blob: 53b6031947ef43d7722b6fae5da51340643b9c0e [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
2 * SSLv3/TLSv1 server-side functions
3 *
Paul Bakker68884e32013-01-07 18:20:04 +01004 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +00005 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +00007 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +00008 *
Paul Bakker77b385e2009-07-28 17:23:11 +00009 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +000010 *
Paul Bakker5121ce52009-01-03 21:22:43 +000011 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
Paul Bakker40e46942009-01-03 21:51:57 +000026#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000027
Paul Bakker40e46942009-01-03 21:51:57 +000028#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000029
Paul Bakker40e46942009-01-03 21:51:57 +000030#include "polarssl/debug.h"
31#include "polarssl/ssl.h"
Paul Bakker41c83d32013-03-20 14:39:14 +010032#if defined(POLARSSL_ECP_C)
33#include "polarssl/ecp.h"
34#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000035
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020036#if defined(POLARSSL_MEMORY_C)
37#include "polarssl/memory.h"
38#else
39#define polarssl_malloc malloc
40#define polarssl_free free
41#endif
42
Paul Bakker5121ce52009-01-03 21:22:43 +000043#include <stdlib.h>
44#include <stdio.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +020045
46#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +000047#include <time.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +020048#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000049
Paul Bakkera503a632013-08-14 13:48:06 +020050#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020051/*
52 * Serialize a session in the following format:
53 * 0 . n-1 session structure, n = sizeof(ssl_session)
54 * n . n+2 peer_cert length = m (0 if no certificate)
55 * n+3 . n+2+m peer cert ASN.1
56 *
57 * Assumes ticket is NULL (always true on server side).
58 */
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020059static int ssl_save_session( const ssl_session *session,
60 unsigned char *buf, size_t buf_len,
61 size_t *olen )
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020062{
63 unsigned char *p = buf;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020064 size_t left = buf_len;
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020065#if defined(POLARSSL_X509_PARSE_C)
66 size_t cert_len;
67#endif /* POLARSSL_X509_PARSE_C */
68
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020069 if( left < sizeof( ssl_session ) )
70 return( -1 );
71
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020072 memcpy( p, session, sizeof( ssl_session ) );
73 p += sizeof( ssl_session );
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020074 left -= sizeof( ssl_session );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020075
76#if defined(POLARSSL_X509_PARSE_C)
77 ((ssl_session *) buf)->peer_cert = NULL;
78
79 if( session->peer_cert == NULL )
80 cert_len = 0;
81 else
82 cert_len = session->peer_cert->raw.len;
83
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020084 if( left < 3 + cert_len )
85 return( -1 );
86
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020087 *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
88 *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
89 *p++ = (unsigned char)( cert_len & 0xFF );
90
91 if( session->peer_cert != NULL )
92 memcpy( p, session->peer_cert->raw.p, cert_len );
93
94 p += cert_len;
95#endif /* POLARSSL_X509_PARSE_C */
96
97 *olen = p - buf;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020098
99 return( 0 );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200100}
101
102/*
103 * Unserialise session, see ssl_save_session()
104 */
105static int ssl_load_session( ssl_session *session,
106 const unsigned char *buf, size_t len )
107{
108 int ret;
109 const unsigned char *p = buf;
110 const unsigned char * const end = buf + len;
111#if defined(POLARSSL_X509_PARSE_C)
112 size_t cert_len;
113#endif /* POLARSSL_X509_PARSE_C */
114
115 if( p + sizeof( ssl_session ) > end )
116 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
117
118 memcpy( session, p, sizeof( ssl_session ) );
119 p += sizeof( ssl_session );
120
121#if defined(POLARSSL_X509_PARSE_C)
122 if( p + 3 > end )
123 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
124
125 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
126 p += 3;
127
128 if( cert_len == 0 )
129 {
130 session->peer_cert = NULL;
131 }
132 else
133 {
134 if( p + cert_len > end )
135 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
136
137 session->peer_cert = polarssl_malloc( cert_len );
138
139 if( session->peer_cert == NULL )
140 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
141
142 memset( session->peer_cert, 0, sizeof( x509_cert ) );
143
144 if( ( ret = x509parse_crt( session->peer_cert, p, cert_len ) ) != 0 )
145 {
146 polarssl_free( session->peer_cert );
147 free( session->peer_cert );
148 session->peer_cert = NULL;
149 return( ret );
150 }
151
152 p += cert_len;
153 }
154#endif /* POLARSSL_X509_PARSE_C */
155
156 if( p != end )
157 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
158
159 return( 0 );
160}
161
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200162/*
163 * Create session ticket, secured as recommended in RFC 5077 section 4:
164 *
165 * struct {
166 * opaque key_name[16];
167 * opaque iv[16];
168 * opaque encrypted_state<0..2^16-1>;
169 * opaque mac[32];
170 * } ticket;
171 *
172 * (the internal state structure differs, however).
173 */
174static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
175{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200176 int ret;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200177 unsigned char * const start = ssl->out_msg + 10;
178 unsigned char *p = start;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200179 unsigned char *state;
180 unsigned char iv[16];
181 size_t clear_len, enc_len, pad_len, i;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200182
Manuel Pégourié-Gonnard0a201712013-08-23 16:25:16 +0200183 *tlen = 0;
184
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200185 if( ssl->ticket_keys == NULL )
186 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
187
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200188 /* Write key name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200189 memcpy( p, ssl->ticket_keys->key_name, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200190 p += 16;
191
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200192 /* Generate and write IV (with a copy for aes_crypt) */
193 if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
194 return( ret );
195 memcpy( iv, p, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200196 p += 16;
197
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200198 /*
199 * Dump session state
200 *
201 * After the session state itself, we still need room for 16 bytes of
202 * padding and 32 bytes of MAC, so there's only so much room left
203 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200204 state = p + 2;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200205 if( ssl_save_session( ssl->session_negotiate, state,
206 SSL_MAX_CONTENT_LEN - (state - ssl->out_ctr) - 48,
207 &clear_len ) != 0 )
208 {
209 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
210 }
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200211 SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200212
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200213 /* Apply PKCS padding */
214 pad_len = 16 - clear_len % 16;
215 enc_len = clear_len + pad_len;
216 for( i = clear_len; i < enc_len; i++ )
217 state[i] = (unsigned char) pad_len;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200218
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200219 /* Encrypt */
220 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
221 enc_len, iv, state, state ) ) != 0 )
222 {
223 return( ret );
224 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200225
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200226 /* Write length */
227 *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
228 *p++ = (unsigned char)( ( enc_len ) & 0xFF );
229 p = state + enc_len;
230
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200231 /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
232 sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200233 p += 32;
234
235 *tlen = p - start;
236
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200237 SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200238
239 return( 0 );
240}
241
242/*
243 * Load session ticket (see ssl_write_ticket for structure)
244 */
245static int ssl_parse_ticket( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200246 unsigned char *buf,
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200247 size_t len )
248{
249 int ret;
250 ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200251 unsigned char *key_name = buf;
252 unsigned char *iv = buf + 16;
253 unsigned char *enc_len_p = iv + 16;
254 unsigned char *ticket = enc_len_p + 2;
255 unsigned char *mac;
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200256 unsigned char computed_mac[16];
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200257 size_t enc_len, clear_len, i;
258 unsigned char pad_len;
259
260 SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200261
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200262 if( len < 34 || ssl->ticket_keys == NULL )
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200263 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
264
265 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
266 mac = ticket + enc_len;
267
268 if( len != enc_len + 66 )
269 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
270
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200271 /* Check name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200272 if( memcmp( key_name, ssl->ticket_keys->key_name, 16 ) != 0 )
273 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200274
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200275 /* Check mac */
276 sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
277 computed_mac, 0 );
278 ret = 0;
279 for( i = 0; i < 32; i++ )
280 if( mac[i] != computed_mac[i] )
281 ret = POLARSSL_ERR_SSL_INVALID_MAC;
282 if( ret != 0 )
283 return( ret );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200284
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200285 /* Decrypt */
286 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
287 enc_len, iv, ticket, ticket ) ) != 0 )
288 {
289 return( ret );
290 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200291
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200292 /* Check PKCS padding */
293 pad_len = ticket[enc_len - 1];
294
295 ret = 0;
296 for( i = 2; i < pad_len; i++ )
297 if( ticket[enc_len - i] != pad_len )
298 ret = POLARSSL_ERR_SSL_BAD_INPUT_DATA;
299 if( ret != 0 )
300 return( ret );
301
302 clear_len = enc_len - pad_len;
303
304 SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
305
306 /* Actually load session */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200307 if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
308 {
309 SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
310 memset( &session, 0, sizeof( ssl_session ) );
311 return( ret );
312 }
313
Paul Bakker606b4ba2013-08-14 16:52:14 +0200314#if defined(POLARSSL_HAVE_TIME)
315 /* Check if still valid */
316 if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
317 {
318 SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
319 memset( &session, 0, sizeof( ssl_session ) );
320 return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED );
321 }
322#endif
323
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200324 /*
325 * Keep the session ID sent by the client, since we MUST send it back to
326 * inform him we're accepting the ticket (RFC 5077 section 3.4)
327 */
328 session.length = ssl->session_negotiate->length;
329 memcpy( &session.id, ssl->session_negotiate->id, session.length );
330
331 ssl_session_free( ssl->session_negotiate );
332 memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
333 memset( &session, 0, sizeof( ssl_session ) );
334
335 return( 0 );
336}
Paul Bakkera503a632013-08-14 13:48:06 +0200337#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200338
Paul Bakker5701cdc2012-09-27 21:49:42 +0000339static int ssl_parse_servername_ext( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000340 const unsigned char *buf,
Paul Bakker5701cdc2012-09-27 21:49:42 +0000341 size_t len )
342{
343 int ret;
344 size_t servername_list_size, hostname_len;
Paul Bakker23f36802012-09-28 14:15:14 +0000345 const unsigned char *p;
Paul Bakker5701cdc2012-09-27 21:49:42 +0000346
347 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
348 if( servername_list_size + 2 != len )
349 {
350 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
351 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
352 }
353
354 p = buf + 2;
355 while( servername_list_size > 0 )
356 {
357 hostname_len = ( ( p[1] << 8 ) | p[2] );
358 if( hostname_len + 3 > servername_list_size )
359 {
360 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
361 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
362 }
363
364 if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
365 {
366 ret = ssl->f_sni( ssl->p_sni, ssl, p + 3, hostname_len );
367 if( ret != 0 )
368 {
369 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
370 SSL_ALERT_MSG_UNRECOGNIZED_NAME );
371 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
372 }
Paul Bakker81420ab2012-10-23 10:31:15 +0000373 return( 0 );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000374 }
375
376 servername_list_size -= hostname_len + 3;
Paul Bakker23f36802012-09-28 14:15:14 +0000377 p += hostname_len + 3;
378 }
379
380 if( servername_list_size != 0 )
381 {
382 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
383 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000384 }
385
386 return( 0 );
387}
388
Paul Bakker48916f92012-09-16 19:57:18 +0000389static int ssl_parse_renegotiation_info( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000390 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +0000391 size_t len )
392{
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000393 int ret;
394
Paul Bakker48916f92012-09-16 19:57:18 +0000395 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
396 {
397 if( len != 1 || buf[0] != 0x0 )
398 {
399 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000400
401 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
402 return( ret );
403
Paul Bakker48916f92012-09-16 19:57:18 +0000404 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
405 }
406
407 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
408 }
409 else
410 {
411 if( len != 1 + ssl->verify_data_len ||
412 buf[0] != ssl->verify_data_len ||
413 memcmp( buf + 1, ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
414 {
415 SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000416
417 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
418 return( ret );
419
Paul Bakker48916f92012-09-16 19:57:18 +0000420 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
421 }
422 }
423
424 return( 0 );
425}
426
Paul Bakker23f36802012-09-28 14:15:14 +0000427static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
428 const unsigned char *buf,
429 size_t len )
430{
431 size_t sig_alg_list_size;
432 const unsigned char *p;
433
434 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
435 if( sig_alg_list_size + 2 != len ||
436 sig_alg_list_size %2 != 0 )
437 {
438 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
439 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
440 }
441
442 p = buf + 2;
443 while( sig_alg_list_size > 0 )
444 {
445 if( p[1] != SSL_SIG_RSA )
Paul Bakker8611e732012-10-30 07:52:29 +0000446 {
447 sig_alg_list_size -= 2;
448 p += 2;
Paul Bakker23f36802012-09-28 14:15:14 +0000449 continue;
Paul Bakker8611e732012-10-30 07:52:29 +0000450 }
Paul Bakker9e36f042013-06-30 14:34:05 +0200451#if defined(POLARSSL_SHA512_C)
Paul Bakker23f36802012-09-28 14:15:14 +0000452 if( p[0] == SSL_HASH_SHA512 )
453 {
454 ssl->handshake->sig_alg = SSL_HASH_SHA512;
455 break;
456 }
457 if( p[0] == SSL_HASH_SHA384 )
458 {
459 ssl->handshake->sig_alg = SSL_HASH_SHA384;
460 break;
461 }
462#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200463#if defined(POLARSSL_SHA256_C)
Paul Bakker23f36802012-09-28 14:15:14 +0000464 if( p[0] == SSL_HASH_SHA256 )
465 {
466 ssl->handshake->sig_alg = SSL_HASH_SHA256;
467 break;
468 }
469 if( p[0] == SSL_HASH_SHA224 )
470 {
471 ssl->handshake->sig_alg = SSL_HASH_SHA224;
472 break;
473 }
474#endif
475 if( p[0] == SSL_HASH_SHA1 )
476 {
477 ssl->handshake->sig_alg = SSL_HASH_SHA1;
478 break;
479 }
480 if( p[0] == SSL_HASH_MD5 )
481 {
482 ssl->handshake->sig_alg = SSL_HASH_MD5;
483 break;
484 }
485
486 sig_alg_list_size -= 2;
487 p += 2;
488 }
489
490 SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
491 ssl->handshake->sig_alg ) );
492
493 return( 0 );
494}
495
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200496#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200497static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
498 const unsigned char *buf,
499 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100500{
501 size_t list_size;
502 const unsigned char *p;
503
504 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
505 if( list_size + 2 != len ||
506 list_size % 2 != 0 )
507 {
508 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
509 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
510 }
511
512 p = buf + 2;
513 while( list_size > 0 )
514 {
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200515#if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
516 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP192R1 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100517 {
518 ssl->handshake->ec_curve = p[1];
519 return( 0 );
520 }
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200521#endif
522#if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
523 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP224R1 )
524 {
525 ssl->handshake->ec_curve = p[1];
526 return( 0 );
527 }
528#endif
529#if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
530 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP256R1 )
531 {
532 ssl->handshake->ec_curve = p[1];
533 return( 0 );
534 }
535#endif
536#if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
537 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP384R1 )
538 {
539 ssl->handshake->ec_curve = p[1];
540 return( 0 );
541 }
542#endif
543#if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
544 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP521R1 )
545 {
546 ssl->handshake->ec_curve = p[1];
547 return( 0 );
548 }
549#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100550
551 list_size -= 2;
552 p += 2;
553 }
554
555 return( 0 );
556}
557
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200558static int ssl_parse_supported_point_formats( ssl_context *ssl,
559 const unsigned char *buf,
560 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100561{
562 size_t list_size;
563 const unsigned char *p;
564
565 list_size = buf[0];
566 if( list_size + 1 != len )
567 {
568 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
569 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
570 }
571
572 p = buf + 2;
573 while( list_size > 0 )
574 {
575 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
576 p[0] == POLARSSL_ECP_PF_COMPRESSED )
577 {
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200578 ssl->handshake->ecdh_ctx.point_format = p[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200579 SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
Paul Bakker41c83d32013-03-20 14:39:14 +0100580 return( 0 );
581 }
582
583 list_size--;
584 p++;
585 }
586
587 return( 0 );
588}
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200589#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Paul Bakker41c83d32013-03-20 14:39:14 +0100590
Paul Bakker05decb22013-08-15 13:33:48 +0200591#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200592static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
593 const unsigned char *buf,
594 size_t len )
595{
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200596 if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200597 {
598 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
599 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
600 }
601
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200602 ssl->session_negotiate->mfl_code = buf[0];
603
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200604 return( 0 );
605}
Paul Bakker05decb22013-08-15 13:33:48 +0200606#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200607
Paul Bakker1f2bc622013-08-15 13:45:55 +0200608#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200609static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
610 const unsigned char *buf,
611 size_t len )
612{
613 if( len != 0 )
614 {
615 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
616 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
617 }
618
619 ((void) buf);
620
621 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
622
623 return( 0 );
624}
Paul Bakker1f2bc622013-08-15 13:45:55 +0200625#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200626
Paul Bakkera503a632013-08-14 13:48:06 +0200627#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200628static int ssl_parse_session_ticket_ext( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200629 unsigned char *buf,
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200630 size_t len )
631{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200632 int ret;
633
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200634 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
635 return( 0 );
636
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200637 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200638 ssl->handshake->new_session_ticket = 1;
639
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200640 SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
641
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200642 if( len == 0 )
643 return( 0 );
644
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200645 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
646 {
647 SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
648 return( 0 );
649 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200650
651 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200652 * Failures are ok: just ignore the ticket and proceed.
653 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200654 if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
655 {
656 SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200657 return( 0 );
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200658 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200659
660 SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
661
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200662 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200663
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200664 /* Don't send a new ticket after all, this one is OK */
665 ssl->handshake->new_session_ticket = 0;
666
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200667 return( 0 );
668}
Paul Bakkera503a632013-08-14 13:48:06 +0200669#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200670
Paul Bakker78a8c712013-03-06 17:01:52 +0100671#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
672static int ssl_parse_client_hello_v2( ssl_context *ssl )
673{
674 int ret;
675 unsigned int i, j;
676 size_t n;
677 unsigned int ciph_len, sess_len, chal_len;
678 unsigned char *buf, *p;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200679 const int *ciphersuites;
Paul Bakker59c28a22013-06-29 15:33:42 +0200680 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker78a8c712013-03-06 17:01:52 +0100681
682 SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
683
684 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
685 {
686 SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
687
688 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
689 return( ret );
690
691 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
692 }
693
694 buf = ssl->in_hdr;
695
696 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
697
698 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
699 buf[2] ) );
700 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
701 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
702 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
703 buf[3], buf[4] ) );
704
705 /*
706 * SSLv2 Client Hello
707 *
708 * Record layer:
709 * 0 . 1 message length
710 *
711 * SSL layer:
712 * 2 . 2 message type
713 * 3 . 4 protocol version
714 */
715 if( buf[2] != SSL_HS_CLIENT_HELLO ||
716 buf[3] != SSL_MAJOR_VERSION_3 )
717 {
718 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
719 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
720 }
721
722 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
723
724 if( n < 17 || n > 512 )
725 {
726 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
727 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
728 }
729
730 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200731 ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
732 ? buf[4] : ssl->max_minor_ver;
Paul Bakker78a8c712013-03-06 17:01:52 +0100733
734 if( ssl->minor_ver < ssl->min_minor_ver )
735 {
736 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
737 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
738 ssl->min_major_ver, ssl->min_minor_ver ) );
739
740 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
741 SSL_ALERT_MSG_PROTOCOL_VERSION );
742 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
743 }
744
Paul Bakker2fbefde2013-06-29 16:01:15 +0200745 ssl->handshake->max_major_ver = buf[3];
746 ssl->handshake->max_minor_ver = buf[4];
Paul Bakker78a8c712013-03-06 17:01:52 +0100747
748 if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
749 {
750 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
751 return( ret );
752 }
753
754 ssl->handshake->update_checksum( ssl, buf + 2, n );
755
756 buf = ssl->in_msg;
757 n = ssl->in_left - 5;
758
759 /*
760 * 0 . 1 ciphersuitelist length
761 * 2 . 3 session id length
762 * 4 . 5 challenge length
763 * 6 . .. ciphersuitelist
764 * .. . .. session id
765 * .. . .. challenge
766 */
767 SSL_DEBUG_BUF( 4, "record contents", buf, n );
768
769 ciph_len = ( buf[0] << 8 ) | buf[1];
770 sess_len = ( buf[2] << 8 ) | buf[3];
771 chal_len = ( buf[4] << 8 ) | buf[5];
772
773 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
774 ciph_len, sess_len, chal_len ) );
775
776 /*
777 * Make sure each parameter length is valid
778 */
779 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
780 {
781 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
782 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
783 }
784
785 if( sess_len > 32 )
786 {
787 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
788 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
789 }
790
791 if( chal_len < 8 || chal_len > 32 )
792 {
793 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
794 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
795 }
796
797 if( n != 6 + ciph_len + sess_len + chal_len )
798 {
799 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
800 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
801 }
802
803 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
804 buf + 6, ciph_len );
805 SSL_DEBUG_BUF( 3, "client hello, session id",
806 buf + 6 + ciph_len, sess_len );
807 SSL_DEBUG_BUF( 3, "client hello, challenge",
808 buf + 6 + ciph_len + sess_len, chal_len );
809
810 p = buf + 6 + ciph_len;
811 ssl->session_negotiate->length = sess_len;
812 memset( ssl->session_negotiate->id, 0, sizeof( ssl->session_negotiate->id ) );
813 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
814
815 p += sess_len;
816 memset( ssl->handshake->randbytes, 0, 64 );
817 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
818
819 /*
820 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
821 */
822 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
823 {
824 if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
825 {
826 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
827 if( ssl->renegotiation == SSL_RENEGOTIATION )
828 {
829 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
830
831 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
832 return( ret );
833
834 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
835 }
836 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
837 break;
838 }
839 }
840
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200841 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
842 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker78a8c712013-03-06 17:01:52 +0100843 {
844 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
845 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100846 // Only allow non-ECC ciphersuites as we do not have extensions
847 //
Paul Bakker59c28a22013-06-29 15:33:42 +0200848 if( p[0] == 0 && p[1] == 0 &&
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200849 ( ( ciphersuites[i] >> 8 ) & 0xFF ) == 0 &&
850 p[2] == ( ciphersuites[i] & 0xFF ) )
Paul Bakker59c28a22013-06-29 15:33:42 +0200851 {
852 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
853
854 if( ciphersuite_info == NULL )
855 {
856 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
857 ciphersuites[i] ) );
858 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
859 }
860
Paul Bakker2fbefde2013-06-29 16:01:15 +0200861 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
862 ciphersuite_info->max_minor_ver < ssl->minor_ver )
863 continue;
Paul Bakker59c28a22013-06-29 15:33:42 +0200864
Paul Bakker78a8c712013-03-06 17:01:52 +0100865 goto have_ciphersuite_v2;
Paul Bakker59c28a22013-06-29 15:33:42 +0200866 }
Paul Bakker78a8c712013-03-06 17:01:52 +0100867 }
868 }
869
870 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
871
872 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
873
874have_ciphersuite_v2:
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200875 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker59c28a22013-06-29 15:33:42 +0200876 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +0100877 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
Paul Bakker78a8c712013-03-06 17:01:52 +0100878
879 /*
880 * SSLv2 Client Hello relevant renegotiation security checks
881 */
882 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
883 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
884 {
885 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
886
887 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
888 return( ret );
889
890 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
891 }
892
893 ssl->in_left = 0;
894 ssl->state++;
895
896 SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
897
898 return( 0 );
899}
900#endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
901
Paul Bakker5121ce52009-01-03 21:22:43 +0000902static int ssl_parse_client_hello( ssl_context *ssl )
903{
Paul Bakker23986e52011-04-24 08:57:21 +0000904 int ret;
905 unsigned int i, j;
906 size_t n;
907 unsigned int ciph_len, sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +0000908 unsigned int comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000909 unsigned int ext_len = 0;
910 unsigned char *buf, *p, *ext;
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000911 int renegotiation_info_seen = 0;
912 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200913 const int *ciphersuites;
Paul Bakker41c83d32013-03-20 14:39:14 +0100914 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000915
916 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
917
Paul Bakker48916f92012-09-16 19:57:18 +0000918 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
919 ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000920 {
921 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
922 return( ret );
923 }
924
925 buf = ssl->in_hdr;
926
Paul Bakker78a8c712013-03-06 17:01:52 +0100927#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
928 if( ( buf[0] & 0x80 ) != 0 )
929 return ssl_parse_client_hello_v2( ssl );
930#endif
931
Paul Bakkerec636f32012-09-09 19:17:02 +0000932 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
933
934 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
935 buf[0] ) );
936 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
937 ( buf[3] << 8 ) | buf[4] ) );
938 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
939 buf[1], buf[2] ) );
940
941 /*
942 * SSLv3 Client Hello
943 *
944 * Record layer:
945 * 0 . 0 message type
946 * 1 . 2 protocol version
947 * 3 . 4 message length
948 */
949 if( buf[0] != SSL_MSG_HANDSHAKE ||
950 buf[1] != SSL_MAJOR_VERSION_3 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000951 {
Paul Bakkerec636f32012-09-09 19:17:02 +0000952 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
953 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
954 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000955
Paul Bakkerec636f32012-09-09 19:17:02 +0000956 n = ( buf[3] << 8 ) | buf[4];
Paul Bakker5121ce52009-01-03 21:22:43 +0000957
Manuel Pégourié-Gonnard72882b22013-08-02 13:36:00 +0200958 if( n < 45 || n > 2048 )
Paul Bakkerec636f32012-09-09 19:17:02 +0000959 {
960 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
961 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
962 }
963
Paul Bakker48916f92012-09-16 19:57:18 +0000964 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
965 ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
Paul Bakkerec636f32012-09-09 19:17:02 +0000966 {
967 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
968 return( ret );
969 }
970
971 buf = ssl->in_msg;
Paul Bakker48916f92012-09-16 19:57:18 +0000972 if( !ssl->renegotiation )
973 n = ssl->in_left - 5;
974 else
975 n = ssl->in_msglen;
Paul Bakkerec636f32012-09-09 19:17:02 +0000976
Paul Bakker48916f92012-09-16 19:57:18 +0000977 ssl->handshake->update_checksum( ssl, buf, n );
Paul Bakkerec636f32012-09-09 19:17:02 +0000978
979 /*
980 * SSL layer:
981 * 0 . 0 handshake type
982 * 1 . 3 handshake length
983 * 4 . 5 protocol version
984 * 6 . 9 UNIX time()
985 * 10 . 37 random bytes
986 * 38 . 38 session id length
987 * 39 . 38+x session id
988 * 39+x . 40+x ciphersuitelist length
989 * 41+x . .. ciphersuitelist
990 * .. . .. compression alg.
991 * .. . .. extensions
992 */
993 SSL_DEBUG_BUF( 4, "record contents", buf, n );
994
995 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
996 buf[0] ) );
997 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
998 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
999 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
1000 buf[4], buf[5] ) );
1001
1002 /*
1003 * Check the handshake type and protocol version
1004 */
1005 if( buf[0] != SSL_HS_CLIENT_HELLO ||
1006 buf[4] != SSL_MAJOR_VERSION_3 )
1007 {
1008 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1009 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1010 }
1011
1012 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +02001013 ssl->minor_ver = ( buf[5] <= ssl->max_minor_ver )
1014 ? buf[5] : ssl->max_minor_ver;
Paul Bakkerec636f32012-09-09 19:17:02 +00001015
Paul Bakker1d29fb52012-09-28 13:28:45 +00001016 if( ssl->minor_ver < ssl->min_minor_ver )
1017 {
1018 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1019 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
Paul Bakker81420ab2012-10-23 10:31:15 +00001020 ssl->min_major_ver, ssl->min_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +00001021
1022 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1023 SSL_ALERT_MSG_PROTOCOL_VERSION );
1024
1025 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1026 }
1027
Paul Bakker2fbefde2013-06-29 16:01:15 +02001028 ssl->handshake->max_major_ver = buf[4];
1029 ssl->handshake->max_minor_ver = buf[5];
Paul Bakkerec636f32012-09-09 19:17:02 +00001030
Paul Bakker48916f92012-09-16 19:57:18 +00001031 memcpy( ssl->handshake->randbytes, buf + 6, 32 );
Paul Bakkerec636f32012-09-09 19:17:02 +00001032
1033 /*
1034 * Check the handshake message length
1035 */
1036 if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
1037 {
1038 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1039 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1040 }
1041
1042 /*
1043 * Check the session length
1044 */
1045 sess_len = buf[38];
1046
1047 if( sess_len > 32 )
1048 {
1049 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1050 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1051 }
1052
Paul Bakker48916f92012-09-16 19:57:18 +00001053 ssl->session_negotiate->length = sess_len;
1054 memset( ssl->session_negotiate->id, 0,
1055 sizeof( ssl->session_negotiate->id ) );
1056 memcpy( ssl->session_negotiate->id, buf + 39,
1057 ssl->session_negotiate->length );
Paul Bakkerec636f32012-09-09 19:17:02 +00001058
1059 /*
1060 * Check the ciphersuitelist length
1061 */
1062 ciph_len = ( buf[39 + sess_len] << 8 )
1063 | ( buf[40 + sess_len] );
1064
1065 if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
1066 {
1067 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1068 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1069 }
1070
1071 /*
1072 * Check the compression algorithms length
1073 */
1074 comp_len = buf[41 + sess_len + ciph_len];
1075
1076 if( comp_len < 1 || comp_len > 16 )
1077 {
1078 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1079 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1080 }
1081
Paul Bakker48916f92012-09-16 19:57:18 +00001082 /*
1083 * Check the extension length
1084 */
1085 if( n > 42 + sess_len + ciph_len + comp_len )
1086 {
1087 ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
1088 | ( buf[43 + sess_len + ciph_len + comp_len] );
1089
1090 if( ( ext_len > 0 && ext_len < 4 ) ||
1091 n != 44 + sess_len + ciph_len + comp_len + ext_len )
1092 {
1093 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1094 SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
1095 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1096 }
1097 }
1098
1099 ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
Paul Bakkerec636f32012-09-09 19:17:02 +00001100#if defined(POLARSSL_ZLIB_SUPPORT)
1101 for( i = 0; i < comp_len; ++i )
1102 {
Paul Bakker48916f92012-09-16 19:57:18 +00001103 if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
Paul Bakker5121ce52009-01-03 21:22:43 +00001104 {
Paul Bakker48916f92012-09-16 19:57:18 +00001105 ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE;
Paul Bakkerec636f32012-09-09 19:17:02 +00001106 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00001107 }
1108 }
Paul Bakker2770fbd2012-07-03 13:30:23 +00001109#endif
1110
Paul Bakkerec636f32012-09-09 19:17:02 +00001111 SSL_DEBUG_BUF( 3, "client hello, random bytes",
1112 buf + 6, 32 );
1113 SSL_DEBUG_BUF( 3, "client hello, session id",
1114 buf + 38, sess_len );
1115 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1116 buf + 41 + sess_len, ciph_len );
1117 SSL_DEBUG_BUF( 3, "client hello, compression",
1118 buf + 42 + sess_len + ciph_len, comp_len );
Paul Bakker5121ce52009-01-03 21:22:43 +00001119
Paul Bakkerec636f32012-09-09 19:17:02 +00001120 /*
Paul Bakker48916f92012-09-16 19:57:18 +00001121 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1122 */
1123 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1124 {
1125 if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
1126 {
1127 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1128 if( ssl->renegotiation == SSL_RENEGOTIATION )
1129 {
1130 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001131
1132 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1133 return( ret );
1134
Paul Bakker48916f92012-09-16 19:57:18 +00001135 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1136 }
1137 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
1138 break;
1139 }
1140 }
1141
Paul Bakker48916f92012-09-16 19:57:18 +00001142 ext = buf + 44 + sess_len + ciph_len + comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +00001143
1144 while( ext_len )
1145 {
1146 unsigned int ext_id = ( ( ext[0] << 8 )
1147 | ( ext[1] ) );
1148 unsigned int ext_size = ( ( ext[2] << 8 )
1149 | ( ext[3] ) );
1150
1151 if( ext_size + 4 > ext_len )
1152 {
1153 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1154 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1155 }
1156 switch( ext_id )
1157 {
Paul Bakker5701cdc2012-09-27 21:49:42 +00001158 case TLS_EXT_SERVERNAME:
1159 SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1160 if( ssl->f_sni == NULL )
1161 break;
1162
1163 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1164 if( ret != 0 )
1165 return( ret );
1166 break;
1167
Paul Bakker48916f92012-09-16 19:57:18 +00001168 case TLS_EXT_RENEGOTIATION_INFO:
1169 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1170 renegotiation_info_seen = 1;
1171
Paul Bakker23f36802012-09-28 14:15:14 +00001172 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1173 if( ret != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +00001174 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +00001175 break;
Paul Bakker48916f92012-09-16 19:57:18 +00001176
Paul Bakker23f36802012-09-28 14:15:14 +00001177 case TLS_EXT_SIG_ALG:
1178 SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1179 if( ssl->renegotiation == SSL_RENEGOTIATION )
1180 break;
1181
1182 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1183 if( ret != 0 )
1184 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +00001185 break;
1186
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +02001187#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakker41c83d32013-03-20 14:39:14 +01001188 case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
1189 SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1190
1191 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1192 if( ret != 0 )
1193 return( ret );
1194 break;
1195
1196 case TLS_EXT_SUPPORTED_POINT_FORMATS:
1197 SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1198
1199 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1200 if( ret != 0 )
1201 return( ret );
1202 break;
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +02001203#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Paul Bakker41c83d32013-03-20 14:39:14 +01001204
Paul Bakker05decb22013-08-15 13:33:48 +02001205#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +02001206 case TLS_EXT_MAX_FRAGMENT_LENGTH:
1207 SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1208
1209 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1210 if( ret != 0 )
1211 return( ret );
1212 break;
Paul Bakker05decb22013-08-15 13:33:48 +02001213#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +02001214
Paul Bakker1f2bc622013-08-15 13:45:55 +02001215#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001216 case TLS_EXT_TRUNCATED_HMAC:
1217 SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1218
1219 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1220 if( ret != 0 )
1221 return( ret );
1222 break;
Paul Bakker1f2bc622013-08-15 13:45:55 +02001223#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001224
Paul Bakkera503a632013-08-14 13:48:06 +02001225#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001226 case TLS_EXT_SESSION_TICKET:
1227 SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1228
1229 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1230 if( ret != 0 )
1231 return( ret );
1232 break;
Paul Bakkera503a632013-08-14 13:48:06 +02001233#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001234
Paul Bakker48916f92012-09-16 19:57:18 +00001235 default:
1236 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1237 ext_id ) );
1238 }
1239
1240 ext_len -= 4 + ext_size;
1241 ext += 4 + ext_size;
1242
1243 if( ext_len > 0 && ext_len < 4 )
1244 {
1245 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1246 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1247 }
1248 }
1249
1250 /*
1251 * Renegotiation security checks
1252 */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001253 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1254 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
1255 {
1256 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1257 handshake_failure = 1;
1258 }
1259 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1260 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
1261 renegotiation_info_seen == 0 )
Paul Bakker48916f92012-09-16 19:57:18 +00001262 {
1263 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001264 handshake_failure = 1;
Paul Bakker48916f92012-09-16 19:57:18 +00001265 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001266 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1267 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1268 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +00001269 {
1270 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001271 handshake_failure = 1;
1272 }
1273 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1274 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1275 renegotiation_info_seen == 1 )
1276 {
1277 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1278 handshake_failure = 1;
1279 }
1280
1281 if( handshake_failure == 1 )
1282 {
1283 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1284 return( ret );
1285
Paul Bakker48916f92012-09-16 19:57:18 +00001286 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1287 }
Paul Bakker380da532012-04-18 16:10:25 +00001288
Paul Bakker41c83d32013-03-20 14:39:14 +01001289 /*
1290 * Search for a matching ciphersuite
1291 * (At the end because we need information from the EC-based extensions)
1292 */
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001293 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1294 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker41c83d32013-03-20 14:39:14 +01001295 {
1296 for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
1297 j += 2, p += 2 )
1298 {
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001299 if( p[0] == ( ( ciphersuites[i] >> 8 ) & 0xFF ) &&
1300 p[1] == ( ( ciphersuites[i] ) & 0xFF ) )
Paul Bakker41c83d32013-03-20 14:39:14 +01001301 {
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001302 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
Paul Bakker41c83d32013-03-20 14:39:14 +01001303
1304 if( ciphersuite_info == NULL )
1305 {
1306 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001307 ciphersuites[i] ) );
Paul Bakker41c83d32013-03-20 14:39:14 +01001308 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
1309 }
1310
Paul Bakker2fbefde2013-06-29 16:01:15 +02001311 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
1312 ciphersuite_info->max_minor_ver < ssl->minor_ver )
1313 continue;
1314
Paul Bakker5fd49172013-08-19 13:29:26 +02001315#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakker41c83d32013-03-20 14:39:14 +01001316 if( ( ciphersuite_info->flags & POLARSSL_CIPHERSUITE_EC ) &&
1317 ssl->handshake->ec_curve == 0 )
1318 continue;
Paul Bakker5fd49172013-08-19 13:29:26 +02001319#endif
Paul Bakker41c83d32013-03-20 14:39:14 +01001320
1321 goto have_ciphersuite;
1322 }
1323 }
1324 }
1325
1326 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1327
1328 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1329 return( ret );
1330
1331 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
1332
1333have_ciphersuite:
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001334 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker41c83d32013-03-20 14:39:14 +01001335 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1336 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
1337
Paul Bakker5121ce52009-01-03 21:22:43 +00001338 ssl->in_left = 0;
1339 ssl->state++;
1340
1341 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1342
1343 return( 0 );
1344}
1345
Paul Bakker1f2bc622013-08-15 13:45:55 +02001346#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001347static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
1348 unsigned char *buf,
1349 size_t *olen )
1350{
1351 unsigned char *p = buf;
1352
1353 if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
1354 {
1355 *olen = 0;
1356 return;
1357 }
1358
1359 SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1360
1361 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
1362 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
1363
1364 *p++ = 0x00;
1365 *p++ = 0x00;
1366
1367 *olen = 4;
1368}
Paul Bakker1f2bc622013-08-15 13:45:55 +02001369#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001370
Paul Bakkera503a632013-08-14 13:48:06 +02001371#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001372static void ssl_write_session_ticket_ext( ssl_context *ssl,
1373 unsigned char *buf,
1374 size_t *olen )
1375{
1376 unsigned char *p = buf;
1377
1378 if( ssl->handshake->new_session_ticket == 0 )
1379 {
1380 *olen = 0;
1381 return;
1382 }
1383
1384 SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1385
1386 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
1387 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
1388
1389 *p++ = 0x00;
1390 *p++ = 0x00;
1391
1392 *olen = 4;
1393}
Paul Bakkera503a632013-08-14 13:48:06 +02001394#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001395
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +02001396static void ssl_write_renegotiation_ext( ssl_context *ssl,
1397 unsigned char *buf,
1398 size_t *olen )
1399{
1400 unsigned char *p = buf;
1401
1402 if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION )
1403 {
1404 *olen = 0;
1405 return;
1406 }
1407
1408 SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1409
1410 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
1411 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
1412
1413 *p++ = 0x00;
1414 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
1415 *p++ = ssl->verify_data_len * 2 & 0xFF;
1416
1417 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
1418 p += ssl->verify_data_len;
1419 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
1420 p += ssl->verify_data_len;
1421
1422 *olen = 5 + ssl->verify_data_len * 2;
1423}
1424
Paul Bakker05decb22013-08-15 13:33:48 +02001425#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001426static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
1427 unsigned char *buf,
1428 size_t *olen )
1429{
1430 unsigned char *p = buf;
1431
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +02001432 if( ssl->session_negotiate->mfl_code == SSL_MAX_FRAG_LEN_NONE )
1433 {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001434 *olen = 0;
1435 return;
1436 }
1437
1438 SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
1439
1440 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
1441 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
1442
1443 *p++ = 0x00;
1444 *p++ = 1;
1445
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +02001446 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001447
1448 *olen = 5;
1449}
Paul Bakker05decb22013-08-15 13:33:48 +02001450#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001451
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +02001452#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001453static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
1454 unsigned char *buf,
1455 size_t *olen )
1456{
1457 unsigned char *p = buf;
1458 ((void) ssl);
1459
1460 *olen = 0;
1461
1462 SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
1463
1464 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
1465 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
1466
1467 *p++ = 0x00;
1468 *p++ = 2;
1469
1470 *p++ = 1;
1471 *p++ = POLARSSL_ECP_PF_UNCOMPRESSED;
1472
1473 *olen = 6;
1474}
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +02001475#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001476
Paul Bakker5121ce52009-01-03 21:22:43 +00001477static int ssl_write_server_hello( ssl_context *ssl )
1478{
Paul Bakkerfa9b1002013-07-03 15:31:03 +02001479#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +00001480 time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +02001481#endif
Paul Bakkera3d195c2011-11-27 21:07:34 +00001482 int ret, n;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +02001483 size_t olen, ext_len = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +00001484 unsigned char *buf, *p;
1485
1486 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
1487
1488 /*
1489 * 0 . 0 handshake type
1490 * 1 . 3 handshake length
1491 * 4 . 5 protocol version
1492 * 6 . 9 UNIX time()
1493 * 10 . 37 random bytes
1494 */
1495 buf = ssl->out_msg;
1496 p = buf + 4;
1497
1498 *p++ = (unsigned char) ssl->major_ver;
1499 *p++ = (unsigned char) ssl->minor_ver;
1500
1501 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
1502 buf[4], buf[5] ) );
1503
Paul Bakkerfa9b1002013-07-03 15:31:03 +02001504#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +00001505 t = time( NULL );
1506 *p++ = (unsigned char)( t >> 24 );
1507 *p++ = (unsigned char)( t >> 16 );
1508 *p++ = (unsigned char)( t >> 8 );
1509 *p++ = (unsigned char)( t );
1510
1511 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
Paul Bakkerfa9b1002013-07-03 15:31:03 +02001512#else
1513 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
1514 return( ret );
1515
1516 p += 4;
1517#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001518
Paul Bakkera3d195c2011-11-27 21:07:34 +00001519 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
1520 return( ret );
1521
1522 p += 28;
Paul Bakker5121ce52009-01-03 21:22:43 +00001523
Paul Bakker48916f92012-09-16 19:57:18 +00001524 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +00001525
1526 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
1527
1528 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001529 * Resume is 0 by default, see ssl_handshake_init().
1530 * It may be already set to 1 by ssl_parse_session_ticket_ext().
1531 * If not, try looking up session ID in our cache.
Paul Bakker5121ce52009-01-03 21:22:43 +00001532 */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001533 if( ssl->handshake->resume == 0 &&
1534 ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +02001535 ssl->session_negotiate->length != 0 &&
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001536 ssl->f_get_cache != NULL &&
1537 ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
1538 {
1539 ssl->handshake->resume = 1;
1540 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001541
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001542 if( ssl->handshake->resume == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001543 {
1544 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001545 * New session, create a new session id,
1546 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +00001547 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001548 ssl->state++;
1549
Paul Bakkera503a632013-08-14 13:48:06 +02001550#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001551 if( ssl->handshake->new_session_ticket == 0 )
1552 {
1553 ssl->session_negotiate->length = n = 32;
1554 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
Paul Bakkera503a632013-08-14 13:48:06 +02001555 n ) ) != 0 )
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001556 return( ret );
1557 }
1558 else
1559 {
Paul Bakkerf0e39ac2013-08-15 11:40:48 +02001560 ssl->session_negotiate->length = n = 0;
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001561 memset( ssl->session_negotiate->id, 0, 32 );
1562 }
Paul Bakkera503a632013-08-14 13:48:06 +02001563#else
1564 ssl->session_negotiate->length = n = 32;
1565 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
1566 n ) ) != 0 )
1567 return( ret );
1568#endif /* POLARSSL_SSL_SESSION_TICKETS */
Paul Bakker5121ce52009-01-03 21:22:43 +00001569 }
1570 else
1571 {
1572 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001573 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +00001574 */
Paul Bakkerf0e39ac2013-08-15 11:40:48 +02001575 n = ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +00001576 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +00001577
1578 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1579 {
1580 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1581 return( ret );
1582 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001583 }
1584
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001585 /*
1586 * 38 . 38 session id length
1587 * 39 . 38+n session id
1588 * 39+n . 40+n chosen ciphersuite
1589 * 41+n . 41+n chosen compression alg.
1590 * 42+n . 43+n extensions length
1591 * 44+n . 43+n+m extensions
1592 */
1593 *p++ = (unsigned char) ssl->session_negotiate->length;
Paul Bakker48916f92012-09-16 19:57:18 +00001594 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
1595 p += ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +00001596
1597 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1598 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
1599 SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Paul Bakker0a597072012-09-25 21:55:46 +00001600 ssl->handshake->resume ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001601
Paul Bakker48916f92012-09-16 19:57:18 +00001602 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
1603 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
1604 *p++ = (unsigned char)( ssl->session_negotiate->compression );
Paul Bakker5121ce52009-01-03 21:22:43 +00001605
Paul Bakkere3166ce2011-01-27 17:40:50 +00001606 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d",
Paul Bakker48916f92012-09-16 19:57:18 +00001607 ssl->session_negotiate->ciphersuite ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +00001608 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
Paul Bakker48916f92012-09-16 19:57:18 +00001609 ssl->session_negotiate->compression ) );
1610
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +02001611 /*
1612 * First write extensions, then the total length
1613 */
1614 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1615 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +00001616
Paul Bakker05decb22013-08-15 13:33:48 +02001617#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001618 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1619 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +02001620#endif
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001621
Paul Bakker1f2bc622013-08-15 13:45:55 +02001622#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001623 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1624 ext_len += olen;
Paul Bakker1f2bc622013-08-15 13:45:55 +02001625#endif
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001626
Paul Bakkera503a632013-08-14 13:48:06 +02001627#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001628 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1629 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +02001630#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001631
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +02001632#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001633 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1634 ext_len += olen;
1635#endif
1636
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +02001637 SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
Paul Bakker48916f92012-09-16 19:57:18 +00001638
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +02001639 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1640 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1641 p += ext_len;
Paul Bakker5121ce52009-01-03 21:22:43 +00001642
1643 ssl->out_msglen = p - buf;
1644 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1645 ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
1646
1647 ret = ssl_write_record( ssl );
1648
1649 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
1650
1651 return( ret );
1652}
1653
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001654#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1655 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1656 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +00001657static int ssl_write_certificate_request( ssl_context *ssl )
1658{
Paul Bakkered27a042013-04-18 22:46:23 +02001659 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1660 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001661
1662 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1663
1664 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1665 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1666 {
1667 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1668 ssl->state++;
1669 return( 0 );
1670 }
1671
1672 return( ret );
1673}
1674#else
1675static int ssl_write_certificate_request( ssl_context *ssl )
1676{
1677 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1678 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001679 size_t dn_size, total_dn_size; /* excluding length bytes */
1680 size_t ct_len, sa_len; /* including length bytes */
Paul Bakker5121ce52009-01-03 21:22:43 +00001681 unsigned char *buf, *p;
Paul Bakkerff60ee62010-03-16 21:09:09 +00001682 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +00001683
1684 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1685
1686 ssl->state++;
1687
Paul Bakkerfbb17802013-04-17 19:10:21 +02001688 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001689 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
Paul Bakkerfbb17802013-04-17 19:10:21 +02001690 ssl->authmode == SSL_VERIFY_NONE )
Paul Bakker5121ce52009-01-03 21:22:43 +00001691 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001692 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001693 return( 0 );
1694 }
1695
1696 /*
1697 * 0 . 0 handshake type
1698 * 1 . 3 handshake length
1699 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +01001700 * 5 .. m-1 cert types
1701 * m .. m+1 sig alg length (TLS 1.2 only)
1702 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +00001703 * n .. n+1 length of all DNs
1704 * n+2 .. n+3 length of DN 1
1705 * n+4 .. ... Distinguished Name #1
1706 * ... .. ... length of DN 2, etc.
1707 */
1708 buf = ssl->out_msg;
1709 p = buf + 4;
1710
1711 /*
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001712 * Supported certificate types
1713 *
1714 * ClientCertificateType certificate_types<1..2^8-1>;
1715 * enum { (255) } ClientCertificateType;
Paul Bakker5121ce52009-01-03 21:22:43 +00001716 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001717 ct_len = 0;
1718
1719#if defined(POLARSSL_RSA_C)
1720 p[1 + ct_len++] = SSL_CERT_TYPE_RSA_SIGN;
1721#endif
1722#if defined(POLARSSL_ECDSA_C)
1723 p[1 + ct_len++] = SSL_CERT_TYPE_ECDSA_SIGN;
1724#endif
1725
1726 p[0] = ct_len++;
1727 p += ct_len;
Paul Bakker926af752012-11-23 13:38:07 +01001728
1729 /*
1730 * Add signature_algorithms for verify (TLS 1.2)
Paul Bakker926af752012-11-23 13:38:07 +01001731 *
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001732 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
1733 *
1734 * struct {
1735 * HashAlgorithm hash;
1736 * SignatureAlgorithm signature;
1737 * } SignatureAndHashAlgorithm;
1738 *
1739 * enum { (255) } HashAlgorithm;
1740 * enum { (255) } SignatureAlgorithm;
Paul Bakker926af752012-11-23 13:38:07 +01001741 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001742 sa_len = 0;
Paul Bakker21dca692013-01-03 11:41:08 +01001743 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +01001744 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001745 /*
1746 * Only use current running hash algorithm that is already required
1747 * for requested ciphersuite.
1748 */
Paul Bakker926af752012-11-23 13:38:07 +01001749 ssl->handshake->verify_sig_alg = SSL_HASH_SHA256;
1750
Paul Bakkerb7149bc2013-03-20 15:30:09 +01001751 if( ssl->transform_negotiate->ciphersuite_info->mac ==
1752 POLARSSL_MD_SHA384 )
Paul Bakker926af752012-11-23 13:38:07 +01001753 {
1754 ssl->handshake->verify_sig_alg = SSL_HASH_SHA384;
1755 }
Paul Bakkerf7abd422013-04-16 13:15:56 +02001756
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001757 /*
1758 * Supported signature algorithms
1759 */
1760#if defined(POLARSSL_RSA_C)
1761 p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
1762 p[2 + sa_len++] = SSL_SIG_RSA;
1763#endif
1764#if defined(POLARSSL_ECDSA_C)
1765 p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
1766 p[2 + sa_len++] = SSL_SIG_ECDSA;
1767#endif
Paul Bakker926af752012-11-23 13:38:07 +01001768
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001769 p[0] = (unsigned char)( sa_len >> 8 );
1770 p[1] = (unsigned char)( sa_len );
1771 sa_len += 2;
1772 p += sa_len;
Paul Bakker926af752012-11-23 13:38:07 +01001773 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001774
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001775 /*
1776 * DistinguishedName certificate_authorities<0..2^16-1>;
1777 * opaque DistinguishedName<1..2^16-1>;
1778 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001779 p += 2;
1780 crt = ssl->ca_chain;
1781
Paul Bakkerbc3d9842012-11-26 16:12:02 +01001782 total_dn_size = 0;
Paul Bakker29087132010-03-21 21:03:34 +00001783 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00001784 {
1785 if( p - buf > 4096 )
1786 break;
1787
Paul Bakker926af752012-11-23 13:38:07 +01001788 dn_size = crt->subject_raw.len;
1789 *p++ = (unsigned char)( dn_size >> 8 );
1790 *p++ = (unsigned char)( dn_size );
1791 memcpy( p, crt->subject_raw.p, dn_size );
1792 p += dn_size;
Paul Bakker5121ce52009-01-03 21:22:43 +00001793
Paul Bakker926af752012-11-23 13:38:07 +01001794 SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
1795
Paul Bakkerbc3d9842012-11-26 16:12:02 +01001796 total_dn_size += 2 + dn_size;
Paul Bakker926af752012-11-23 13:38:07 +01001797 crt = crt->next;
Paul Bakker5121ce52009-01-03 21:22:43 +00001798 }
1799
Paul Bakker926af752012-11-23 13:38:07 +01001800 ssl->out_msglen = p - buf;
Paul Bakker5121ce52009-01-03 21:22:43 +00001801 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1802 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001803 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
1804 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
Paul Bakker5121ce52009-01-03 21:22:43 +00001805
1806 ret = ssl_write_record( ssl );
1807
1808 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
1809
1810 return( ret );
1811}
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001812#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
1813 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
1814 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00001815
Paul Bakker41c83d32013-03-20 14:39:14 +01001816static int ssl_write_server_key_exchange( ssl_context *ssl )
1817{
Paul Bakker23986e52011-04-24 08:57:21 +00001818 int ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001819 size_t n = 0, len;
Paul Bakker23f36802012-09-28 14:15:14 +00001820 unsigned char hash[64];
Paul Bakkerc70b9822013-04-07 22:00:46 +02001821 md_type_t md_alg = POLARSSL_MD_NONE;
Paul Bakker35a7fe52012-10-31 09:07:14 +00001822 unsigned int hashlen = 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001823 unsigned char *p = ssl->out_msg + 4;
1824 unsigned char *dig_sig = p;
1825 size_t dig_sig_len = 0;
Paul Bakker41c83d32013-03-20 14:39:14 +01001826
1827 const ssl_ciphersuite_t *ciphersuite_info;
1828 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00001829
1830 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
1831
Paul Bakker41c83d32013-03-20 14:39:14 +01001832 if( ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_RSA &&
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001833 ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_ECDHE_RSA &&
1834 ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +00001835 {
1836 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
1837 ssl->state++;
1838 return( 0 );
1839 }
1840
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001841#if defined(POLARSSL_RSA_C)
Paul Bakker43b7e352011-01-18 15:27:19 +00001842 if( ssl->rsa_key == NULL )
1843 {
Paul Bakkereb2c6582012-09-27 19:15:01 +00001844 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
1845 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker43b7e352011-01-18 15:27:19 +00001846 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001847#endif /* POLARSSL_RSA_C */
Paul Bakker43b7e352011-01-18 15:27:19 +00001848
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001849#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1850 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1851 {
1852 /* TODO: Support identity hints */
1853 *(p++) = 0x00;
1854 *(p++) = 0x00;
1855
1856 n += 2;
1857 }
1858#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1859
1860#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1861 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1862 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1863 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48916f92012-09-16 19:57:18 +00001864 {
Paul Bakker41c83d32013-03-20 14:39:14 +01001865 /*
1866 * Ephemeral DH parameters:
1867 *
1868 * struct {
1869 * opaque dh_p<1..2^16-1>;
1870 * opaque dh_g<1..2^16-1>;
1871 * opaque dh_Ys<1..2^16-1>;
1872 * } ServerDHParams;
1873 */
1874 if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
1875 ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
1876 {
1877 SSL_DEBUG_RET( 1, "mpi_copy", ret );
1878 return( ret );
1879 }
Paul Bakker48916f92012-09-16 19:57:18 +00001880
Paul Bakker41c83d32013-03-20 14:39:14 +01001881 if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
1882 mpi_size( &ssl->handshake->dhm_ctx.P ),
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001883 p,
1884 &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +01001885 {
1886 SSL_DEBUG_RET( 1, "dhm_make_params", ret );
1887 return( ret );
1888 }
1889
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001890 dig_sig = p;
1891 dig_sig_len = len;
1892
1893 p += len;
1894 n += len;
1895
Paul Bakker41c83d32013-03-20 14:39:14 +01001896 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
1897 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1898 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1899 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
1900 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001901#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1902 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +01001903
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001904#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker41c83d32013-03-20 14:39:14 +01001905 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +00001906 {
Paul Bakker41c83d32013-03-20 14:39:14 +01001907 /*
1908 * Ephemeral ECDH parameters:
1909 *
1910 * struct {
1911 * ECParameters curve_params;
1912 * ECPoint public;
1913 * } ServerECDHParams;
1914 */
Paul Bakker41c83d32013-03-20 14:39:14 +01001915 if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
1916 ssl->handshake->ec_curve ) ) != 0 )
1917 {
1918 SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
1919 return( ret );
1920 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001921
Paul Bakker41c83d32013-03-20 14:39:14 +01001922 if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx,
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001923 &len,
1924 p,
Paul Bakker41c83d32013-03-20 14:39:14 +01001925 1000, ssl->f_rng, ssl->p_rng ) ) != 0 )
1926 {
1927 SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
1928 return( ret );
1929 }
1930
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001931 dig_sig = p;
1932 dig_sig_len = len;
1933
1934 p += len;
1935 n += len;
1936
Paul Bakker41c83d32013-03-20 14:39:14 +01001937 SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
1938 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001939#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00001940
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001941#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1942 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
1943 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1944 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker1ef83d62012-04-11 12:09:53 +00001945 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001946 size_t rsa_key_len = 0;
Paul Bakker23f36802012-09-28 14:15:14 +00001947
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001948 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
Paul Bakker23f36802012-09-28 14:15:14 +00001949 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001950 md5_context md5;
1951 sha1_context sha1;
1952
1953 /*
1954 * digitally-signed struct {
1955 * opaque md5_hash[16];
1956 * opaque sha_hash[20];
1957 * };
1958 *
1959 * md5_hash
1960 * MD5(ClientHello.random + ServerHello.random
1961 * + ServerParams);
1962 * sha_hash
1963 * SHA(ClientHello.random + ServerHello.random
1964 * + ServerParams);
1965 */
1966 md5_starts( &md5 );
1967 md5_update( &md5, ssl->handshake->randbytes, 64 );
1968 md5_update( &md5, dig_sig, dig_sig_len );
1969 md5_finish( &md5, hash );
1970
1971 sha1_starts( &sha1 );
1972 sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1973 sha1_update( &sha1, dig_sig, dig_sig_len );
1974 sha1_finish( &sha1, hash + 16 );
1975
1976 hashlen = 36;
1977 md_alg = POLARSSL_MD_NONE;
1978 }
1979 else
1980 {
1981 md_context_t ctx;
1982
1983 /*
1984 * digitally-signed struct {
1985 * opaque client_random[32];
1986 * opaque server_random[32];
1987 * ServerDHParams params;
1988 * };
1989 */
1990 switch( ssl->handshake->sig_alg )
1991 {
Paul Bakkerc70b9822013-04-07 22:00:46 +02001992#if defined(POLARSSL_MD5_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001993 case SSL_HASH_MD5:
1994 md_alg = POLARSSL_MD_MD5;
1995 break;
Paul Bakkerc70b9822013-04-07 22:00:46 +02001996#endif
1997#if defined(POLARSSL_SHA1_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001998 case SSL_HASH_SHA1:
1999 md_alg = POLARSSL_MD_SHA1;
2000 break;
Paul Bakker23f36802012-09-28 14:15:14 +00002001#endif
Paul Bakker9e36f042013-06-30 14:34:05 +02002002#if defined(POLARSSL_SHA256_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002003 case SSL_HASH_SHA224:
2004 md_alg = POLARSSL_MD_SHA224;
2005 break;
2006 case SSL_HASH_SHA256:
2007 md_alg = POLARSSL_MD_SHA256;
2008 break;
Paul Bakker23f36802012-09-28 14:15:14 +00002009#endif
Paul Bakker9e36f042013-06-30 14:34:05 +02002010#if defined(POLARSSL_SHA512_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002011 case SSL_HASH_SHA384:
2012 md_alg = POLARSSL_MD_SHA384;
2013 break;
2014 case SSL_HASH_SHA512:
2015 md_alg = POLARSSL_MD_SHA512;
2016 break;
Paul Bakkerc70b9822013-04-07 22:00:46 +02002017#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002018 default:
2019 /* Should never happen */
2020 return( -1 );
2021 }
2022
2023 if( ( ret = md_init_ctx( &ctx, md_info_from_type( md_alg ) ) ) != 0 )
2024 {
2025 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
2026 return( ret );
2027 }
2028
2029 md_starts( &ctx );
2030 md_update( &ctx, ssl->handshake->randbytes, 64 );
2031 md_update( &ctx, dig_sig, dig_sig_len );
2032 md_finish( &ctx, hash );
Paul Bakker61d113b2013-07-04 11:51:43 +02002033
2034 if( ( ret = md_free_ctx( &ctx ) ) != 0 )
2035 {
2036 SSL_DEBUG_RET( 1, "md_free_ctx", ret );
2037 return( ret );
2038 }
2039
Paul Bakker23f36802012-09-28 14:15:14 +00002040 }
Paul Bakkerc70b9822013-04-07 22:00:46 +02002041
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002042 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
2043
2044 if ( ssl->rsa_key )
2045 rsa_key_len = ssl->rsa_key_len( ssl->rsa_key );
2046
2047 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker23f36802012-09-28 14:15:14 +00002048 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002049 *(p++) = ssl->handshake->sig_alg;
2050 *(p++) = SSL_SIG_RSA;
2051
2052 n += 2;
2053 }
2054
2055 *(p++) = (unsigned char)( rsa_key_len >> 8 );
2056 *(p++) = (unsigned char)( rsa_key_len );
2057 n += 2;
2058
2059 if ( ssl->rsa_key )
2060 {
2061 ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
2062 RSA_PRIVATE, md_alg, hashlen, hash, p );
2063 }
2064
2065 if( ret != 0 )
2066 {
2067 SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
Paul Bakkerc70b9822013-04-07 22:00:46 +02002068 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +00002069 }
Paul Bakkerc70b9822013-04-07 22:00:46 +02002070
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002071 SSL_DEBUG_BUF( 3, "my RSA sig", p, rsa_key_len );
2072
2073 p += rsa_key_len;
2074 n += rsa_key_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +00002075 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002076#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
2077 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +00002078
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002079 ssl->out_msglen = 4 + n;
Paul Bakker5121ce52009-01-03 21:22:43 +00002080 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2081 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE;
2082
2083 ssl->state++;
2084
2085 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2086 {
2087 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2088 return( ret );
2089 }
2090
2091 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
2092
2093 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002094}
2095
2096static int ssl_write_server_hello_done( ssl_context *ssl )
2097{
2098 int ret;
2099
2100 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
2101
2102 ssl->out_msglen = 4;
2103 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2104 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE;
2105
2106 ssl->state++;
2107
2108 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2109 {
2110 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2111 return( ret );
2112 }
2113
2114 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
2115
2116 return( 0 );
2117}
2118
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002119#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2120 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2121static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
2122 const unsigned char *end )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002123{
2124 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +02002125 size_t n;
2126
2127 /*
2128 * Receive G^Y mod P, premaster = (G^Y)^X mod P
2129 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002130 if( *p + 2 > end )
2131 {
2132 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2133 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2134 }
Paul Bakker70df2fb2013-04-17 17:19:09 +02002135
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002136 n = ( (*p)[0] << 8 ) | (*p)[1];
2137 *p += 2;
2138
2139 if( n < 1 || n > ssl->handshake->dhm_ctx.len || *p + n > end )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002140 {
2141 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2142 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2143 }
2144
2145 if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx,
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002146 *p, n ) ) != 0 )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002147 {
2148 SSL_DEBUG_RET( 1, "dhm_read_public", ret );
2149 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2150 }
2151
2152 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2153
Paul Bakker70df2fb2013-04-17 17:19:09 +02002154 return( ret );
2155}
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002156#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2157 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +02002158
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002159#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker70df2fb2013-04-17 17:19:09 +02002160static int ssl_parse_client_ecdh_public( ssl_context *ssl )
2161{
2162 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +02002163 size_t n;
2164
2165 /*
2166 * Receive client public key and calculate premaster
2167 */
2168 n = ssl->in_msg[3];
2169
2170 if( n < 1 || n > mpi_size( &ssl->handshake->ecdh_ctx.grp.P ) * 2 + 2 ||
2171 n + 4 != ssl->in_hslen )
2172 {
2173 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2174 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2175 }
2176
2177 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2178 ssl->in_msg + 4, n ) ) != 0 )
2179 {
2180 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2181 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2182 }
2183
2184 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2185
Paul Bakker70df2fb2013-04-17 17:19:09 +02002186 return( ret );
2187}
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002188#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +02002189
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002190#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
Paul Bakker70df2fb2013-04-17 17:19:09 +02002191static int ssl_parse_encrypted_pms_secret( ssl_context *ssl )
2192{
2193 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2194 size_t i, n = 0;
2195
2196 if( ssl->rsa_key == NULL )
2197 {
2198 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2199 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2200 }
2201
2202 /*
2203 * Decrypt the premaster using own private RSA key
2204 */
2205 i = 4;
2206 if( ssl->rsa_key )
2207 n = ssl->rsa_key_len( ssl->rsa_key );
2208 ssl->handshake->pmslen = 48;
2209
2210 if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
2211 {
2212 i += 2;
2213 if( ssl->in_msg[4] != ( ( n >> 8 ) & 0xFF ) ||
2214 ssl->in_msg[5] != ( ( n ) & 0xFF ) )
2215 {
2216 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2217 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2218 }
2219 }
2220
2221 if( ssl->in_hslen != i + n )
2222 {
2223 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2224 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2225 }
2226
2227 if( ssl->rsa_key ) {
2228 ret = ssl->rsa_decrypt( ssl->rsa_key, RSA_PRIVATE,
2229 &ssl->handshake->pmslen,
2230 ssl->in_msg + i,
2231 ssl->handshake->premaster,
2232 sizeof(ssl->handshake->premaster) );
2233 }
2234
2235 if( ret != 0 || ssl->handshake->pmslen != 48 ||
Paul Bakker2fbefde2013-06-29 16:01:15 +02002236 ssl->handshake->premaster[0] != ssl->handshake->max_major_ver ||
2237 ssl->handshake->premaster[1] != ssl->handshake->max_minor_ver )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002238 {
2239 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2240
2241 /*
2242 * Protection against Bleichenbacher's attack:
2243 * invalid PKCS#1 v1.5 padding must not cause
2244 * the connection to end immediately; instead,
2245 * send a bad_record_mac later in the handshake.
2246 */
2247 ssl->handshake->pmslen = 48;
2248
2249 ret = ssl->f_rng( ssl->p_rng, ssl->handshake->premaster,
2250 ssl->handshake->pmslen );
2251 if( ret != 0 )
2252 return( ret );
2253 }
2254
2255 return( ret );
2256}
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002257#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +02002258
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002259#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
2260 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2261static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
2262 const unsigned char *end )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002263{
2264 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerfbb17802013-04-17 19:10:21 +02002265 size_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +02002266
2267 if( ssl->psk == NULL || ssl->psk_identity == NULL ||
2268 ssl->psk_identity_len == 0 || ssl->psk_len == 0 )
2269 {
2270 SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
2271 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2272 }
2273
2274 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002275 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +02002276 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002277 if( *p + 2 > end )
2278 {
2279 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2280 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2281 }
Paul Bakkerfbb17802013-04-17 19:10:21 +02002282
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002283 n = ( (*p)[0] << 8 ) | (*p)[1];
2284 *p += 2;
2285
2286 if( n < 1 || n > 65535 || *p + n > end )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002287 {
2288 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2289 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2290 }
2291
2292 if( n != ssl->psk_identity_len ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002293 memcmp( ssl->psk_identity, *p, n ) != 0 )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002294 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002295 SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
Paul Bakkerfbb17802013-04-17 19:10:21 +02002296 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2297 }
2298
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002299 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +02002300 ret = 0;
2301
Paul Bakkerfbb17802013-04-17 19:10:21 +02002302 return( ret );
2303}
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002304#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED ||
2305 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +02002306
Paul Bakker5121ce52009-01-03 21:22:43 +00002307static int ssl_parse_client_key_exchange( ssl_context *ssl )
2308{
Paul Bakker23986e52011-04-24 08:57:21 +00002309 int ret;
Paul Bakker41c83d32013-03-20 14:39:14 +01002310 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002311 unsigned char *p, *end;
Paul Bakker70df2fb2013-04-17 17:19:09 +02002312
Paul Bakker41c83d32013-03-20 14:39:14 +01002313 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00002314
2315 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
2316
2317 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2318 {
2319 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2320 return( ret );
2321 }
2322
2323 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2324 {
2325 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002326 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002327 }
2328
2329 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
2330 {
2331 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002332 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002333 }
2334
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002335 p = ssl->in_msg + 4;
2336 end = ssl->in_msg + ssl->in_msglen;
2337
2338#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
Paul Bakker41c83d32013-03-20 14:39:14 +01002339 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +00002340 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002341 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002342 {
Paul Bakker70df2fb2013-04-17 17:19:09 +02002343 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2344 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002345 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002346
2347 ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
2348
2349 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2350 ssl->handshake->premaster,
2351 &ssl->handshake->pmslen ) ) != 0 )
2352 {
2353 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2354 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2355 }
2356
2357 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker70df2fb2013-04-17 17:19:09 +02002358 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002359 else
2360#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
2361#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
2362 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002363 {
2364 if( ( ret = ssl_parse_client_ecdh_public( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002365 {
Paul Bakker70df2fb2013-04-17 17:19:09 +02002366 SSL_DEBUG_RET( 1, ( "ssl_parse_client_ecdh_public" ), ret );
2367 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002368 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002369
2370 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2371 &ssl->handshake->pmslen,
2372 ssl->handshake->premaster,
2373 POLARSSL_MPI_MAX_SIZE ) ) != 0 )
2374 {
2375 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
2376 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2377 }
2378
2379 SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
Paul Bakker5121ce52009-01-03 21:22:43 +00002380 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002381 else
2382#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2383#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2384 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002385 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002386 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002387 {
2388 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2389 return( ret );
2390 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002391
2392 // Set up the premaster secret
2393 //
2394 p = ssl->handshake->premaster;
2395 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2396 *(p++) = (unsigned char)( ssl->psk_len );
2397 p += ssl->psk_len;
2398
2399 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2400 *(p++) = (unsigned char)( ssl->psk_len );
2401 memcpy( p, ssl->psk, ssl->psk_len );
2402 p += ssl->psk_len;
2403
2404 ssl->handshake->pmslen = 4 + 2 * ssl->psk_len;
Paul Bakkerfbb17802013-04-17 19:10:21 +02002405 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002406 else
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002407#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
2408#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2409 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2410 {
2411 size_t n;
2412
2413 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2414 {
2415 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2416 return( ret );
2417 }
2418 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2419 {
2420 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2421 return( ret );
2422 }
2423
2424 // Set up the premaster secret
2425 //
2426 p = ssl->handshake->premaster;
2427 *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len >> 8 );
2428 *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len );
2429
2430 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2431 p, &n ) ) != 0 )
2432 {
2433 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2434 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2435 }
2436
2437 if( n != ssl->handshake->dhm_ctx.len )
2438 {
2439 SSL_DEBUG_MSG( 1, ( "dhm_calc_secret result smaller than DHM" ) );
2440 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
2441 }
2442
2443 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2444
2445 p += ssl->handshake->dhm_ctx.len;
2446
2447 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2448 *(p++) = (unsigned char)( ssl->psk_len );
2449 memcpy( p, ssl->psk, ssl->psk_len );
2450 p += ssl->psk_len;
2451
2452 ssl->handshake->pmslen = 4 + ssl->handshake->dhm_ctx.len + ssl->psk_len;
2453 }
2454 else
2455#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2456#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2457 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
Paul Bakker41c83d32013-03-20 14:39:14 +01002458 {
Paul Bakker70df2fb2013-04-17 17:19:09 +02002459 if( ( ret = ssl_parse_encrypted_pms_secret( ssl ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +01002460 {
Paul Bakker70df2fb2013-04-17 17:19:09 +02002461 SSL_DEBUG_RET( 1, ( "ssl_parse_client_ecdh_public" ), ret );
2462 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002463 }
2464 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002465 else
2466#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2467 {
2468 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
2469 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002470
Paul Bakkerff60ee62010-03-16 21:09:09 +00002471 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2472 {
2473 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2474 return( ret );
2475 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002476
Paul Bakker5121ce52009-01-03 21:22:43 +00002477 ssl->state++;
2478
2479 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
2480
2481 return( 0 );
2482}
2483
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002484#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2485 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2486 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +00002487static int ssl_parse_certificate_verify( ssl_context *ssl )
2488{
Paul Bakkered27a042013-04-18 22:46:23 +02002489 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerfbb17802013-04-17 19:10:21 +02002490 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00002491
2492 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2493
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002494 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2495 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakkered27a042013-04-18 22:46:23 +02002496 {
2497 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2498 ssl->state++;
2499 return( 0 );
2500 }
2501
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002502 return( ret );
2503}
2504#else
2505static int ssl_parse_certificate_verify( ssl_context *ssl )
2506{
2507 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002508 size_t sa_len, sig_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002509 unsigned char hash[48];
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002510 size_t hashlen;
2511 pk_type_t pk_alg;
2512 md_type_t md_alg;
2513 const md_info_t *md_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002514 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2515
2516 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2517
2518 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2519 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2520 {
2521 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2522 ssl->state++;
2523 return( 0 );
2524 }
2525
Paul Bakkered27a042013-04-18 22:46:23 +02002526 if( ssl->session_negotiate->peer_cert == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00002527 {
2528 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2529 ssl->state++;
2530 return( 0 );
2531 }
2532
Paul Bakker48916f92012-09-16 19:57:18 +00002533 ssl->handshake->calc_verify( ssl, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +00002534
2535 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2536 {
2537 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2538 return( ret );
2539 }
2540
2541 ssl->state++;
2542
2543 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2544 {
2545 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002546 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +00002547 }
2548
2549 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
2550 {
2551 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002552 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +00002553 }
2554
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002555 /*
2556 * 0 . 0 handshake type
2557 * 1 . 3 handshake length
2558 * 4 . 5 sig alg (TLS 1.2 only)
2559 * 4+n . 5+n signature length (n = sa_len)
2560 * 6+n . 6+n+m signature (m = sig_len)
2561 */
2562
2563 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +01002564 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002565 sa_len = 0;
2566
2567 md_alg = POLARSSL_MD_NONE;
2568 hashlen = 36;
2569 }
2570 else
2571 {
2572 sa_len = 2;
2573
Paul Bakker926af752012-11-23 13:38:07 +01002574 /*
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002575 * Hash: as server we know we either have SSL_HASH_SHA384 or
Paul Bakker926af752012-11-23 13:38:07 +01002576 * SSL_HASH_SHA256
2577 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002578 if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg )
Paul Bakker926af752012-11-23 13:38:07 +01002579 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002580 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
2581 " for verify message" ) );
Paul Bakker926af752012-11-23 13:38:07 +01002582 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
2583 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002584
Paul Bakker926af752012-11-23 13:38:07 +01002585 if( ssl->handshake->verify_sig_alg == SSL_HASH_SHA384 )
Paul Bakkerc70b9822013-04-07 22:00:46 +02002586 md_alg = POLARSSL_MD_SHA384;
Paul Bakker926af752012-11-23 13:38:07 +01002587 else
Paul Bakkerc70b9822013-04-07 22:00:46 +02002588 md_alg = POLARSSL_MD_SHA256;
Paul Bakker926af752012-11-23 13:38:07 +01002589
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002590 /*
2591 * Get hashlen from MD
2592 */
2593 if( ( md_info = md_info_from_type( md_alg ) ) == NULL )
2594 {
2595 SSL_DEBUG_MSG( 1, ( "requested hash not available " ) );
2596 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
2597 }
2598 hashlen = md_info->size;
2599
2600 /*
2601 * Signature
2602 */
2603 switch( ssl->in_msg[5] )
2604 {
2605#if defined(POLARSSL_RSA_C)
2606 case SSL_SIG_RSA:
2607 pk_alg = POLARSSL_PK_RSA;
2608 break;
2609#endif
2610
2611#if defined(POLARSSL_ECDSA_C)
2612 case SSL_SIG_ECDSA:
2613 pk_alg = POLARSSL_PK_ECDSA;
2614 break;
2615#endif
2616
2617 default:
2618 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
2619 " for verify message" ) );
2620 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
2621 }
2622
2623
2624 /*
2625 * Check the certificate's key type matches the signature alg
2626 */
2627 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
2628 {
2629 SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
2630 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
2631 }
2632
Paul Bakker926af752012-11-23 13:38:07 +01002633 }
2634
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002635 sig_len = ( ssl->in_msg[4 + sa_len] << 8 ) | ssl->in_msg[5 + sa_len];
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +02002636
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002637 if( sa_len + sig_len + 6 != ssl->in_hslen )
Paul Bakker5121ce52009-01-03 21:22:43 +00002638 {
2639 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002640 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +00002641 }
2642
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002643 ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
2644 md_alg, hash, hashlen,
2645 ssl->in_msg + 6 + sa_len, sig_len );
Paul Bakker5121ce52009-01-03 21:22:43 +00002646 if( ret != 0 )
2647 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002648 SSL_DEBUG_RET( 1, "pk_verify", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002649 return( ret );
2650 }
2651
2652 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
2653
Paul Bakkered27a042013-04-18 22:46:23 +02002654 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002655}
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002656#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2657 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2658 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00002659
Paul Bakkera503a632013-08-14 13:48:06 +02002660#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002661static int ssl_write_new_session_ticket( ssl_context *ssl )
2662{
2663 int ret;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +02002664 size_t tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002665
2666 SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
2667
2668 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2669 ssl->out_msg[0] = SSL_HS_NEW_SESSION_TICKET;
2670
2671 /*
2672 * struct {
2673 * uint32 ticket_lifetime_hint;
2674 * opaque ticket<0..2^16-1>;
2675 * } NewSessionTicket;
2676 *
2677 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
2678 * 8 . 9 ticket_len (n)
2679 * 10 . 9+n ticket content
2680 */
2681 ssl->out_msg[4] = 0x00;
2682 ssl->out_msg[5] = 0x00;
2683 ssl->out_msg[6] = 0x00;
2684 ssl->out_msg[7] = 0x00;
2685
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +02002686 if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
2687 {
2688 SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
2689 tlen = 0;
2690 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002691
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +02002692 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
2693 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002694
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +02002695 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002696
2697 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2698 {
2699 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2700 return( ret );
2701 }
2702
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +02002703 /* No need to remember writing a NewSessionTicket any more */
2704 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002705
2706 SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
2707
2708 return( 0 );
2709}
Paul Bakkera503a632013-08-14 13:48:06 +02002710#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002711
Paul Bakker5121ce52009-01-03 21:22:43 +00002712/*
Paul Bakker1961b702013-01-25 14:49:24 +01002713 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +00002714 */
Paul Bakker1961b702013-01-25 14:49:24 +01002715int ssl_handshake_server_step( ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00002716{
2717 int ret = 0;
2718
Paul Bakker1961b702013-01-25 14:49:24 +01002719 if( ssl->state == SSL_HANDSHAKE_OVER )
2720 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +00002721
Paul Bakker1961b702013-01-25 14:49:24 +01002722 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
2723
2724 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2725 return( ret );
2726
2727 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +00002728 {
Paul Bakker1961b702013-01-25 14:49:24 +01002729 case SSL_HELLO_REQUEST:
2730 ssl->state = SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +00002731 break;
2732
Paul Bakker1961b702013-01-25 14:49:24 +01002733 /*
2734 * <== ClientHello
2735 */
2736 case SSL_CLIENT_HELLO:
2737 ret = ssl_parse_client_hello( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00002738 break;
Paul Bakker1961b702013-01-25 14:49:24 +01002739
2740 /*
2741 * ==> ServerHello
2742 * Certificate
2743 * ( ServerKeyExchange )
2744 * ( CertificateRequest )
2745 * ServerHelloDone
2746 */
2747 case SSL_SERVER_HELLO:
2748 ret = ssl_write_server_hello( ssl );
2749 break;
2750
2751 case SSL_SERVER_CERTIFICATE:
2752 ret = ssl_write_certificate( ssl );
2753 break;
2754
2755 case SSL_SERVER_KEY_EXCHANGE:
2756 ret = ssl_write_server_key_exchange( ssl );
2757 break;
2758
2759 case SSL_CERTIFICATE_REQUEST:
2760 ret = ssl_write_certificate_request( ssl );
2761 break;
2762
2763 case SSL_SERVER_HELLO_DONE:
2764 ret = ssl_write_server_hello_done( ssl );
2765 break;
2766
2767 /*
2768 * <== ( Certificate/Alert )
2769 * ClientKeyExchange
2770 * ( CertificateVerify )
2771 * ChangeCipherSpec
2772 * Finished
2773 */
2774 case SSL_CLIENT_CERTIFICATE:
2775 ret = ssl_parse_certificate( ssl );
2776 break;
2777
2778 case SSL_CLIENT_KEY_EXCHANGE:
2779 ret = ssl_parse_client_key_exchange( ssl );
2780 break;
2781
2782 case SSL_CERTIFICATE_VERIFY:
2783 ret = ssl_parse_certificate_verify( ssl );
2784 break;
2785
2786 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
2787 ret = ssl_parse_change_cipher_spec( ssl );
2788 break;
2789
2790 case SSL_CLIENT_FINISHED:
2791 ret = ssl_parse_finished( ssl );
2792 break;
2793
2794 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002795 * ==> ( NewSessionTicket )
2796 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +01002797 * Finished
2798 */
2799 case SSL_SERVER_CHANGE_CIPHER_SPEC:
Paul Bakkera503a632013-08-14 13:48:06 +02002800#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +02002801 if( ssl->handshake->new_session_ticket != 0 )
2802 ret = ssl_write_new_session_ticket( ssl );
2803 else
Paul Bakkera503a632013-08-14 13:48:06 +02002804#endif
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +02002805 ret = ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01002806 break;
2807
2808 case SSL_SERVER_FINISHED:
2809 ret = ssl_write_finished( ssl );
2810 break;
2811
2812 case SSL_FLUSH_BUFFERS:
2813 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2814 ssl->state = SSL_HANDSHAKE_WRAPUP;
2815 break;
2816
2817 case SSL_HANDSHAKE_WRAPUP:
2818 ssl_handshake_wrapup( ssl );
2819 break;
2820
2821 default:
2822 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2823 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +00002824 }
2825
Paul Bakker5121ce52009-01-03 21:22:43 +00002826 return( ret );
2827}
Paul Bakker5121ce52009-01-03 21:22:43 +00002828#endif