881{
Paul Bakker23986e52011-04-24 08:57:21 +00001882 int ret;
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +02001883 size_t n = 0;
Paul Bakker2292d1f2013-09-15 17:06:49 +02001884 const ssl_ciphersuite_t *ciphersuite_info;
1885
1886#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1887 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
1888 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1889 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +02001890 unsigned char *p = ssl->out_msg + 4;
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02001891 unsigned char *dig_signed = p;
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +02001892 size_t dig_signed_len = 0, len;
Paul Bakker2292d1f2013-09-15 17:06:49 +02001893 ((void) dig_signed);
1894 ((void) dig_signed_len);
1895#endif
Paul Bakker41c83d32013-03-20 14:39:14 +01001896
Paul Bakker41c83d32013-03-20 14:39:14 +01001897 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00001898
1899 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
1900
Paul Bakker41c83d32013-03-20 14:39:14 +01001901 if( ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_RSA &&
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001902 ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_ECDHE_RSA &&
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02001903 ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA &&
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001904 ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +00001905 {
1906 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
1907 ssl->state++;
1908 return( 0 );
1909 }
1910
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001911#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1912 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1913 {
1914 /* TODO: Support identity hints */
1915 *(p++) = 0x00;
1916 *(p++) = 0x00;
1917
1918 n += 2;
1919 }
1920#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1921
1922#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1923 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1924 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1925 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48916f92012-09-16 19:57:18 +00001926 {
Paul Bakker41c83d32013-03-20 14:39:14 +01001927 /*
1928 * Ephemeral DH parameters:
1929 *
1930 * struct {
1931 * opaque dh_p<1..2^16-1>;
1932 * opaque dh_g<1..2^16-1>;
1933 * opaque dh_Ys<1..2^16-1>;
1934 * } ServerDHParams;
1935 */
1936 if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
1937 ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
1938 {
1939 SSL_DEBUG_RET( 1, "mpi_copy", ret );
1940 return( ret );
1941 }
Paul Bakker48916f92012-09-16 19:57:18 +00001942
Paul Bakker41c83d32013-03-20 14:39:14 +01001943 if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
1944 mpi_size( &ssl->handshake->dhm_ctx.P ),
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001945 p,
1946 &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +01001947 {
1948 SSL_DEBUG_RET( 1, "dhm_make_params", ret );
1949 return( ret );
1950 }
1951
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02001952 dig_signed = p;
1953 dig_signed_len = len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001954
1955 p += len;
1956 n += len;
1957
Paul Bakker41c83d32013-03-20 14:39:14 +01001958 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
1959 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1960 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1961 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
1962 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001963#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1964 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +01001965
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02001966#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1967 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1968 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
1969 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
Paul Bakker5121ce52009-01-03 21:22:43 +00001970 {
Paul Bakker41c83d32013-03-20 14:39:14 +01001971 /*
1972 * Ephemeral ECDH parameters:
1973 *
1974 * struct {
1975 * ECParameters curve_params;
1976 * ECPoint public;
1977 * } ServerECDHParams;
1978 */
Paul Bakker41c83d32013-03-20 14:39:14 +01001979 if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +02001980 ssl->handshake->curves[0]->grp_id ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +01001981 {
1982 SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
1983 return( ret );
1984 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001985
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +02001986 SSL_DEBUG_MSG( 2, ( "ECDH curve size: %d",
1987 (int) ssl->handshake->ecdh_ctx.grp.nbits ) );
1988
Paul Bakker41c83d32013-03-20 14:39:14 +01001989 if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx,
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001990 &len,
1991 p,
Paul Bakker41c83d32013-03-20 14:39:14 +01001992 1000, ssl->f_rng, ssl->p_rng ) ) != 0 )
1993 {
1994 SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
1995 return( ret );
1996 }
1997
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02001998 dig_signed = p;
1999 dig_signed_len = len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002000
2001 p += len;
2002 n += len;
2003
Paul Bakker41c83d32013-03-20 14:39:14 +01002004 SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
2005 }
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002006#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2007 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00002008
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002009#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002010 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2011 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002012 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002013 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2014 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
Paul Bakker1ef83d62012-04-11 12:09:53 +00002015 {
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002016 size_t signature_len = 0;
Paul Bakker2292d1f2013-09-15 17:06:49 +02002017 unsigned int hashlen = 0;
2018 unsigned char hash[64];
2019 md_type_t md_alg = POLARSSL_MD_NONE;
Paul Bakker23f36802012-09-28 14:15:14 +00002020
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002021 /*
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002022 * Choose hash algorithm. NONE means MD5 + SHA1 here.
2023 */
Paul Bakker577e0062013-08-28 11:57:20 +02002024#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002025 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2026 {
2027 md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg );
2028
2029 if( md_alg == POLARSSL_MD_NONE )
2030 {
2031 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2032 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
2033 }
2034 }
Paul Bakker577e0062013-08-28 11:57:20 +02002035 else
2036#endif
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002037#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2038 defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakker577e0062013-08-28 11:57:20 +02002039 if ( ciphersuite_info->key_exchange ==
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002040 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
2041 {
2042 md_alg = POLARSSL_MD_SHA1;
2043 }
2044 else
Paul Bakker577e0062013-08-28 11:57:20 +02002045#endif
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002046 {
2047 md_alg = POLARSSL_MD_NONE;
2048 }
2049
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002050 /*
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002051 * Compute the hash to be signed
2052 */
Paul Bakker577e0062013-08-28 11:57:20 +02002053#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2054 defined(POLARSSL_SSL_PROTO_TLS1_1)
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002055 if( md_alg == POLARSSL_MD_NONE )
Paul Bakker23f36802012-09-28 14:15:14 +00002056 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002057 md5_context md5;
2058 sha1_context sha1;
2059
2060 /*
2061 * digitally-signed struct {
2062 * opaque md5_hash[16];
2063 * opaque sha_hash[20];
2064 * };
2065 *
2066 * md5_hash
2067 * MD5(ClientHello.random + ServerHello.random
2068 * + ServerParams);
2069 * sha_hash
2070 * SHA(ClientHello.random + ServerHello.random
2071 * + ServerParams);
2072 */
2073 md5_starts( &md5 );
2074 md5_update( &md5, ssl->handshake->randbytes, 64 );
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002075 md5_update( &md5, dig_signed, dig_signed_len );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002076 md5_finish( &md5, hash );
2077
2078 sha1_starts( &sha1 );
2079 sha1_update( &sha1, ssl->handshake->randbytes, 64 );
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002080 sha1_update( &sha1, dig_signed, dig_signed_len );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002081 sha1_finish( &sha1, hash + 16 );
2082
2083 hashlen = 36;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002084 }
2085 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002086#endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
2087 POLARSSL_SSL_PROTO_TLS1_1 */
Paul Bakker9659dae2013-08-28 16:21:34 +02002088#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2089 defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker577e0062013-08-28 11:57:20 +02002090 if( md_alg != POLARSSL_MD_NONE )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002091 {
2092 md_context_t ctx;
2093
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +02002094 /* Info from md_alg will be used instead */
2095 hashlen = 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002096
2097 /*
2098 * digitally-signed struct {
2099 * opaque client_random[32];
2100 * opaque server_random[32];
2101 * ServerDHParams params;
2102 * };
2103 */
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +02002104 if( ( ret = md_init_ctx( &ctx, md_info_from_type(md_alg) ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002105 {
2106 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
2107 return( ret );
2108 }
2109
2110 md_starts( &ctx );
2111 md_update( &ctx, ssl->handshake->randbytes, 64 );
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002112 md_update( &ctx, dig_signed, dig_signed_len );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002113 md_finish( &ctx, hash );
Paul Bakker61d113b2013-07-04 11:51:43 +02002114
2115 if( ( ret = md_free_ctx( &ctx ) ) != 0 )
2116 {
2117 SSL_DEBUG_RET( 1, "md_free_ctx", ret );
2118 return( ret );
2119 }
2120
Paul Bakker23f36802012-09-28 14:15:14 +00002121 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002122 else
Paul Bakker9659dae2013-08-28 16:21:34 +02002123#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2124 POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +02002125 {
2126 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002127 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker577e0062013-08-28 11:57:20 +02002128 }
Paul Bakkerc70b9822013-04-07 22:00:46 +02002129
Manuel Pégourié-Gonnard9cc6f5c2013-08-27 14:29:44 +02002130 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
2131 (unsigned int) ( md_info_from_type( md_alg ) )->size );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002132
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002133 /*
2134 * Make the signature
2135 */
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002136 if( ssl_own_key( ssl ) == NULL )
Paul Bakker23f36802012-09-28 14:15:14 +00002137 {
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002138 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2139 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002140 }
Paul Bakker23f36802012-09-28 14:15:14 +00002141
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002142#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker23f36802012-09-28 14:15:14 +00002143 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2144 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002145 *(p++) = ssl->handshake->sig_alg;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002146 *(p++) = ssl_sig_from_pk( ssl_own_key( ssl ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002147
2148 n += 2;
2149 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002150#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002151
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002152 if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash, hashlen,
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02002153 p + 2 , &signature_len,
2154 ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002155 {
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02002156 SSL_DEBUG_RET( 1, "pk_sign", ret );
Paul Bakkerc70b9822013-04-07 22:00:46 +02002157 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +00002158 }
Paul Bakkerc70b9822013-04-07 22:00:46 +02002159
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002160 *(p++) = (unsigned char)( signature_len >> 8 );
2161 *(p++) = (unsigned char)( signature_len );
Paul Bakkerbf63b362012-04-12 20:44:34 +00002162 n += 2;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002163
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002164 SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
Paul Bakker48916f92012-09-16 19:57:18 +00002165
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002166 p += signature_len;
2167 n += signature_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +00002168 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002169#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002170 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2171 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +00002172
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002173 ssl->out_msglen = 4 + n;
Paul Bakker5121ce52009-01-03 21:22:43 +00002174 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2175 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE;
2176
2177 ssl->state++;
2178
2179 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2180 {
2181 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2182 return( ret );
2183 }
2184
2185 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
2186
2187 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002188}
2189
2190static int ssl_write_server_hello_done( ssl_context *ssl )
2191{
2192 int ret;
2193
2194 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
2195
2196 ssl->out_msglen = 4;
2197 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2198 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE;
2199
2200 ssl->state++;
2201
2202 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2203 {
2204 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2205 return( ret );
2206 }
2207
2208 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
2209
2210 return( 0 );
2211}
2212
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002213#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2214 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2215static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
2216 const unsigned char *end )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002217{
2218 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +02002219 size_t n;
2220
2221 /*
2222 * Receive G^Y mod P, premaster = (G^Y)^X mod P
2223 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002224 if( *p + 2 > end )
2225 {
2226 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2227 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2228 }
Paul Bakker70df2fb2013-04-17 17:19:09 +02002229
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002230 n = ( (*p)[0] << 8 ) | (*p)[1];
2231 *p += 2;
2232
2233 if( n < 1 || n > ssl->handshake->dhm_ctx.len || *p + n > end )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002234 {
2235 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2236 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2237 }
2238
2239 if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx,
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002240 *p, n ) ) != 0 )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002241 {
2242 SSL_DEBUG_RET( 1, "dhm_read_public", ret );
2243 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2244 }
2245
2246 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2247
Paul Bakker70df2fb2013-04-17 17:19:09 +02002248 return( ret );
2249}
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002250#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2251 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +02002252
Manuel Pégourié-Gonnarde511ffc2013-08-22 17:33:21 +02002253#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2254 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Paul Bakker70df2fb2013-04-17 17:19:09 +02002255static int ssl_parse_client_ecdh_public( ssl_context *ssl )
2256{
2257 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +02002258 size_t n;
2259
2260 /*
2261 * Receive client public key and calculate premaster
2262 */
2263 n = ssl->in_msg[3];
2264
2265 if( n < 1 || n > mpi_size( &ssl->handshake->ecdh_ctx.grp.P ) * 2 + 2 ||
2266 n + 4 != ssl->in_hslen )
2267 {
2268 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2269 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2270 }
2271
2272 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2273 ssl->in_msg + 4, n ) ) != 0 )
2274 {
2275 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2276 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2277 }
2278
2279 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2280
Paul Bakker70df2fb2013-04-17 17:19:09 +02002281 return( ret );
2282}
Manuel Pégourié-Gonnarde511ffc2013-08-22 17:33:21 +02002283#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2284 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +02002285
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002286#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
Paul Bakker70df2fb2013-04-17 17:19:09 +02002287static int ssl_parse_encrypted_pms_secret( ssl_context *ssl )
2288{
2289 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2290 size_t i, n = 0;
2291
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002292 if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002293 {
Manuel Pégourié-Gonnarda2d3f222013-08-21 11:51:08 +02002294 SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
Paul Bakker70df2fb2013-04-17 17:19:09 +02002295 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2296 }
2297
2298 /*
2299 * Decrypt the premaster using own private RSA key
2300 */
2301 i = 4;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002302 n = pk_get_len( ssl_own_key( ssl ) );
Paul Bakker70df2fb2013-04-17 17:19:09 +02002303 ssl->handshake->pmslen = 48;
2304
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002305#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2306 defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker70df2fb2013-04-17 17:19:09 +02002307 if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
2308 {
2309 i += 2;
2310 if( ssl->in_msg[4] != ( ( n >> 8 ) & 0xFF ) ||
2311 ssl->in_msg[5] != ( ( n ) & 0xFF ) )
2312 {
2313 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2314 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2315 }
2316 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002317#endif
Paul Bakker70df2fb2013-04-17 17:19:09 +02002318
2319 if( ssl->in_hslen != i + n )
2320 {
2321 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2322 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2323 }
2324
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002325 ret = pk_decrypt( ssl_own_key( ssl ),
Manuel Pégourié-Gonnard070cc7f2013-08-21 15:09:31 +02002326 ssl->in_msg + i, n,
2327 ssl->handshake->premaster, &ssl->handshake->pmslen,
2328 sizeof(ssl->handshake->premaster),
2329 ssl->f_rng, ssl->p_rng );
Paul Bakker70df2fb2013-04-17 17:19:09 +02002330
2331 if( ret != 0 || ssl->handshake->pmslen != 48 ||
Paul Bakker2fbefde2013-06-29 16:01:15 +02002332 ssl->handshake->premaster[0] != ssl->handshake->max_major_ver ||
2333 ssl->handshake->premaster[1] != ssl->handshake->max_minor_ver )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002334 {
2335 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2336
2337 /*
2338 * Protection against Bleichenbacher's attack:
2339 * invalid PKCS#1 v1.5 padding must not cause
2340 * the connection to end immediately; instead,
2341 * send a bad_record_mac later in the handshake.
2342 */
2343 ssl->handshake->pmslen = 48;
2344
2345 ret = ssl->f_rng( ssl->p_rng, ssl->handshake->premaster,
2346 ssl->handshake->pmslen );
2347 if( ret != 0 )
2348 return( ret );
2349 }
2350
2351 return( ret );
2352}
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002353#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +02002354
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002355#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
2356 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2357static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
2358 const unsigned char *end )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002359{
Paul Bakker6db455e2013-09-18 17:29:31 +02002360 int ret = 0;
Paul Bakkerfbb17802013-04-17 19:10:21 +02002361 size_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +02002362
Paul Bakker6db455e2013-09-18 17:29:31 +02002363 if( ssl->f_psk == NULL &&
2364 ( ssl->psk == NULL || ssl->psk_identity == NULL ||
2365 ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002366 {
2367 SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
2368 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2369 }
2370
2371 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002372 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +02002373 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002374 if( *p + 2 > end )
2375 {
2376 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2377 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2378 }
Paul Bakkerfbb17802013-04-17 19:10:21 +02002379
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002380 n = ( (*p)[0] << 8 ) | (*p)[1];
2381 *p += 2;
2382
2383 if( n < 1 || n > 65535 || *p + n > end )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002384 {
2385 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2386 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2387 }
2388
Paul Bakker6db455e2013-09-18 17:29:31 +02002389 if( ssl->f_psk != NULL )
2390 {
2391 if( ( ret != ssl->f_psk( ssl->p_psk, ssl, *p, n ) ) != 0 )
2392 ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
2393 }
2394
2395 if( ret == 0 )
2396 {
2397 if( n != ssl->psk_identity_len ||
2398 memcmp( ssl->psk_identity, *p, n ) != 0 )
2399 {
2400 ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
2401 }
2402 }
2403
2404 if( ret == POLARSSL_ERR_SSL_UNKNOWN_IDENTITY )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002405 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002406 SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
Paul Bakker6db455e2013-09-18 17:29:31 +02002407 if( ( ret = ssl_send_alert_message( ssl,
2408 SSL_ALERT_LEVEL_FATAL,
2409 SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 )
2410 {
2411 return( ret );
2412 }
2413
2414 return( POLARSSL_ERR_SSL_UNKNOWN_IDENTITY );
Paul Bakkerfbb17802013-04-17 19:10:21 +02002415 }
2416
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002417 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +02002418 ret = 0;
2419
Paul Bakkerfbb17802013-04-17 19:10:21 +02002420 return( ret );
2421}
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002422#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED ||
2423 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +02002424
Paul Bakker5121ce52009-01-03 21:22:43 +00002425static int ssl_parse_client_key_exchange( ssl_context *ssl )
2426{
Paul Bakker23986e52011-04-24 08:57:21 +00002427 int ret;
Paul Bakker41c83d32013-03-20 14:39:14 +01002428 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker70df2fb2013-04-17 17:19:09 +02002429
Paul Bakker41c83d32013-03-20 14:39:14 +01002430 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00002431
2432 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
2433
2434 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2435 {
2436 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2437 return( ret );
2438 }
2439
2440 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2441 {
2442 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002443 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002444 }
2445
2446 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
2447 {
2448 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002449 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002450 }
2451
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002452#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
Paul Bakker41c83d32013-03-20 14:39:14 +01002453 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +00002454 {
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +02002455 unsigned char *p = ssl->in_msg + 4;
2456 unsigned char *end = ssl->in_msg + ssl->in_msglen;
2457
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002458 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002459 {
Paul Bakker70df2fb2013-04-17 17:19:09 +02002460 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2461 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002462 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002463
2464 ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
2465
Manuel Pégourié-Gonnard032c34e2013-09-07 13:06:27 +02002466 /* No blinding needed for DHE, but will be needed for fixed DH! */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002467 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2468 ssl->handshake->premaster,
Manuel Pégourié-Gonnard2d627642013-09-04 14:22:07 +02002469 &ssl->handshake->pmslen,
Manuel Pégourié-Gonnard15d5de12013-09-17 11:34:11 +02002470 ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002471 {
2472 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2473 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2474 }
2475
2476 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker70df2fb2013-04-17 17:19:09 +02002477 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002478 else
2479#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002480#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2481 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2482 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2483 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002484 {
2485 if( ( ret = ssl_parse_client_ecdh_public( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002486 {
Paul Bakker70df2fb2013-04-17 17:19:09 +02002487 SSL_DEBUG_RET( 1, ( "ssl_parse_client_ecdh_public" ), ret );
2488 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002489 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002490
2491 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2492 &ssl->handshake->pmslen,
2493 ssl->handshake->premaster,
Manuel Pégourié-Gonnarde09d2f82013-09-02 14:29:09 +02002494 POLARSSL_MPI_MAX_SIZE,
2495 ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002496 {
2497 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
2498 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2499 }
2500
2501 SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
Paul Bakker5121ce52009-01-03 21:22:43 +00002502 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002503 else
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002504#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2505 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002506#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2507 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002508 {
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +02002509 unsigned char *p = ssl->in_msg + 4;
2510 unsigned char *end = ssl->in_msg + ssl->in_msglen;
2511
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002512 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002513 {
2514 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2515 return( ret );
2516 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002517
2518 // Set up the premaster secret
2519 //
2520 p = ssl->handshake->premaster;
2521 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2522 *(p++) = (unsigned char)( ssl->psk_len );
2523 p += ssl->psk_len;
2524
2525 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2526 *(p++) = (unsigned char)( ssl->psk_len );
2527 memcpy( p, ssl->psk, ssl->psk_len );
2528 p += ssl->psk_len;
2529
2530 ssl->handshake->pmslen = 4 + 2 * ssl->psk_len;
Paul Bakkerfbb17802013-04-17 19:10:21 +02002531 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002532 else
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002533#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
2534#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2535 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2536 {
2537 size_t n;
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +02002538 unsigned char *p = ssl->in_msg + 4;
2539 unsigned char *end = ssl->in_msg + ssl->in_msglen;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002540
2541 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2542 {
2543 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2544 return( ret );
2545 }
2546 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2547 {
2548 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2549 return( ret );
2550 }
2551
2552 // Set up the premaster secret
2553 //
2554 p = ssl->handshake->premaster;
2555 *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len >> 8 );
2556 *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len );
2557
Paul Bakker577e0062013-08-28 11:57:20 +02002558 n = ssl->handshake->dhm_ctx.len;
2559
Manuel Pégourié-Gonnard032c34e2013-09-07 13:06:27 +02002560 /* No blinding needed since this is ephemeral DHM */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002561 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
Manuel Pégourié-Gonnard15d5de12013-09-17 11:34:11 +02002562 p, &n, ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002563 {
2564 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2565 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2566 }
2567
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002568 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2569
2570 p += ssl->handshake->dhm_ctx.len;
2571
2572 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2573 *(p++) = (unsigned char)( ssl->psk_len );
2574 memcpy( p, ssl->psk, ssl->psk_len );
2575 p += ssl->psk_len;
2576
2577 ssl->handshake->pmslen = 4 + ssl->handshake->dhm_ctx.len + ssl->psk_len;
2578 }
2579 else
2580#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2581#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2582 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
Paul Bakker41c83d32013-03-20 14:39:14 +01002583 {
Paul Bakker70df2fb2013-04-17 17:19:09 +02002584 if( ( ret = ssl_parse_encrypted_pms_secret( ssl ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +01002585 {
Paul Bakker70df2fb2013-04-17 17:19:09 +02002586 SSL_DEBUG_RET( 1, ( "ssl_parse_client_ecdh_public" ), ret );
2587 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002588 }
2589 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002590 else
2591#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2592 {
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002593 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002594 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
2595 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002596
Paul Bakkerff60ee62010-03-16 21:09:09 +00002597 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2598 {
2599 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2600 return( ret );
2601 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002602
Paul Bakker5121ce52009-01-03 21:22:43 +00002603 ssl->state++;
2604
2605 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
2606
2607 return( 0 );
2608}
2609
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002610#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2611 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
Manuel Pégourié-Gonnarda3104592013-09-17 21:17:44 +02002612 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2613 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +00002614static int ssl_parse_certificate_verify( ssl_context *ssl )
2615{
Paul Bakkered27a042013-04-18 22:46:23 +02002616 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerfbb17802013-04-17 19:10:21 +02002617 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00002618
2619 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2620
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002621 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2622 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakkered27a042013-04-18 22:46:23 +02002623 {
2624 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2625 ssl->state++;
2626 return( 0 );
2627 }
2628
Manuel Pégourié-Gonnarda3104592013-09-17 21:17:44 +02002629 SSL_DEBUG_MSG( 1, ( "should not happen" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002630 return( ret );
2631}
2632#else
2633static int ssl_parse_certificate_verify( ssl_context *ssl )
2634{
2635 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002636 size_t sa_len, sig_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002637 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002638 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002639 size_t hashlen;
Paul Bakker577e0062013-08-28 11:57:20 +02002640#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002641 pk_type_t pk_alg;
Paul Bakker577e0062013-08-28 11:57:20 +02002642#endif
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002643 md_type_t md_alg;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002644 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2645
2646 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2647
2648 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2649 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2650 {
2651 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2652 ssl->state++;
2653 return( 0 );
2654 }
2655
Paul Bakkered27a042013-04-18 22:46:23 +02002656 if( ssl->session_negotiate->peer_cert == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00002657 {
2658 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2659 ssl->state++;
2660 return( 0 );
2661 }
2662
Paul Bakker48916f92012-09-16 19:57:18 +00002663 ssl->handshake->calc_verify( ssl, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +00002664
2665 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2666 {
2667 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2668 return( ret );
2669 }
2670
2671 ssl->state++;
2672
2673 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2674 {
2675 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002676 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +00002677 }
2678
2679 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
2680 {
2681 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002682 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +00002683 }
2684
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002685 /*
2686 * 0 . 0 handshake type
2687 * 1 . 3 handshake length
2688 * 4 . 5 sig alg (TLS 1.2 only)
2689 * 4+n . 5+n signature length (n = sa_len)
2690 * 6+n . 6+n+m signature (m = sig_len)
2691 */
Paul Bakker5121ce52009-01-03 21:22:43 +00002692
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002693#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2694 defined(POLARSSL_SSL_PROTO_TLS1_1)
2695 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +01002696 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002697 sa_len = 0;
2698
Paul Bakkerc70b9822013-04-07 22:00:46 +02002699 md_alg = POLARSSL_MD_NONE;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002700 hashlen = 36;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002701
2702 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
2703 if( pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2704 POLARSSL_PK_ECDSA ) )
2705 {
2706 hash_start += 16;
2707 hashlen -= 16;
2708 md_alg = POLARSSL_MD_SHA1;
2709 }
Paul Bakker926af752012-11-23 13:38:07 +01002710 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002711 else
2712#endif
Paul Bakker577e0062013-08-28 11:57:20 +02002713#if defined(POLARSSL_SSL_PROTO_TLS1_2)
2714 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +02002715 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002716 sa_len = 2;
2717
Paul Bakker5121ce52009-01-03 21:22:43 +00002718 /*
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02002719 * Hash
Paul Bakker5121ce52009-01-03 21:22:43 +00002720 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002721 if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg )
Paul Bakker5121ce52009-01-03 21:22:43 +00002722 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002723 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
2724 " for verify message" ) );
Paul Bakker926af752012-11-23 13:38:07 +01002725 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
2726 }
2727
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02002728 md_alg = ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg );
Paul Bakker926af752012-11-23 13:38:07 +01002729
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +02002730 /* Info from md_alg will be used instead */
2731 hashlen = 0;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002732
2733 /*
2734 * Signature
2735 */
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02002736 if( ( pk_alg = ssl_pk_alg_from_sig( ssl->in_msg[5] ) )
2737 == POLARSSL_PK_NONE )
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002738 {
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02002739 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
2740 " for verify message" ) );
2741 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002742 }
2743
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002744 /*
2745 * Check the certificate's key type matches the signature alg
2746 */
2747 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
2748 {
2749 SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
2750 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
2751 }
Paul Bakker577e0062013-08-28 11:57:20 +02002752 }
2753 else
2754#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2755 {
2756 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +02002757 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +02002758 }
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +02002759
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002760 sig_len = ( ssl->in_msg[4 + sa_len] << 8 ) | ssl->in_msg[5 + sa_len];
Paul Bakker926af752012-11-23 13:38:07 +01002761
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002762 if( sa_len + sig_len + 6 != ssl->in_hslen )
Paul Bakker5121ce52009-01-03 21:22:43 +00002763 {
2764 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002765 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +00002766 }
2767
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02002768 if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002769 md_alg, hash_start, hashlen,
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02002770 ssl->in_msg + 6 + sa_len, sig_len ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002771 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002772 SSL_DEBUG_RET( 1, "pk_verify", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002773 return( ret );
2774 }
2775
2776 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
2777
Paul Bakkered27a042013-04-18 22:46:23 +02002778 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002779}
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002780#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2781 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2782 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00002783
Paul Bakkera503a632013-08-14 13:48:06 +02002784#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002785static int ssl_write_new_session_ticket( ssl_context *ssl )
2786{
2787 int ret;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +02002788 size_t tlen;
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +02002789 uint32_t lifetime = (uint32_t) ssl->ticket_lifetime;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002790
2791 SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
2792
2793 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2794 ssl->out_msg[0] = SSL_HS_NEW_SESSION_TICKET;
2795
2796 /*
2797 * struct {
2798 * uint32 ticket_lifetime_hint;
2799 * opaque ticket<0..2^16-1>;
2800 * } NewSessionTicket;
2801 *
2802 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
2803 * 8 . 9 ticket_len (n)
2804 * 10 . 9+n ticket content
2805 */
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +02002806
2807 ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
2808 ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
2809 ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
2810 ssl->out_msg[7] = ( lifetime ) & 0xFF;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002811
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +02002812 if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
2813 {
2814 SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
2815 tlen = 0;
2816 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002817
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +02002818 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
2819 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002820
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +02002821 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002822
2823 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2824 {
2825 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2826 return( ret );
2827 }
2828
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +02002829 /* No need to remember writing a NewSessionTicket any more */
2830 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002831
2832 SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
2833
2834 return( 0 );
2835}
Paul Bakkera503a632013-08-14 13:48:06 +02002836#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002837
Paul Bakker5121ce52009-01-03 21:22:43 +00002838/*
Paul Bakker1961b702013-01-25 14:49:24 +01002839 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +00002840 */
Paul Bakker1961b702013-01-25 14:49:24 +01002841int ssl_handshake_server_step( ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00002842{
2843 int ret = 0;
2844
Paul Bakker1961b702013-01-25 14:49:24 +01002845 if( ssl->state == SSL_HANDSHAKE_OVER )
2846 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +00002847
Paul Bakker1961b702013-01-25 14:49:24 +01002848 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
2849
2850 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2851 return( ret );
2852
2853 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +00002854 {
Paul Bakker1961b702013-01-25 14:49:24 +01002855 case SSL_HELLO_REQUEST:
2856 ssl->state = SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +00002857 break;
2858
Paul Bakker1961b702013-01-25 14:49:24 +01002859 /*
2860 * <== ClientHello
2861 */
2862 case SSL_CLIENT_HELLO:
2863 ret = ssl_parse_client_hello( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00002864 break;
Paul Bakker1961b702013-01-25 14:49:24 +01002865
2866 /*
2867 * ==> ServerHello
2868 * Certificate
2869 * ( ServerKeyExchange )
2870 * ( CertificateRequest )
2871 * ServerHelloDone
2872 */
2873 case SSL_SERVER_HELLO:
2874 ret = ssl_write_server_hello( ssl );
2875 break;
2876
2877 case SSL_SERVER_CERTIFICATE:
2878 ret = ssl_write_certificate( ssl );
2879 break;
2880
2881 case SSL_SERVER_KEY_EXCHANGE:
2882 ret = ssl_write_server_key_exchange( ssl );
2883 break;
2884
2885 case SSL_CERTIFICATE_REQUEST:
2886 ret = ssl_write_certificate_request( ssl );
2887 break;
2888
2889 case SSL_SERVER_HELLO_DONE:
2890 ret = ssl_write_server_hello_done( ssl );
2891 break;
2892
2893 /*
2894 * <== ( Certificate/Alert )
2895 * ClientKeyExchange
2896 * ( CertificateVerify )
2897 * ChangeCipherSpec
2898 * Finished
2899 */
2900 case SSL_CLIENT_CERTIFICATE:
2901 ret = ssl_parse_certificate( ssl );
2902 break;
2903
2904 case SSL_CLIENT_KEY_EXCHANGE:
2905 ret = ssl_parse_client_key_exchange( ssl );
2906 break;
2907
2908 case SSL_CERTIFICATE_VERIFY:
2909 ret = ssl_parse_certificate_verify( ssl );
2910 break;
2911
2912 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
2913 ret = ssl_parse_change_cipher_spec( ssl );
2914 break;
2915
2916 case SSL_CLIENT_FINISHED:
2917 ret = ssl_parse_finished( ssl );
2918 break;
2919
2920 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002921 * ==> ( NewSessionTicket )
2922 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +01002923 * Finished
2924 */
2925 case SSL_SERVER_CHANGE_CIPHER_SPEC:
Paul Bakkera503a632013-08-14 13:48:06 +02002926#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +02002927 if( ssl->handshake->new_session_ticket != 0 )
2928 ret = ssl_write_new_session_ticket( ssl );
2929 else
Paul Bakkera503a632013-08-14 13:48:06 +02002930#endif
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +02002931 ret = ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01002932 break;
2933
2934 case SSL_SERVER_FINISHED:
2935 ret = ssl_write_finished( ssl );
2936 break;
2937
2938 case SSL_FLUSH_BUFFERS:
2939 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2940 ssl->state = SSL_HANDSHAKE_WRAPUP;
2941 break;
2942
2943 case SSL_HANDSHAKE_WRAPUP:
2944 ssl_handshake_wrapup( ssl );
2945 break;
2946
2947 default:
2948 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2949 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +00002950 }
2951
Paul Bakker5121ce52009-01-03 21:22:43 +00002952 return( ret );
2953}
Paul Bakker5121ce52009-01-03 21:22:43 +00002954#endif