TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / fb08fd2e23536bf60ab92fd87717b52edc86d1fc / . / library / ssl_srv.c
blob: bfbf2cbb7c74de980adbbab2c1ff70e9af403028 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 server-side functions
3 *
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]26#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]28#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]30#include "polarssl/debug.h"
31#include "polarssl/ssl.h"
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]32#if defined(POLARSSL_ECP_C)
33#include "polarssl/ecp.h"
34#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]36#if defined(POLARSSL_MEMORY_C)
37#include "polarssl/memory.h"
38#else
39#define polarssl_malloc malloc
40#define polarssl_free free
41#endif
42
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43#include <stdlib.h>
44#include <stdio.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]45
46#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47#include <time.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]48#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]49
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]50#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]51/*
52 * Serialize a session in the following format:
53 * 0 . n-1 session structure, n = sizeof(ssl_session)
54 * n . n+2 peer_cert length = m (0 if no certificate)
55 * n+3 . n+2+m peer cert ASN.1
56 *
57 * Assumes ticket is NULL (always true on server side).
58 */
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]59static int ssl_save_session( const ssl_session *session,
60 unsigned char *buf, size_t buf_len,
61 size_t *olen )
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]62{
63 unsigned char *p = buf;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]64 size_t left = buf_len;
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]65#if defined(POLARSSL_X509_PARSE_C)
66 size_t cert_len;
67#endif /* POLARSSL_X509_PARSE_C */
68
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]69 if( left < sizeof( ssl_session ) )
70 return( -1 );
71
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]72 memcpy( p, session, sizeof( ssl_session ) );
73 p += sizeof( ssl_session );
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]74 left -= sizeof( ssl_session );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]75
76#if defined(POLARSSL_X509_PARSE_C)
77 ((ssl_session *) buf)->peer_cert = NULL;
78
79 if( session->peer_cert == NULL )
80 cert_len = 0;
81 else
82 cert_len = session->peer_cert->raw.len;
83
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]84 if( left < 3 + cert_len )
85 return( -1 );
86
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]87 *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
88 *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
89 *p++ = (unsigned char)( cert_len & 0xFF );
90
91 if( session->peer_cert != NULL )
92 memcpy( p, session->peer_cert->raw.p, cert_len );
93
94 p += cert_len;
95#endif /* POLARSSL_X509_PARSE_C */
96
97 *olen = p - buf;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]98
99 return( 0 );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]100}
101
102/*
103 * Unserialise session, see ssl_save_session()
104 */
105static int ssl_load_session( ssl_session *session,
106 const unsigned char *buf, size_t len )
107{
108 int ret;
109 const unsigned char *p = buf;
110 const unsigned char * const end = buf + len;
111#if defined(POLARSSL_X509_PARSE_C)
112 size_t cert_len;
113#endif /* POLARSSL_X509_PARSE_C */
114
115 if( p + sizeof( ssl_session ) > end )
116 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
117
118 memcpy( session, p, sizeof( ssl_session ) );
119 p += sizeof( ssl_session );
120
121#if defined(POLARSSL_X509_PARSE_C)
122 if( p + 3 > end )
123 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
124
125 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
126 p += 3;
127
128 if( cert_len == 0 )
129 {
130 session->peer_cert = NULL;
131 }
132 else
133 {
134 if( p + cert_len > end )
135 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
136
137 session->peer_cert = polarssl_malloc( cert_len );
138
139 if( session->peer_cert == NULL )
140 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
141
142 memset( session->peer_cert, 0, sizeof( x509_cert ) );
143
144 if( ( ret = x509parse_crt( session->peer_cert, p, cert_len ) ) != 0 )
145 {
146 polarssl_free( session->peer_cert );
147 free( session->peer_cert );
148 session->peer_cert = NULL;
149 return( ret );
150 }
151
152 p += cert_len;
153 }
154#endif /* POLARSSL_X509_PARSE_C */
155
156 if( p != end )
157 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
158
159 return( 0 );
160}
161
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]162/*
163 * Create session ticket, secured as recommended in RFC 5077 section 4:
164 *
165 * struct {
166 * opaque key_name[16];
167 * opaque iv[16];
168 * opaque encrypted_state<0..2^16-1>;
169 * opaque mac[32];
170 * } ticket;
171 *
172 * (the internal state structure differs, however).
173 */
174static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
175{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]176 int ret;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]177 unsigned char * const start = ssl->out_msg + 10;
178 unsigned char *p = start;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]179 unsigned char *state;
180 unsigned char iv[16];
181 size_t clear_len, enc_len, pad_len, i;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]182
Manuel Pégourié-Gonnard0a201712013-08-23 16:25:16 +0200[diff] [blame]183 *tlen = 0;
184
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]185 if( ssl->ticket_keys == NULL )
186 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
187
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]188 /* Write key name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]189 memcpy( p, ssl->ticket_keys->key_name, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]190 p += 16;
191
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]192 /* Generate and write IV (with a copy for aes_crypt) */
193 if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
194 return( ret );
195 memcpy( iv, p, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]196 p += 16;
197
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]198 /*
199 * Dump session state
200 *
201 * After the session state itself, we still need room for 16 bytes of
202 * padding and 32 bytes of MAC, so there's only so much room left
203 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]204 state = p + 2;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200[diff] [blame]205 if( ssl_save_session( ssl->session_negotiate, state,
206 SSL_MAX_CONTENT_LEN - (state - ssl->out_ctr) - 48,
207 &clear_len ) != 0 )
208 {
209 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
210 }
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]211 SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]212
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]213 /* Apply PKCS padding */
214 pad_len = 16 - clear_len % 16;
215 enc_len = clear_len + pad_len;
216 for( i = clear_len; i < enc_len; i++ )
217 state[i] = (unsigned char) pad_len;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]218
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]219 /* Encrypt */
220 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
221 enc_len, iv, state, state ) ) != 0 )
222 {
223 return( ret );
224 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]225
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]226 /* Write length */
227 *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
228 *p++ = (unsigned char)( ( enc_len ) & 0xFF );
229 p = state + enc_len;
230
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]231 /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
232 sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]233 p += 32;
234
235 *tlen = p - start;
236
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]237 SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]238
239 return( 0 );
240}
241
242/*
243 * Load session ticket (see ssl_write_ticket for structure)
244 */
245static int ssl_parse_ticket( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]246 unsigned char *buf,
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]247 size_t len )
248{
249 int ret;
250 ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]251 unsigned char *key_name = buf;
252 unsigned char *iv = buf + 16;
253 unsigned char *enc_len_p = iv + 16;
254 unsigned char *ticket = enc_len_p + 2;
255 unsigned char *mac;
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]256 unsigned char computed_mac[16];
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]257 size_t enc_len, clear_len, i;
258 unsigned char pad_len;
259
260 SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]261
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]262 if( len < 34 || ssl->ticket_keys == NULL )
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]263 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
264
265 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
266 mac = ticket + enc_len;
267
268 if( len != enc_len + 66 )
269 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
270
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]271 /* Check name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]272 if( memcmp( key_name, ssl->ticket_keys->key_name, 16 ) != 0 )
273 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]274
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]275 /* Check mac */
276 sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
277 computed_mac, 0 );
278 ret = 0;
279 for( i = 0; i < 32; i++ )
280 if( mac[i] != computed_mac[i] )
281 ret = POLARSSL_ERR_SSL_INVALID_MAC;
282 if( ret != 0 )
283 return( ret );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]284
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]285 /* Decrypt */
286 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
287 enc_len, iv, ticket, ticket ) ) != 0 )
288 {
289 return( ret );
290 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]291
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]292 /* Check PKCS padding */
293 pad_len = ticket[enc_len - 1];
294
295 ret = 0;
296 for( i = 2; i < pad_len; i++ )
297 if( ticket[enc_len - i] != pad_len )
298 ret = POLARSSL_ERR_SSL_BAD_INPUT_DATA;
299 if( ret != 0 )
300 return( ret );
301
302 clear_len = enc_len - pad_len;
303
304 SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
305
306 /* Actually load session */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]307 if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
308 {
309 SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
310 memset( &session, 0, sizeof( ssl_session ) );
311 return( ret );
312 }
313
Paul Bakker606b4ba2013-08-14 16:52:14 +0200[diff] [blame]314#if defined(POLARSSL_HAVE_TIME)
315 /* Check if still valid */
316 if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
317 {
318 SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
319 memset( &session, 0, sizeof( ssl_session ) );
320 return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED );
321 }
322#endif
323
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]324 /*
325 * Keep the session ID sent by the client, since we MUST send it back to
326 * inform him we're accepting the ticket (RFC 5077 section 3.4)
327 */
328 session.length = ssl->session_negotiate->length;
329 memcpy( &session.id, ssl->session_negotiate->id, session.length );
330
331 ssl_session_free( ssl->session_negotiate );
332 memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
333 memset( &session, 0, sizeof( ssl_session ) );
334
335 return( 0 );
336}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]337#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]338
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]339static int ssl_parse_servername_ext( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]340 const unsigned char *buf,
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]341 size_t len )
342{
343 int ret;
344 size_t servername_list_size, hostname_len;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]345 const unsigned char *p;
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]346
347 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
348 if( servername_list_size + 2 != len )
349 {
350 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
351 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
352 }
353
354 p = buf + 2;
355 while( servername_list_size > 0 )
356 {
357 hostname_len = ( ( p[1] << 8 ) | p[2] );
358 if( hostname_len + 3 > servername_list_size )
359 {
360 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
361 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
362 }
363
364 if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
365 {
366 ret = ssl->f_sni( ssl->p_sni, ssl, p + 3, hostname_len );
367 if( ret != 0 )
368 {
369 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
370 SSL_ALERT_MSG_UNRECOGNIZED_NAME );
371 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
372 }
Paul Bakker81420ab2012-10-23 10:31:15 +0000[diff] [blame]373 return( 0 );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]374 }
375
376 servername_list_size -= hostname_len + 3;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]377 p += hostname_len + 3;
378 }
379
380 if( servername_list_size != 0 )
381 {
382 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
383 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]384 }
385
386 return( 0 );
387}
388
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]389static int ssl_parse_renegotiation_info( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]390 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]391 size_t len )
392{
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]393 int ret;
394
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]395 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
396 {
397 if( len != 1 || buf[0] != 0x0 )
398 {
399 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]400
401 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
402 return( ret );
403
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]404 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
405 }
406
407 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
408 }
409 else
410 {
411 if( len != 1 + ssl->verify_data_len ||
412 buf[0] != ssl->verify_data_len ||
413 memcmp( buf + 1, ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
414 {
415 SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]416
417 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
418 return( ret );
419
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]420 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
421 }
422 }
423
424 return( 0 );
425}
426
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]427static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
428 const unsigned char *buf,
429 size_t len )
430{
431 size_t sig_alg_list_size;
432 const unsigned char *p;
433
434 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
435 if( sig_alg_list_size + 2 != len ||
436 sig_alg_list_size %2 != 0 )
437 {
438 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
439 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
440 }
441
442 p = buf + 2;
443 while( sig_alg_list_size > 0 )
444 {
445 if( p[1] != SSL_SIG_RSA )
Paul Bakker8611e732012-10-30 07:52:29 +0000[diff] [blame]446 {
447 sig_alg_list_size -= 2;
448 p += 2;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]449 continue;
Paul Bakker8611e732012-10-30 07:52:29 +0000[diff] [blame]450 }
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]451#if defined(POLARSSL_SHA512_C)
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]452 if( p[0] == SSL_HASH_SHA512 )
453 {
454 ssl->handshake->sig_alg = SSL_HASH_SHA512;
455 break;
456 }
457 if( p[0] == SSL_HASH_SHA384 )
458 {
459 ssl->handshake->sig_alg = SSL_HASH_SHA384;
460 break;
461 }
462#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]463#if defined(POLARSSL_SHA256_C)
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]464 if( p[0] == SSL_HASH_SHA256 )
465 {
466 ssl->handshake->sig_alg = SSL_HASH_SHA256;
467 break;
468 }
469 if( p[0] == SSL_HASH_SHA224 )
470 {
471 ssl->handshake->sig_alg = SSL_HASH_SHA224;
472 break;
473 }
474#endif
475 if( p[0] == SSL_HASH_SHA1 )
476 {
477 ssl->handshake->sig_alg = SSL_HASH_SHA1;
478 break;
479 }
480 if( p[0] == SSL_HASH_MD5 )
481 {
482 ssl->handshake->sig_alg = SSL_HASH_MD5;
483 break;
484 }
485
486 sig_alg_list_size -= 2;
487 p += 2;
488 }
489
490 SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
491 ssl->handshake->sig_alg ) );
492
493 return( 0 );
494}
495
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]496#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]497static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
498 const unsigned char *buf,
499 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]500{
501 size_t list_size;
502 const unsigned char *p;
503
504 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
505 if( list_size + 2 != len ||
506 list_size % 2 != 0 )
507 {
508 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
509 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
510 }
511
512 p = buf + 2;
513 while( list_size > 0 )
514 {
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]515#if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
516 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP192R1 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]517 {
518 ssl->handshake->ec_curve = p[1];
519 return( 0 );
520 }
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]521#endif
522#if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
523 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP224R1 )
524 {
525 ssl->handshake->ec_curve = p[1];
526 return( 0 );
527 }
528#endif
529#if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
530 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP256R1 )
531 {
532 ssl->handshake->ec_curve = p[1];
533 return( 0 );
534 }
535#endif
536#if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
537 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP384R1 )
538 {
539 ssl->handshake->ec_curve = p[1];
540 return( 0 );
541 }
542#endif
543#if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
544 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP521R1 )
545 {
546 ssl->handshake->ec_curve = p[1];
547 return( 0 );
548 }
549#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]550
551 list_size -= 2;
552 p += 2;
553 }
554
555 return( 0 );
556}
557
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]558static int ssl_parse_supported_point_formats( ssl_context *ssl,
559 const unsigned char *buf,
560 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]561{
562 size_t list_size;
563 const unsigned char *p;
564
565 list_size = buf[0];
566 if( list_size + 1 != len )
567 {
568 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
569 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
570 }
571
572 p = buf + 2;
573 while( list_size > 0 )
574 {
575 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
576 p[0] == POLARSSL_ECP_PF_COMPRESSED )
577 {
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]578 ssl->handshake->ecdh_ctx.point_format = p[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]579 SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]580 return( 0 );
581 }
582
583 list_size--;
584 p++;
585 }
586
587 return( 0 );
588}
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]589#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]590
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]591#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]592static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
593 const unsigned char *buf,
594 size_t len )
595{
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]596 if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]597 {
598 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
599 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
600 }
601
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]602 ssl->session_negotiate->mfl_code = buf[0];
603
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]604 return( 0 );
605}
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]606#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]607
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]608#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]609static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
610 const unsigned char *buf,
611 size_t len )
612{
613 if( len != 0 )
614 {
615 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
616 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
617 }
618
619 ((void) buf);
620
621 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
622
623 return( 0 );
624}
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]625#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]626
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]627#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]628static int ssl_parse_session_ticket_ext( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]629 unsigned char *buf,
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]630 size_t len )
631{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]632 int ret;
633
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]634 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
635 return( 0 );
636
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]637 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]638 ssl->handshake->new_session_ticket = 1;
639
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]640 SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
641
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]642 if( len == 0 )
643 return( 0 );
644
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]645 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
646 {
647 SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
648 return( 0 );
649 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]650
651 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]652 * Failures are ok: just ignore the ticket and proceed.
653 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]654 if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
655 {
656 SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]657 return( 0 );
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]658 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]659
660 SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
661
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]662 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]663
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]664 /* Don't send a new ticket after all, this one is OK */
665 ssl->handshake->new_session_ticket = 0;
666
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]667 return( 0 );
668}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]669#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]670
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]671#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
672static int ssl_parse_client_hello_v2( ssl_context *ssl )
673{
674 int ret;
675 unsigned int i, j;
676 size_t n;
677 unsigned int ciph_len, sess_len, chal_len;
678 unsigned char *buf, *p;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]679 const int *ciphersuites;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]680 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]681
682 SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
683
684 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
685 {
686 SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
687
688 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
689 return( ret );
690
691 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
692 }
693
694 buf = ssl->in_hdr;
695
696 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
697
698 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
699 buf[2] ) );
700 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
701 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
702 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
703 buf[3], buf[4] ) );
704
705 /*
706 * SSLv2 Client Hello
707 *
708 * Record layer:
709 * 0 . 1 message length
710 *
711 * SSL layer:
712 * 2 . 2 message type
713 * 3 . 4 protocol version
714 */
715 if( buf[2] != SSL_HS_CLIENT_HELLO ||
716 buf[3] != SSL_MAJOR_VERSION_3 )
717 {
718 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
719 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
720 }
721
722 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
723
724 if( n < 17 || n > 512 )
725 {
726 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
727 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
728 }
729
730 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]731 ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
732 ? buf[4] : ssl->max_minor_ver;
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]733
734 if( ssl->minor_ver < ssl->min_minor_ver )
735 {
736 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
737 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
738 ssl->min_major_ver, ssl->min_minor_ver ) );
739
740 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
741 SSL_ALERT_MSG_PROTOCOL_VERSION );
742 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
743 }
744
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]745 ssl->handshake->max_major_ver = buf[3];
746 ssl->handshake->max_minor_ver = buf[4];
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]747
748 if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
749 {
750 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
751 return( ret );
752 }
753
754 ssl->handshake->update_checksum( ssl, buf + 2, n );
755
756 buf = ssl->in_msg;
757 n = ssl->in_left - 5;
758
759 /*
760 * 0 . 1 ciphersuitelist length
761 * 2 . 3 session id length
762 * 4 . 5 challenge length
763 * 6 . .. ciphersuitelist
764 * .. . .. session id
765 * .. . .. challenge
766 */
767 SSL_DEBUG_BUF( 4, "record contents", buf, n );
768
769 ciph_len = ( buf[0] << 8 ) | buf[1];
770 sess_len = ( buf[2] << 8 ) | buf[3];
771 chal_len = ( buf[4] << 8 ) | buf[5];
772
773 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
774 ciph_len, sess_len, chal_len ) );
775
776 /*
777 * Make sure each parameter length is valid
778 */
779 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
780 {
781 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
782 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
783 }
784
785 if( sess_len > 32 )
786 {
787 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
788 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
789 }
790
791 if( chal_len < 8 || chal_len > 32 )
792 {
793 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
794 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
795 }
796
797 if( n != 6 + ciph_len + sess_len + chal_len )
798 {
799 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
800 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
801 }
802
803 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
804 buf + 6, ciph_len );
805 SSL_DEBUG_BUF( 3, "client hello, session id",
806 buf + 6 + ciph_len, sess_len );
807 SSL_DEBUG_BUF( 3, "client hello, challenge",
808 buf + 6 + ciph_len + sess_len, chal_len );
809
810 p = buf + 6 + ciph_len;
811 ssl->session_negotiate->length = sess_len;
812 memset( ssl->session_negotiate->id, 0, sizeof( ssl->session_negotiate->id ) );
813 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
814
815 p += sess_len;
816 memset( ssl->handshake->randbytes, 0, 64 );
817 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
818
819 /*
820 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
821 */
822 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
823 {
824 if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
825 {
826 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
827 if( ssl->renegotiation == SSL_RENEGOTIATION )
828 {
829 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
830
831 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
832 return( ret );
833
834 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
835 }
836 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
837 break;
838 }
839 }
840
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]841 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
842 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]843 {
844 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
845 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]846 // Only allow non-ECC ciphersuites as we do not have extensions
847 //
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]848 if( p[0] == 0 && p[1] == 0 &&
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]849 ( ( ciphersuites[i] >> 8 ) & 0xFF ) == 0 &&
850 p[2] == ( ciphersuites[i] & 0xFF ) )
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]851 {
852 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
853
854 if( ciphersuite_info == NULL )
855 {
856 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
857 ciphersuites[i] ) );
858 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
859 }
860
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]861 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
862 ciphersuite_info->max_minor_ver < ssl->minor_ver )
863 continue;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]864
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]865 goto have_ciphersuite_v2;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]866 }
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]867 }
868 }
869
870 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
871
872 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
873
874have_ciphersuite_v2:
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]875 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]876 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]877 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]878
879 /*
880 * SSLv2 Client Hello relevant renegotiation security checks
881 */
882 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
883 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
884 {
885 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
886
887 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
888 return( ret );
889
890 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
891 }
892
893 ssl->in_left = 0;
894 ssl->state++;
895
896 SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
897
898 return( 0 );
899}
900#endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
901
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]902static int ssl_parse_client_hello( ssl_context *ssl )
903{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]904 int ret;
905 unsigned int i, j;
906 size_t n;
907 unsigned int ciph_len, sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]908 unsigned int comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]909 unsigned int ext_len = 0;
910 unsigned char *buf, *p, *ext;
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]911 int renegotiation_info_seen = 0;
912 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]913 const int *ciphersuites;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]914 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]915
916 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
917
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]918 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
919 ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]920 {
921 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
922 return( ret );
923 }
924
925 buf = ssl->in_hdr;
926
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]927#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
928 if( ( buf[0] & 0x80 ) != 0 )
929 return ssl_parse_client_hello_v2( ssl );
930#endif
931
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]932 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
933
934 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
935 buf[0] ) );
936 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
937 ( buf[3] << 8 ) | buf[4] ) );
938 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
939 buf[1], buf[2] ) );
940
941 /*
942 * SSLv3 Client Hello
943 *
944 * Record layer:
945 * 0 . 0 message type
946 * 1 . 2 protocol version
947 * 3 . 4 message length
948 */
949 if( buf[0] != SSL_MSG_HANDSHAKE ||
950 buf[1] != SSL_MAJOR_VERSION_3 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]951 {
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]952 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
953 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
954 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]955
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]956 n = ( buf[3] << 8 ) | buf[4];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]957
Manuel Pégourié-Gonnard72882b22013-08-02 13:36:00 +0200[diff] [blame]958 if( n < 45 || n > 2048 )
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]959 {
960 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
961 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
962 }
963
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]964 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
965 ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]966 {
967 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
968 return( ret );
969 }
970
971 buf = ssl->in_msg;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]972 if( !ssl->renegotiation )
973 n = ssl->in_left - 5;
974 else
975 n = ssl->in_msglen;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]976
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]977 ssl->handshake->update_checksum( ssl, buf, n );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]978
979 /*
980 * SSL layer:
981 * 0 . 0 handshake type
982 * 1 . 3 handshake length
983 * 4 . 5 protocol version
984 * 6 . 9 UNIX time()
985 * 10 . 37 random bytes
986 * 38 . 38 session id length
987 * 39 . 38+x session id
988 * 39+x . 40+x ciphersuitelist length
989 * 41+x . .. ciphersuitelist
990 * .. . .. compression alg.
991 * .. . .. extensions
992 */
993 SSL_DEBUG_BUF( 4, "record contents", buf, n );
994
995 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
996 buf[0] ) );
997 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
998 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
999 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
1000 buf[4], buf[5] ) );
1001
1002 /*
1003 * Check the handshake type and protocol version
1004 */
1005 if( buf[0] != SSL_HS_CLIENT_HELLO ||
1006 buf[4] != SSL_MAJOR_VERSION_3 )
1007 {
1008 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1009 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1010 }
1011
1012 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1013 ssl->minor_ver = ( buf[5] <= ssl->max_minor_ver )
1014 ? buf[5] : ssl->max_minor_ver;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1015
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1016 if( ssl->minor_ver < ssl->min_minor_ver )
1017 {
1018 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1019 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
Paul Bakker81420ab2012-10-23 10:31:15 +0000[diff] [blame]1020 ssl->min_major_ver, ssl->min_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1021
1022 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1023 SSL_ALERT_MSG_PROTOCOL_VERSION );
1024
1025 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1026 }
1027
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1028 ssl->handshake->max_major_ver = buf[4];
1029 ssl->handshake->max_minor_ver = buf[5];
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1030
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1031 memcpy( ssl->handshake->randbytes, buf + 6, 32 );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1032
1033 /*
1034 * Check the handshake message length
1035 */
1036 if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
1037 {
1038 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1039 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1040 }
1041
1042 /*
1043 * Check the session length
1044 */
1045 sess_len = buf[38];
1046
1047 if( sess_len > 32 )
1048 {
1049 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1050 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1051 }
1052
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1053 ssl->session_negotiate->length = sess_len;
1054 memset( ssl->session_negotiate->id, 0,
1055 sizeof( ssl->session_negotiate->id ) );
1056 memcpy( ssl->session_negotiate->id, buf + 39,
1057 ssl->session_negotiate->length );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1058
1059 /*
1060 * Check the ciphersuitelist length
1061 */
1062 ciph_len = ( buf[39 + sess_len] << 8 )
1063 | ( buf[40 + sess_len] );
1064
1065 if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
1066 {
1067 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1068 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1069 }
1070
1071 /*
1072 * Check the compression algorithms length
1073 */
1074 comp_len = buf[41 + sess_len + ciph_len];
1075
1076 if( comp_len < 1 || comp_len > 16 )
1077 {
1078 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1079 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1080 }
1081
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1082 /*
1083 * Check the extension length
1084 */
1085 if( n > 42 + sess_len + ciph_len + comp_len )
1086 {
1087 ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
1088 | ( buf[43 + sess_len + ciph_len + comp_len] );
1089
1090 if( ( ext_len > 0 && ext_len < 4 ) ||
1091 n != 44 + sess_len + ciph_len + comp_len + ext_len )
1092 {
1093 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1094 SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
1095 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1096 }
1097 }
1098
1099 ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1100#if defined(POLARSSL_ZLIB_SUPPORT)
1101 for( i = 0; i < comp_len; ++i )
1102 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1103 if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1104 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1105 ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1106 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1107 }
1108 }
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1109#endif
1110
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1111 SSL_DEBUG_BUF( 3, "client hello, random bytes",
1112 buf + 6, 32 );
1113 SSL_DEBUG_BUF( 3, "client hello, session id",
1114 buf + 38, sess_len );
1115 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1116 buf + 41 + sess_len, ciph_len );
1117 SSL_DEBUG_BUF( 3, "client hello, compression",
1118 buf + 42 + sess_len + ciph_len, comp_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1119
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1120 /*
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1121 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1122 */
1123 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1124 {
1125 if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
1126 {
1127 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1128 if( ssl->renegotiation == SSL_RENEGOTIATION )
1129 {
1130 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1131
1132 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1133 return( ret );
1134
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1135 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1136 }
1137 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
1138 break;
1139 }
1140 }
1141
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1142 ext = buf + 44 + sess_len + ciph_len + comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1143
1144 while( ext_len )
1145 {
1146 unsigned int ext_id = ( ( ext[0] << 8 )
1147 | ( ext[1] ) );
1148 unsigned int ext_size = ( ( ext[2] << 8 )
1149 | ( ext[3] ) );
1150
1151 if( ext_size + 4 > ext_len )
1152 {
1153 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1154 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1155 }
1156 switch( ext_id )
1157 {
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]1158 case TLS_EXT_SERVERNAME:
1159 SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1160 if( ssl->f_sni == NULL )
1161 break;
1162
1163 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1164 if( ret != 0 )
1165 return( ret );
1166 break;
1167
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1168 case TLS_EXT_RENEGOTIATION_INFO:
1169 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1170 renegotiation_info_seen = 1;
1171
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1172 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1173 if( ret != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1174 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1175 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1176
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1177 case TLS_EXT_SIG_ALG:
1178 SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1179 if( ssl->renegotiation == SSL_RENEGOTIATION )
1180 break;
1181
1182 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1183 if( ret != 0 )
1184 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1185 break;
1186
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1187#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1188 case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
1189 SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1190
1191 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1192 if( ret != 0 )
1193 return( ret );
1194 break;
1195
1196 case TLS_EXT_SUPPORTED_POINT_FORMATS:
1197 SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1198
1199 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1200 if( ret != 0 )
1201 return( ret );
1202 break;
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1203#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1204
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1205#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1206 case TLS_EXT_MAX_FRAGMENT_LENGTH:
1207 SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1208
1209 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1210 if( ret != 0 )
1211 return( ret );
1212 break;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1213#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1214
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1215#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1216 case TLS_EXT_TRUNCATED_HMAC:
1217 SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1218
1219 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1220 if( ret != 0 )
1221 return( ret );
1222 break;
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1223#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1224
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1225#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1226 case TLS_EXT_SESSION_TICKET:
1227 SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1228
1229 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1230 if( ret != 0 )
1231 return( ret );
1232 break;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1233#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1234
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1235 default:
1236 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1237 ext_id ) );
1238 }
1239
1240 ext_len -= 4 + ext_size;
1241 ext += 4 + ext_size;
1242
1243 if( ext_len > 0 && ext_len < 4 )
1244 {
1245 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1246 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1247 }
1248 }
1249
1250 /*
1251 * Renegotiation security checks
1252 */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1253 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1254 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
1255 {
1256 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1257 handshake_failure = 1;
1258 }
1259 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1260 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
1261 renegotiation_info_seen == 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1262 {
1263 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1264 handshake_failure = 1;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1265 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1266 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1267 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1268 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1269 {
1270 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1271 handshake_failure = 1;
1272 }
1273 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1274 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1275 renegotiation_info_seen == 1 )
1276 {
1277 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1278 handshake_failure = 1;
1279 }
1280
1281 if( handshake_failure == 1 )
1282 {
1283 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1284 return( ret );
1285
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1286 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1287 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1288
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1289 /*
1290 * Search for a matching ciphersuite
1291 * (At the end because we need information from the EC-based extensions)
1292 */
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1293 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1294 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1295 {
1296 for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
1297 j += 2, p += 2 )
1298 {
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1299 if( p[0] == ( ( ciphersuites[i] >> 8 ) & 0xFF ) &&
1300 p[1] == ( ( ciphersuites[i] ) & 0xFF ) )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1301 {
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1302 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1303
1304 if( ciphersuite_info == NULL )
1305 {
1306 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1307 ciphersuites[i] ) );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1308 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
1309 }
1310
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1311 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
1312 ciphersuite_info->max_minor_ver < ssl->minor_ver )
1313 continue;
1314
Paul Bakker5fd49172013-08-19 13:29:26 +0200[diff] [blame]1315#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1316 if( ( ciphersuite_info->flags & POLARSSL_CIPHERSUITE_EC ) &&
1317 ssl->handshake->ec_curve == 0 )
1318 continue;
Paul Bakker5fd49172013-08-19 13:29:26 +0200[diff] [blame]1319#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1320
1321 goto have_ciphersuite;
1322 }
1323 }
1324 }
1325
1326 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1327
1328 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1329 return( ret );
1330
1331 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
1332
1333have_ciphersuite:
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1334 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1335 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1336 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
1337
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1338 ssl->in_left = 0;
1339 ssl->state++;
1340
1341 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1342
1343 return( 0 );
1344}
1345
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1346#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1347static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
1348 unsigned char *buf,
1349 size_t *olen )
1350{
1351 unsigned char *p = buf;
1352
1353 if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
1354 {
1355 *olen = 0;
1356 return;
1357 }
1358
1359 SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1360
1361 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
1362 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
1363
1364 *p++ = 0x00;
1365 *p++ = 0x00;
1366
1367 *olen = 4;
1368}
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1369#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1370
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1371#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1372static void ssl_write_session_ticket_ext( ssl_context *ssl,
1373 unsigned char *buf,
1374 size_t *olen )
1375{
1376 unsigned char *p = buf;
1377
1378 if( ssl->handshake->new_session_ticket == 0 )
1379 {
1380 *olen = 0;
1381 return;
1382 }
1383
1384 SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1385
1386 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
1387 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
1388
1389 *p++ = 0x00;
1390 *p++ = 0x00;
1391
1392 *olen = 4;
1393}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1394#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1395
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1396static void ssl_write_renegotiation_ext( ssl_context *ssl,
1397 unsigned char *buf,
1398 size_t *olen )
1399{
1400 unsigned char *p = buf;
1401
1402 if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION )
1403 {
1404 *olen = 0;
1405 return;
1406 }
1407
1408 SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1409
1410 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
1411 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
1412
1413 *p++ = 0x00;
1414 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
1415 *p++ = ssl->verify_data_len * 2 & 0xFF;
1416
1417 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
1418 p += ssl->verify_data_len;
1419 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
1420 p += ssl->verify_data_len;
1421
1422 *olen = 5 + ssl->verify_data_len * 2;
1423}
1424
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1425#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1426static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
1427 unsigned char *buf,
1428 size_t *olen )
1429{
1430 unsigned char *p = buf;
1431
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]1432 if( ssl->session_negotiate->mfl_code == SSL_MAX_FRAG_LEN_NONE )
1433 {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1434 *olen = 0;
1435 return;
1436 }
1437
1438 SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
1439
1440 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
1441 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
1442
1443 *p++ = 0x00;
1444 *p++ = 1;
1445
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]1446 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1447
1448 *olen = 5;
1449}
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1450#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1451
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1452#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1453static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
1454 unsigned char *buf,
1455 size_t *olen )
1456{
1457 unsigned char *p = buf;
1458 ((void) ssl);
1459
1460 *olen = 0;
1461
1462 SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
1463
1464 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
1465 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
1466
1467 *p++ = 0x00;
1468 *p++ = 2;
1469
1470 *p++ = 1;
1471 *p++ = POLARSSL_ECP_PF_UNCOMPRESSED;
1472
1473 *olen = 6;
1474}
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1475#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1476
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1477static int ssl_write_server_hello( ssl_context *ssl )
1478{
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1479#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1480 time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1481#endif
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1482 int ret, n;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1483 size_t olen, ext_len = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1484 unsigned char *buf, *p;
1485
1486 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
1487
1488 /*
1489 * 0 . 0 handshake type
1490 * 1 . 3 handshake length
1491 * 4 . 5 protocol version
1492 * 6 . 9 UNIX time()
1493 * 10 . 37 random bytes
1494 */
1495 buf = ssl->out_msg;
1496 p = buf + 4;
1497
1498 *p++ = (unsigned char) ssl->major_ver;
1499 *p++ = (unsigned char) ssl->minor_ver;
1500
1501 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
1502 buf[4], buf[5] ) );
1503
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1504#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1505 t = time( NULL );
1506 *p++ = (unsigned char)( t >> 24 );
1507 *p++ = (unsigned char)( t >> 16 );
1508 *p++ = (unsigned char)( t >> 8 );
1509 *p++ = (unsigned char)( t );
1510
1511 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1512#else
1513 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
1514 return( ret );
1515
1516 p += 4;
1517#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1518
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1519 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
1520 return( ret );
1521
1522 p += 28;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1523
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1524 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1525
1526 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
1527
1528 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1529 * Resume is 0 by default, see ssl_handshake_init().
1530 * It may be already set to 1 by ssl_parse_session_ticket_ext().
1531 * If not, try looking up session ID in our cache.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1532 */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1533 if( ssl->handshake->resume == 0 &&
1534 ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +0200[diff] [blame]1535 ssl->session_negotiate->length != 0 &&
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1536 ssl->f_get_cache != NULL &&
1537 ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
1538 {
1539 ssl->handshake->resume = 1;
1540 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1541
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1542 if( ssl->handshake->resume == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1543 {
1544 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1545 * New session, create a new session id,
1546 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1547 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1548 ssl->state++;
1549
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1550#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1551 if( ssl->handshake->new_session_ticket == 0 )
1552 {
1553 ssl->session_negotiate->length = n = 32;
1554 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1555 n ) ) != 0 )
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1556 return( ret );
1557 }
1558 else
1559 {
Paul Bakkerf0e39ac2013-08-15 11:40:48 +0200[diff] [blame]1560 ssl->session_negotiate->length = n = 0;
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1561 memset( ssl->session_negotiate->id, 0, 32 );
1562 }
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1563#else
1564 ssl->session_negotiate->length = n = 32;
1565 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
1566 n ) ) != 0 )
1567 return( ret );
1568#endif /* POLARSSL_SSL_SESSION_TICKETS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1569 }
1570 else
1571 {
1572 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1573 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1574 */
Paul Bakkerf0e39ac2013-08-15 11:40:48 +0200[diff] [blame]1575 n = ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1576 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1577
1578 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1579 {
1580 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1581 return( ret );
1582 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1583 }
1584
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1585 /*
1586 * 38 . 38 session id length
1587 * 39 . 38+n session id
1588 * 39+n . 40+n chosen ciphersuite
1589 * 41+n . 41+n chosen compression alg.
1590 * 42+n . 43+n extensions length
1591 * 44+n . 43+n+m extensions
1592 */
1593 *p++ = (unsigned char) ssl->session_negotiate->length;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1594 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
1595 p += ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1596
1597 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1598 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
1599 SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]1600 ssl->handshake->resume ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1601
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1602 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
1603 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
1604 *p++ = (unsigned char)( ssl->session_negotiate->compression );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1605
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1606 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1607 ssl->session_negotiate->ciphersuite ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1608 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1609 ssl->session_negotiate->compression ) );
1610
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1611 /*
1612 * First write extensions, then the total length
1613 */
1614 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1615 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1616
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1617#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1618 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1619 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1620#endif
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1621
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1622#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1623 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1624 ext_len += olen;
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1625#endif
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1626
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1627#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1628 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1629 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1630#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1631
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200[diff] [blame]1632#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1633 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1634 ext_len += olen;
1635#endif
1636
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1637 SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1638
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1639 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1640 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1641 p += ext_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1642
1643 ssl->out_msglen = p - buf;
1644 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1645 ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
1646
1647 ret = ssl_write_record( ssl );
1648
1649 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
1650
1651 return( ret );
1652}
1653
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1654#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1655 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1656 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1657static int ssl_write_certificate_request( ssl_context *ssl )
1658{
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]1659 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1660 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1661
1662 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1663
1664 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1665 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1666 {
1667 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1668 ssl->state++;
1669 return( 0 );
1670 }
1671
1672 return( ret );
1673}
1674#else
1675static int ssl_write_certificate_request( ssl_context *ssl )
1676{
1677 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1678 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1679 size_t n = 0, dn_size, total_dn_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1680 unsigned char *buf, *p;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1681 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1682
1683 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1684
1685 ssl->state++;
1686
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]1687 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1688 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]1689 ssl->authmode == SSL_VERIFY_NONE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1690 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1691 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1692 return( 0 );
1693 }
1694
1695 /*
1696 * 0 . 0 handshake type
1697 * 1 . 3 handshake length
1698 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1699 * 5 .. m-1 cert types
1700 * m .. m+1 sig alg length (TLS 1.2 only)
1701 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1702 * n .. n+1 length of all DNs
1703 * n+2 .. n+3 length of DN 1
1704 * n+4 .. ... Distinguished Name #1
1705 * ... .. ... length of DN 2, etc.
1706 */
1707 buf = ssl->out_msg;
1708 p = buf + 4;
1709
1710 /*
1711 * At the moment, only RSA certificates are supported
1712 */
1713 *p++ = 1;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1714 *p++ = SSL_CERT_TYPE_RSA_SIGN;
1715
1716 /*
1717 * Add signature_algorithms for verify (TLS 1.2)
1718 * Only add current running algorithm that is already required for
1719 * requested ciphersuite.
1720 *
1721 * Length is always 2
1722 */
Paul Bakker21dca692013-01-03 11:41:08 +0100[diff] [blame]1723 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1724 {
1725 ssl->handshake->verify_sig_alg = SSL_HASH_SHA256;
1726
1727 *p++ = 0;
1728 *p++ = 2;
1729
Paul Bakkerb7149bc2013-03-20 15:30:09 +0100[diff] [blame]1730 if( ssl->transform_negotiate->ciphersuite_info->mac ==
1731 POLARSSL_MD_SHA384 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1732 {
1733 ssl->handshake->verify_sig_alg = SSL_HASH_SHA384;
1734 }
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]1735
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1736 *p++ = ssl->handshake->verify_sig_alg;
1737 *p++ = SSL_SIG_RSA;
1738
1739 n += 4;
1740 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1741
1742 p += 2;
1743 crt = ssl->ca_chain;
1744
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]1745 total_dn_size = 0;
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]1746 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1747 {
1748 if( p - buf > 4096 )
1749 break;
1750
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1751 dn_size = crt->subject_raw.len;
1752 *p++ = (unsigned char)( dn_size >> 8 );
1753 *p++ = (unsigned char)( dn_size );
1754 memcpy( p, crt->subject_raw.p, dn_size );
1755 p += dn_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1756
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1757 SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
1758
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]1759 total_dn_size += 2 + dn_size;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1760 crt = crt->next;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1761 }
1762
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1763 ssl->out_msglen = p - buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1764 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1765 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1766 ssl->out_msg[6 + n] = (unsigned char)( total_dn_size >> 8 );
1767 ssl->out_msg[7 + n] = (unsigned char)( total_dn_size );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1768
1769 ret = ssl_write_record( ssl );
1770
1771 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
1772
1773 return( ret );
1774}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1775#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
1776 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
1777 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1778
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1779static int ssl_write_server_key_exchange( ssl_context *ssl )
1780{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1781 int ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1782 size_t n = 0, len;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1783 unsigned char hash[64];
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1784 md_type_t md_alg = POLARSSL_MD_NONE;
Paul Bakker35a7fe52012-10-31 09:07:14 +0000[diff] [blame]1785 unsigned int hashlen = 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1786 unsigned char *p = ssl->out_msg + 4;
1787 unsigned char *dig_sig = p;
1788 size_t dig_sig_len = 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1789
1790 const ssl_ciphersuite_t *ciphersuite_info;
1791 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1792
1793 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
1794
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1795 if( ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_RSA &&
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1796 ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_ECDHE_RSA &&
1797 ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1798 {
1799 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
1800 ssl->state++;
1801 return( 0 );
1802 }
1803
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1804#if defined(POLARSSL_RSA_C)
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1805 if( ssl->rsa_key == NULL )
1806 {
Paul Bakkereb2c6582012-09-27 19:15:01 +0000[diff] [blame]1807 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
1808 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1809 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1810#endif /* POLARSSL_RSA_C */
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1811
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1812#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1813 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1814 {
1815 /* TODO: Support identity hints */
1816 *(p++) = 0x00;
1817 *(p++) = 0x00;
1818
1819 n += 2;
1820 }
1821#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1822
1823#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1824 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1825 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1826 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1827 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1828 /*
1829 * Ephemeral DH parameters:
1830 *
1831 * struct {
1832 * opaque dh_p<1..2^16-1>;
1833 * opaque dh_g<1..2^16-1>;
1834 * opaque dh_Ys<1..2^16-1>;
1835 * } ServerDHParams;
1836 */
1837 if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
1838 ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
1839 {
1840 SSL_DEBUG_RET( 1, "mpi_copy", ret );
1841 return( ret );
1842 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1843
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1844 if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
1845 mpi_size( &ssl->handshake->dhm_ctx.P ),
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1846 p,
1847 &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1848 {
1849 SSL_DEBUG_RET( 1, "dhm_make_params", ret );
1850 return( ret );
1851 }
1852
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1853 dig_sig = p;
1854 dig_sig_len = len;
1855
1856 p += len;
1857 n += len;
1858
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1859 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
1860 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1861 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1862 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
1863 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1864#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1865 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1866
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1867#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1868 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1869 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1870 /*
1871 * Ephemeral ECDH parameters:
1872 *
1873 * struct {
1874 * ECParameters curve_params;
1875 * ECPoint public;
1876 * } ServerECDHParams;
1877 */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1878 if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
1879 ssl->handshake->ec_curve ) ) != 0 )
1880 {
1881 SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
1882 return( ret );
1883 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1884
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1885 if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx,
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1886 &len,
1887 p,
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1888 1000, ssl->f_rng, ssl->p_rng ) ) != 0 )
1889 {
1890 SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
1891 return( ret );
1892 }
1893
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1894 dig_sig = p;
1895 dig_sig_len = len;
1896
1897 p += len;
1898 n += len;
1899
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1900 SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
1901 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1902#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1903
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1904#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1905 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
1906 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1907 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1908 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1909 size_t rsa_key_len = 0;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1910
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1911 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1912 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1913 md5_context md5;
1914 sha1_context sha1;
1915
1916 /*
1917 * digitally-signed struct {
1918 * opaque md5_hash[16];
1919 * opaque sha_hash[20];
1920 * };
1921 *
1922 * md5_hash
1923 * MD5(ClientHello.random + ServerHello.random
1924 * + ServerParams);
1925 * sha_hash
1926 * SHA(ClientHello.random + ServerHello.random
1927 * + ServerParams);
1928 */
1929 md5_starts( &md5 );
1930 md5_update( &md5, ssl->handshake->randbytes, 64 );
1931 md5_update( &md5, dig_sig, dig_sig_len );
1932 md5_finish( &md5, hash );
1933
1934 sha1_starts( &sha1 );
1935 sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1936 sha1_update( &sha1, dig_sig, dig_sig_len );
1937 sha1_finish( &sha1, hash + 16 );
1938
1939 hashlen = 36;
1940 md_alg = POLARSSL_MD_NONE;
1941 }
1942 else
1943 {
1944 md_context_t ctx;
1945
1946 /*
1947 * digitally-signed struct {
1948 * opaque client_random[32];
1949 * opaque server_random[32];
1950 * ServerDHParams params;
1951 * };
1952 */
1953 switch( ssl->handshake->sig_alg )
1954 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1955#if defined(POLARSSL_MD5_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1956 case SSL_HASH_MD5:
1957 md_alg = POLARSSL_MD_MD5;
1958 break;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1959#endif
1960#if defined(POLARSSL_SHA1_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1961 case SSL_HASH_SHA1:
1962 md_alg = POLARSSL_MD_SHA1;
1963 break;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1964#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]1965#if defined(POLARSSL_SHA256_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1966 case SSL_HASH_SHA224:
1967 md_alg = POLARSSL_MD_SHA224;
1968 break;
1969 case SSL_HASH_SHA256:
1970 md_alg = POLARSSL_MD_SHA256;
1971 break;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1972#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]1973#if defined(POLARSSL_SHA512_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1974 case SSL_HASH_SHA384:
1975 md_alg = POLARSSL_MD_SHA384;
1976 break;
1977 case SSL_HASH_SHA512:
1978 md_alg = POLARSSL_MD_SHA512;
1979 break;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1980#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1981 default:
1982 /* Should never happen */
1983 return( -1 );
1984 }
1985
1986 if( ( ret = md_init_ctx( &ctx, md_info_from_type( md_alg ) ) ) != 0 )
1987 {
1988 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
1989 return( ret );
1990 }
1991
1992 md_starts( &ctx );
1993 md_update( &ctx, ssl->handshake->randbytes, 64 );
1994 md_update( &ctx, dig_sig, dig_sig_len );
1995 md_finish( &ctx, hash );
Paul Bakker61d113b2013-07-04 11:51:43 +0200[diff] [blame]1996
1997 if( ( ret = md_free_ctx( &ctx ) ) != 0 )
1998 {
1999 SSL_DEBUG_RET( 1, "md_free_ctx", ret );
2000 return( ret );
2001 }
2002
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2003 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2004
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2005 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
2006
2007 if ( ssl->rsa_key )
2008 rsa_key_len = ssl->rsa_key_len( ssl->rsa_key );
2009
2010 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2011 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2012 *(p++) = ssl->handshake->sig_alg;
2013 *(p++) = SSL_SIG_RSA;
2014
2015 n += 2;
2016 }
2017
2018 *(p++) = (unsigned char)( rsa_key_len >> 8 );
2019 *(p++) = (unsigned char)( rsa_key_len );
2020 n += 2;
2021
2022 if ( ssl->rsa_key )
2023 {
2024 ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
2025 RSA_PRIVATE, md_alg, hashlen, hash, p );
2026 }
2027
2028 if( ret != 0 )
2029 {
2030 SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2031 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2032 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2033
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2034 SSL_DEBUG_BUF( 3, "my RSA sig", p, rsa_key_len );
2035
2036 p += rsa_key_len;
2037 n += rsa_key_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2038 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2039#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
2040 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2041
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2042 ssl->out_msglen = 4 + n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2043 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2044 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE;
2045
2046 ssl->state++;
2047
2048 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2049 {
2050 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2051 return( ret );
2052 }
2053
2054 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
2055
2056 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2057}
2058
2059static int ssl_write_server_hello_done( ssl_context *ssl )
2060{
2061 int ret;
2062
2063 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
2064
2065 ssl->out_msglen = 4;
2066 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2067 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE;
2068
2069 ssl->state++;
2070
2071 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2072 {
2073 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2074 return( ret );
2075 }
2076
2077 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
2078
2079 return( 0 );
2080}
2081
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2082#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2083 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2084static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
2085 const unsigned char *end )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2086{
2087 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2088 size_t n;
2089
2090 /*
2091 * Receive G^Y mod P, premaster = (G^Y)^X mod P
2092 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2093 if( *p + 2 > end )
2094 {
2095 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2096 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2097 }
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2098
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2099 n = ( (*p)[0] << 8 ) | (*p)[1];
2100 *p += 2;
2101
2102 if( n < 1 || n > ssl->handshake->dhm_ctx.len || *p + n > end )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2103 {
2104 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2105 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2106 }
2107
2108 if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx,
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2109 *p, n ) ) != 0 )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2110 {
2111 SSL_DEBUG_RET( 1, "dhm_read_public", ret );
2112 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2113 }
2114
2115 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2116
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2117 return( ret );
2118}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2119#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2120 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2121
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2122#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2123static int ssl_parse_client_ecdh_public( ssl_context *ssl )
2124{
2125 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2126 size_t n;
2127
2128 /*
2129 * Receive client public key and calculate premaster
2130 */
2131 n = ssl->in_msg[3];
2132
2133 if( n < 1 || n > mpi_size( &ssl->handshake->ecdh_ctx.grp.P ) * 2 + 2 ||
2134 n + 4 != ssl->in_hslen )
2135 {
2136 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2137 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2138 }
2139
2140 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2141 ssl->in_msg + 4, n ) ) != 0 )
2142 {
2143 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2144 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2145 }
2146
2147 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2148
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2149 return( ret );
2150}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2151#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2152
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2153#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2154static int ssl_parse_encrypted_pms_secret( ssl_context *ssl )
2155{
2156 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2157 size_t i, n = 0;
2158
2159 if( ssl->rsa_key == NULL )
2160 {
2161 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2162 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2163 }
2164
2165 /*
2166 * Decrypt the premaster using own private RSA key
2167 */
2168 i = 4;
2169 if( ssl->rsa_key )
2170 n = ssl->rsa_key_len( ssl->rsa_key );
2171 ssl->handshake->pmslen = 48;
2172
2173 if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
2174 {
2175 i += 2;
2176 if( ssl->in_msg[4] != ( ( n >> 8 ) & 0xFF ) ||
2177 ssl->in_msg[5] != ( ( n ) & 0xFF ) )
2178 {
2179 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2180 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2181 }
2182 }
2183
2184 if( ssl->in_hslen != i + n )
2185 {
2186 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2187 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2188 }
2189
2190 if( ssl->rsa_key ) {
2191 ret = ssl->rsa_decrypt( ssl->rsa_key, RSA_PRIVATE,
2192 &ssl->handshake->pmslen,
2193 ssl->in_msg + i,
2194 ssl->handshake->premaster,
2195 sizeof(ssl->handshake->premaster) );
2196 }
2197
2198 if( ret != 0 || ssl->handshake->pmslen != 48 ||
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]2199 ssl->handshake->premaster[0] != ssl->handshake->max_major_ver ||
2200 ssl->handshake->premaster[1] != ssl->handshake->max_minor_ver )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2201 {
2202 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2203
2204 /*
2205 * Protection against Bleichenbacher's attack:
2206 * invalid PKCS#1 v1.5 padding must not cause
2207 * the connection to end immediately; instead,
2208 * send a bad_record_mac later in the handshake.
2209 */
2210 ssl->handshake->pmslen = 48;
2211
2212 ret = ssl->f_rng( ssl->p_rng, ssl->handshake->premaster,
2213 ssl->handshake->pmslen );
2214 if( ret != 0 )
2215 return( ret );
2216 }
2217
2218 return( ret );
2219}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2220#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2221
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2222#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
2223 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2224static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
2225 const unsigned char *end )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2226{
2227 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2228 size_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2229
2230 if( ssl->psk == NULL || ssl->psk_identity == NULL ||
2231 ssl->psk_identity_len == 0 || ssl->psk_len == 0 )
2232 {
2233 SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
2234 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2235 }
2236
2237 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2238 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2239 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2240 if( *p + 2 > end )
2241 {
2242 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2243 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2244 }
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2245
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2246 n = ( (*p)[0] << 8 ) | (*p)[1];
2247 *p += 2;
2248
2249 if( n < 1 || n > 65535 || *p + n > end )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2250 {
2251 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2252 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2253 }
2254
2255 if( n != ssl->psk_identity_len ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2256 memcmp( ssl->psk_identity, *p, n ) != 0 )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2257 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2258 SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2259 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2260 }
2261
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2262 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2263 ret = 0;
2264
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2265 return( ret );
2266}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2267#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED ||
2268 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2269
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2270static int ssl_parse_client_key_exchange( ssl_context *ssl )
2271{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2272 int ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2273 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2274 unsigned char *p, *end;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2275
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2276 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2277
2278 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
2279
2280 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2281 {
2282 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2283 return( ret );
2284 }
2285
2286 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2287 {
2288 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2289 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2290 }
2291
2292 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
2293 {
2294 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2295 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2296 }
2297
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2298 p = ssl->in_msg + 4;
2299 end = ssl->in_msg + ssl->in_msglen;
2300
2301#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2302 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2303 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2304 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2305 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2306 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2307 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2308 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2309
2310 ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
2311
2312 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2313 ssl->handshake->premaster,
2314 &ssl->handshake->pmslen ) ) != 0 )
2315 {
2316 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2317 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2318 }
2319
2320 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2321 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2322 else
2323#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
2324#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
2325 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2326 {
2327 if( ( ret = ssl_parse_client_ecdh_public( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2328 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2329 SSL_DEBUG_RET( 1, ( "ssl_parse_client_ecdh_public" ), ret );
2330 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2331 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2332
2333 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2334 &ssl->handshake->pmslen,
2335 ssl->handshake->premaster,
2336 POLARSSL_MPI_MAX_SIZE ) ) != 0 )
2337 {
2338 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
2339 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2340 }
2341
2342 SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2343 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2344 else
2345#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2346#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2347 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2348 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2349 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2350 {
2351 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2352 return( ret );
2353 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2354
2355 // Set up the premaster secret
2356 //
2357 p = ssl->handshake->premaster;
2358 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2359 *(p++) = (unsigned char)( ssl->psk_len );
2360 p += ssl->psk_len;
2361
2362 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2363 *(p++) = (unsigned char)( ssl->psk_len );
2364 memcpy( p, ssl->psk, ssl->psk_len );
2365 p += ssl->psk_len;
2366
2367 ssl->handshake->pmslen = 4 + 2 * ssl->psk_len;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2368 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2369 else
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2370#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
2371#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2372 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2373 {
2374 size_t n;
2375
2376 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2377 {
2378 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2379 return( ret );
2380 }
2381 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2382 {
2383 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2384 return( ret );
2385 }
2386
2387 // Set up the premaster secret
2388 //
2389 p = ssl->handshake->premaster;
2390 *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len >> 8 );
2391 *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len );
2392
2393 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2394 p, &n ) ) != 0 )
2395 {
2396 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2397 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2398 }
2399
2400 if( n != ssl->handshake->dhm_ctx.len )
2401 {
2402 SSL_DEBUG_MSG( 1, ( "dhm_calc_secret result smaller than DHM" ) );
2403 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
2404 }
2405
2406 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2407
2408 p += ssl->handshake->dhm_ctx.len;
2409
2410 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2411 *(p++) = (unsigned char)( ssl->psk_len );
2412 memcpy( p, ssl->psk, ssl->psk_len );
2413 p += ssl->psk_len;
2414
2415 ssl->handshake->pmslen = 4 + ssl->handshake->dhm_ctx.len + ssl->psk_len;
2416 }
2417 else
2418#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2419#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2420 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2421 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2422 if( ( ret = ssl_parse_encrypted_pms_secret( ssl ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2423 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2424 SSL_DEBUG_RET( 1, ( "ssl_parse_client_ecdh_public" ), ret );
2425 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2426 }
2427 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2428 else
2429#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2430 {
2431 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
2432 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2433
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2434 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2435 {
2436 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2437 return( ret );
2438 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2439
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2440 ssl->state++;
2441
2442 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
2443
2444 return( 0 );
2445}
2446
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2447#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2448 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2449 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2450static int ssl_parse_certificate_verify( ssl_context *ssl )
2451{
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2452 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2453 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2454
2455 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2456
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2457 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2458 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2459 {
2460 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2461 ssl->state++;
2462 return( 0 );
2463 }
2464
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2465 return( ret );
2466}
2467#else
2468static int ssl_parse_certificate_verify( ssl_context *ssl )
2469{
2470 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2471 size_t n = 0, n1, n2;
2472 unsigned char hash[48];
2473 md_type_t md_alg = POLARSSL_MD_NONE;
2474 unsigned int hashlen = 0;
2475 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2476
2477 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2478
2479 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2480 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2481 {
2482 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2483 ssl->state++;
2484 return( 0 );
2485 }
2486
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2487 if( ssl->session_negotiate->peer_cert == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2488 {
2489 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2490 ssl->state++;
2491 return( 0 );
2492 }
2493
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2494 ssl->handshake->calc_verify( ssl, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2495
2496 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2497 {
2498 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2499 return( ret );
2500 }
2501
2502 ssl->state++;
2503
2504 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2505 {
2506 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2507 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2508 }
2509
2510 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
2511 {
2512 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2513 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2514 }
2515
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2516 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2517 {
2518 /*
2519 * As server we know we either have SSL_HASH_SHA384 or
2520 * SSL_HASH_SHA256
2521 */
2522 if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg ||
2523 ssl->in_msg[5] != SSL_SIG_RSA )
2524 {
2525 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg for verify message" ) );
2526 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
2527 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2528
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2529 if( ssl->handshake->verify_sig_alg == SSL_HASH_SHA384 )
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2530 md_alg = POLARSSL_MD_SHA384;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2531 else
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2532 md_alg = POLARSSL_MD_SHA256;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2533
2534 n += 2;
2535 }
2536 else
2537 {
2538 hashlen = 36;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2539 md_alg = POLARSSL_MD_NONE;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2540 }
2541
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2542 /* EC NOT IMPLEMENTED YET */
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +0200[diff] [blame]2543 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2544 POLARSSL_PK_RSA ) )
2545 {
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2546 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +0200[diff] [blame]2547 }
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2548
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +0200[diff] [blame]2549 n1 = pk_get_size( &ssl->session_negotiate->peer_cert->pk ) / 8;
Paul Bakker78ce5072012-11-23 14:23:53 +0100[diff] [blame]2550 n2 = ( ssl->in_msg[4 + n] << 8 ) | ssl->in_msg[5 + n];
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2551
2552 if( n + n1 + 6 != ssl->in_hslen || n1 != n2 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2553 {
2554 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2555 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2556 }
2557
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2558 ret = rsa_pkcs1_verify( pk_rsa( ssl->session_negotiate->peer_cert->pk ),
2559 RSA_PUBLIC, md_alg, hashlen, hash,
2560 ssl->in_msg + 6 + n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2561 if( ret != 0 )
2562 {
2563 SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
2564 return( ret );
2565 }
2566
2567 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
2568
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2569 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2570}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2571#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2572 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2573 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2574
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2575#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2576static int ssl_write_new_session_ticket( ssl_context *ssl )
2577{
2578 int ret;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2579 size_t tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2580
2581 SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
2582
2583 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2584 ssl->out_msg[0] = SSL_HS_NEW_SESSION_TICKET;
2585
2586 /*
2587 * struct {
2588 * uint32 ticket_lifetime_hint;
2589 * opaque ticket<0..2^16-1>;
2590 * } NewSessionTicket;
2591 *
2592 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
2593 * 8 . 9 ticket_len (n)
2594 * 10 . 9+n ticket content
2595 */
2596 ssl->out_msg[4] = 0x00;
2597 ssl->out_msg[5] = 0x00;
2598 ssl->out_msg[6] = 0x00;
2599 ssl->out_msg[7] = 0x00;
2600
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]2601 if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
2602 {
2603 SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
2604 tlen = 0;
2605 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2606
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2607 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
2608 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2609
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2610 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2611
2612 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2613 {
2614 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2615 return( ret );
2616 }
2617
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2618 /* No need to remember writing a NewSessionTicket any more */
2619 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2620
2621 SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
2622
2623 return( 0 );
2624}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2625#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2626
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2627/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2628 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2629 */
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2630int ssl_handshake_server_step( ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2631{
2632 int ret = 0;
2633
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2634 if( ssl->state == SSL_HANDSHAKE_OVER )
2635 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2636
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2637 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
2638
2639 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2640 return( ret );
2641
2642 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2643 {
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2644 case SSL_HELLO_REQUEST:
2645 ssl->state = SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2646 break;
2647
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2648 /*
2649 * <== ClientHello
2650 */
2651 case SSL_CLIENT_HELLO:
2652 ret = ssl_parse_client_hello( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2653 break;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2654
2655 /*
2656 * ==> ServerHello
2657 * Certificate
2658 * ( ServerKeyExchange )
2659 * ( CertificateRequest )
2660 * ServerHelloDone
2661 */
2662 case SSL_SERVER_HELLO:
2663 ret = ssl_write_server_hello( ssl );
2664 break;
2665
2666 case SSL_SERVER_CERTIFICATE:
2667 ret = ssl_write_certificate( ssl );
2668 break;
2669
2670 case SSL_SERVER_KEY_EXCHANGE:
2671 ret = ssl_write_server_key_exchange( ssl );
2672 break;
2673
2674 case SSL_CERTIFICATE_REQUEST:
2675 ret = ssl_write_certificate_request( ssl );
2676 break;
2677
2678 case SSL_SERVER_HELLO_DONE:
2679 ret = ssl_write_server_hello_done( ssl );
2680 break;
2681
2682 /*
2683 * <== ( Certificate/Alert )
2684 * ClientKeyExchange
2685 * ( CertificateVerify )
2686 * ChangeCipherSpec
2687 * Finished
2688 */
2689 case SSL_CLIENT_CERTIFICATE:
2690 ret = ssl_parse_certificate( ssl );
2691 break;
2692
2693 case SSL_CLIENT_KEY_EXCHANGE:
2694 ret = ssl_parse_client_key_exchange( ssl );
2695 break;
2696
2697 case SSL_CERTIFICATE_VERIFY:
2698 ret = ssl_parse_certificate_verify( ssl );
2699 break;
2700
2701 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
2702 ret = ssl_parse_change_cipher_spec( ssl );
2703 break;
2704
2705 case SSL_CLIENT_FINISHED:
2706 ret = ssl_parse_finished( ssl );
2707 break;
2708
2709 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2710 * ==> ( NewSessionTicket )
2711 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2712 * Finished
2713 */
2714 case SSL_SERVER_CHANGE_CIPHER_SPEC:
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2715#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2716 if( ssl->handshake->new_session_ticket != 0 )
2717 ret = ssl_write_new_session_ticket( ssl );
2718 else
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2719#endif
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2720 ret = ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2721 break;
2722
2723 case SSL_SERVER_FINISHED:
2724 ret = ssl_write_finished( ssl );
2725 break;
2726
2727 case SSL_FLUSH_BUFFERS:
2728 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2729 ssl->state = SSL_HANDSHAKE_WRAPUP;
2730 break;
2731
2732 case SSL_HANDSHAKE_WRAPUP:
2733 ssl_handshake_wrapup( ssl );
2734 break;
2735
2736 default:
2737 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2738 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2739 }
2740
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2741 return( ret );
2742}
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2743#endif