TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 936539ad4b64ba9200a7fe004d4edd6c4a5946f5 / . / library / ssl_srv.c
blob: 0dbcdb5edac258ffca2f2bb9c55f75bcc0f0da1e [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 server-side functions
3 *
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]26#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]28#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]30#include "polarssl/debug.h"
31#include "polarssl/ssl.h"
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]32#if defined(POLARSSL_ECP_C)
33#include "polarssl/ecp.h"
34#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]36#if defined(POLARSSL_MEMORY_C)
37#include "polarssl/memory.h"
38#else
39#define polarssl_malloc malloc
40#define polarssl_free free
41#endif
42
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43#include <stdlib.h>
44#include <stdio.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]45
46#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47#include <time.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]48#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]49
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]50#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]51/*
52 * Serialize a session in the following format:
53 * 0 . n-1 session structure, n = sizeof(ssl_session)
54 * n . n+2 peer_cert length = m (0 if no certificate)
55 * n+3 . n+2+m peer cert ASN.1
56 *
57 * Assumes ticket is NULL (always true on server side).
58 */
59static void ssl_save_session( const ssl_session *session,
60 unsigned char *buf, size_t *olen )
61{
62 unsigned char *p = buf;
63#if defined(POLARSSL_X509_PARSE_C)
64 size_t cert_len;
65#endif /* POLARSSL_X509_PARSE_C */
66
67 memcpy( p, session, sizeof( ssl_session ) );
68 p += sizeof( ssl_session );
69
70#if defined(POLARSSL_X509_PARSE_C)
71 ((ssl_session *) buf)->peer_cert = NULL;
72
73 if( session->peer_cert == NULL )
74 cert_len = 0;
75 else
76 cert_len = session->peer_cert->raw.len;
77
78 *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
79 *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
80 *p++ = (unsigned char)( cert_len & 0xFF );
81
82 if( session->peer_cert != NULL )
83 memcpy( p, session->peer_cert->raw.p, cert_len );
84
85 p += cert_len;
86#endif /* POLARSSL_X509_PARSE_C */
87
88 *olen = p - buf;
89}
90
91/*
92 * Unserialise session, see ssl_save_session()
93 */
94static int ssl_load_session( ssl_session *session,
95 const unsigned char *buf, size_t len )
96{
97 int ret;
98 const unsigned char *p = buf;
99 const unsigned char * const end = buf + len;
100#if defined(POLARSSL_X509_PARSE_C)
101 size_t cert_len;
102#endif /* POLARSSL_X509_PARSE_C */
103
104 if( p + sizeof( ssl_session ) > end )
105 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
106
107 memcpy( session, p, sizeof( ssl_session ) );
108 p += sizeof( ssl_session );
109
110#if defined(POLARSSL_X509_PARSE_C)
111 if( p + 3 > end )
112 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
113
114 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
115 p += 3;
116
117 if( cert_len == 0 )
118 {
119 session->peer_cert = NULL;
120 }
121 else
122 {
123 if( p + cert_len > end )
124 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
125
126 session->peer_cert = polarssl_malloc( cert_len );
127
128 if( session->peer_cert == NULL )
129 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
130
131 memset( session->peer_cert, 0, sizeof( x509_cert ) );
132
133 if( ( ret = x509parse_crt( session->peer_cert, p, cert_len ) ) != 0 )
134 {
135 polarssl_free( session->peer_cert );
136 free( session->peer_cert );
137 session->peer_cert = NULL;
138 return( ret );
139 }
140
141 p += cert_len;
142 }
143#endif /* POLARSSL_X509_PARSE_C */
144
145 if( p != end )
146 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
147
148 return( 0 );
149}
150
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]151/*
152 * Create session ticket, secured as recommended in RFC 5077 section 4:
153 *
154 * struct {
155 * opaque key_name[16];
156 * opaque iv[16];
157 * opaque encrypted_state<0..2^16-1>;
158 * opaque mac[32];
159 * } ticket;
160 *
161 * (the internal state structure differs, however).
162 */
163static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
164{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]165 int ret;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]166 unsigned char * const start = ssl->out_msg + 10;
167 unsigned char *p = start;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]168 unsigned char *state;
169 unsigned char iv[16];
170 size_t clear_len, enc_len, pad_len, i;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]171
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]172 if( ssl->ticket_keys == NULL )
173 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
174
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]175 /* Write key name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]176 memcpy( p, ssl->ticket_keys->key_name, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]177 p += 16;
178
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]179 /* Generate and write IV (with a copy for aes_crypt) */
180 if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
181 return( ret );
182 memcpy( iv, p, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]183 p += 16;
184
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]185 /* Dump session state */
186 state = p + 2;
187 ssl_save_session( ssl->session_negotiate, state, &clear_len );
188 SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]189
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]190 /* Apply PKCS padding */
191 pad_len = 16 - clear_len % 16;
192 enc_len = clear_len + pad_len;
193 for( i = clear_len; i < enc_len; i++ )
194 state[i] = (unsigned char) pad_len;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]195
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]196 /* Encrypt */
197 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
198 enc_len, iv, state, state ) ) != 0 )
199 {
200 return( ret );
201 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]202
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]203 /* Write length */
204 *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
205 *p++ = (unsigned char)( ( enc_len ) & 0xFF );
206 p = state + enc_len;
207
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]208 /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
209 sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]210 p += 32;
211
212 *tlen = p - start;
213
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]214 SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]215
216 return( 0 );
217}
218
219/*
220 * Load session ticket (see ssl_write_ticket for structure)
221 */
222static int ssl_parse_ticket( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]223 unsigned char *buf,
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]224 size_t len )
225{
226 int ret;
227 ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]228 unsigned char *key_name = buf;
229 unsigned char *iv = buf + 16;
230 unsigned char *enc_len_p = iv + 16;
231 unsigned char *ticket = enc_len_p + 2;
232 unsigned char *mac;
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]233 unsigned char computed_mac[16];
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]234 size_t enc_len, clear_len, i;
235 unsigned char pad_len;
236
237 SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]238
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]239 if( len < 34 || ssl->ticket_keys == NULL )
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]240 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
241
242 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
243 mac = ticket + enc_len;
244
245 if( len != enc_len + 66 )
246 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
247
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]248 /* Check name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]249 if( memcmp( key_name, ssl->ticket_keys->key_name, 16 ) != 0 )
250 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]251
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]252 /* Check mac */
253 sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
254 computed_mac, 0 );
255 ret = 0;
256 for( i = 0; i < 32; i++ )
257 if( mac[i] != computed_mac[i] )
258 ret = POLARSSL_ERR_SSL_INVALID_MAC;
259 if( ret != 0 )
260 return( ret );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]261
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]262 /* Decrypt */
263 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
264 enc_len, iv, ticket, ticket ) ) != 0 )
265 {
266 return( ret );
267 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]268
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]269 /* Check PKCS padding */
270 pad_len = ticket[enc_len - 1];
271
272 ret = 0;
273 for( i = 2; i < pad_len; i++ )
274 if( ticket[enc_len - i] != pad_len )
275 ret = POLARSSL_ERR_SSL_BAD_INPUT_DATA;
276 if( ret != 0 )
277 return( ret );
278
279 clear_len = enc_len - pad_len;
280
281 SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
282
283 /* Actually load session */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]284 if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
285 {
286 SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
287 memset( &session, 0, sizeof( ssl_session ) );
288 return( ret );
289 }
290
291 /*
292 * Keep the session ID sent by the client, since we MUST send it back to
293 * inform him we're accepting the ticket (RFC 5077 section 3.4)
294 */
295 session.length = ssl->session_negotiate->length;
296 memcpy( &session.id, ssl->session_negotiate->id, session.length );
297
298 ssl_session_free( ssl->session_negotiate );
299 memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
300 memset( &session, 0, sizeof( ssl_session ) );
301
302 return( 0 );
303}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]304#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]305
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]306static int ssl_parse_servername_ext( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]307 const unsigned char *buf,
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]308 size_t len )
309{
310 int ret;
311 size_t servername_list_size, hostname_len;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]312 const unsigned char *p;
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]313
314 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
315 if( servername_list_size + 2 != len )
316 {
317 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
318 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
319 }
320
321 p = buf + 2;
322 while( servername_list_size > 0 )
323 {
324 hostname_len = ( ( p[1] << 8 ) | p[2] );
325 if( hostname_len + 3 > servername_list_size )
326 {
327 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
328 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
329 }
330
331 if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
332 {
333 ret = ssl->f_sni( ssl->p_sni, ssl, p + 3, hostname_len );
334 if( ret != 0 )
335 {
336 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
337 SSL_ALERT_MSG_UNRECOGNIZED_NAME );
338 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
339 }
Paul Bakker81420ab2012-10-23 10:31:15 +0000[diff] [blame]340 return( 0 );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]341 }
342
343 servername_list_size -= hostname_len + 3;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]344 p += hostname_len + 3;
345 }
346
347 if( servername_list_size != 0 )
348 {
349 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
350 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]351 }
352
353 return( 0 );
354}
355
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]356static int ssl_parse_renegotiation_info( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]357 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]358 size_t len )
359{
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]360 int ret;
361
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]362 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
363 {
364 if( len != 1 || buf[0] != 0x0 )
365 {
366 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]367
368 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
369 return( ret );
370
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]371 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
372 }
373
374 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
375 }
376 else
377 {
378 if( len != 1 + ssl->verify_data_len ||
379 buf[0] != ssl->verify_data_len ||
380 memcmp( buf + 1, ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
381 {
382 SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]383
384 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
385 return( ret );
386
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]387 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
388 }
389 }
390
391 return( 0 );
392}
393
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]394static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
395 const unsigned char *buf,
396 size_t len )
397{
398 size_t sig_alg_list_size;
399 const unsigned char *p;
400
401 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
402 if( sig_alg_list_size + 2 != len ||
403 sig_alg_list_size %2 != 0 )
404 {
405 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
406 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
407 }
408
409 p = buf + 2;
410 while( sig_alg_list_size > 0 )
411 {
412 if( p[1] != SSL_SIG_RSA )
Paul Bakker8611e732012-10-30 07:52:29 +0000[diff] [blame]413 {
414 sig_alg_list_size -= 2;
415 p += 2;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]416 continue;
Paul Bakker8611e732012-10-30 07:52:29 +0000[diff] [blame]417 }
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]418#if defined(POLARSSL_SHA512_C)
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]419 if( p[0] == SSL_HASH_SHA512 )
420 {
421 ssl->handshake->sig_alg = SSL_HASH_SHA512;
422 break;
423 }
424 if( p[0] == SSL_HASH_SHA384 )
425 {
426 ssl->handshake->sig_alg = SSL_HASH_SHA384;
427 break;
428 }
429#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]430#if defined(POLARSSL_SHA256_C)
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]431 if( p[0] == SSL_HASH_SHA256 )
432 {
433 ssl->handshake->sig_alg = SSL_HASH_SHA256;
434 break;
435 }
436 if( p[0] == SSL_HASH_SHA224 )
437 {
438 ssl->handshake->sig_alg = SSL_HASH_SHA224;
439 break;
440 }
441#endif
442 if( p[0] == SSL_HASH_SHA1 )
443 {
444 ssl->handshake->sig_alg = SSL_HASH_SHA1;
445 break;
446 }
447 if( p[0] == SSL_HASH_MD5 )
448 {
449 ssl->handshake->sig_alg = SSL_HASH_MD5;
450 break;
451 }
452
453 sig_alg_list_size -= 2;
454 p += 2;
455 }
456
457 SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
458 ssl->handshake->sig_alg ) );
459
460 return( 0 );
461}
462
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]463#if defined(POLARSSL_ECP_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]464static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
465 const unsigned char *buf,
466 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]467{
468 size_t list_size;
469 const unsigned char *p;
470
471 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
472 if( list_size + 2 != len ||
473 list_size % 2 != 0 )
474 {
475 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
476 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
477 }
478
479 p = buf + 2;
480 while( list_size > 0 )
481 {
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]482#if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
483 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP192R1 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]484 {
485 ssl->handshake->ec_curve = p[1];
486 return( 0 );
487 }
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]488#endif
489#if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
490 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP224R1 )
491 {
492 ssl->handshake->ec_curve = p[1];
493 return( 0 );
494 }
495#endif
496#if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
497 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP256R1 )
498 {
499 ssl->handshake->ec_curve = p[1];
500 return( 0 );
501 }
502#endif
503#if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
504 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP384R1 )
505 {
506 ssl->handshake->ec_curve = p[1];
507 return( 0 );
508 }
509#endif
510#if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
511 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP521R1 )
512 {
513 ssl->handshake->ec_curve = p[1];
514 return( 0 );
515 }
516#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]517
518 list_size -= 2;
519 p += 2;
520 }
521
522 return( 0 );
523}
524
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]525static int ssl_parse_supported_point_formats( ssl_context *ssl,
526 const unsigned char *buf,
527 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]528{
529 size_t list_size;
530 const unsigned char *p;
531
532 list_size = buf[0];
533 if( list_size + 1 != len )
534 {
535 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
536 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
537 }
538
539 p = buf + 2;
540 while( list_size > 0 )
541 {
542 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
543 p[0] == POLARSSL_ECP_PF_COMPRESSED )
544 {
545 ssl->handshake->ec_point_format = p[0];
546 return( 0 );
547 }
548
549 list_size--;
550 p++;
551 }
552
553 return( 0 );
554}
555#endif /* POLARSSL_ECP_C */
556
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]557static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
558 const unsigned char *buf,
559 size_t len )
560{
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]561 if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]562 {
563 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
564 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
565 }
566
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]567 ssl->session_negotiate->mfl_code = buf[0];
568
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]569 return( 0 );
570}
571
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]572static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
573 const unsigned char *buf,
574 size_t len )
575{
576 if( len != 0 )
577 {
578 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
579 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
580 }
581
582 ((void) buf);
583
584 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
585
586 return( 0 );
587}
588
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]589#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]590static int ssl_parse_session_ticket_ext( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]591 unsigned char *buf,
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]592 size_t len )
593{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]594 int ret;
595
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]596 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
597 return( 0 );
598
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]599 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]600 ssl->handshake->new_session_ticket = 1;
601
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]602 SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
603
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]604 if( len == 0 )
605 return( 0 );
606
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]607 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
608 {
609 SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
610 return( 0 );
611 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]612
613 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]614 * Failures are ok: just ignore the ticket and proceed.
615 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]616 if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
617 {
618 SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]619 return( 0 );
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]620 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]621
622 SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
623
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]624 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]625
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]626 /* Don't send a new ticket after all, this one is OK */
627 ssl->handshake->new_session_ticket = 0;
628
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]629 return( 0 );
630}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]631#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]632
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]633#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
634static int ssl_parse_client_hello_v2( ssl_context *ssl )
635{
636 int ret;
637 unsigned int i, j;
638 size_t n;
639 unsigned int ciph_len, sess_len, chal_len;
640 unsigned char *buf, *p;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]641 const int *ciphersuites;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]642 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]643
644 SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
645
646 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
647 {
648 SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
649
650 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
651 return( ret );
652
653 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
654 }
655
656 buf = ssl->in_hdr;
657
658 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
659
660 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
661 buf[2] ) );
662 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
663 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
664 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
665 buf[3], buf[4] ) );
666
667 /*
668 * SSLv2 Client Hello
669 *
670 * Record layer:
671 * 0 . 1 message length
672 *
673 * SSL layer:
674 * 2 . 2 message type
675 * 3 . 4 protocol version
676 */
677 if( buf[2] != SSL_HS_CLIENT_HELLO ||
678 buf[3] != SSL_MAJOR_VERSION_3 )
679 {
680 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
681 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
682 }
683
684 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
685
686 if( n < 17 || n > 512 )
687 {
688 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
689 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
690 }
691
692 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]693 ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
694 ? buf[4] : ssl->max_minor_ver;
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]695
696 if( ssl->minor_ver < ssl->min_minor_ver )
697 {
698 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
699 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
700 ssl->min_major_ver, ssl->min_minor_ver ) );
701
702 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
703 SSL_ALERT_MSG_PROTOCOL_VERSION );
704 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
705 }
706
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]707 ssl->handshake->max_major_ver = buf[3];
708 ssl->handshake->max_minor_ver = buf[4];
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]709
710 if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
711 {
712 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
713 return( ret );
714 }
715
716 ssl->handshake->update_checksum( ssl, buf + 2, n );
717
718 buf = ssl->in_msg;
719 n = ssl->in_left - 5;
720
721 /*
722 * 0 . 1 ciphersuitelist length
723 * 2 . 3 session id length
724 * 4 . 5 challenge length
725 * 6 . .. ciphersuitelist
726 * .. . .. session id
727 * .. . .. challenge
728 */
729 SSL_DEBUG_BUF( 4, "record contents", buf, n );
730
731 ciph_len = ( buf[0] << 8 ) | buf[1];
732 sess_len = ( buf[2] << 8 ) | buf[3];
733 chal_len = ( buf[4] << 8 ) | buf[5];
734
735 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
736 ciph_len, sess_len, chal_len ) );
737
738 /*
739 * Make sure each parameter length is valid
740 */
741 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
742 {
743 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
744 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
745 }
746
747 if( sess_len > 32 )
748 {
749 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
750 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
751 }
752
753 if( chal_len < 8 || chal_len > 32 )
754 {
755 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
756 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
757 }
758
759 if( n != 6 + ciph_len + sess_len + chal_len )
760 {
761 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
762 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
763 }
764
765 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
766 buf + 6, ciph_len );
767 SSL_DEBUG_BUF( 3, "client hello, session id",
768 buf + 6 + ciph_len, sess_len );
769 SSL_DEBUG_BUF( 3, "client hello, challenge",
770 buf + 6 + ciph_len + sess_len, chal_len );
771
772 p = buf + 6 + ciph_len;
773 ssl->session_negotiate->length = sess_len;
774 memset( ssl->session_negotiate->id, 0, sizeof( ssl->session_negotiate->id ) );
775 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
776
777 p += sess_len;
778 memset( ssl->handshake->randbytes, 0, 64 );
779 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
780
781 /*
782 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
783 */
784 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
785 {
786 if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
787 {
788 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
789 if( ssl->renegotiation == SSL_RENEGOTIATION )
790 {
791 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
792
793 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
794 return( ret );
795
796 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
797 }
798 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
799 break;
800 }
801 }
802
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]803 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
804 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]805 {
806 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
807 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]808 // Only allow non-ECC ciphersuites as we do not have extensions
809 //
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]810 if( p[0] == 0 && p[1] == 0 &&
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]811 ( ( ciphersuites[i] >> 8 ) & 0xFF ) == 0 &&
812 p[2] == ( ciphersuites[i] & 0xFF ) )
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]813 {
814 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
815
816 if( ciphersuite_info == NULL )
817 {
818 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
819 ciphersuites[i] ) );
820 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
821 }
822
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]823 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
824 ciphersuite_info->max_minor_ver < ssl->minor_ver )
825 continue;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]826
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]827 goto have_ciphersuite_v2;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]828 }
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]829 }
830 }
831
832 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
833
834 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
835
836have_ciphersuite_v2:
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]837 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]838 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]839 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]840
841 /*
842 * SSLv2 Client Hello relevant renegotiation security checks
843 */
844 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
845 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
846 {
847 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
848
849 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
850 return( ret );
851
852 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
853 }
854
855 ssl->in_left = 0;
856 ssl->state++;
857
858 SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
859
860 return( 0 );
861}
862#endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
863
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]864static int ssl_parse_client_hello( ssl_context *ssl )
865{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]866 int ret;
867 unsigned int i, j;
868 size_t n;
869 unsigned int ciph_len, sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]870 unsigned int comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]871 unsigned int ext_len = 0;
872 unsigned char *buf, *p, *ext;
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]873 int renegotiation_info_seen = 0;
874 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]875 const int *ciphersuites;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]876 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]877
878 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
879
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]880 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
881 ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]882 {
883 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
884 return( ret );
885 }
886
887 buf = ssl->in_hdr;
888
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]889#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
890 if( ( buf[0] & 0x80 ) != 0 )
891 return ssl_parse_client_hello_v2( ssl );
892#endif
893
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]894 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
895
896 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
897 buf[0] ) );
898 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
899 ( buf[3] << 8 ) | buf[4] ) );
900 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
901 buf[1], buf[2] ) );
902
903 /*
904 * SSLv3 Client Hello
905 *
906 * Record layer:
907 * 0 . 0 message type
908 * 1 . 2 protocol version
909 * 3 . 4 message length
910 */
911 if( buf[0] != SSL_MSG_HANDSHAKE ||
912 buf[1] != SSL_MAJOR_VERSION_3 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]913 {
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]914 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
915 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
916 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]917
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]918 n = ( buf[3] << 8 ) | buf[4];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]919
Manuel Pégourié-Gonnard72882b22013-08-02 13:36:00 +0200[diff] [blame]920 if( n < 45 || n > 2048 )
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]921 {
922 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
923 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
924 }
925
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]926 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
927 ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]928 {
929 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
930 return( ret );
931 }
932
933 buf = ssl->in_msg;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]934 if( !ssl->renegotiation )
935 n = ssl->in_left - 5;
936 else
937 n = ssl->in_msglen;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]938
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]939 ssl->handshake->update_checksum( ssl, buf, n );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]940
941 /*
942 * SSL layer:
943 * 0 . 0 handshake type
944 * 1 . 3 handshake length
945 * 4 . 5 protocol version
946 * 6 . 9 UNIX time()
947 * 10 . 37 random bytes
948 * 38 . 38 session id length
949 * 39 . 38+x session id
950 * 39+x . 40+x ciphersuitelist length
951 * 41+x . .. ciphersuitelist
952 * .. . .. compression alg.
953 * .. . .. extensions
954 */
955 SSL_DEBUG_BUF( 4, "record contents", buf, n );
956
957 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
958 buf[0] ) );
959 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
960 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
961 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
962 buf[4], buf[5] ) );
963
964 /*
965 * Check the handshake type and protocol version
966 */
967 if( buf[0] != SSL_HS_CLIENT_HELLO ||
968 buf[4] != SSL_MAJOR_VERSION_3 )
969 {
970 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
971 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
972 }
973
974 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]975 ssl->minor_ver = ( buf[5] <= ssl->max_minor_ver )
976 ? buf[5] : ssl->max_minor_ver;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]977
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]978 if( ssl->minor_ver < ssl->min_minor_ver )
979 {
980 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
981 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
Paul Bakker81420ab2012-10-23 10:31:15 +0000[diff] [blame]982 ssl->min_major_ver, ssl->min_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]983
984 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
985 SSL_ALERT_MSG_PROTOCOL_VERSION );
986
987 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
988 }
989
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]990 ssl->handshake->max_major_ver = buf[4];
991 ssl->handshake->max_minor_ver = buf[5];
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]992
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]993 memcpy( ssl->handshake->randbytes, buf + 6, 32 );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]994
995 /*
996 * Check the handshake message length
997 */
998 if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
999 {
1000 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1001 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1002 }
1003
1004 /*
1005 * Check the session length
1006 */
1007 sess_len = buf[38];
1008
1009 if( sess_len > 32 )
1010 {
1011 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1012 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1013 }
1014
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1015 ssl->session_negotiate->length = sess_len;
1016 memset( ssl->session_negotiate->id, 0,
1017 sizeof( ssl->session_negotiate->id ) );
1018 memcpy( ssl->session_negotiate->id, buf + 39,
1019 ssl->session_negotiate->length );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1020
1021 /*
1022 * Check the ciphersuitelist length
1023 */
1024 ciph_len = ( buf[39 + sess_len] << 8 )
1025 | ( buf[40 + sess_len] );
1026
1027 if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
1028 {
1029 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1030 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1031 }
1032
1033 /*
1034 * Check the compression algorithms length
1035 */
1036 comp_len = buf[41 + sess_len + ciph_len];
1037
1038 if( comp_len < 1 || comp_len > 16 )
1039 {
1040 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1041 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1042 }
1043
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1044 /*
1045 * Check the extension length
1046 */
1047 if( n > 42 + sess_len + ciph_len + comp_len )
1048 {
1049 ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
1050 | ( buf[43 + sess_len + ciph_len + comp_len] );
1051
1052 if( ( ext_len > 0 && ext_len < 4 ) ||
1053 n != 44 + sess_len + ciph_len + comp_len + ext_len )
1054 {
1055 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1056 SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
1057 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1058 }
1059 }
1060
1061 ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1062#if defined(POLARSSL_ZLIB_SUPPORT)
1063 for( i = 0; i < comp_len; ++i )
1064 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1065 if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1066 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1067 ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1068 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1069 }
1070 }
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1071#endif
1072
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1073 SSL_DEBUG_BUF( 3, "client hello, random bytes",
1074 buf + 6, 32 );
1075 SSL_DEBUG_BUF( 3, "client hello, session id",
1076 buf + 38, sess_len );
1077 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1078 buf + 41 + sess_len, ciph_len );
1079 SSL_DEBUG_BUF( 3, "client hello, compression",
1080 buf + 42 + sess_len + ciph_len, comp_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1081
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1082 /*
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1083 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1084 */
1085 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1086 {
1087 if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
1088 {
1089 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1090 if( ssl->renegotiation == SSL_RENEGOTIATION )
1091 {
1092 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1093
1094 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1095 return( ret );
1096
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1097 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1098 }
1099 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
1100 break;
1101 }
1102 }
1103
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1104 ext = buf + 44 + sess_len + ciph_len + comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1105
1106 while( ext_len )
1107 {
1108 unsigned int ext_id = ( ( ext[0] << 8 )
1109 | ( ext[1] ) );
1110 unsigned int ext_size = ( ( ext[2] << 8 )
1111 | ( ext[3] ) );
1112
1113 if( ext_size + 4 > ext_len )
1114 {
1115 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1116 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1117 }
1118 switch( ext_id )
1119 {
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]1120 case TLS_EXT_SERVERNAME:
1121 SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1122 if( ssl->f_sni == NULL )
1123 break;
1124
1125 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1126 if( ret != 0 )
1127 return( ret );
1128 break;
1129
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1130 case TLS_EXT_RENEGOTIATION_INFO:
1131 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1132 renegotiation_info_seen = 1;
1133
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1134 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1135 if( ret != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1136 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1137 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1138
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1139 case TLS_EXT_SIG_ALG:
1140 SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1141 if( ssl->renegotiation == SSL_RENEGOTIATION )
1142 break;
1143
1144 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1145 if( ret != 0 )
1146 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1147 break;
1148
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1149#if defined(POLARSSL_ECP_C)
1150 case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
1151 SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1152
1153 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1154 if( ret != 0 )
1155 return( ret );
1156 break;
1157
1158 case TLS_EXT_SUPPORTED_POINT_FORMATS:
1159 SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1160
1161 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1162 if( ret != 0 )
1163 return( ret );
1164 break;
1165#endif /* POLARSSL_ECP_C */
1166
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1167 case TLS_EXT_MAX_FRAGMENT_LENGTH:
1168 SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1169
1170 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1171 if( ret != 0 )
1172 return( ret );
1173 break;
1174
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1175 case TLS_EXT_TRUNCATED_HMAC:
1176 SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1177
1178 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1179 if( ret != 0 )
1180 return( ret );
1181 break;
1182
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1183#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1184 case TLS_EXT_SESSION_TICKET:
1185 SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1186
1187 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1188 if( ret != 0 )
1189 return( ret );
1190 break;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1191#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1192
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1193 default:
1194 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1195 ext_id ) );
1196 }
1197
1198 ext_len -= 4 + ext_size;
1199 ext += 4 + ext_size;
1200
1201 if( ext_len > 0 && ext_len < 4 )
1202 {
1203 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1204 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1205 }
1206 }
1207
1208 /*
1209 * Renegotiation security checks
1210 */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1211 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1212 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
1213 {
1214 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1215 handshake_failure = 1;
1216 }
1217 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1218 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
1219 renegotiation_info_seen == 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1220 {
1221 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1222 handshake_failure = 1;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1223 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1224 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1225 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1226 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1227 {
1228 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1229 handshake_failure = 1;
1230 }
1231 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1232 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1233 renegotiation_info_seen == 1 )
1234 {
1235 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1236 handshake_failure = 1;
1237 }
1238
1239 if( handshake_failure == 1 )
1240 {
1241 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1242 return( ret );
1243
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1244 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1245 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1246
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1247 /*
1248 * Search for a matching ciphersuite
1249 * (At the end because we need information from the EC-based extensions)
1250 */
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1251 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1252 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1253 {
1254 for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
1255 j += 2, p += 2 )
1256 {
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1257 if( p[0] == ( ( ciphersuites[i] >> 8 ) & 0xFF ) &&
1258 p[1] == ( ( ciphersuites[i] ) & 0xFF ) )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1259 {
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1260 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1261
1262 if( ciphersuite_info == NULL )
1263 {
1264 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1265 ciphersuites[i] ) );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1266 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
1267 }
1268
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1269 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
1270 ciphersuite_info->max_minor_ver < ssl->minor_ver )
1271 continue;
1272
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1273 if( ( ciphersuite_info->flags & POLARSSL_CIPHERSUITE_EC ) &&
1274 ssl->handshake->ec_curve == 0 )
1275 continue;
1276
1277 goto have_ciphersuite;
1278 }
1279 }
1280 }
1281
1282 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1283
1284 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1285 return( ret );
1286
1287 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
1288
1289have_ciphersuite:
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1290 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1291 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1292 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
1293
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1294 ssl->in_left = 0;
1295 ssl->state++;
1296
1297 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1298
1299 return( 0 );
1300}
1301
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1302static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
1303 unsigned char *buf,
1304 size_t *olen )
1305{
1306 unsigned char *p = buf;
1307
1308 if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
1309 {
1310 *olen = 0;
1311 return;
1312 }
1313
1314 SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1315
1316 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
1317 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
1318
1319 *p++ = 0x00;
1320 *p++ = 0x00;
1321
1322 *olen = 4;
1323}
1324
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1325#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1326static void ssl_write_session_ticket_ext( ssl_context *ssl,
1327 unsigned char *buf,
1328 size_t *olen )
1329{
1330 unsigned char *p = buf;
1331
1332 if( ssl->handshake->new_session_ticket == 0 )
1333 {
1334 *olen = 0;
1335 return;
1336 }
1337
1338 SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1339
1340 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
1341 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
1342
1343 *p++ = 0x00;
1344 *p++ = 0x00;
1345
1346 *olen = 4;
1347}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1348#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1349
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1350static void ssl_write_renegotiation_ext( ssl_context *ssl,
1351 unsigned char *buf,
1352 size_t *olen )
1353{
1354 unsigned char *p = buf;
1355
1356 if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION )
1357 {
1358 *olen = 0;
1359 return;
1360 }
1361
1362 SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1363
1364 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
1365 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
1366
1367 *p++ = 0x00;
1368 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
1369 *p++ = ssl->verify_data_len * 2 & 0xFF;
1370
1371 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
1372 p += ssl->verify_data_len;
1373 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
1374 p += ssl->verify_data_len;
1375
1376 *olen = 5 + ssl->verify_data_len * 2;
1377}
1378
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1379static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
1380 unsigned char *buf,
1381 size_t *olen )
1382{
1383 unsigned char *p = buf;
1384
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]1385 if( ssl->session_negotiate->mfl_code == SSL_MAX_FRAG_LEN_NONE )
1386 {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1387 *olen = 0;
1388 return;
1389 }
1390
1391 SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
1392
1393 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
1394 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
1395
1396 *p++ = 0x00;
1397 *p++ = 1;
1398
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]1399 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1400
1401 *olen = 5;
1402}
1403
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1404static int ssl_write_server_hello( ssl_context *ssl )
1405{
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1406#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1407 time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1408#endif
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1409 int ret, n;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1410 size_t olen, ext_len = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1411 unsigned char *buf, *p;
1412
1413 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
1414
1415 /*
1416 * 0 . 0 handshake type
1417 * 1 . 3 handshake length
1418 * 4 . 5 protocol version
1419 * 6 . 9 UNIX time()
1420 * 10 . 37 random bytes
1421 */
1422 buf = ssl->out_msg;
1423 p = buf + 4;
1424
1425 *p++ = (unsigned char) ssl->major_ver;
1426 *p++ = (unsigned char) ssl->minor_ver;
1427
1428 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
1429 buf[4], buf[5] ) );
1430
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1431#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1432 t = time( NULL );
1433 *p++ = (unsigned char)( t >> 24 );
1434 *p++ = (unsigned char)( t >> 16 );
1435 *p++ = (unsigned char)( t >> 8 );
1436 *p++ = (unsigned char)( t );
1437
1438 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1439#else
1440 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
1441 return( ret );
1442
1443 p += 4;
1444#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1445
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1446 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
1447 return( ret );
1448
1449 p += 28;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1450
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1451 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1452
1453 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
1454
1455 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1456 * Resume is 0 by default, see ssl_handshake_init().
1457 * It may be already set to 1 by ssl_parse_session_ticket_ext().
1458 * If not, try looking up session ID in our cache.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1459 */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1460 if( ssl->handshake->resume == 0 &&
1461 ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +0200[diff] [blame]1462 ssl->session_negotiate->length != 0 &&
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1463 ssl->f_get_cache != NULL &&
1464 ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
1465 {
1466 ssl->handshake->resume = 1;
1467 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1468
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1469 if( ssl->handshake->resume == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1470 {
1471 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1472 * New session, create a new session id,
1473 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1474 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1475 ssl->state++;
1476
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1477#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1478 if( ssl->handshake->new_session_ticket == 0 )
1479 {
1480 ssl->session_negotiate->length = n = 32;
1481 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1482 n ) ) != 0 )
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1483 return( ret );
1484 }
1485 else
1486 {
1487 ssl->session_negotiate->length = 0;
1488 memset( ssl->session_negotiate->id, 0, 32 );
1489 }
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1490#else
1491 ssl->session_negotiate->length = n = 32;
1492 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
1493 n ) ) != 0 )
1494 return( ret );
1495#endif /* POLARSSL_SSL_SESSION_TICKETS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1496 }
1497 else
1498 {
1499 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1500 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1501 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1502 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1503
1504 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1505 {
1506 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1507 return( ret );
1508 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1509 }
1510
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1511 /*
1512 * 38 . 38 session id length
1513 * 39 . 38+n session id
1514 * 39+n . 40+n chosen ciphersuite
1515 * 41+n . 41+n chosen compression alg.
1516 * 42+n . 43+n extensions length
1517 * 44+n . 43+n+m extensions
1518 */
1519 *p++ = (unsigned char) ssl->session_negotiate->length;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1520 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
1521 p += ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1522
1523 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1524 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
1525 SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]1526 ssl->handshake->resume ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1527
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1528 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
1529 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
1530 *p++ = (unsigned char)( ssl->session_negotiate->compression );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1531
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1532 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1533 ssl->session_negotiate->ciphersuite ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1534 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1535 ssl->session_negotiate->compression ) );
1536
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1537 /*
1538 * First write extensions, then the total length
1539 */
1540 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1541 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1542
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1543 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1544 ext_len += olen;
1545
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1546 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1547 ext_len += olen;
1548
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1549#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1550 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1551 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1552#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1553
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1554 SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1555
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1556 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1557 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1558 p += ext_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1559
1560 ssl->out_msglen = p - buf;
1561 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1562 ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
1563
1564 ret = ssl_write_record( ssl );
1565
1566 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
1567
1568 return( ret );
1569}
1570
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1571#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1572 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1573 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1574static int ssl_write_certificate_request( ssl_context *ssl )
1575{
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]1576 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1577 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1578
1579 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1580
1581 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1582 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1583 {
1584 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1585 ssl->state++;
1586 return( 0 );
1587 }
1588
1589 return( ret );
1590}
1591#else
1592static int ssl_write_certificate_request( ssl_context *ssl )
1593{
1594 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1595 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1596 size_t n = 0, dn_size, total_dn_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1597 unsigned char *buf, *p;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1598 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1599
1600 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1601
1602 ssl->state++;
1603
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]1604 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1605 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]1606 ssl->authmode == SSL_VERIFY_NONE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1607 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1608 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1609 return( 0 );
1610 }
1611
1612 /*
1613 * 0 . 0 handshake type
1614 * 1 . 3 handshake length
1615 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1616 * 5 .. m-1 cert types
1617 * m .. m+1 sig alg length (TLS 1.2 only)
1618 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1619 * n .. n+1 length of all DNs
1620 * n+2 .. n+3 length of DN 1
1621 * n+4 .. ... Distinguished Name #1
1622 * ... .. ... length of DN 2, etc.
1623 */
1624 buf = ssl->out_msg;
1625 p = buf + 4;
1626
1627 /*
1628 * At the moment, only RSA certificates are supported
1629 */
1630 *p++ = 1;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1631 *p++ = SSL_CERT_TYPE_RSA_SIGN;
1632
1633 /*
1634 * Add signature_algorithms for verify (TLS 1.2)
1635 * Only add current running algorithm that is already required for
1636 * requested ciphersuite.
1637 *
1638 * Length is always 2
1639 */
Paul Bakker21dca692013-01-03 11:41:08 +0100[diff] [blame]1640 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1641 {
1642 ssl->handshake->verify_sig_alg = SSL_HASH_SHA256;
1643
1644 *p++ = 0;
1645 *p++ = 2;
1646
Paul Bakkerb7149bc2013-03-20 15:30:09 +0100[diff] [blame]1647 if( ssl->transform_negotiate->ciphersuite_info->mac ==
1648 POLARSSL_MD_SHA384 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1649 {
1650 ssl->handshake->verify_sig_alg = SSL_HASH_SHA384;
1651 }
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]1652
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1653 *p++ = ssl->handshake->verify_sig_alg;
1654 *p++ = SSL_SIG_RSA;
1655
1656 n += 4;
1657 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1658
1659 p += 2;
1660 crt = ssl->ca_chain;
1661
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]1662 total_dn_size = 0;
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]1663 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1664 {
1665 if( p - buf > 4096 )
1666 break;
1667
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1668 dn_size = crt->subject_raw.len;
1669 *p++ = (unsigned char)( dn_size >> 8 );
1670 *p++ = (unsigned char)( dn_size );
1671 memcpy( p, crt->subject_raw.p, dn_size );
1672 p += dn_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1673
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1674 SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
1675
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]1676 total_dn_size += 2 + dn_size;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1677 crt = crt->next;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1678 }
1679
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1680 ssl->out_msglen = p - buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1681 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1682 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1683 ssl->out_msg[6 + n] = (unsigned char)( total_dn_size >> 8 );
1684 ssl->out_msg[7 + n] = (unsigned char)( total_dn_size );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1685
1686 ret = ssl_write_record( ssl );
1687
1688 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
1689
1690 return( ret );
1691}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1692#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
1693 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
1694 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1695
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1696static int ssl_write_server_key_exchange( ssl_context *ssl )
1697{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1698 int ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1699 size_t n = 0, len;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1700 unsigned char hash[64];
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1701 md_type_t md_alg = POLARSSL_MD_NONE;
Paul Bakker35a7fe52012-10-31 09:07:14 +0000[diff] [blame]1702 unsigned int hashlen = 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1703 unsigned char *p = ssl->out_msg + 4;
1704 unsigned char *dig_sig = p;
1705 size_t dig_sig_len = 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1706
1707 const ssl_ciphersuite_t *ciphersuite_info;
1708 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1709
1710 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
1711
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1712 if( ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_RSA &&
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1713 ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_ECDHE_RSA &&
1714 ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1715 {
1716 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
1717 ssl->state++;
1718 return( 0 );
1719 }
1720
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1721#if defined(POLARSSL_RSA_C)
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1722 if( ssl->rsa_key == NULL )
1723 {
Paul Bakkereb2c6582012-09-27 19:15:01 +0000[diff] [blame]1724 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
1725 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1726 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1727#endif /* POLARSSL_RSA_C */
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1728
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1729#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1730 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1731 {
1732 /* TODO: Support identity hints */
1733 *(p++) = 0x00;
1734 *(p++) = 0x00;
1735
1736 n += 2;
1737 }
1738#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1739
1740#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1741 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1742 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1743 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1744 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1745 /*
1746 * Ephemeral DH parameters:
1747 *
1748 * struct {
1749 * opaque dh_p<1..2^16-1>;
1750 * opaque dh_g<1..2^16-1>;
1751 * opaque dh_Ys<1..2^16-1>;
1752 * } ServerDHParams;
1753 */
1754 if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
1755 ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
1756 {
1757 SSL_DEBUG_RET( 1, "mpi_copy", ret );
1758 return( ret );
1759 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1760
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1761 if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
1762 mpi_size( &ssl->handshake->dhm_ctx.P ),
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1763 p,
1764 &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1765 {
1766 SSL_DEBUG_RET( 1, "dhm_make_params", ret );
1767 return( ret );
1768 }
1769
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1770 dig_sig = p;
1771 dig_sig_len = len;
1772
1773 p += len;
1774 n += len;
1775
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1776 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
1777 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1778 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1779 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
1780 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1781#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1782 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1783
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1784#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1785 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1786 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1787 /*
1788 * Ephemeral ECDH parameters:
1789 *
1790 * struct {
1791 * ECParameters curve_params;
1792 * ECPoint public;
1793 * } ServerECDHParams;
1794 */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1795 if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
1796 ssl->handshake->ec_curve ) ) != 0 )
1797 {
1798 SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
1799 return( ret );
1800 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1801
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1802 if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx,
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1803 &len,
1804 p,
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1805 1000, ssl->f_rng, ssl->p_rng ) ) != 0 )
1806 {
1807 SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
1808 return( ret );
1809 }
1810
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1811 dig_sig = p;
1812 dig_sig_len = len;
1813
1814 p += len;
1815 n += len;
1816
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1817 SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
1818 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1819#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1820
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1821#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1822 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
1823 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1824 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1825 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1826 size_t rsa_key_len = 0;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1827
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1828 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1829 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1830 md5_context md5;
1831 sha1_context sha1;
1832
1833 /*
1834 * digitally-signed struct {
1835 * opaque md5_hash[16];
1836 * opaque sha_hash[20];
1837 * };
1838 *
1839 * md5_hash
1840 * MD5(ClientHello.random + ServerHello.random
1841 * + ServerParams);
1842 * sha_hash
1843 * SHA(ClientHello.random + ServerHello.random
1844 * + ServerParams);
1845 */
1846 md5_starts( &md5 );
1847 md5_update( &md5, ssl->handshake->randbytes, 64 );
1848 md5_update( &md5, dig_sig, dig_sig_len );
1849 md5_finish( &md5, hash );
1850
1851 sha1_starts( &sha1 );
1852 sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1853 sha1_update( &sha1, dig_sig, dig_sig_len );
1854 sha1_finish( &sha1, hash + 16 );
1855
1856 hashlen = 36;
1857 md_alg = POLARSSL_MD_NONE;
1858 }
1859 else
1860 {
1861 md_context_t ctx;
1862
1863 /*
1864 * digitally-signed struct {
1865 * opaque client_random[32];
1866 * opaque server_random[32];
1867 * ServerDHParams params;
1868 * };
1869 */
1870 switch( ssl->handshake->sig_alg )
1871 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1872#if defined(POLARSSL_MD5_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1873 case SSL_HASH_MD5:
1874 md_alg = POLARSSL_MD_MD5;
1875 break;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1876#endif
1877#if defined(POLARSSL_SHA1_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1878 case SSL_HASH_SHA1:
1879 md_alg = POLARSSL_MD_SHA1;
1880 break;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1881#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]1882#if defined(POLARSSL_SHA256_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1883 case SSL_HASH_SHA224:
1884 md_alg = POLARSSL_MD_SHA224;
1885 break;
1886 case SSL_HASH_SHA256:
1887 md_alg = POLARSSL_MD_SHA256;
1888 break;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1889#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]1890#if defined(POLARSSL_SHA512_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1891 case SSL_HASH_SHA384:
1892 md_alg = POLARSSL_MD_SHA384;
1893 break;
1894 case SSL_HASH_SHA512:
1895 md_alg = POLARSSL_MD_SHA512;
1896 break;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1897#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1898 default:
1899 /* Should never happen */
1900 return( -1 );
1901 }
1902
1903 if( ( ret = md_init_ctx( &ctx, md_info_from_type( md_alg ) ) ) != 0 )
1904 {
1905 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
1906 return( ret );
1907 }
1908
1909 md_starts( &ctx );
1910 md_update( &ctx, ssl->handshake->randbytes, 64 );
1911 md_update( &ctx, dig_sig, dig_sig_len );
1912 md_finish( &ctx, hash );
Paul Bakker61d113b2013-07-04 11:51:43 +0200[diff] [blame]1913
1914 if( ( ret = md_free_ctx( &ctx ) ) != 0 )
1915 {
1916 SSL_DEBUG_RET( 1, "md_free_ctx", ret );
1917 return( ret );
1918 }
1919
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1920 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1921
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1922 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
1923
1924 if ( ssl->rsa_key )
1925 rsa_key_len = ssl->rsa_key_len( ssl->rsa_key );
1926
1927 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1928 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1929 *(p++) = ssl->handshake->sig_alg;
1930 *(p++) = SSL_SIG_RSA;
1931
1932 n += 2;
1933 }
1934
1935 *(p++) = (unsigned char)( rsa_key_len >> 8 );
1936 *(p++) = (unsigned char)( rsa_key_len );
1937 n += 2;
1938
1939 if ( ssl->rsa_key )
1940 {
1941 ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
1942 RSA_PRIVATE, md_alg, hashlen, hash, p );
1943 }
1944
1945 if( ret != 0 )
1946 {
1947 SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1948 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1949 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1950
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1951 SSL_DEBUG_BUF( 3, "my RSA sig", p, rsa_key_len );
1952
1953 p += rsa_key_len;
1954 n += rsa_key_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1955 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1956#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
1957 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1958
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1959 ssl->out_msglen = 4 + n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1960 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1961 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE;
1962
1963 ssl->state++;
1964
1965 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1966 {
1967 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1968 return( ret );
1969 }
1970
1971 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
1972
1973 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1974}
1975
1976static int ssl_write_server_hello_done( ssl_context *ssl )
1977{
1978 int ret;
1979
1980 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
1981
1982 ssl->out_msglen = 4;
1983 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1984 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE;
1985
1986 ssl->state++;
1987
1988 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1989 {
1990 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1991 return( ret );
1992 }
1993
1994 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
1995
1996 return( 0 );
1997}
1998
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1999#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2000 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2001static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
2002 const unsigned char *end )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2003{
2004 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2005 size_t n;
2006
2007 /*
2008 * Receive G^Y mod P, premaster = (G^Y)^X mod P
2009 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2010 if( *p + 2 > end )
2011 {
2012 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2013 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2014 }
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2015
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2016 n = ( (*p)[0] << 8 ) | (*p)[1];
2017 *p += 2;
2018
2019 if( n < 1 || n > ssl->handshake->dhm_ctx.len || *p + n > end )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2020 {
2021 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2022 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2023 }
2024
2025 if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx,
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2026 *p, n ) ) != 0 )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2027 {
2028 SSL_DEBUG_RET( 1, "dhm_read_public", ret );
2029 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2030 }
2031
2032 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2033
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2034 return( ret );
2035}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2036#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2037 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2038
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2039#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2040static int ssl_parse_client_ecdh_public( ssl_context *ssl )
2041{
2042 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2043 size_t n;
2044
2045 /*
2046 * Receive client public key and calculate premaster
2047 */
2048 n = ssl->in_msg[3];
2049
2050 if( n < 1 || n > mpi_size( &ssl->handshake->ecdh_ctx.grp.P ) * 2 + 2 ||
2051 n + 4 != ssl->in_hslen )
2052 {
2053 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2054 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2055 }
2056
2057 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2058 ssl->in_msg + 4, n ) ) != 0 )
2059 {
2060 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2061 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2062 }
2063
2064 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2065
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2066 return( ret );
2067}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2068#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2069
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2070#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2071static int ssl_parse_encrypted_pms_secret( ssl_context *ssl )
2072{
2073 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2074 size_t i, n = 0;
2075
2076 if( ssl->rsa_key == NULL )
2077 {
2078 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2079 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2080 }
2081
2082 /*
2083 * Decrypt the premaster using own private RSA key
2084 */
2085 i = 4;
2086 if( ssl->rsa_key )
2087 n = ssl->rsa_key_len( ssl->rsa_key );
2088 ssl->handshake->pmslen = 48;
2089
2090 if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
2091 {
2092 i += 2;
2093 if( ssl->in_msg[4] != ( ( n >> 8 ) & 0xFF ) ||
2094 ssl->in_msg[5] != ( ( n ) & 0xFF ) )
2095 {
2096 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2097 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2098 }
2099 }
2100
2101 if( ssl->in_hslen != i + n )
2102 {
2103 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2104 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2105 }
2106
2107 if( ssl->rsa_key ) {
2108 ret = ssl->rsa_decrypt( ssl->rsa_key, RSA_PRIVATE,
2109 &ssl->handshake->pmslen,
2110 ssl->in_msg + i,
2111 ssl->handshake->premaster,
2112 sizeof(ssl->handshake->premaster) );
2113 }
2114
2115 if( ret != 0 || ssl->handshake->pmslen != 48 ||
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]2116 ssl->handshake->premaster[0] != ssl->handshake->max_major_ver ||
2117 ssl->handshake->premaster[1] != ssl->handshake->max_minor_ver )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2118 {
2119 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2120
2121 /*
2122 * Protection against Bleichenbacher's attack:
2123 * invalid PKCS#1 v1.5 padding must not cause
2124 * the connection to end immediately; instead,
2125 * send a bad_record_mac later in the handshake.
2126 */
2127 ssl->handshake->pmslen = 48;
2128
2129 ret = ssl->f_rng( ssl->p_rng, ssl->handshake->premaster,
2130 ssl->handshake->pmslen );
2131 if( ret != 0 )
2132 return( ret );
2133 }
2134
2135 return( ret );
2136}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2137#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2138
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2139#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
2140 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2141static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
2142 const unsigned char *end )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2143{
2144 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2145 size_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2146
2147 if( ssl->psk == NULL || ssl->psk_identity == NULL ||
2148 ssl->psk_identity_len == 0 || ssl->psk_len == 0 )
2149 {
2150 SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
2151 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2152 }
2153
2154 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2155 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2156 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2157 if( *p + 2 > end )
2158 {
2159 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2160 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2161 }
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2162
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2163 n = ( (*p)[0] << 8 ) | (*p)[1];
2164 *p += 2;
2165
2166 if( n < 1 || n > 65535 || *p + n > end )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2167 {
2168 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2169 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2170 }
2171
2172 if( n != ssl->psk_identity_len ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2173 memcmp( ssl->psk_identity, *p, n ) != 0 )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2174 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2175 SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2176 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2177 }
2178
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2179 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2180 ret = 0;
2181
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2182 return( ret );
2183}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2184#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED ||
2185 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2186
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2187static int ssl_parse_client_key_exchange( ssl_context *ssl )
2188{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2189 int ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2190 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2191 unsigned char *p, *end;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2192
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2193 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2194
2195 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
2196
2197 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2198 {
2199 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2200 return( ret );
2201 }
2202
2203 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2204 {
2205 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2206 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2207 }
2208
2209 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
2210 {
2211 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2212 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2213 }
2214
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2215 p = ssl->in_msg + 4;
2216 end = ssl->in_msg + ssl->in_msglen;
2217
2218#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2219 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2220 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2221 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2222 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2223 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2224 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2225 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2226
2227 ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
2228
2229 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2230 ssl->handshake->premaster,
2231 &ssl->handshake->pmslen ) ) != 0 )
2232 {
2233 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2234 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2235 }
2236
2237 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2238 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2239 else
2240#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
2241#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
2242 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2243 {
2244 if( ( ret = ssl_parse_client_ecdh_public( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2245 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2246 SSL_DEBUG_RET( 1, ( "ssl_parse_client_ecdh_public" ), ret );
2247 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2248 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2249
2250 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2251 &ssl->handshake->pmslen,
2252 ssl->handshake->premaster,
2253 POLARSSL_MPI_MAX_SIZE ) ) != 0 )
2254 {
2255 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
2256 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2257 }
2258
2259 SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2260 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2261 else
2262#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2263#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2264 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2265 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2266 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2267 {
2268 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2269 return( ret );
2270 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2271
2272 // Set up the premaster secret
2273 //
2274 p = ssl->handshake->premaster;
2275 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2276 *(p++) = (unsigned char)( ssl->psk_len );
2277 p += ssl->psk_len;
2278
2279 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2280 *(p++) = (unsigned char)( ssl->psk_len );
2281 memcpy( p, ssl->psk, ssl->psk_len );
2282 p += ssl->psk_len;
2283
2284 ssl->handshake->pmslen = 4 + 2 * ssl->psk_len;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2285 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2286 else
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2287#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
2288#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2289 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2290 {
2291 size_t n;
2292
2293 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2294 {
2295 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2296 return( ret );
2297 }
2298 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2299 {
2300 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2301 return( ret );
2302 }
2303
2304 // Set up the premaster secret
2305 //
2306 p = ssl->handshake->premaster;
2307 *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len >> 8 );
2308 *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len );
2309
2310 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2311 p, &n ) ) != 0 )
2312 {
2313 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2314 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2315 }
2316
2317 if( n != ssl->handshake->dhm_ctx.len )
2318 {
2319 SSL_DEBUG_MSG( 1, ( "dhm_calc_secret result smaller than DHM" ) );
2320 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
2321 }
2322
2323 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2324
2325 p += ssl->handshake->dhm_ctx.len;
2326
2327 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2328 *(p++) = (unsigned char)( ssl->psk_len );
2329 memcpy( p, ssl->psk, ssl->psk_len );
2330 p += ssl->psk_len;
2331
2332 ssl->handshake->pmslen = 4 + ssl->handshake->dhm_ctx.len + ssl->psk_len;
2333 }
2334 else
2335#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2336#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2337 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2338 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2339 if( ( ret = ssl_parse_encrypted_pms_secret( ssl ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2340 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2341 SSL_DEBUG_RET( 1, ( "ssl_parse_client_ecdh_public" ), ret );
2342 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2343 }
2344 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2345 else
2346#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2347 {
2348 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
2349 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2350
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2351 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2352 {
2353 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2354 return( ret );
2355 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2356
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2357 ssl->state++;
2358
2359 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
2360
2361 return( 0 );
2362}
2363
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2364#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2365 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2366 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2367static int ssl_parse_certificate_verify( ssl_context *ssl )
2368{
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2369 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2370 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2371
2372 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2373
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2374 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2375 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2376 {
2377 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2378 ssl->state++;
2379 return( 0 );
2380 }
2381
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2382 return( ret );
2383}
2384#else
2385static int ssl_parse_certificate_verify( ssl_context *ssl )
2386{
2387 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2388 size_t n = 0, n1, n2;
2389 unsigned char hash[48];
2390 md_type_t md_alg = POLARSSL_MD_NONE;
2391 unsigned int hashlen = 0;
2392 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2393
2394 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2395
2396 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2397 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2398 {
2399 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2400 ssl->state++;
2401 return( 0 );
2402 }
2403
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2404 if( ssl->session_negotiate->peer_cert == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2405 {
2406 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2407 ssl->state++;
2408 return( 0 );
2409 }
2410
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2411 ssl->handshake->calc_verify( ssl, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2412
2413 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2414 {
2415 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2416 return( ret );
2417 }
2418
2419 ssl->state++;
2420
2421 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2422 {
2423 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2424 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2425 }
2426
2427 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
2428 {
2429 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2430 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2431 }
2432
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2433 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2434 {
2435 /*
2436 * As server we know we either have SSL_HASH_SHA384 or
2437 * SSL_HASH_SHA256
2438 */
2439 if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg ||
2440 ssl->in_msg[5] != SSL_SIG_RSA )
2441 {
2442 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg for verify message" ) );
2443 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
2444 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2445
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2446 if( ssl->handshake->verify_sig_alg == SSL_HASH_SHA384 )
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2447 md_alg = POLARSSL_MD_SHA384;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2448 else
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2449 md_alg = POLARSSL_MD_SHA256;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2450
2451 n += 2;
2452 }
2453 else
2454 {
2455 hashlen = 36;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2456 md_alg = POLARSSL_MD_NONE;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2457 }
2458
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2459 /* EC NOT IMPLEMENTED YET */
2460 if( ssl->session_negotiate->peer_cert->pk.type != POLARSSL_PK_RSA )
2461 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
2462
2463 n1 = pk_rsa( ssl->session_negotiate->peer_cert->pk )->len;
Paul Bakker78ce5072012-11-23 14:23:53 +0100[diff] [blame]2464 n2 = ( ssl->in_msg[4 + n] << 8 ) | ssl->in_msg[5 + n];
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2465
2466 if( n + n1 + 6 != ssl->in_hslen || n1 != n2 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2467 {
2468 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2469 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2470 }
2471
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2472 ret = rsa_pkcs1_verify( pk_rsa( ssl->session_negotiate->peer_cert->pk ),
2473 RSA_PUBLIC, md_alg, hashlen, hash,
2474 ssl->in_msg + 6 + n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2475 if( ret != 0 )
2476 {
2477 SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
2478 return( ret );
2479 }
2480
2481 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
2482
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2483 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2484}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2485#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2486 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2487 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2488
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2489#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2490static int ssl_write_new_session_ticket( ssl_context *ssl )
2491{
2492 int ret;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2493 size_t tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2494
2495 SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
2496
2497 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2498 ssl->out_msg[0] = SSL_HS_NEW_SESSION_TICKET;
2499
2500 /*
2501 * struct {
2502 * uint32 ticket_lifetime_hint;
2503 * opaque ticket<0..2^16-1>;
2504 * } NewSessionTicket;
2505 *
2506 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
2507 * 8 . 9 ticket_len (n)
2508 * 10 . 9+n ticket content
2509 */
2510 ssl->out_msg[4] = 0x00;
2511 ssl->out_msg[5] = 0x00;
2512 ssl->out_msg[6] = 0x00;
2513 ssl->out_msg[7] = 0x00;
2514
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]2515 if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
2516 {
2517 SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
2518 tlen = 0;
2519 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2520
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2521 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
2522 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2523
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2524 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2525
2526 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2527 {
2528 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2529 return( ret );
2530 }
2531
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2532 /* No need to remember writing a NewSessionTicket any more */
2533 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2534
2535 SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
2536
2537 return( 0 );
2538}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2539#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2540
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2541/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2542 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2543 */
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2544int ssl_handshake_server_step( ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2545{
2546 int ret = 0;
2547
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2548 if( ssl->state == SSL_HANDSHAKE_OVER )
2549 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2550
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2551 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
2552
2553 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2554 return( ret );
2555
2556 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2557 {
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2558 case SSL_HELLO_REQUEST:
2559 ssl->state = SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2560 break;
2561
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2562 /*
2563 * <== ClientHello
2564 */
2565 case SSL_CLIENT_HELLO:
2566 ret = ssl_parse_client_hello( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2567 break;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2568
2569 /*
2570 * ==> ServerHello
2571 * Certificate
2572 * ( ServerKeyExchange )
2573 * ( CertificateRequest )
2574 * ServerHelloDone
2575 */
2576 case SSL_SERVER_HELLO:
2577 ret = ssl_write_server_hello( ssl );
2578 break;
2579
2580 case SSL_SERVER_CERTIFICATE:
2581 ret = ssl_write_certificate( ssl );
2582 break;
2583
2584 case SSL_SERVER_KEY_EXCHANGE:
2585 ret = ssl_write_server_key_exchange( ssl );
2586 break;
2587
2588 case SSL_CERTIFICATE_REQUEST:
2589 ret = ssl_write_certificate_request( ssl );
2590 break;
2591
2592 case SSL_SERVER_HELLO_DONE:
2593 ret = ssl_write_server_hello_done( ssl );
2594 break;
2595
2596 /*
2597 * <== ( Certificate/Alert )
2598 * ClientKeyExchange
2599 * ( CertificateVerify )
2600 * ChangeCipherSpec
2601 * Finished
2602 */
2603 case SSL_CLIENT_CERTIFICATE:
2604 ret = ssl_parse_certificate( ssl );
2605 break;
2606
2607 case SSL_CLIENT_KEY_EXCHANGE:
2608 ret = ssl_parse_client_key_exchange( ssl );
2609 break;
2610
2611 case SSL_CERTIFICATE_VERIFY:
2612 ret = ssl_parse_certificate_verify( ssl );
2613 break;
2614
2615 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
2616 ret = ssl_parse_change_cipher_spec( ssl );
2617 break;
2618
2619 case SSL_CLIENT_FINISHED:
2620 ret = ssl_parse_finished( ssl );
2621 break;
2622
2623 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2624 * ==> ( NewSessionTicket )
2625 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2626 * Finished
2627 */
2628 case SSL_SERVER_CHANGE_CIPHER_SPEC:
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2629#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2630 if( ssl->handshake->new_session_ticket != 0 )
2631 ret = ssl_write_new_session_ticket( ssl );
2632 else
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2633#endif
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2634 ret = ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2635 break;
2636
2637 case SSL_SERVER_FINISHED:
2638 ret = ssl_write_finished( ssl );
2639 break;
2640
2641 case SSL_FLUSH_BUFFERS:
2642 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2643 ssl->state = SSL_HANDSHAKE_WRAPUP;
2644 break;
2645
2646 case SSL_HANDSHAKE_WRAPUP:
2647 ssl_handshake_wrapup( ssl );
2648 break;
2649
2650 default:
2651 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2652 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2653 }
2654
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2655 return( ret );
2656}
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2657#endif