TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ac75523593dc7ac638f75142c75284c6ff22b61a / . / library / ssl_srv.c
blob: 17b23f1ab2d829f55d0fcd633e0a748fac365246 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 server-side functions
3 *
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]26#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]28#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]30#include "polarssl/debug.h"
31#include "polarssl/ssl.h"
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]32#if defined(POLARSSL_ECP_C)
33#include "polarssl/ecp.h"
34#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]36#if defined(POLARSSL_MEMORY_C)
37#include "polarssl/memory.h"
38#else
39#define polarssl_malloc malloc
40#define polarssl_free free
41#endif
42
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43#include <stdlib.h>
44#include <stdio.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]45
46#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47#include <time.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]48#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]49
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]50#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]51/*
52 * Serialize a session in the following format:
53 * 0 . n-1 session structure, n = sizeof(ssl_session)
54 * n . n+2 peer_cert length = m (0 if no certificate)
55 * n+3 . n+2+m peer cert ASN.1
56 *
57 * Assumes ticket is NULL (always true on server side).
58 */
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]59static int ssl_save_session( const ssl_session *session,
60 unsigned char *buf, size_t buf_len,
61 size_t *olen )
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]62{
63 unsigned char *p = buf;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]64 size_t left = buf_len;
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]65#if defined(POLARSSL_X509_PARSE_C)
66 size_t cert_len;
67#endif /* POLARSSL_X509_PARSE_C */
68
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]69 if( left < sizeof( ssl_session ) )
70 return( -1 );
71
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]72 memcpy( p, session, sizeof( ssl_session ) );
73 p += sizeof( ssl_session );
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]74 left -= sizeof( ssl_session );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]75
76#if defined(POLARSSL_X509_PARSE_C)
77 ((ssl_session *) buf)->peer_cert = NULL;
78
79 if( session->peer_cert == NULL )
80 cert_len = 0;
81 else
82 cert_len = session->peer_cert->raw.len;
83
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]84 if( left < 3 + cert_len )
85 return( -1 );
86
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]87 *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
88 *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
89 *p++ = (unsigned char)( cert_len & 0xFF );
90
91 if( session->peer_cert != NULL )
92 memcpy( p, session->peer_cert->raw.p, cert_len );
93
94 p += cert_len;
95#endif /* POLARSSL_X509_PARSE_C */
96
97 *olen = p - buf;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]98
99 return( 0 );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]100}
101
102/*
103 * Unserialise session, see ssl_save_session()
104 */
105static int ssl_load_session( ssl_session *session,
106 const unsigned char *buf, size_t len )
107{
108 int ret;
109 const unsigned char *p = buf;
110 const unsigned char * const end = buf + len;
111#if defined(POLARSSL_X509_PARSE_C)
112 size_t cert_len;
113#endif /* POLARSSL_X509_PARSE_C */
114
115 if( p + sizeof( ssl_session ) > end )
116 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
117
118 memcpy( session, p, sizeof( ssl_session ) );
119 p += sizeof( ssl_session );
120
121#if defined(POLARSSL_X509_PARSE_C)
122 if( p + 3 > end )
123 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
124
125 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
126 p += 3;
127
128 if( cert_len == 0 )
129 {
130 session->peer_cert = NULL;
131 }
132 else
133 {
134 if( p + cert_len > end )
135 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
136
137 session->peer_cert = polarssl_malloc( cert_len );
138
139 if( session->peer_cert == NULL )
140 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
141
142 memset( session->peer_cert, 0, sizeof( x509_cert ) );
143
144 if( ( ret = x509parse_crt( session->peer_cert, p, cert_len ) ) != 0 )
145 {
146 polarssl_free( session->peer_cert );
147 free( session->peer_cert );
148 session->peer_cert = NULL;
149 return( ret );
150 }
151
152 p += cert_len;
153 }
154#endif /* POLARSSL_X509_PARSE_C */
155
156 if( p != end )
157 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
158
159 return( 0 );
160}
161
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]162/*
163 * Create session ticket, secured as recommended in RFC 5077 section 4:
164 *
165 * struct {
166 * opaque key_name[16];
167 * opaque iv[16];
168 * opaque encrypted_state<0..2^16-1>;
169 * opaque mac[32];
170 * } ticket;
171 *
172 * (the internal state structure differs, however).
173 */
174static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
175{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]176 int ret;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]177 unsigned char * const start = ssl->out_msg + 10;
178 unsigned char *p = start;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]179 unsigned char *state;
180 unsigned char iv[16];
181 size_t clear_len, enc_len, pad_len, i;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]182
Manuel Pégourié-Gonnard0a201712013-08-23 16:25:16 +0200[diff] [blame]183 *tlen = 0;
184
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]185 if( ssl->ticket_keys == NULL )
186 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
187
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]188 /* Write key name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]189 memcpy( p, ssl->ticket_keys->key_name, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]190 p += 16;
191
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]192 /* Generate and write IV (with a copy for aes_crypt) */
193 if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
194 return( ret );
195 memcpy( iv, p, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]196 p += 16;
197
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]198 /*
199 * Dump session state
200 *
201 * After the session state itself, we still need room for 16 bytes of
202 * padding and 32 bytes of MAC, so there's only so much room left
203 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]204 state = p + 2;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]205 if( ssl_save_session( ssl->session_negotiate, state,
206 SSL_MAX_CONTENT_LEN - (state - ssl->out_ctr) - 48,
207 &clear_len ) != 0 )
208 {
209 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
210 }
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]211 SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]212
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]213 /* Apply PKCS padding */
214 pad_len = 16 - clear_len % 16;
215 enc_len = clear_len + pad_len;
216 for( i = clear_len; i < enc_len; i++ )
217 state[i] = (unsigned char) pad_len;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]218
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]219 /* Encrypt */
220 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
221 enc_len, iv, state, state ) ) != 0 )
222 {
223 return( ret );
224 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]225
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]226 /* Write length */
227 *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
228 *p++ = (unsigned char)( ( enc_len ) & 0xFF );
229 p = state + enc_len;
230
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]231 /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
232 sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]233 p += 32;
234
235 *tlen = p - start;
236
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]237 SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]238
239 return( 0 );
240}
241
242/*
243 * Load session ticket (see ssl_write_ticket for structure)
244 */
245static int ssl_parse_ticket( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]246 unsigned char *buf,
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]247 size_t len )
248{
249 int ret;
250 ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]251 unsigned char *key_name = buf;
252 unsigned char *iv = buf + 16;
253 unsigned char *enc_len_p = iv + 16;
254 unsigned char *ticket = enc_len_p + 2;
255 unsigned char *mac;
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]256 unsigned char computed_mac[16];
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]257 size_t enc_len, clear_len, i;
258 unsigned char pad_len;
259
260 SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]261
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]262 if( len < 34 || ssl->ticket_keys == NULL )
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]263 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
264
265 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
266 mac = ticket + enc_len;
267
268 if( len != enc_len + 66 )
269 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
270
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]271 /* Check name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]272 if( memcmp( key_name, ssl->ticket_keys->key_name, 16 ) != 0 )
273 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]274
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]275 /* Check mac */
276 sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
277 computed_mac, 0 );
278 ret = 0;
279 for( i = 0; i < 32; i++ )
280 if( mac[i] != computed_mac[i] )
281 ret = POLARSSL_ERR_SSL_INVALID_MAC;
282 if( ret != 0 )
283 return( ret );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]284
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]285 /* Decrypt */
286 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
287 enc_len, iv, ticket, ticket ) ) != 0 )
288 {
289 return( ret );
290 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]291
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]292 /* Check PKCS padding */
293 pad_len = ticket[enc_len - 1];
294
295 ret = 0;
296 for( i = 2; i < pad_len; i++ )
297 if( ticket[enc_len - i] != pad_len )
298 ret = POLARSSL_ERR_SSL_BAD_INPUT_DATA;
299 if( ret != 0 )
300 return( ret );
301
302 clear_len = enc_len - pad_len;
303
304 SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
305
306 /* Actually load session */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]307 if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
308 {
309 SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
310 memset( &session, 0, sizeof( ssl_session ) );
311 return( ret );
312 }
313
Paul Bakker606b4ba2013-08-14 16:52:14 +0200[diff] [blame]314#if defined(POLARSSL_HAVE_TIME)
315 /* Check if still valid */
316 if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
317 {
318 SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
319 memset( &session, 0, sizeof( ssl_session ) );
320 return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED );
321 }
322#endif
323
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]324 /*
325 * Keep the session ID sent by the client, since we MUST send it back to
326 * inform him we're accepting the ticket (RFC 5077 section 3.4)
327 */
328 session.length = ssl->session_negotiate->length;
329 memcpy( &session.id, ssl->session_negotiate->id, session.length );
330
331 ssl_session_free( ssl->session_negotiate );
332 memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
333 memset( &session, 0, sizeof( ssl_session ) );
334
335 return( 0 );
336}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]337#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]338
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]339static int ssl_parse_servername_ext( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]340 const unsigned char *buf,
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]341 size_t len )
342{
343 int ret;
344 size_t servername_list_size, hostname_len;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]345 const unsigned char *p;
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]346
347 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
348 if( servername_list_size + 2 != len )
349 {
350 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
351 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
352 }
353
354 p = buf + 2;
355 while( servername_list_size > 0 )
356 {
357 hostname_len = ( ( p[1] << 8 ) | p[2] );
358 if( hostname_len + 3 > servername_list_size )
359 {
360 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
361 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
362 }
363
364 if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
365 {
366 ret = ssl->f_sni( ssl->p_sni, ssl, p + 3, hostname_len );
367 if( ret != 0 )
368 {
369 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
370 SSL_ALERT_MSG_UNRECOGNIZED_NAME );
371 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
372 }
Paul Bakker81420ab2012-10-23 10:31:15 +0000[diff] [blame]373 return( 0 );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]374 }
375
376 servername_list_size -= hostname_len + 3;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]377 p += hostname_len + 3;
378 }
379
380 if( servername_list_size != 0 )
381 {
382 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
383 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]384 }
385
386 return( 0 );
387}
388
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]389static int ssl_parse_renegotiation_info( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]390 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]391 size_t len )
392{
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]393 int ret;
394
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]395 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
396 {
397 if( len != 1 || buf[0] != 0x0 )
398 {
399 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]400
401 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
402 return( ret );
403
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]404 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
405 }
406
407 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
408 }
409 else
410 {
411 if( len != 1 + ssl->verify_data_len ||
412 buf[0] != ssl->verify_data_len ||
413 memcmp( buf + 1, ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
414 {
415 SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]416
417 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
418 return( ret );
419
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]420 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
421 }
422 }
423
424 return( 0 );
425}
426
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]427static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
428 const unsigned char *buf,
429 size_t len )
430{
431 size_t sig_alg_list_size;
432 const unsigned char *p;
433
434 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
435 if( sig_alg_list_size + 2 != len ||
436 sig_alg_list_size %2 != 0 )
437 {
438 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
439 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
440 }
441
442 p = buf + 2;
443 while( sig_alg_list_size > 0 )
444 {
445 if( p[1] != SSL_SIG_RSA )
Paul Bakker8611e732012-10-30 07:52:29 +0000[diff] [blame]446 {
447 sig_alg_list_size -= 2;
448 p += 2;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]449 continue;
Paul Bakker8611e732012-10-30 07:52:29 +0000[diff] [blame]450 }
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]451#if defined(POLARSSL_SHA512_C)
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]452 if( p[0] == SSL_HASH_SHA512 )
453 {
454 ssl->handshake->sig_alg = SSL_HASH_SHA512;
455 break;
456 }
457 if( p[0] == SSL_HASH_SHA384 )
458 {
459 ssl->handshake->sig_alg = SSL_HASH_SHA384;
460 break;
461 }
462#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]463#if defined(POLARSSL_SHA256_C)
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]464 if( p[0] == SSL_HASH_SHA256 )
465 {
466 ssl->handshake->sig_alg = SSL_HASH_SHA256;
467 break;
468 }
469 if( p[0] == SSL_HASH_SHA224 )
470 {
471 ssl->handshake->sig_alg = SSL_HASH_SHA224;
472 break;
473 }
474#endif
475 if( p[0] == SSL_HASH_SHA1 )
476 {
477 ssl->handshake->sig_alg = SSL_HASH_SHA1;
478 break;
479 }
480 if( p[0] == SSL_HASH_MD5 )
481 {
482 ssl->handshake->sig_alg = SSL_HASH_MD5;
483 break;
484 }
485
486 sig_alg_list_size -= 2;
487 p += 2;
488 }
489
490 SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
491 ssl->handshake->sig_alg ) );
492
493 return( 0 );
494}
495
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]496#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]497static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
498 const unsigned char *buf,
499 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]500{
501 size_t list_size;
502 const unsigned char *p;
503
504 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
505 if( list_size + 2 != len ||
506 list_size % 2 != 0 )
507 {
508 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
509 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
510 }
511
512 p = buf + 2;
513 while( list_size > 0 )
514 {
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]515#if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
516 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP192R1 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]517 {
518 ssl->handshake->ec_curve = p[1];
519 return( 0 );
520 }
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]521#endif
522#if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
523 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP224R1 )
524 {
525 ssl->handshake->ec_curve = p[1];
526 return( 0 );
527 }
528#endif
529#if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
530 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP256R1 )
531 {
532 ssl->handshake->ec_curve = p[1];
533 return( 0 );
534 }
535#endif
536#if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
537 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP384R1 )
538 {
539 ssl->handshake->ec_curve = p[1];
540 return( 0 );
541 }
542#endif
543#if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
544 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP521R1 )
545 {
546 ssl->handshake->ec_curve = p[1];
547 return( 0 );
548 }
549#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]550
551 list_size -= 2;
552 p += 2;
553 }
554
555 return( 0 );
556}
557
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]558static int ssl_parse_supported_point_formats( ssl_context *ssl,
559 const unsigned char *buf,
560 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]561{
562 size_t list_size;
563 const unsigned char *p;
564
565 list_size = buf[0];
566 if( list_size + 1 != len )
567 {
568 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
569 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
570 }
571
572 p = buf + 2;
573 while( list_size > 0 )
574 {
575 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
576 p[0] == POLARSSL_ECP_PF_COMPRESSED )
577 {
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]578 ssl->handshake->ecdh_ctx.point_format = p[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]579 SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]580 return( 0 );
581 }
582
583 list_size--;
584 p++;
585 }
586
587 return( 0 );
588}
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]589#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]590
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]591#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]592static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
593 const unsigned char *buf,
594 size_t len )
595{
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]596 if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]597 {
598 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
599 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
600 }
601
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]602 ssl->session_negotiate->mfl_code = buf[0];
603
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]604 return( 0 );
605}
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]606#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]607
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]608#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]609static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
610 const unsigned char *buf,
611 size_t len )
612{
613 if( len != 0 )
614 {
615 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
616 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
617 }
618
619 ((void) buf);
620
621 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
622
623 return( 0 );
624}
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]625#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]626
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]627#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]628static int ssl_parse_session_ticket_ext( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]629 unsigned char *buf,
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]630 size_t len )
631{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]632 int ret;
633
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]634 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
635 return( 0 );
636
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]637 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]638 ssl->handshake->new_session_ticket = 1;
639
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]640 SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
641
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]642 if( len == 0 )
643 return( 0 );
644
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]645 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
646 {
647 SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
648 return( 0 );
649 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]650
651 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]652 * Failures are ok: just ignore the ticket and proceed.
653 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]654 if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
655 {
656 SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]657 return( 0 );
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]658 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]659
660 SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
661
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]662 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]663
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]664 /* Don't send a new ticket after all, this one is OK */
665 ssl->handshake->new_session_ticket = 0;
666
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]667 return( 0 );
668}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]669#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]670
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]671#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
672static int ssl_parse_client_hello_v2( ssl_context *ssl )
673{
674 int ret;
675 unsigned int i, j;
676 size_t n;
677 unsigned int ciph_len, sess_len, chal_len;
678 unsigned char *buf, *p;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]679 const int *ciphersuites;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]680 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]681
682 SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
683
684 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
685 {
686 SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
687
688 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
689 return( ret );
690
691 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
692 }
693
694 buf = ssl->in_hdr;
695
696 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
697
698 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
699 buf[2] ) );
700 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
701 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
702 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
703 buf[3], buf[4] ) );
704
705 /*
706 * SSLv2 Client Hello
707 *
708 * Record layer:
709 * 0 . 1 message length
710 *
711 * SSL layer:
712 * 2 . 2 message type
713 * 3 . 4 protocol version
714 */
715 if( buf[2] != SSL_HS_CLIENT_HELLO ||
716 buf[3] != SSL_MAJOR_VERSION_3 )
717 {
718 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
719 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
720 }
721
722 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
723
724 if( n < 17 || n > 512 )
725 {
726 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
727 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
728 }
729
730 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]731 ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
732 ? buf[4] : ssl->max_minor_ver;
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]733
734 if( ssl->minor_ver < ssl->min_minor_ver )
735 {
736 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
737 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
738 ssl->min_major_ver, ssl->min_minor_ver ) );
739
740 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
741 SSL_ALERT_MSG_PROTOCOL_VERSION );
742 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
743 }
744
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]745 ssl->handshake->max_major_ver = buf[3];
746 ssl->handshake->max_minor_ver = buf[4];
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]747
748 if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
749 {
750 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
751 return( ret );
752 }
753
754 ssl->handshake->update_checksum( ssl, buf + 2, n );
755
756 buf = ssl->in_msg;
757 n = ssl->in_left - 5;
758
759 /*
760 * 0 . 1 ciphersuitelist length
761 * 2 . 3 session id length
762 * 4 . 5 challenge length
763 * 6 . .. ciphersuitelist
764 * .. . .. session id
765 * .. . .. challenge
766 */
767 SSL_DEBUG_BUF( 4, "record contents", buf, n );
768
769 ciph_len = ( buf[0] << 8 ) | buf[1];
770 sess_len = ( buf[2] << 8 ) | buf[3];
771 chal_len = ( buf[4] << 8 ) | buf[5];
772
773 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
774 ciph_len, sess_len, chal_len ) );
775
776 /*
777 * Make sure each parameter length is valid
778 */
779 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
780 {
781 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
782 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
783 }
784
785 if( sess_len > 32 )
786 {
787 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
788 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
789 }
790
791 if( chal_len < 8 || chal_len > 32 )
792 {
793 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
794 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
795 }
796
797 if( n != 6 + ciph_len + sess_len + chal_len )
798 {
799 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
800 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
801 }
802
803 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
804 buf + 6, ciph_len );
805 SSL_DEBUG_BUF( 3, "client hello, session id",
806 buf + 6 + ciph_len, sess_len );
807 SSL_DEBUG_BUF( 3, "client hello, challenge",
808 buf + 6 + ciph_len + sess_len, chal_len );
809
810 p = buf + 6 + ciph_len;
811 ssl->session_negotiate->length = sess_len;
812 memset( ssl->session_negotiate->id, 0, sizeof( ssl->session_negotiate->id ) );
813 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
814
815 p += sess_len;
816 memset( ssl->handshake->randbytes, 0, 64 );
817 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
818
819 /*
820 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
821 */
822 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
823 {
824 if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
825 {
826 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
827 if( ssl->renegotiation == SSL_RENEGOTIATION )
828 {
829 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
830
831 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
832 return( ret );
833
834 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
835 }
836 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
837 break;
838 }
839 }
840
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]841 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
842 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]843 {
844 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
845 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]846 // Only allow non-ECC ciphersuites as we do not have extensions
847 //
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]848 if( p[0] == 0 && p[1] == 0 &&
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]849 ( ( ciphersuites[i] >> 8 ) & 0xFF ) == 0 &&
850 p[2] == ( ciphersuites[i] & 0xFF ) )
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]851 {
852 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
853
854 if( ciphersuite_info == NULL )
855 {
856 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
857 ciphersuites[i] ) );
858 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
859 }
860
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]861 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
862 ciphersuite_info->max_minor_ver < ssl->minor_ver )
863 continue;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]864
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]865 goto have_ciphersuite_v2;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]866 }
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]867 }
868 }
869
870 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
871
872 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
873
874have_ciphersuite_v2:
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]875 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]876 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]877 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]878
879 /*
880 * SSLv2 Client Hello relevant renegotiation security checks
881 */
882 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
883 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
884 {
885 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
886
887 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
888 return( ret );
889
890 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
891 }
892
893 ssl->in_left = 0;
894 ssl->state++;
895
896 SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
897
898 return( 0 );
899}
900#endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
901
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]902static int ssl_parse_client_hello( ssl_context *ssl )
903{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]904 int ret;
905 unsigned int i, j;
906 size_t n;
907 unsigned int ciph_len, sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]908 unsigned int comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]909 unsigned int ext_len = 0;
910 unsigned char *buf, *p, *ext;
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]911 int renegotiation_info_seen = 0;
912 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]913 const int *ciphersuites;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]914 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]915
916 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
917
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]918 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
919 ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]920 {
921 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
922 return( ret );
923 }
924
925 buf = ssl->in_hdr;
926
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]927#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
928 if( ( buf[0] & 0x80 ) != 0 )
929 return ssl_parse_client_hello_v2( ssl );
930#endif
931
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]932 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
933
934 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
935 buf[0] ) );
936 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
937 ( buf[3] << 8 ) | buf[4] ) );
938 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
939 buf[1], buf[2] ) );
940
941 /*
942 * SSLv3 Client Hello
943 *
944 * Record layer:
945 * 0 . 0 message type
946 * 1 . 2 protocol version
947 * 3 . 4 message length
948 */
949 if( buf[0] != SSL_MSG_HANDSHAKE ||
950 buf[1] != SSL_MAJOR_VERSION_3 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]951 {
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]952 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
953 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
954 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]955
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]956 n = ( buf[3] << 8 ) | buf[4];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]957
Manuel Pégourié-Gonnard72882b22013-08-02 13:36:00 +0200[diff] [blame]958 if( n < 45 || n > 2048 )
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]959 {
960 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
961 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
962 }
963
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]964 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
965 ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]966 {
967 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
968 return( ret );
969 }
970
971 buf = ssl->in_msg;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]972 if( !ssl->renegotiation )
973 n = ssl->in_left - 5;
974 else
975 n = ssl->in_msglen;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]976
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]977 ssl->handshake->update_checksum( ssl, buf, n );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]978
979 /*
980 * SSL layer:
981 * 0 . 0 handshake type
982 * 1 . 3 handshake length
983 * 4 . 5 protocol version
984 * 6 . 9 UNIX time()
985 * 10 . 37 random bytes
986 * 38 . 38 session id length
987 * 39 . 38+x session id
988 * 39+x . 40+x ciphersuitelist length
989 * 41+x . .. ciphersuitelist
990 * .. . .. compression alg.
991 * .. . .. extensions
992 */
993 SSL_DEBUG_BUF( 4, "record contents", buf, n );
994
995 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
996 buf[0] ) );
997 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
998 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
999 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
1000 buf[4], buf[5] ) );
1001
1002 /*
1003 * Check the handshake type and protocol version
1004 */
1005 if( buf[0] != SSL_HS_CLIENT_HELLO ||
1006 buf[4] != SSL_MAJOR_VERSION_3 )
1007 {
1008 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1009 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1010 }
1011
1012 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1013 ssl->minor_ver = ( buf[5] <= ssl->max_minor_ver )
1014 ? buf[5] : ssl->max_minor_ver;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1015
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1016 if( ssl->minor_ver < ssl->min_minor_ver )
1017 {
1018 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1019 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
Paul Bakker81420ab2012-10-23 10:31:15 +0000[diff] [blame]1020 ssl->min_major_ver, ssl->min_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1021
1022 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1023 SSL_ALERT_MSG_PROTOCOL_VERSION );
1024
1025 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1026 }
1027
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1028 ssl->handshake->max_major_ver = buf[4];
1029 ssl->handshake->max_minor_ver = buf[5];
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1030
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1031 memcpy( ssl->handshake->randbytes, buf + 6, 32 );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1032
1033 /*
1034 * Check the handshake message length
1035 */
1036 if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
1037 {
1038 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1039 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1040 }
1041
1042 /*
1043 * Check the session length
1044 */
1045 sess_len = buf[38];
1046
1047 if( sess_len > 32 )
1048 {
1049 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1050 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1051 }
1052
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1053 ssl->session_negotiate->length = sess_len;
1054 memset( ssl->session_negotiate->id, 0,
1055 sizeof( ssl->session_negotiate->id ) );
1056 memcpy( ssl->session_negotiate->id, buf + 39,
1057 ssl->session_negotiate->length );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1058
1059 /*
1060 * Check the ciphersuitelist length
1061 */
1062 ciph_len = ( buf[39 + sess_len] << 8 )
1063 | ( buf[40 + sess_len] );
1064
1065 if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
1066 {
1067 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1068 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1069 }
1070
1071 /*
1072 * Check the compression algorithms length
1073 */
1074 comp_len = buf[41 + sess_len + ciph_len];
1075
1076 if( comp_len < 1 || comp_len > 16 )
1077 {
1078 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1079 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1080 }
1081
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1082 /*
1083 * Check the extension length
1084 */
1085 if( n > 42 + sess_len + ciph_len + comp_len )
1086 {
1087 ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
1088 | ( buf[43 + sess_len + ciph_len + comp_len] );
1089
1090 if( ( ext_len > 0 && ext_len < 4 ) ||
1091 n != 44 + sess_len + ciph_len + comp_len + ext_len )
1092 {
1093 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1094 SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
1095 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1096 }
1097 }
1098
1099 ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1100#if defined(POLARSSL_ZLIB_SUPPORT)
1101 for( i = 0; i < comp_len; ++i )
1102 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1103 if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1104 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1105 ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1106 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1107 }
1108 }
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1109#endif
1110
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1111 SSL_DEBUG_BUF( 3, "client hello, random bytes",
1112 buf + 6, 32 );
1113 SSL_DEBUG_BUF( 3, "client hello, session id",
1114 buf + 38, sess_len );
1115 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1116 buf + 41 + sess_len, ciph_len );
1117 SSL_DEBUG_BUF( 3, "client hello, compression",
1118 buf + 42 + sess_len + ciph_len, comp_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1119
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1120 /*
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1121 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1122 */
1123 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1124 {
1125 if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
1126 {
1127 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1128 if( ssl->renegotiation == SSL_RENEGOTIATION )
1129 {
1130 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1131
1132 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1133 return( ret );
1134
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1135 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1136 }
1137 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
1138 break;
1139 }
1140 }
1141
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1142 ext = buf + 44 + sess_len + ciph_len + comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1143
1144 while( ext_len )
1145 {
1146 unsigned int ext_id = ( ( ext[0] << 8 )
1147 | ( ext[1] ) );
1148 unsigned int ext_size = ( ( ext[2] << 8 )
1149 | ( ext[3] ) );
1150
1151 if( ext_size + 4 > ext_len )
1152 {
1153 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1154 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1155 }
1156 switch( ext_id )
1157 {
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]1158 case TLS_EXT_SERVERNAME:
1159 SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1160 if( ssl->f_sni == NULL )
1161 break;
1162
1163 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1164 if( ret != 0 )
1165 return( ret );
1166 break;
1167
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1168 case TLS_EXT_RENEGOTIATION_INFO:
1169 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1170 renegotiation_info_seen = 1;
1171
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1172 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1173 if( ret != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1174 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1175 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1176
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1177 case TLS_EXT_SIG_ALG:
1178 SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1179 if( ssl->renegotiation == SSL_RENEGOTIATION )
1180 break;
1181
1182 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1183 if( ret != 0 )
1184 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1185 break;
1186
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1187#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1188 case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
1189 SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1190
1191 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1192 if( ret != 0 )
1193 return( ret );
1194 break;
1195
1196 case TLS_EXT_SUPPORTED_POINT_FORMATS:
1197 SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1198
1199 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1200 if( ret != 0 )
1201 return( ret );
1202 break;
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1203#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1204
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1205#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1206 case TLS_EXT_MAX_FRAGMENT_LENGTH:
1207 SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1208
1209 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1210 if( ret != 0 )
1211 return( ret );
1212 break;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1213#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1214
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1215#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1216 case TLS_EXT_TRUNCATED_HMAC:
1217 SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1218
1219 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1220 if( ret != 0 )
1221 return( ret );
1222 break;
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1223#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1224
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1225#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1226 case TLS_EXT_SESSION_TICKET:
1227 SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1228
1229 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1230 if( ret != 0 )
1231 return( ret );
1232 break;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1233#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1234
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1235 default:
1236 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1237 ext_id ) );
1238 }
1239
1240 ext_len -= 4 + ext_size;
1241 ext += 4 + ext_size;
1242
1243 if( ext_len > 0 && ext_len < 4 )
1244 {
1245 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1246 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1247 }
1248 }
1249
1250 /*
1251 * Renegotiation security checks
1252 */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1253 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1254 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
1255 {
1256 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1257 handshake_failure = 1;
1258 }
1259 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1260 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
1261 renegotiation_info_seen == 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1262 {
1263 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1264 handshake_failure = 1;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1265 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1266 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1267 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1268 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1269 {
1270 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1271 handshake_failure = 1;
1272 }
1273 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1274 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1275 renegotiation_info_seen == 1 )
1276 {
1277 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1278 handshake_failure = 1;
1279 }
1280
1281 if( handshake_failure == 1 )
1282 {
1283 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1284 return( ret );
1285
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1286 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1287 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1288
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1289 /*
1290 * Search for a matching ciphersuite
1291 * (At the end because we need information from the EC-based extensions)
1292 */
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1293 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1294 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1295 {
1296 for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
1297 j += 2, p += 2 )
1298 {
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1299 if( p[0] == ( ( ciphersuites[i] >> 8 ) & 0xFF ) &&
1300 p[1] == ( ( ciphersuites[i] ) & 0xFF ) )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1301 {
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1302 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1303
1304 if( ciphersuite_info == NULL )
1305 {
1306 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1307 ciphersuites[i] ) );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1308 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
1309 }
1310
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1311 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
1312 ciphersuite_info->max_minor_ver < ssl->minor_ver )
1313 continue;
1314
Paul Bakker5fd49172013-08-19 13:29:26 +0200[diff] [blame]1315#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1316 if( ( ciphersuite_info->flags & POLARSSL_CIPHERSUITE_EC ) &&
1317 ssl->handshake->ec_curve == 0 )
1318 continue;
Paul Bakker5fd49172013-08-19 13:29:26 +0200[diff] [blame]1319#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1320
Manuel Pégourié-Gonnard32ea60a2013-08-17 17:39:04 +0200[diff] [blame]1321 if( ciphersuite_info->key_exchange ==
1322 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
1323 continue;
1324
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1325 goto have_ciphersuite;
1326 }
1327 }
1328 }
1329
1330 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1331
1332 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1333 return( ret );
1334
1335 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
1336
1337have_ciphersuite:
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1338 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1339 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1340 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
1341
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1342 ssl->in_left = 0;
1343 ssl->state++;
1344
1345 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1346
1347 return( 0 );
1348}
1349
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1350#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1351static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
1352 unsigned char *buf,
1353 size_t *olen )
1354{
1355 unsigned char *p = buf;
1356
1357 if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
1358 {
1359 *olen = 0;
1360 return;
1361 }
1362
1363 SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1364
1365 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
1366 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
1367
1368 *p++ = 0x00;
1369 *p++ = 0x00;
1370
1371 *olen = 4;
1372}
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1373#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1374
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1375#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1376static void ssl_write_session_ticket_ext( ssl_context *ssl,
1377 unsigned char *buf,
1378 size_t *olen )
1379{
1380 unsigned char *p = buf;
1381
1382 if( ssl->handshake->new_session_ticket == 0 )
1383 {
1384 *olen = 0;
1385 return;
1386 }
1387
1388 SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1389
1390 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
1391 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
1392
1393 *p++ = 0x00;
1394 *p++ = 0x00;
1395
1396 *olen = 4;
1397}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1398#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1399
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1400static void ssl_write_renegotiation_ext( ssl_context *ssl,
1401 unsigned char *buf,
1402 size_t *olen )
1403{
1404 unsigned char *p = buf;
1405
1406 if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION )
1407 {
1408 *olen = 0;
1409 return;
1410 }
1411
1412 SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1413
1414 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
1415 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
1416
1417 *p++ = 0x00;
1418 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
1419 *p++ = ssl->verify_data_len * 2 & 0xFF;
1420
1421 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
1422 p += ssl->verify_data_len;
1423 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
1424 p += ssl->verify_data_len;
1425
1426 *olen = 5 + ssl->verify_data_len * 2;
1427}
1428
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1429#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1430static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
1431 unsigned char *buf,
1432 size_t *olen )
1433{
1434 unsigned char *p = buf;
1435
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]1436 if( ssl->session_negotiate->mfl_code == SSL_MAX_FRAG_LEN_NONE )
1437 {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1438 *olen = 0;
1439 return;
1440 }
1441
1442 SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
1443
1444 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
1445 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
1446
1447 *p++ = 0x00;
1448 *p++ = 1;
1449
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]1450 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1451
1452 *olen = 5;
1453}
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1454#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1455
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1456#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1457static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
1458 unsigned char *buf,
1459 size_t *olen )
1460{
1461 unsigned char *p = buf;
1462 ((void) ssl);
1463
1464 *olen = 0;
1465
1466 SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
1467
1468 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
1469 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
1470
1471 *p++ = 0x00;
1472 *p++ = 2;
1473
1474 *p++ = 1;
1475 *p++ = POLARSSL_ECP_PF_UNCOMPRESSED;
1476
1477 *olen = 6;
1478}
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1479#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1480
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1481static int ssl_write_server_hello( ssl_context *ssl )
1482{
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1483#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1484 time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1485#endif
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1486 int ret, n;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1487 size_t olen, ext_len = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1488 unsigned char *buf, *p;
1489
1490 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
1491
1492 /*
1493 * 0 . 0 handshake type
1494 * 1 . 3 handshake length
1495 * 4 . 5 protocol version
1496 * 6 . 9 UNIX time()
1497 * 10 . 37 random bytes
1498 */
1499 buf = ssl->out_msg;
1500 p = buf + 4;
1501
1502 *p++ = (unsigned char) ssl->major_ver;
1503 *p++ = (unsigned char) ssl->minor_ver;
1504
1505 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
1506 buf[4], buf[5] ) );
1507
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1508#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1509 t = time( NULL );
1510 *p++ = (unsigned char)( t >> 24 );
1511 *p++ = (unsigned char)( t >> 16 );
1512 *p++ = (unsigned char)( t >> 8 );
1513 *p++ = (unsigned char)( t );
1514
1515 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1516#else
1517 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
1518 return( ret );
1519
1520 p += 4;
1521#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1522
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1523 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
1524 return( ret );
1525
1526 p += 28;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1527
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1528 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1529
1530 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
1531
1532 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1533 * Resume is 0 by default, see ssl_handshake_init().
1534 * It may be already set to 1 by ssl_parse_session_ticket_ext().
1535 * If not, try looking up session ID in our cache.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1536 */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1537 if( ssl->handshake->resume == 0 &&
1538 ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +0200[diff] [blame]1539 ssl->session_negotiate->length != 0 &&
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1540 ssl->f_get_cache != NULL &&
1541 ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
1542 {
1543 ssl->handshake->resume = 1;
1544 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1545
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1546 if( ssl->handshake->resume == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1547 {
1548 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1549 * New session, create a new session id,
1550 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1551 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1552 ssl->state++;
1553
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1554#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1555 if( ssl->handshake->new_session_ticket == 0 )
1556 {
1557 ssl->session_negotiate->length = n = 32;
1558 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1559 n ) ) != 0 )
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1560 return( ret );
1561 }
1562 else
1563 {
Paul Bakkerf0e39ac2013-08-15 11:40:48 +0200[diff] [blame]1564 ssl->session_negotiate->length = n = 0;
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1565 memset( ssl->session_negotiate->id, 0, 32 );
1566 }
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1567#else
1568 ssl->session_negotiate->length = n = 32;
1569 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
1570 n ) ) != 0 )
1571 return( ret );
1572#endif /* POLARSSL_SSL_SESSION_TICKETS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1573 }
1574 else
1575 {
1576 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1577 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1578 */
Paul Bakkerf0e39ac2013-08-15 11:40:48 +0200[diff] [blame]1579 n = ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1580 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1581
1582 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1583 {
1584 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1585 return( ret );
1586 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1587 }
1588
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1589 /*
1590 * 38 . 38 session id length
1591 * 39 . 38+n session id
1592 * 39+n . 40+n chosen ciphersuite
1593 * 41+n . 41+n chosen compression alg.
1594 * 42+n . 43+n extensions length
1595 * 44+n . 43+n+m extensions
1596 */
1597 *p++ = (unsigned char) ssl->session_negotiate->length;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1598 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
1599 p += ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1600
1601 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1602 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
1603 SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]1604 ssl->handshake->resume ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1605
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1606 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
1607 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
1608 *p++ = (unsigned char)( ssl->session_negotiate->compression );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1609
Manuel Pégourié-Gonnard32ea60a2013-08-17 17:39:04 +0200[diff] [blame]1610 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: 0x%04X",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1611 ssl->session_negotiate->ciphersuite ) );
Manuel Pégourié-Gonnard32ea60a2013-08-17 17:39:04 +0200[diff] [blame]1612 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1613 ssl->session_negotiate->compression ) );
1614
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1615 /*
1616 * First write extensions, then the total length
1617 */
1618 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1619 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1620
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1621#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1622 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1623 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1624#endif
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1625
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1626#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1627 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1628 ext_len += olen;
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1629#endif
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1630
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1631#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1632 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1633 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1634#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1635
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1636#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1637 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1638 ext_len += olen;
1639#endif
1640
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1641 SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1642
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1643 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1644 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1645 p += ext_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1646
1647 ssl->out_msglen = p - buf;
1648 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1649 ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
1650
1651 ret = ssl_write_record( ssl );
1652
1653 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
1654
1655 return( ret );
1656}
1657
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1658#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1659 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1660 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1661static int ssl_write_certificate_request( ssl_context *ssl )
1662{
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]1663 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1664 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1665
1666 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1667
1668 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1669 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1670 {
1671 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1672 ssl->state++;
1673 return( 0 );
1674 }
1675
1676 return( ret );
1677}
1678#else
1679static int ssl_write_certificate_request( ssl_context *ssl )
1680{
1681 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1682 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]1683 size_t dn_size, total_dn_size; /* excluding length bytes */
1684 size_t ct_len, sa_len; /* including length bytes */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1685 unsigned char *buf, *p;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1686 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1687
1688 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1689
1690 ssl->state++;
1691
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]1692 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1693 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]1694 ssl->authmode == SSL_VERIFY_NONE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1695 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1696 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1697 return( 0 );
1698 }
1699
1700 /*
1701 * 0 . 0 handshake type
1702 * 1 . 3 handshake length
1703 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1704 * 5 .. m-1 cert types
1705 * m .. m+1 sig alg length (TLS 1.2 only)
1706 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1707 * n .. n+1 length of all DNs
1708 * n+2 .. n+3 length of DN 1
1709 * n+4 .. ... Distinguished Name #1
1710 * ... .. ... length of DN 2, etc.
1711 */
1712 buf = ssl->out_msg;
1713 p = buf + 4;
1714
1715 /*
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]1716 * Supported certificate types
1717 *
1718 * ClientCertificateType certificate_types<1..2^8-1>;
1719 * enum { (255) } ClientCertificateType;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1720 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]1721 ct_len = 0;
1722
1723#if defined(POLARSSL_RSA_C)
1724 p[1 + ct_len++] = SSL_CERT_TYPE_RSA_SIGN;
1725#endif
1726#if defined(POLARSSL_ECDSA_C)
1727 p[1 + ct_len++] = SSL_CERT_TYPE_ECDSA_SIGN;
1728#endif
1729
1730 p[0] = ct_len++;
1731 p += ct_len;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1732
1733 /*
1734 * Add signature_algorithms for verify (TLS 1.2)
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1735 *
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]1736 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
1737 *
1738 * struct {
1739 * HashAlgorithm hash;
1740 * SignatureAlgorithm signature;
1741 * } SignatureAndHashAlgorithm;
1742 *
1743 * enum { (255) } HashAlgorithm;
1744 * enum { (255) } SignatureAlgorithm;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1745 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]1746 sa_len = 0;
Paul Bakker21dca692013-01-03 11:41:08 +0100[diff] [blame]1747 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1748 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]1749 /*
1750 * Only use current running hash algorithm that is already required
1751 * for requested ciphersuite.
1752 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1753 ssl->handshake->verify_sig_alg = SSL_HASH_SHA256;
1754
Paul Bakkerb7149bc2013-03-20 15:30:09 +0100[diff] [blame]1755 if( ssl->transform_negotiate->ciphersuite_info->mac ==
1756 POLARSSL_MD_SHA384 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1757 {
1758 ssl->handshake->verify_sig_alg = SSL_HASH_SHA384;
1759 }
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]1760
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]1761 /*
1762 * Supported signature algorithms
1763 */
1764#if defined(POLARSSL_RSA_C)
1765 p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
1766 p[2 + sa_len++] = SSL_SIG_RSA;
1767#endif
1768#if defined(POLARSSL_ECDSA_C)
1769 p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
1770 p[2 + sa_len++] = SSL_SIG_ECDSA;
1771#endif
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1772
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]1773 p[0] = (unsigned char)( sa_len >> 8 );
1774 p[1] = (unsigned char)( sa_len );
1775 sa_len += 2;
1776 p += sa_len;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1777 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1778
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]1779 /*
1780 * DistinguishedName certificate_authorities<0..2^16-1>;
1781 * opaque DistinguishedName<1..2^16-1>;
1782 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1783 p += 2;
1784 crt = ssl->ca_chain;
1785
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]1786 total_dn_size = 0;
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]1787 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1788 {
1789 if( p - buf > 4096 )
1790 break;
1791
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1792 dn_size = crt->subject_raw.len;
1793 *p++ = (unsigned char)( dn_size >> 8 );
1794 *p++ = (unsigned char)( dn_size );
1795 memcpy( p, crt->subject_raw.p, dn_size );
1796 p += dn_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1797
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1798 SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
1799
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]1800 total_dn_size += 2 + dn_size;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1801 crt = crt->next;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1802 }
1803
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1804 ssl->out_msglen = p - buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1805 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1806 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]1807 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
1808 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1809
1810 ret = ssl_write_record( ssl );
1811
1812 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
1813
1814 return( ret );
1815}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1816#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
1817 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
1818 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1819
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1820static int ssl_write_server_key_exchange( ssl_context *ssl )
1821{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1822 int ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1823 size_t n = 0, len;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1824 unsigned char hash[64];
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1825 md_type_t md_alg = POLARSSL_MD_NONE;
Paul Bakker35a7fe52012-10-31 09:07:14 +0000[diff] [blame]1826 unsigned int hashlen = 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1827 unsigned char *p = ssl->out_msg + 4;
1828 unsigned char *dig_sig = p;
1829 size_t dig_sig_len = 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1830
1831 const ssl_ciphersuite_t *ciphersuite_info;
1832 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1833
1834 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
1835
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1836 if( ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_RSA &&
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1837 ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_ECDHE_RSA &&
1838 ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1839 {
1840 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
1841 ssl->state++;
1842 return( 0 );
1843 }
1844
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1845#if defined(POLARSSL_RSA_C)
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1846 if( ssl->rsa_key == NULL )
1847 {
Paul Bakkereb2c6582012-09-27 19:15:01 +0000[diff] [blame]1848 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
1849 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1850 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1851#endif /* POLARSSL_RSA_C */
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1852
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1853#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1854 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1855 {
1856 /* TODO: Support identity hints */
1857 *(p++) = 0x00;
1858 *(p++) = 0x00;
1859
1860 n += 2;
1861 }
1862#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1863
1864#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1865 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1866 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1867 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1868 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1869 /*
1870 * Ephemeral DH parameters:
1871 *
1872 * struct {
1873 * opaque dh_p<1..2^16-1>;
1874 * opaque dh_g<1..2^16-1>;
1875 * opaque dh_Ys<1..2^16-1>;
1876 * } ServerDHParams;
1877 */
1878 if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
1879 ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
1880 {
1881 SSL_DEBUG_RET( 1, "mpi_copy", ret );
1882 return( ret );
1883 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1884
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1885 if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
1886 mpi_size( &ssl->handshake->dhm_ctx.P ),
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1887 p,
1888 &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1889 {
1890 SSL_DEBUG_RET( 1, "dhm_make_params", ret );
1891 return( ret );
1892 }
1893
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1894 dig_sig = p;
1895 dig_sig_len = len;
1896
1897 p += len;
1898 n += len;
1899
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1900 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
1901 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1902 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1903 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
1904 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1905#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1906 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1907
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1908#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1909 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1910 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1911 /*
1912 * Ephemeral ECDH parameters:
1913 *
1914 * struct {
1915 * ECParameters curve_params;
1916 * ECPoint public;
1917 * } ServerECDHParams;
1918 */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1919 if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
1920 ssl->handshake->ec_curve ) ) != 0 )
1921 {
1922 SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
1923 return( ret );
1924 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1925
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1926 if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx,
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1927 &len,
1928 p,
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1929 1000, ssl->f_rng, ssl->p_rng ) ) != 0 )
1930 {
1931 SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
1932 return( ret );
1933 }
1934
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1935 dig_sig = p;
1936 dig_sig_len = len;
1937
1938 p += len;
1939 n += len;
1940
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1941 SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
1942 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1943#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1944
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1945#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1946 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
1947 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1948 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1949 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1950 size_t rsa_key_len = 0;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1951
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1952 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1953 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1954 md5_context md5;
1955 sha1_context sha1;
1956
1957 /*
1958 * digitally-signed struct {
1959 * opaque md5_hash[16];
1960 * opaque sha_hash[20];
1961 * };
1962 *
1963 * md5_hash
1964 * MD5(ClientHello.random + ServerHello.random
1965 * + ServerParams);
1966 * sha_hash
1967 * SHA(ClientHello.random + ServerHello.random
1968 * + ServerParams);
1969 */
1970 md5_starts( &md5 );
1971 md5_update( &md5, ssl->handshake->randbytes, 64 );
1972 md5_update( &md5, dig_sig, dig_sig_len );
1973 md5_finish( &md5, hash );
1974
1975 sha1_starts( &sha1 );
1976 sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1977 sha1_update( &sha1, dig_sig, dig_sig_len );
1978 sha1_finish( &sha1, hash + 16 );
1979
1980 hashlen = 36;
1981 md_alg = POLARSSL_MD_NONE;
1982 }
1983 else
1984 {
1985 md_context_t ctx;
1986
1987 /*
1988 * digitally-signed struct {
1989 * opaque client_random[32];
1990 * opaque server_random[32];
1991 * ServerDHParams params;
1992 * };
1993 */
1994 switch( ssl->handshake->sig_alg )
1995 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1996#if defined(POLARSSL_MD5_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1997 case SSL_HASH_MD5:
1998 md_alg = POLARSSL_MD_MD5;
1999 break;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2000#endif
2001#if defined(POLARSSL_SHA1_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2002 case SSL_HASH_SHA1:
2003 md_alg = POLARSSL_MD_SHA1;
2004 break;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2005#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]2006#if defined(POLARSSL_SHA256_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2007 case SSL_HASH_SHA224:
2008 md_alg = POLARSSL_MD_SHA224;
2009 break;
2010 case SSL_HASH_SHA256:
2011 md_alg = POLARSSL_MD_SHA256;
2012 break;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2013#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]2014#if defined(POLARSSL_SHA512_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2015 case SSL_HASH_SHA384:
2016 md_alg = POLARSSL_MD_SHA384;
2017 break;
2018 case SSL_HASH_SHA512:
2019 md_alg = POLARSSL_MD_SHA512;
2020 break;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2021#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2022 default:
2023 /* Should never happen */
2024 return( -1 );
2025 }
2026
2027 if( ( ret = md_init_ctx( &ctx, md_info_from_type( md_alg ) ) ) != 0 )
2028 {
2029 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
2030 return( ret );
2031 }
2032
2033 md_starts( &ctx );
2034 md_update( &ctx, ssl->handshake->randbytes, 64 );
2035 md_update( &ctx, dig_sig, dig_sig_len );
2036 md_finish( &ctx, hash );
Paul Bakker61d113b2013-07-04 11:51:43 +0200[diff] [blame]2037
2038 if( ( ret = md_free_ctx( &ctx ) ) != 0 )
2039 {
2040 SSL_DEBUG_RET( 1, "md_free_ctx", ret );
2041 return( ret );
2042 }
2043
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2044 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2045
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2046 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
2047
2048 if ( ssl->rsa_key )
2049 rsa_key_len = ssl->rsa_key_len( ssl->rsa_key );
2050
2051 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2052 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2053 *(p++) = ssl->handshake->sig_alg;
2054 *(p++) = SSL_SIG_RSA;
2055
2056 n += 2;
2057 }
2058
2059 *(p++) = (unsigned char)( rsa_key_len >> 8 );
2060 *(p++) = (unsigned char)( rsa_key_len );
2061 n += 2;
2062
2063 if ( ssl->rsa_key )
2064 {
2065 ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
2066 RSA_PRIVATE, md_alg, hashlen, hash, p );
2067 }
2068
2069 if( ret != 0 )
2070 {
2071 SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2072 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2073 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2074
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2075 SSL_DEBUG_BUF( 3, "my RSA sig", p, rsa_key_len );
2076
2077 p += rsa_key_len;
2078 n += rsa_key_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2079 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2080#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
2081 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2082
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2083 ssl->out_msglen = 4 + n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2084 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2085 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE;
2086
2087 ssl->state++;
2088
2089 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2090 {
2091 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2092 return( ret );
2093 }
2094
2095 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
2096
2097 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2098}
2099
2100static int ssl_write_server_hello_done( ssl_context *ssl )
2101{
2102 int ret;
2103
2104 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
2105
2106 ssl->out_msglen = 4;
2107 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2108 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE;
2109
2110 ssl->state++;
2111
2112 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2113 {
2114 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2115 return( ret );
2116 }
2117
2118 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
2119
2120 return( 0 );
2121}
2122
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2123#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2124 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2125static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
2126 const unsigned char *end )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2127{
2128 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2129 size_t n;
2130
2131 /*
2132 * Receive G^Y mod P, premaster = (G^Y)^X mod P
2133 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2134 if( *p + 2 > end )
2135 {
2136 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2137 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2138 }
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2139
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2140 n = ( (*p)[0] << 8 ) | (*p)[1];
2141 *p += 2;
2142
2143 if( n < 1 || n > ssl->handshake->dhm_ctx.len || *p + n > end )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2144 {
2145 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2146 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2147 }
2148
2149 if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx,
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2150 *p, n ) ) != 0 )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2151 {
2152 SSL_DEBUG_RET( 1, "dhm_read_public", ret );
2153 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2154 }
2155
2156 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2157
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2158 return( ret );
2159}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2160#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2161 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2162
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2163#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2164static int ssl_parse_client_ecdh_public( ssl_context *ssl )
2165{
2166 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2167 size_t n;
2168
2169 /*
2170 * Receive client public key and calculate premaster
2171 */
2172 n = ssl->in_msg[3];
2173
2174 if( n < 1 || n > mpi_size( &ssl->handshake->ecdh_ctx.grp.P ) * 2 + 2 ||
2175 n + 4 != ssl->in_hslen )
2176 {
2177 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2178 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2179 }
2180
2181 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2182 ssl->in_msg + 4, n ) ) != 0 )
2183 {
2184 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2185 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2186 }
2187
2188 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2189
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2190 return( ret );
2191}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2192#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2193
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2194#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2195static int ssl_parse_encrypted_pms_secret( ssl_context *ssl )
2196{
2197 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2198 size_t i, n = 0;
2199
2200 if( ssl->rsa_key == NULL )
2201 {
2202 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2203 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2204 }
2205
2206 /*
2207 * Decrypt the premaster using own private RSA key
2208 */
2209 i = 4;
2210 if( ssl->rsa_key )
2211 n = ssl->rsa_key_len( ssl->rsa_key );
2212 ssl->handshake->pmslen = 48;
2213
2214 if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
2215 {
2216 i += 2;
2217 if( ssl->in_msg[4] != ( ( n >> 8 ) & 0xFF ) ||
2218 ssl->in_msg[5] != ( ( n ) & 0xFF ) )
2219 {
2220 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2221 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2222 }
2223 }
2224
2225 if( ssl->in_hslen != i + n )
2226 {
2227 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2228 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2229 }
2230
2231 if( ssl->rsa_key ) {
2232 ret = ssl->rsa_decrypt( ssl->rsa_key, RSA_PRIVATE,
2233 &ssl->handshake->pmslen,
2234 ssl->in_msg + i,
2235 ssl->handshake->premaster,
2236 sizeof(ssl->handshake->premaster) );
2237 }
2238
2239 if( ret != 0 || ssl->handshake->pmslen != 48 ||
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]2240 ssl->handshake->premaster[0] != ssl->handshake->max_major_ver ||
2241 ssl->handshake->premaster[1] != ssl->handshake->max_minor_ver )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2242 {
2243 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2244
2245 /*
2246 * Protection against Bleichenbacher's attack:
2247 * invalid PKCS#1 v1.5 padding must not cause
2248 * the connection to end immediately; instead,
2249 * send a bad_record_mac later in the handshake.
2250 */
2251 ssl->handshake->pmslen = 48;
2252
2253 ret = ssl->f_rng( ssl->p_rng, ssl->handshake->premaster,
2254 ssl->handshake->pmslen );
2255 if( ret != 0 )
2256 return( ret );
2257 }
2258
2259 return( ret );
2260}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2261#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2262
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2263#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
2264 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2265static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
2266 const unsigned char *end )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2267{
2268 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2269 size_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2270
2271 if( ssl->psk == NULL || ssl->psk_identity == NULL ||
2272 ssl->psk_identity_len == 0 || ssl->psk_len == 0 )
2273 {
2274 SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
2275 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2276 }
2277
2278 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2279 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2280 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2281 if( *p + 2 > end )
2282 {
2283 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2284 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2285 }
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2286
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2287 n = ( (*p)[0] << 8 ) | (*p)[1];
2288 *p += 2;
2289
2290 if( n < 1 || n > 65535 || *p + n > end )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2291 {
2292 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2293 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2294 }
2295
2296 if( n != ssl->psk_identity_len ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2297 memcmp( ssl->psk_identity, *p, n ) != 0 )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2298 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2299 SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2300 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2301 }
2302
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2303 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2304 ret = 0;
2305
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2306 return( ret );
2307}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2308#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED ||
2309 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2310
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2311static int ssl_parse_client_key_exchange( ssl_context *ssl )
2312{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2313 int ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2314 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2315 unsigned char *p, *end;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2316
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2317 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2318
2319 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
2320
2321 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2322 {
2323 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2324 return( ret );
2325 }
2326
2327 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2328 {
2329 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2330 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2331 }
2332
2333 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
2334 {
2335 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2336 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2337 }
2338
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2339 p = ssl->in_msg + 4;
2340 end = ssl->in_msg + ssl->in_msglen;
2341
2342#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2343 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2344 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2345 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2346 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2347 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2348 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2349 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2350
2351 ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
2352
2353 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2354 ssl->handshake->premaster,
2355 &ssl->handshake->pmslen ) ) != 0 )
2356 {
2357 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2358 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2359 }
2360
2361 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2362 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2363 else
2364#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
2365#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
2366 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2367 {
2368 if( ( ret = ssl_parse_client_ecdh_public( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2369 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2370 SSL_DEBUG_RET( 1, ( "ssl_parse_client_ecdh_public" ), ret );
2371 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2372 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2373
2374 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2375 &ssl->handshake->pmslen,
2376 ssl->handshake->premaster,
2377 POLARSSL_MPI_MAX_SIZE ) ) != 0 )
2378 {
2379 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
2380 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2381 }
2382
2383 SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2384 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2385 else
2386#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2387#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2388 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2389 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2390 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2391 {
2392 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2393 return( ret );
2394 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2395
2396 // Set up the premaster secret
2397 //
2398 p = ssl->handshake->premaster;
2399 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2400 *(p++) = (unsigned char)( ssl->psk_len );
2401 p += ssl->psk_len;
2402
2403 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2404 *(p++) = (unsigned char)( ssl->psk_len );
2405 memcpy( p, ssl->psk, ssl->psk_len );
2406 p += ssl->psk_len;
2407
2408 ssl->handshake->pmslen = 4 + 2 * ssl->psk_len;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2409 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2410 else
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2411#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
2412#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2413 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2414 {
2415 size_t n;
2416
2417 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2418 {
2419 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2420 return( ret );
2421 }
2422 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2423 {
2424 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2425 return( ret );
2426 }
2427
2428 // Set up the premaster secret
2429 //
2430 p = ssl->handshake->premaster;
2431 *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len >> 8 );
2432 *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len );
2433
2434 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2435 p, &n ) ) != 0 )
2436 {
2437 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2438 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2439 }
2440
2441 if( n != ssl->handshake->dhm_ctx.len )
2442 {
2443 SSL_DEBUG_MSG( 1, ( "dhm_calc_secret result smaller than DHM" ) );
2444 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
2445 }
2446
2447 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2448
2449 p += ssl->handshake->dhm_ctx.len;
2450
2451 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2452 *(p++) = (unsigned char)( ssl->psk_len );
2453 memcpy( p, ssl->psk, ssl->psk_len );
2454 p += ssl->psk_len;
2455
2456 ssl->handshake->pmslen = 4 + ssl->handshake->dhm_ctx.len + ssl->psk_len;
2457 }
2458 else
2459#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2460#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2461 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2462 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2463 if( ( ret = ssl_parse_encrypted_pms_secret( ssl ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2464 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2465 SSL_DEBUG_RET( 1, ( "ssl_parse_client_ecdh_public" ), ret );
2466 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2467 }
2468 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2469 else
2470#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2471 {
2472 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
2473 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2474
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2475 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2476 {
2477 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2478 return( ret );
2479 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2480
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2481 ssl->state++;
2482
2483 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
2484
2485 return( 0 );
2486}
2487
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2488#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2489 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2490 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2491static int ssl_parse_certificate_verify( ssl_context *ssl )
2492{
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2493 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2494 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2495
2496 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2497
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2498 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2499 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2500 {
2501 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2502 ssl->state++;
2503 return( 0 );
2504 }
2505
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2506 return( ret );
2507}
2508#else
2509static int ssl_parse_certificate_verify( ssl_context *ssl )
2510{
2511 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2512 size_t sa_len, sig_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2513 unsigned char hash[48];
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2514 size_t hashlen;
2515 pk_type_t pk_alg;
2516 md_type_t md_alg;
2517 const md_info_t *md_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2518 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2519
2520 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2521
2522 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2523 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2524 {
2525 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2526 ssl->state++;
2527 return( 0 );
2528 }
2529
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2530 if( ssl->session_negotiate->peer_cert == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2531 {
2532 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2533 ssl->state++;
2534 return( 0 );
2535 }
2536
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2537 ssl->handshake->calc_verify( ssl, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2538
2539 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2540 {
2541 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2542 return( ret );
2543 }
2544
2545 ssl->state++;
2546
2547 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2548 {
2549 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2550 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2551 }
2552
2553 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
2554 {
2555 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2556 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2557 }
2558
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2559 /*
2560 * 0 . 0 handshake type
2561 * 1 . 3 handshake length
2562 * 4 . 5 sig alg (TLS 1.2 only)
2563 * 4+n . 5+n signature length (n = sa_len)
2564 * 6+n . 6+n+m signature (m = sig_len)
2565 */
2566
2567 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2568 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2569 sa_len = 0;
2570
2571 md_alg = POLARSSL_MD_NONE;
2572 hashlen = 36;
2573 }
2574 else
2575 {
2576 sa_len = 2;
2577
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2578 /*
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2579 * Hash: as server we know we either have SSL_HASH_SHA384 or
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2580 * SSL_HASH_SHA256
2581 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2582 if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2583 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2584 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
2585 " for verify message" ) );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2586 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
2587 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2588
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2589 if( ssl->handshake->verify_sig_alg == SSL_HASH_SHA384 )
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2590 md_alg = POLARSSL_MD_SHA384;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2591 else
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2592 md_alg = POLARSSL_MD_SHA256;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2593
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2594 /*
2595 * Get hashlen from MD
2596 */
2597 if( ( md_info = md_info_from_type( md_alg ) ) == NULL )
2598 {
2599 SSL_DEBUG_MSG( 1, ( "requested hash not available " ) );
2600 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
2601 }
2602 hashlen = md_info->size;
2603
2604 /*
2605 * Signature
2606 */
2607 switch( ssl->in_msg[5] )
2608 {
2609#if defined(POLARSSL_RSA_C)
2610 case SSL_SIG_RSA:
2611 pk_alg = POLARSSL_PK_RSA;
2612 break;
2613#endif
2614
2615#if defined(POLARSSL_ECDSA_C)
2616 case SSL_SIG_ECDSA:
2617 pk_alg = POLARSSL_PK_ECDSA;
2618 break;
2619#endif
2620
2621 default:
2622 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
2623 " for verify message" ) );
2624 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
2625 }
2626
2627
2628 /*
2629 * Check the certificate's key type matches the signature alg
2630 */
2631 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
2632 {
2633 SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
2634 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
2635 }
2636
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2637 }
2638
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2639 sig_len = ( ssl->in_msg[4 + sa_len] << 8 ) | ssl->in_msg[5 + sa_len];
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2640
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2641 if( sa_len + sig_len + 6 != ssl->in_hslen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2642 {
2643 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2644 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2645 }
2646
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2647 ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
2648 md_alg, hash, hashlen,
2649 ssl->in_msg + 6 + sa_len, sig_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2650 if( ret != 0 )
2651 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2652 SSL_DEBUG_RET( 1, "pk_verify", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2653 return( ret );
2654 }
2655
2656 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
2657
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2658 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2659}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2660#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2661 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2662 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2663
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2664#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2665static int ssl_write_new_session_ticket( ssl_context *ssl )
2666{
2667 int ret;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2668 size_t tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2669
2670 SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
2671
2672 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2673 ssl->out_msg[0] = SSL_HS_NEW_SESSION_TICKET;
2674
2675 /*
2676 * struct {
2677 * uint32 ticket_lifetime_hint;
2678 * opaque ticket<0..2^16-1>;
2679 * } NewSessionTicket;
2680 *
2681 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
2682 * 8 . 9 ticket_len (n)
2683 * 10 . 9+n ticket content
2684 */
2685 ssl->out_msg[4] = 0x00;
2686 ssl->out_msg[5] = 0x00;
2687 ssl->out_msg[6] = 0x00;
2688 ssl->out_msg[7] = 0x00;
2689
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]2690 if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
2691 {
2692 SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
2693 tlen = 0;
2694 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2695
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2696 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
2697 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2698
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2699 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2700
2701 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2702 {
2703 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2704 return( ret );
2705 }
2706
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2707 /* No need to remember writing a NewSessionTicket any more */
2708 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2709
2710 SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
2711
2712 return( 0 );
2713}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2714#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2715
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2716/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2717 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2718 */
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2719int ssl_handshake_server_step( ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2720{
2721 int ret = 0;
2722
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2723 if( ssl->state == SSL_HANDSHAKE_OVER )
2724 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2725
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2726 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
2727
2728 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2729 return( ret );
2730
2731 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2732 {
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2733 case SSL_HELLO_REQUEST:
2734 ssl->state = SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2735 break;
2736
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2737 /*
2738 * <== ClientHello
2739 */
2740 case SSL_CLIENT_HELLO:
2741 ret = ssl_parse_client_hello( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2742 break;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2743
2744 /*
2745 * ==> ServerHello
2746 * Certificate
2747 * ( ServerKeyExchange )
2748 * ( CertificateRequest )
2749 * ServerHelloDone
2750 */
2751 case SSL_SERVER_HELLO:
2752 ret = ssl_write_server_hello( ssl );
2753 break;
2754
2755 case SSL_SERVER_CERTIFICATE:
2756 ret = ssl_write_certificate( ssl );
2757 break;
2758
2759 case SSL_SERVER_KEY_EXCHANGE:
2760 ret = ssl_write_server_key_exchange( ssl );
2761 break;
2762
2763 case SSL_CERTIFICATE_REQUEST:
2764 ret = ssl_write_certificate_request( ssl );
2765 break;
2766
2767 case SSL_SERVER_HELLO_DONE:
2768 ret = ssl_write_server_hello_done( ssl );
2769 break;
2770
2771 /*
2772 * <== ( Certificate/Alert )
2773 * ClientKeyExchange
2774 * ( CertificateVerify )
2775 * ChangeCipherSpec
2776 * Finished
2777 */
2778 case SSL_CLIENT_CERTIFICATE:
2779 ret = ssl_parse_certificate( ssl );
2780 break;
2781
2782 case SSL_CLIENT_KEY_EXCHANGE:
2783 ret = ssl_parse_client_key_exchange( ssl );
2784 break;
2785
2786 case SSL_CERTIFICATE_VERIFY:
2787 ret = ssl_parse_certificate_verify( ssl );
2788 break;
2789
2790 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
2791 ret = ssl_parse_change_cipher_spec( ssl );
2792 break;
2793
2794 case SSL_CLIENT_FINISHED:
2795 ret = ssl_parse_finished( ssl );
2796 break;
2797
2798 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2799 * ==> ( NewSessionTicket )
2800 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2801 * Finished
2802 */
2803 case SSL_SERVER_CHANGE_CIPHER_SPEC:
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2804#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2805 if( ssl->handshake->new_session_ticket != 0 )
2806 ret = ssl_write_new_session_ticket( ssl );
2807 else
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2808#endif
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2809 ret = ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2810 break;
2811
2812 case SSL_SERVER_FINISHED:
2813 ret = ssl_write_finished( ssl );
2814 break;
2815
2816 case SSL_FLUSH_BUFFERS:
2817 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2818 ssl->state = SSL_HANDSHAKE_WRAPUP;
2819 break;
2820
2821 case SSL_HANDSHAKE_WRAPUP:
2822 ssl_handshake_wrapup( ssl );
2823 break;
2824
2825 default:
2826 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2827 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2828 }
2829
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2830 return( ret );
2831}
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2832#endif