blob: 138d1f981af477e482572d999777af3ea3e5afb8 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
2 * SSLv3/TLSv1 server-side functions
3 *
Paul Bakker7dc4c442014-02-01 22:50:26 +01004 * Copyright (C) 2006-2014, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +00005 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +00007 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +00008 *
Paul Bakker77b385e2009-07-28 17:23:11 +00009 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +000010 *
Paul Bakker5121ce52009-01-03 21:22:43 +000011 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020026#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker40e46942009-01-03 21:51:57 +000027#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020028#else
29#include POLARSSL_CONFIG_FILE
30#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000031
Paul Bakker40e46942009-01-03 21:51:57 +000032#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000033
Paul Bakker40e46942009-01-03 21:51:57 +000034#include "polarssl/debug.h"
35#include "polarssl/ssl.h"
Paul Bakker41c83d32013-03-20 14:39:14 +010036#if defined(POLARSSL_ECP_C)
37#include "polarssl/ecp.h"
38#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000039
Paul Bakker7dc4c442014-02-01 22:50:26 +010040#if defined(POLARSSL_PLATFORM_C)
41#include "polarssl/platform.h"
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020042#else
43#define polarssl_malloc malloc
44#define polarssl_free free
45#endif
46
Paul Bakker5121ce52009-01-03 21:22:43 +000047#include <stdlib.h>
48#include <stdio.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +020049
50#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +000051#include <time.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +020052#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000053
Paul Bakkera503a632013-08-14 13:48:06 +020054#if defined(POLARSSL_SSL_SESSION_TICKETS)
Paul Bakker34617722014-06-13 17:20:13 +020055/* Implementation that should never be optimized out by the compiler */
56static void polarssl_zeroize( void *v, size_t n ) {
57 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
58}
59
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020060/*
61 * Serialize a session in the following format:
62 * 0 . n-1 session structure, n = sizeof(ssl_session)
63 * n . n+2 peer_cert length = m (0 if no certificate)
64 * n+3 . n+2+m peer cert ASN.1
65 *
66 * Assumes ticket is NULL (always true on server side).
67 */
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020068static int ssl_save_session( const ssl_session *session,
69 unsigned char *buf, size_t buf_len,
70 size_t *olen )
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020071{
72 unsigned char *p = buf;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020073 size_t left = buf_len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +020074#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020075 size_t cert_len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +020076#endif /* POLARSSL_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020077
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020078 if( left < sizeof( ssl_session ) )
79 return( -1 );
80
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020081 memcpy( p, session, sizeof( ssl_session ) );
82 p += sizeof( ssl_session );
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020083 left -= sizeof( ssl_session );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020084
Paul Bakker7c6b2c32013-09-16 13:49:26 +020085#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020086 if( session->peer_cert == NULL )
87 cert_len = 0;
88 else
89 cert_len = session->peer_cert->raw.len;
90
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020091 if( left < 3 + cert_len )
92 return( -1 );
93
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020094 *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
95 *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
96 *p++ = (unsigned char)( cert_len & 0xFF );
97
98 if( session->peer_cert != NULL )
99 memcpy( p, session->peer_cert->raw.p, cert_len );
100
101 p += cert_len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200102#endif /* POLARSSL_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200103
104 *olen = p - buf;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200105
106 return( 0 );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200107}
108
109/*
110 * Unserialise session, see ssl_save_session()
111 */
112static int ssl_load_session( ssl_session *session,
113 const unsigned char *buf, size_t len )
114{
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200115 const unsigned char *p = buf;
116 const unsigned char * const end = buf + len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200117#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200118 size_t cert_len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200119#endif /* POLARSSL_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200120
121 if( p + sizeof( ssl_session ) > end )
122 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
123
124 memcpy( session, p, sizeof( ssl_session ) );
125 p += sizeof( ssl_session );
126
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200127#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200128 if( p + 3 > end )
129 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
130
131 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
132 p += 3;
133
134 if( cert_len == 0 )
135 {
136 session->peer_cert = NULL;
137 }
138 else
139 {
Paul Bakker2292d1f2013-09-15 17:06:49 +0200140 int ret;
141
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200142 if( p + cert_len > end )
143 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
144
Paul Bakkerc559c7a2013-09-18 14:13:26 +0200145 session->peer_cert = polarssl_malloc( sizeof( x509_crt ) );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200146
147 if( session->peer_cert == NULL )
148 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
149
Paul Bakkerb6b09562013-09-18 14:17:41 +0200150 x509_crt_init( session->peer_cert );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200151
Manuel Pégourié-Gonnard4d2a8eb2014-06-13 20:33:27 +0200152 if( ( ret = x509_crt_parse_der( session->peer_cert,
153 p, cert_len ) ) != 0 )
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200154 {
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200155 x509_crt_free( session->peer_cert );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200156 polarssl_free( session->peer_cert );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200157 session->peer_cert = NULL;
158 return( ret );
159 }
160
161 p += cert_len;
162 }
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200163#endif /* POLARSSL_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200164
165 if( p != end )
166 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
167
168 return( 0 );
169}
170
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200171/*
172 * Create session ticket, secured as recommended in RFC 5077 section 4:
173 *
174 * struct {
175 * opaque key_name[16];
176 * opaque iv[16];
177 * opaque encrypted_state<0..2^16-1>;
178 * opaque mac[32];
179 * } ticket;
180 *
181 * (the internal state structure differs, however).
182 */
183static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
184{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200185 int ret;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200186 unsigned char * const start = ssl->out_msg + 10;
187 unsigned char *p = start;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200188 unsigned char *state;
189 unsigned char iv[16];
190 size_t clear_len, enc_len, pad_len, i;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200191
Manuel Pégourié-Gonnard0a201712013-08-23 16:25:16 +0200192 *tlen = 0;
193
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200194 if( ssl->ticket_keys == NULL )
195 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
196
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200197 /* Write key name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200198 memcpy( p, ssl->ticket_keys->key_name, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200199 p += 16;
200
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200201 /* Generate and write IV (with a copy for aes_crypt) */
202 if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
203 return( ret );
204 memcpy( iv, p, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200205 p += 16;
206
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200207 /*
208 * Dump session state
209 *
210 * After the session state itself, we still need room for 16 bytes of
211 * padding and 32 bytes of MAC, so there's only so much room left
212 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200213 state = p + 2;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200214 if( ssl_save_session( ssl->session_negotiate, state,
Paul Bakker66d5d072014-06-17 16:39:18 +0200215 SSL_MAX_CONTENT_LEN - ( state - ssl->out_ctr ) - 48,
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200216 &clear_len ) != 0 )
217 {
218 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
219 }
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200220 SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200221
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200222 /* Apply PKCS padding */
223 pad_len = 16 - clear_len % 16;
224 enc_len = clear_len + pad_len;
225 for( i = clear_len; i < enc_len; i++ )
226 state[i] = (unsigned char) pad_len;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200227
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200228 /* Encrypt */
229 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
230 enc_len, iv, state, state ) ) != 0 )
231 {
232 return( ret );
233 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200234
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200235 /* Write length */
236 *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
237 *p++ = (unsigned char)( ( enc_len ) & 0xFF );
238 p = state + enc_len;
239
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200240 /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
241 sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200242 p += 32;
243
244 *tlen = p - start;
245
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200246 SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200247
248 return( 0 );
249}
250
251/*
252 * Load session ticket (see ssl_write_ticket for structure)
253 */
254static int ssl_parse_ticket( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200255 unsigned char *buf,
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200256 size_t len )
257{
258 int ret;
259 ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200260 unsigned char *key_name = buf;
261 unsigned char *iv = buf + 16;
262 unsigned char *enc_len_p = iv + 16;
263 unsigned char *ticket = enc_len_p + 2;
264 unsigned char *mac;
Manuel Pégourié-Gonnard34ced2d2013-09-20 11:37:39 +0200265 unsigned char computed_mac[32];
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200266 size_t enc_len, clear_len, i;
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100267 unsigned char pad_len, diff;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200268
269 SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200270
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200271 if( len < 34 || ssl->ticket_keys == NULL )
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200272 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
273
274 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
275 mac = ticket + enc_len;
276
277 if( len != enc_len + 66 )
278 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
279
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100280 /* Check name, in constant time though it's not a big secret */
281 diff = 0;
282 for( i = 0; i < 16; i++ )
283 diff |= key_name[i] ^ ssl->ticket_keys->key_name[i];
284 /* don't return yet, check the MAC anyway */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200285
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100286 /* Check mac, with constant-time buffer comparison */
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200287 sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
288 computed_mac, 0 );
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100289
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200290 for( i = 0; i < 32; i++ )
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100291 diff |= mac[i] ^ computed_mac[i];
292
293 /* Now return if ticket is not authentic, since we want to avoid
294 * decrypting arbitrary attacker-chosen data */
295 if( diff != 0 )
296 return( POLARSSL_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200297
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200298 /* Decrypt */
299 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
300 enc_len, iv, ticket, ticket ) ) != 0 )
301 {
302 return( ret );
303 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200304
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200305 /* Check PKCS padding */
306 pad_len = ticket[enc_len - 1];
307
308 ret = 0;
309 for( i = 2; i < pad_len; i++ )
310 if( ticket[enc_len - i] != pad_len )
311 ret = POLARSSL_ERR_SSL_BAD_INPUT_DATA;
312 if( ret != 0 )
313 return( ret );
314
315 clear_len = enc_len - pad_len;
316
317 SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
318
319 /* Actually load session */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200320 if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
321 {
322 SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
Manuel Pégourié-Gonnardd701c9a2014-02-26 17:54:07 +0100323 ssl_session_free( &session );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200324 return( ret );
325 }
326
Paul Bakker606b4ba2013-08-14 16:52:14 +0200327#if defined(POLARSSL_HAVE_TIME)
328 /* Check if still valid */
329 if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
330 {
331 SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
Manuel Pégourié-Gonnardd701c9a2014-02-26 17:54:07 +0100332 ssl_session_free( &session );
Paul Bakker606b4ba2013-08-14 16:52:14 +0200333 return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED );
334 }
335#endif
336
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200337 /*
338 * Keep the session ID sent by the client, since we MUST send it back to
339 * inform him we're accepting the ticket (RFC 5077 section 3.4)
340 */
341 session.length = ssl->session_negotiate->length;
342 memcpy( &session.id, ssl->session_negotiate->id, session.length );
343
344 ssl_session_free( ssl->session_negotiate );
345 memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +0200346
347 /* Zeroize instead of free as we copied the content */
Paul Bakker34617722014-06-13 17:20:13 +0200348 polarssl_zeroize( &session, sizeof( ssl_session ) );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200349
350 return( 0 );
351}
Paul Bakkera503a632013-08-14 13:48:06 +0200352#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200353
Paul Bakker0be444a2013-08-27 21:55:01 +0200354#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200355/*
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +0200356 * Wrapper around f_sni, allowing use of ssl_set_own_cert() but
357 * making it act on ssl->hanshake->sni_key_cert instead.
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200358 */
359static int ssl_sni_wrapper( ssl_context *ssl,
360 const unsigned char* name, size_t len )
361{
362 int ret;
363 ssl_key_cert *key_cert_ori = ssl->key_cert;
364
365 ssl->key_cert = NULL;
366 ret = ssl->f_sni( ssl->p_sni, ssl, name, len );
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +0200367 ssl->handshake->sni_key_cert = ssl->key_cert;
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200368
369 ssl->key_cert = key_cert_ori;
370
371 return( ret );
372}
373
Paul Bakker5701cdc2012-09-27 21:49:42 +0000374static int ssl_parse_servername_ext( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000375 const unsigned char *buf,
Paul Bakker5701cdc2012-09-27 21:49:42 +0000376 size_t len )
377{
378 int ret;
379 size_t servername_list_size, hostname_len;
Paul Bakker23f36802012-09-28 14:15:14 +0000380 const unsigned char *p;
Paul Bakker5701cdc2012-09-27 21:49:42 +0000381
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100382 SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
383
Paul Bakker5701cdc2012-09-27 21:49:42 +0000384 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
385 if( servername_list_size + 2 != len )
386 {
387 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
388 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
389 }
390
391 p = buf + 2;
392 while( servername_list_size > 0 )
393 {
394 hostname_len = ( ( p[1] << 8 ) | p[2] );
395 if( hostname_len + 3 > servername_list_size )
396 {
397 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
398 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
399 }
400
401 if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
402 {
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200403 ret = ssl_sni_wrapper( ssl, p + 3, hostname_len );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000404 if( ret != 0 )
405 {
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100406 SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000407 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
408 SSL_ALERT_MSG_UNRECOGNIZED_NAME );
409 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
410 }
Paul Bakker81420ab2012-10-23 10:31:15 +0000411 return( 0 );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000412 }
413
414 servername_list_size -= hostname_len + 3;
Paul Bakker23f36802012-09-28 14:15:14 +0000415 p += hostname_len + 3;
416 }
417
418 if( servername_list_size != 0 )
419 {
420 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
421 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000422 }
423
424 return( 0 );
425}
Paul Bakker0be444a2013-08-27 21:55:01 +0200426#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +0000427
Paul Bakker48916f92012-09-16 19:57:18 +0000428static int ssl_parse_renegotiation_info( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000429 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +0000430 size_t len )
431{
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000432 int ret;
433
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100434#if defined(POLARSSL_SSL_RENEGOTIATION)
435 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
436 {
437 /* Check verify-data in constant-time. The length OTOH is no secret */
438 if( len != 1 + ssl->verify_data_len ||
439 buf[0] != ssl->verify_data_len ||
440 safer_memcmp( buf + 1, ssl->peer_verify_data,
441 ssl->verify_data_len ) != 0 )
442 {
443 SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
444
445 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
446 return( ret );
447
448 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
449 }
450 }
451 else
452#endif /* POLARSSL_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000453 {
454 if( len != 1 || buf[0] != 0x0 )
455 {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100456 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000457
458 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
459 return( ret );
460
Paul Bakker48916f92012-09-16 19:57:18 +0000461 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
462 }
463
464 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
465 }
Paul Bakker48916f92012-09-16 19:57:18 +0000466
467 return( 0 );
468}
469
Manuel Pégourié-Gonnardd9423232014-12-02 11:57:29 +0100470#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
471 defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
Paul Bakker23f36802012-09-28 14:15:14 +0000472static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
473 const unsigned char *buf,
474 size_t len )
475{
476 size_t sig_alg_list_size;
477 const unsigned char *p;
Manuel Pégourié-Gonnard08e81e02014-07-08 12:56:25 +0200478 const unsigned char *end = buf + len;
479 const int *md_cur;
480
Paul Bakker23f36802012-09-28 14:15:14 +0000481
482 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
483 if( sig_alg_list_size + 2 != len ||
Manuel Pégourié-Gonnard08e81e02014-07-08 12:56:25 +0200484 sig_alg_list_size % 2 != 0 )
Paul Bakker23f36802012-09-28 14:15:14 +0000485 {
486 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
487 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
488 }
489
Manuel Pégourié-Gonnard08e81e02014-07-08 12:56:25 +0200490 /*
491 * For now, ignore the SignatureAlgorithm part and rely on offered
492 * ciphersuites only for that part. To be fixed later.
493 *
494 * So, just look at the HashAlgorithm part.
495 */
496 for( md_cur = md_list(); *md_cur != POLARSSL_MD_NONE; md_cur++ ) {
497 for( p = buf + 2; p < end; p += 2 ) {
498 if( *md_cur == (int) ssl_md_alg_from_hash( p[0] ) ) {
499 ssl->handshake->sig_alg = p[0];
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200500 goto have_sig_alg;
Manuel Pégourié-Gonnard08e81e02014-07-08 12:56:25 +0200501 }
Paul Bakker23f36802012-09-28 14:15:14 +0000502 }
Paul Bakker23f36802012-09-28 14:15:14 +0000503 }
504
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200505 /* Some key echanges do not need signatures at all */
506 SSL_DEBUG_MSG( 3, ( "no signature_algorithm in common" ) );
507 return( 0 );
508
509have_sig_alg:
Paul Bakker23f36802012-09-28 14:15:14 +0000510 SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
511 ssl->handshake->sig_alg ) );
512
513 return( 0 );
514}
Manuel Pégourié-Gonnardd9423232014-12-02 11:57:29 +0100515#endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
516 POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
Paul Bakker23f36802012-09-28 14:15:14 +0000517
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200518#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200519static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
520 const unsigned char *buf,
521 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100522{
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200523 size_t list_size, our_size;
Paul Bakker41c83d32013-03-20 14:39:14 +0100524 const unsigned char *p;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200525 const ecp_curve_info *curve_info, **curves;
Paul Bakker41c83d32013-03-20 14:39:14 +0100526
527 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
528 if( list_size + 2 != len ||
529 list_size % 2 != 0 )
530 {
531 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
532 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
533 }
534
Manuel Pégourié-Gonnard43c3b282014-10-17 12:42:11 +0200535 /* Should never happen unless client duplicates the extension */
536 if( ssl->handshake->curves != NULL )
537 {
538 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
539 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
540 }
541
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100542 /* Don't allow our peer to make us allocate too much memory,
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200543 * and leave room for a final 0 */
544 our_size = list_size / 2 + 1;
545 if( our_size > POLARSSL_ECP_DP_MAX )
546 our_size = POLARSSL_ECP_DP_MAX;
547
548 if( ( curves = polarssl_malloc( our_size * sizeof( *curves ) ) ) == NULL )
549 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
550
Paul Bakker9af723c2014-05-01 13:03:14 +0200551 /* explicit void pointer cast for buggy MS compiler */
Paul Bakkerbeccd9f2013-10-11 15:20:27 +0200552 memset( (void *) curves, 0, our_size * sizeof( *curves ) );
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200553 ssl->handshake->curves = curves;
554
Paul Bakker41c83d32013-03-20 14:39:14 +0100555 p = buf + 2;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200556 while( list_size > 0 && our_size > 1 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100557 {
Manuel Pégourié-Gonnardf24b4a72013-09-23 18:14:50 +0200558 curve_info = ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200559
Manuel Pégourié-Gonnardf24b4a72013-09-23 18:14:50 +0200560 if( curve_info != NULL )
Paul Bakker41c83d32013-03-20 14:39:14 +0100561 {
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200562 *curves++ = curve_info;
563 our_size--;
Paul Bakker41c83d32013-03-20 14:39:14 +0100564 }
565
566 list_size -= 2;
567 p += 2;
568 }
569
570 return( 0 );
571}
572
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200573static int ssl_parse_supported_point_formats( ssl_context *ssl,
574 const unsigned char *buf,
575 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100576{
577 size_t list_size;
578 const unsigned char *p;
579
580 list_size = buf[0];
581 if( list_size + 1 != len )
582 {
583 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
584 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
585 }
586
587 p = buf + 2;
588 while( list_size > 0 )
589 {
590 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
591 p[0] == POLARSSL_ECP_PF_COMPRESSED )
592 {
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200593 ssl->handshake->ecdh_ctx.point_format = p[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200594 SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
Paul Bakker41c83d32013-03-20 14:39:14 +0100595 return( 0 );
596 }
597
598 list_size--;
599 p++;
600 }
601
602 return( 0 );
603}
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200604#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Paul Bakker41c83d32013-03-20 14:39:14 +0100605
Paul Bakker05decb22013-08-15 13:33:48 +0200606#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200607static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
608 const unsigned char *buf,
609 size_t len )
610{
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200611 if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200612 {
613 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
614 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
615 }
616
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200617 ssl->session_negotiate->mfl_code = buf[0];
618
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200619 return( 0 );
620}
Paul Bakker05decb22013-08-15 13:33:48 +0200621#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200622
Paul Bakker1f2bc622013-08-15 13:45:55 +0200623#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200624static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
625 const unsigned char *buf,
626 size_t len )
627{
628 if( len != 0 )
629 {
630 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
631 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
632 }
633
634 ((void) buf);
635
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100636 if( ssl->trunc_hmac == SSL_TRUNC_HMAC_ENABLED )
637 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200638
639 return( 0 );
640}
Paul Bakker1f2bc622013-08-15 13:45:55 +0200641#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200642
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100643#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
644static int ssl_parse_encrypt_then_mac_ext( ssl_context *ssl,
645 const unsigned char *buf,
646 size_t len )
647{
648 if( len != 0 )
649 {
650 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
651 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
652 }
653
654 ((void) buf);
655
656 if( ssl->encrypt_then_mac == SSL_ETM_ENABLED &&
657 ssl->minor_ver != SSL_MINOR_VERSION_0 )
658 {
659 ssl->session_negotiate->encrypt_then_mac = SSL_ETM_ENABLED;
660 }
661
662 return( 0 );
663}
664#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
665
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200666#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
667static int ssl_parse_extended_ms_ext( ssl_context *ssl,
668 const unsigned char *buf,
669 size_t len )
670{
671 if( len != 0 )
672 {
673 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
674 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
675 }
676
677 ((void) buf);
678
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200679 if( ssl->extended_ms == SSL_EXTENDED_MS_ENABLED &&
680 ssl->minor_ver != SSL_MINOR_VERSION_0 )
681 {
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200682 ssl->handshake->extended_ms = SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200683 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200684
685 return( 0 );
686}
687#endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
688
Paul Bakkera503a632013-08-14 13:48:06 +0200689#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200690static int ssl_parse_session_ticket_ext( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200691 unsigned char *buf,
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200692 size_t len )
693{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200694 int ret;
695
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200696 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
697 return( 0 );
698
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200699 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200700 ssl->handshake->new_session_ticket = 1;
701
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200702 SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
703
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200704 if( len == 0 )
705 return( 0 );
706
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100707#if defined(POLARSSL_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200708 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
709 {
710 SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
711 return( 0 );
712 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100713#endif /* POLARSSL_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200714
715 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200716 * Failures are ok: just ignore the ticket and proceed.
717 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200718 if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
719 {
720 SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200721 return( 0 );
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200722 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200723
724 SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
725
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200726 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200727
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200728 /* Don't send a new ticket after all, this one is OK */
729 ssl->handshake->new_session_ticket = 0;
730
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200731 return( 0 );
732}
Paul Bakkera503a632013-08-14 13:48:06 +0200733#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200734
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200735#if defined(POLARSSL_SSL_ALPN)
736static int ssl_parse_alpn_ext( ssl_context *ssl,
Manuel Pégourié-Gonnard14beb082014-07-08 13:50:35 +0200737 const unsigned char *buf, size_t len )
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200738{
Paul Bakker14b16c62014-05-28 11:33:54 +0200739 size_t list_len, cur_len, ours_len;
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200740 const unsigned char *theirs, *start, *end;
741 const char **ours;
742
743 /* If ALPN not configured, just ignore the extension */
744 if( ssl->alpn_list == NULL )
745 return( 0 );
746
747 /*
748 * opaque ProtocolName<1..2^8-1>;
749 *
750 * struct {
751 * ProtocolName protocol_name_list<2..2^16-1>
752 * } ProtocolNameList;
753 */
754
755 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
756 if( len < 4 )
757 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
758
759 list_len = ( buf[0] << 8 ) | buf[1];
760 if( list_len != len - 2 )
761 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
762
763 /*
764 * Use our order of preference
765 */
766 start = buf + 2;
767 end = buf + len;
768 for( ours = ssl->alpn_list; *ours != NULL; ours++ )
769 {
Paul Bakker14b16c62014-05-28 11:33:54 +0200770 ours_len = strlen( *ours );
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200771 for( theirs = start; theirs != end; theirs += cur_len )
772 {
773 /* If the list is well formed, we should get equality first */
774 if( theirs > end )
775 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
776
777 cur_len = *theirs++;
778
779 /* Empty strings MUST NOT be included */
780 if( cur_len == 0 )
781 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
782
Paul Bakker14b16c62014-05-28 11:33:54 +0200783 if( cur_len == ours_len &&
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200784 memcmp( theirs, *ours, cur_len ) == 0 )
785 {
786 ssl->alpn_chosen = *ours;
787 return( 0 );
788 }
789 }
790 }
791
792 /* If we get there, no match was found */
793 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
794 SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
795 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
796}
797#endif /* POLARSSL_SSL_ALPN */
798
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100799/*
800 * Auxiliary functions for ServerHello parsing and related actions
801 */
802
803#if defined(POLARSSL_X509_CRT_PARSE_C)
804/*
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100805 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100806 */
807#if defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100808static int ssl_check_key_curve( pk_context *pk,
809 const ecp_curve_info **curves )
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100810{
811 const ecp_curve_info **crv = curves;
812 ecp_group_id grp_id = pk_ec( *pk )->grp.id;
813
814 while( *crv != NULL )
815 {
816 if( (*crv)->grp_id == grp_id )
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100817 return( 0 );
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100818 crv++;
819 }
820
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100821 return( -1 );
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100822}
823#endif /* POLARSSL_ECDSA_C */
824
825/*
826 * Try picking a certificate for this ciphersuite,
827 * return 0 on success and -1 on failure.
828 */
829static int ssl_pick_cert( ssl_context *ssl,
830 const ssl_ciphersuite_t * ciphersuite_info )
831{
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100832 ssl_key_cert *cur, *list, *fallback = NULL;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100833 pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
834
835#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
836 if( ssl->handshake->sni_key_cert != NULL )
837 list = ssl->handshake->sni_key_cert;
838 else
839#endif
840 list = ssl->handshake->key_cert;
841
842 if( pk_alg == POLARSSL_PK_NONE )
843 return( 0 );
844
845 for( cur = list; cur != NULL; cur = cur->next )
846 {
847 if( ! pk_can_do( cur->key, pk_alg ) )
848 continue;
849
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200850 /*
851 * This avoids sending the client a cert it'll reject based on
852 * keyUsage or other extensions.
853 *
854 * It also allows the user to provision different certificates for
855 * different uses based on keyUsage, eg if they want to avoid signing
856 * and decrypting with the same RSA key.
857 */
858 if( ssl_check_cert_usage( cur->cert, ciphersuite_info,
859 SSL_IS_SERVER ) != 0 )
860 {
861 continue;
862 }
863
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100864#if defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100865 if( pk_alg == POLARSSL_PK_ECDSA &&
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100866 ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 )
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100867 continue;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100868#endif
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100869
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100870 /*
871 * Try to select a SHA-1 certificate for pre-1.2 clients, but still
872 * present them a SHA-higher cert rather than failing if it's the only
873 * one we got that satisfies the other conditions.
874 */
875 if( ssl->minor_ver < SSL_MINOR_VERSION_3 &&
876 cur->cert->sig_md != POLARSSL_MD_SHA1 )
877 {
878 if( fallback == NULL )
879 fallback = cur;
880 continue;
881 }
882
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100883 /* If we get there, we got a winner */
884 break;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100885 }
886
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100887 if( cur != NULL )
888 {
889 ssl->handshake->key_cert = cur;
890 return( 0 );
891 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100892
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100893 if( fallback != NULL )
894 {
895 ssl->handshake->key_cert = fallback;
896 return( 0 );
897 }
898
899 return( -1 );
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100900}
901#endif /* POLARSSL_X509_CRT_PARSE_C */
902
903/*
904 * Check if a given ciphersuite is suitable for use with our config/keys/etc
905 * Sets ciphersuite_info only if the suite matches.
906 */
907static int ssl_ciphersuite_match( ssl_context *ssl, int suite_id,
908 const ssl_ciphersuite_t **ciphersuite_info )
909{
910 const ssl_ciphersuite_t *suite_info;
911
912 suite_info = ssl_ciphersuite_from_id( suite_id );
913 if( suite_info == NULL )
914 {
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100915 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
916 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100917 }
918
919 if( suite_info->min_minor_ver > ssl->minor_ver ||
920 suite_info->max_minor_ver < ssl->minor_ver )
921 return( 0 );
922
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100923 if( ssl->arc4_disabled == SSL_ARC4_DISABLED &&
924 suite_info->cipher == POLARSSL_CIPHER_ARC4_128 )
925 return( 0 );
926
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100927#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
928 if( ssl_ciphersuite_uses_ec( suite_info ) &&
929 ( ssl->handshake->curves == NULL ||
930 ssl->handshake->curves[0] == NULL ) )
931 return( 0 );
932#endif
933
934#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
935 /* If the ciphersuite requires a pre-shared key and we don't
936 * have one, skip it now rather than failing later */
937 if( ssl_ciphersuite_uses_psk( suite_info ) &&
938 ssl->f_psk == NULL &&
939 ( ssl->psk == NULL || ssl->psk_identity == NULL ||
940 ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
941 return( 0 );
942#endif
943
944#if defined(POLARSSL_X509_CRT_PARSE_C)
945 /*
946 * Final check: if ciphersuite requires us to have a
947 * certificate/key of a particular type:
948 * - select the appropriate certificate if we have one, or
949 * - try the next ciphersuite if we don't
950 * This must be done last since we modify the key_cert list.
951 */
952 if( ssl_pick_cert( ssl, suite_info ) != 0 )
953 return( 0 );
954#endif
955
956 *ciphersuite_info = suite_info;
957 return( 0 );
958}
959
Paul Bakker78a8c712013-03-06 17:01:52 +0100960#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
961static int ssl_parse_client_hello_v2( ssl_context *ssl )
962{
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100963 int ret, got_common_suite;
Paul Bakker78a8c712013-03-06 17:01:52 +0100964 unsigned int i, j;
965 size_t n;
966 unsigned int ciph_len, sess_len, chal_len;
967 unsigned char *buf, *p;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200968 const int *ciphersuites;
Paul Bakker59c28a22013-06-29 15:33:42 +0200969 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker78a8c712013-03-06 17:01:52 +0100970
971 SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
972
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100973#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakker78a8c712013-03-06 17:01:52 +0100974 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
975 {
976 SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
977
978 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
979 return( ret );
980
981 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
982 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100983#endif /* POLARSSL_SSL_RENEGOTIATION */
Paul Bakker78a8c712013-03-06 17:01:52 +0100984
985 buf = ssl->in_hdr;
986
987 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
988
989 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
990 buf[2] ) );
991 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
992 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
993 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
994 buf[3], buf[4] ) );
995
996 /*
997 * SSLv2 Client Hello
998 *
999 * Record layer:
1000 * 0 . 1 message length
1001 *
1002 * SSL layer:
1003 * 2 . 2 message type
1004 * 3 . 4 protocol version
1005 */
1006 if( buf[2] != SSL_HS_CLIENT_HELLO ||
1007 buf[3] != SSL_MAJOR_VERSION_3 )
1008 {
1009 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1010 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1011 }
1012
1013 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
1014
1015 if( n < 17 || n > 512 )
1016 {
1017 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1018 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1019 }
1020
1021 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +02001022 ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
1023 ? buf[4] : ssl->max_minor_ver;
Paul Bakker78a8c712013-03-06 17:01:52 +01001024
1025 if( ssl->minor_ver < ssl->min_minor_ver )
1026 {
1027 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02001028 " [%d:%d] < [%d:%d]",
1029 ssl->major_ver, ssl->minor_ver,
Paul Bakker78a8c712013-03-06 17:01:52 +01001030 ssl->min_major_ver, ssl->min_minor_ver ) );
1031
1032 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1033 SSL_ALERT_MSG_PROTOCOL_VERSION );
1034 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1035 }
1036
Paul Bakker2fbefde2013-06-29 16:01:15 +02001037 ssl->handshake->max_major_ver = buf[3];
1038 ssl->handshake->max_minor_ver = buf[4];
Paul Bakker78a8c712013-03-06 17:01:52 +01001039
1040 if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
1041 {
1042 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1043 return( ret );
1044 }
1045
1046 ssl->handshake->update_checksum( ssl, buf + 2, n );
1047
1048 buf = ssl->in_msg;
1049 n = ssl->in_left - 5;
1050
1051 /*
1052 * 0 . 1 ciphersuitelist length
1053 * 2 . 3 session id length
1054 * 4 . 5 challenge length
1055 * 6 . .. ciphersuitelist
1056 * .. . .. session id
1057 * .. . .. challenge
1058 */
1059 SSL_DEBUG_BUF( 4, "record contents", buf, n );
1060
1061 ciph_len = ( buf[0] << 8 ) | buf[1];
1062 sess_len = ( buf[2] << 8 ) | buf[3];
1063 chal_len = ( buf[4] << 8 ) | buf[5];
1064
1065 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
1066 ciph_len, sess_len, chal_len ) );
1067
1068 /*
1069 * Make sure each parameter length is valid
1070 */
1071 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
1072 {
1073 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1074 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1075 }
1076
1077 if( sess_len > 32 )
1078 {
1079 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1080 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1081 }
1082
1083 if( chal_len < 8 || chal_len > 32 )
1084 {
1085 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1086 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1087 }
1088
1089 if( n != 6 + ciph_len + sess_len + chal_len )
1090 {
1091 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1092 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1093 }
1094
1095 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1096 buf + 6, ciph_len );
1097 SSL_DEBUG_BUF( 3, "client hello, session id",
1098 buf + 6 + ciph_len, sess_len );
1099 SSL_DEBUG_BUF( 3, "client hello, challenge",
1100 buf + 6 + ciph_len + sess_len, chal_len );
1101
1102 p = buf + 6 + ciph_len;
1103 ssl->session_negotiate->length = sess_len;
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02001104 memset( ssl->session_negotiate->id, 0,
1105 sizeof( ssl->session_negotiate->id ) );
Paul Bakker78a8c712013-03-06 17:01:52 +01001106 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
1107
1108 p += sess_len;
1109 memset( ssl->handshake->randbytes, 0, 64 );
1110 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
1111
1112 /*
1113 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1114 */
1115 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
1116 {
1117 if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
1118 {
1119 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001120#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakker78a8c712013-03-06 17:01:52 +01001121 if( ssl->renegotiation == SSL_RENEGOTIATION )
1122 {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001123 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
1124 "during renegotiation" ) );
Paul Bakker78a8c712013-03-06 17:01:52 +01001125
1126 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1127 return( ret );
1128
1129 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1130 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001131#endif /* POLARSSL_SSL_RENEGOTIATION */
Paul Bakker78a8c712013-03-06 17:01:52 +01001132 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
1133 break;
1134 }
1135 }
1136
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001137#if defined(POLARSSL_SSL_FALLBACK_SCSV)
1138 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
1139 {
1140 if( p[0] == 0 &&
1141 p[1] == (unsigned char)( ( SSL_FALLBACK_SCSV >> 8 ) & 0xff ) &&
1142 p[2] == (unsigned char)( ( SSL_FALLBACK_SCSV ) & 0xff ) )
1143 {
1144 SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
1145
1146 if( ssl->minor_ver < ssl->max_minor_ver )
1147 {
1148 SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
1149
1150 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1151 SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
1152
1153 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1154 }
1155
1156 break;
1157 }
1158 }
1159#endif /* POLARSSL_SSL_FALLBACK_SCSV */
1160
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01001161 got_common_suite = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001162 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +01001163 ciphersuite_info = NULL;
Manuel Pégourié-Gonnard1a9f2c72013-11-30 18:30:06 +01001164#if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1165 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
1166 {
1167 for( i = 0; ciphersuites[i] != 0; i++ )
1168#else
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001169 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker78a8c712013-03-06 17:01:52 +01001170 {
1171 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
Manuel Pégourié-Gonnard1a9f2c72013-11-30 18:30:06 +01001172#endif
Paul Bakker78a8c712013-03-06 17:01:52 +01001173 {
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +01001174 if( p[0] != 0 ||
1175 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
1176 p[2] != ( ( ciphersuites[i] ) & 0xFF ) )
1177 continue;
Paul Bakker59c28a22013-06-29 15:33:42 +02001178
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01001179 got_common_suite = 1;
1180
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +01001181 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1182 &ciphersuite_info ) ) != 0 )
1183 return( ret );
Paul Bakker59c28a22013-06-29 15:33:42 +02001184
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +01001185 if( ciphersuite_info != NULL )
Paul Bakker78a8c712013-03-06 17:01:52 +01001186 goto have_ciphersuite_v2;
1187 }
1188 }
1189
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01001190 if( got_common_suite )
1191 {
1192 SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
1193 "but none of them usable" ) );
1194 return( POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE );
1195 }
1196 else
1197 {
1198 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1199 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
1200 }
Paul Bakker78a8c712013-03-06 17:01:52 +01001201
1202have_ciphersuite_v2:
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001203 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker59c28a22013-06-29 15:33:42 +02001204 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +01001205 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
Paul Bakker78a8c712013-03-06 17:01:52 +01001206
1207 /*
1208 * SSLv2 Client Hello relevant renegotiation security checks
1209 */
1210 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1211 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
1212 {
1213 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1214
1215 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1216 return( ret );
1217
1218 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1219 }
1220
1221 ssl->in_left = 0;
1222 ssl->state++;
1223
1224 SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
1225
1226 return( 0 );
1227}
1228#endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
1229
Paul Bakker5121ce52009-01-03 21:22:43 +00001230static int ssl_parse_client_hello( ssl_context *ssl )
1231{
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01001232 int ret, got_common_suite;
Paul Bakker23986e52011-04-24 08:57:21 +00001233 unsigned int i, j;
1234 size_t n;
1235 unsigned int ciph_len, sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +00001236 unsigned int comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +00001237 unsigned int ext_len = 0;
1238 unsigned char *buf, *p, *ext;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +01001239#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001240 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +01001241#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001242 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001243 const int *ciphersuites;
Paul Bakker41c83d32013-03-20 14:39:14 +01001244 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00001245
1246 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
1247
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001248#if defined(POLARSSL_SSL_RENEGOTIATION)
1249 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
1250#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001251 {
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +00001252 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1253 {
1254 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1255 return( ret );
1256 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001257 }
1258
1259 buf = ssl->in_hdr;
1260
Paul Bakker78a8c712013-03-06 17:01:52 +01001261#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1262 if( ( buf[0] & 0x80 ) != 0 )
1263 return ssl_parse_client_hello_v2( ssl );
1264#endif
1265
Paul Bakkerec636f32012-09-09 19:17:02 +00001266 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
1267
1268 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
1269 buf[0] ) );
1270 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
1271 ( buf[3] << 8 ) | buf[4] ) );
1272 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
1273 buf[1], buf[2] ) );
1274
1275 /*
Manuel Pégourié-Gonnard6b1e2072014-02-12 10:14:54 +01001276 * SSLv3/TLS Client Hello
Paul Bakkerec636f32012-09-09 19:17:02 +00001277 *
1278 * Record layer:
1279 * 0 . 0 message type
1280 * 1 . 2 protocol version
1281 * 3 . 4 message length
1282 */
Manuel Pégourié-Gonnard6b1e2072014-02-12 10:14:54 +01001283
1284 /* According to RFC 5246 Appendix E.1, the version here is typically
1285 * "{03,00}, the lowest version number supported by the client, [or] the
1286 * value of ClientHello.client_version", so the only meaningful check here
1287 * is the major version shouldn't be less than 3 */
Paul Bakkerec636f32012-09-09 19:17:02 +00001288 if( buf[0] != SSL_MSG_HANDSHAKE ||
Manuel Pégourié-Gonnard6b1e2072014-02-12 10:14:54 +01001289 buf[1] < SSL_MAJOR_VERSION_3 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001290 {
Paul Bakkerec636f32012-09-09 19:17:02 +00001291 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1292 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1293 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001294
Paul Bakkerec636f32012-09-09 19:17:02 +00001295 n = ( buf[3] << 8 ) | buf[4];
Paul Bakker5121ce52009-01-03 21:22:43 +00001296
Paul Bakker4f42c112014-04-17 14:48:23 +02001297 if( n < 45 || n > SSL_MAX_CONTENT_LEN )
Paul Bakkerec636f32012-09-09 19:17:02 +00001298 {
1299 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1300 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1301 }
1302
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001303#if defined(POLARSSL_SSL_RENEGOTIATION)
1304 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
1305#endif
Paul Bakkerec636f32012-09-09 19:17:02 +00001306 {
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +00001307 if( ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
1308 {
1309 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1310 return( ret );
1311 }
Paul Bakkerec636f32012-09-09 19:17:02 +00001312 }
1313
1314 buf = ssl->in_msg;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001315#if defined(POLARSSL_SSL_RENEGOTIATION)
1316 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +00001317 n = ssl->in_msglen;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001318 else
1319#endif
1320 n = ssl->in_left - 5;
Paul Bakkerec636f32012-09-09 19:17:02 +00001321
Paul Bakker48916f92012-09-16 19:57:18 +00001322 ssl->handshake->update_checksum( ssl, buf, n );
Paul Bakkerec636f32012-09-09 19:17:02 +00001323
1324 /*
1325 * SSL layer:
1326 * 0 . 0 handshake type
1327 * 1 . 3 handshake length
1328 * 4 . 5 protocol version
1329 * 6 . 9 UNIX time()
1330 * 10 . 37 random bytes
1331 * 38 . 38 session id length
1332 * 39 . 38+x session id
1333 * 39+x . 40+x ciphersuitelist length
Paul Bakker0f651c72014-05-22 15:12:19 +02001334 * 41+x . 40+y ciphersuitelist
1335 * 41+y . 41+y compression alg length
1336 * 42+y . 41+z compression algs
Paul Bakkerec636f32012-09-09 19:17:02 +00001337 * .. . .. extensions
1338 */
1339 SSL_DEBUG_BUF( 4, "record contents", buf, n );
1340
1341 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
1342 buf[0] ) );
1343 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
1344 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
1345 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
1346 buf[4], buf[5] ) );
1347
1348 /*
1349 * Check the handshake type and protocol version
1350 */
Manuel Pégourié-Gonnard6b1e2072014-02-12 10:14:54 +01001351 if( buf[0] != SSL_HS_CLIENT_HELLO )
Paul Bakkerec636f32012-09-09 19:17:02 +00001352 {
1353 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1354 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1355 }
1356
Manuel Pégourié-Gonnard6b1e2072014-02-12 10:14:54 +01001357 ssl->major_ver = buf[4];
1358 ssl->minor_ver = buf[5];
Paul Bakkerec636f32012-09-09 19:17:02 +00001359
Manuel Pégourié-Gonnard6b1e2072014-02-12 10:14:54 +01001360 ssl->handshake->max_major_ver = ssl->major_ver;
1361 ssl->handshake->max_minor_ver = ssl->minor_ver;
1362
1363 if( ssl->major_ver < ssl->min_major_ver ||
1364 ssl->minor_ver < ssl->min_minor_ver )
Paul Bakker1d29fb52012-09-28 13:28:45 +00001365 {
1366 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
Manuel Pégourié-Gonnard6b1e2072014-02-12 10:14:54 +01001367 " [%d:%d] < [%d:%d]",
1368 ssl->major_ver, ssl->minor_ver,
Paul Bakker81420ab2012-10-23 10:31:15 +00001369 ssl->min_major_ver, ssl->min_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +00001370
1371 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1372 SSL_ALERT_MSG_PROTOCOL_VERSION );
1373
1374 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1375 }
1376
Manuel Pégourié-Gonnard6b1e2072014-02-12 10:14:54 +01001377 if( ssl->major_ver > ssl->max_major_ver )
1378 {
1379 ssl->major_ver = ssl->max_major_ver;
1380 ssl->minor_ver = ssl->max_minor_ver;
1381 }
1382 else if( ssl->minor_ver > ssl->max_minor_ver )
1383 ssl->minor_ver = ssl->max_minor_ver;
Paul Bakkerec636f32012-09-09 19:17:02 +00001384
Paul Bakker48916f92012-09-16 19:57:18 +00001385 memcpy( ssl->handshake->randbytes, buf + 6, 32 );
Paul Bakkerec636f32012-09-09 19:17:02 +00001386
1387 /*
1388 * Check the handshake message length
1389 */
1390 if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
1391 {
1392 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1393 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1394 }
1395
1396 /*
1397 * Check the session length
1398 */
1399 sess_len = buf[38];
1400
Paul Bakker0f651c72014-05-22 15:12:19 +02001401 if( sess_len > 32 || sess_len > n - 42 )
Paul Bakkerec636f32012-09-09 19:17:02 +00001402 {
1403 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1404 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1405 }
1406
Paul Bakker48916f92012-09-16 19:57:18 +00001407 ssl->session_negotiate->length = sess_len;
1408 memset( ssl->session_negotiate->id, 0,
1409 sizeof( ssl->session_negotiate->id ) );
1410 memcpy( ssl->session_negotiate->id, buf + 39,
1411 ssl->session_negotiate->length );
Paul Bakkerec636f32012-09-09 19:17:02 +00001412
1413 /*
1414 * Check the ciphersuitelist length
1415 */
1416 ciph_len = ( buf[39 + sess_len] << 8 )
1417 | ( buf[40 + sess_len] );
1418
Paul Bakker0f651c72014-05-22 15:12:19 +02001419 if( ciph_len < 2 || ( ciph_len % 2 ) != 0 || ciph_len > n - 42 - sess_len )
Paul Bakkerec636f32012-09-09 19:17:02 +00001420 {
1421 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1422 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1423 }
1424
1425 /*
1426 * Check the compression algorithms length
1427 */
1428 comp_len = buf[41 + sess_len + ciph_len];
1429
Paul Bakker0f651c72014-05-22 15:12:19 +02001430 if( comp_len < 1 || comp_len > 16 ||
1431 comp_len > n - 42 - sess_len - ciph_len )
Paul Bakkerec636f32012-09-09 19:17:02 +00001432 {
1433 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1434 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1435 }
1436
Paul Bakker48916f92012-09-16 19:57:18 +00001437 /*
1438 * Check the extension length
1439 */
1440 if( n > 42 + sess_len + ciph_len + comp_len )
1441 {
1442 ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
1443 | ( buf[43 + sess_len + ciph_len + comp_len] );
1444
1445 if( ( ext_len > 0 && ext_len < 4 ) ||
1446 n != 44 + sess_len + ciph_len + comp_len + ext_len )
1447 {
1448 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1449 SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
1450 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1451 }
1452 }
1453
1454 ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
Paul Bakkerec636f32012-09-09 19:17:02 +00001455#if defined(POLARSSL_ZLIB_SUPPORT)
1456 for( i = 0; i < comp_len; ++i )
1457 {
Paul Bakker48916f92012-09-16 19:57:18 +00001458 if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
Paul Bakker5121ce52009-01-03 21:22:43 +00001459 {
Paul Bakker48916f92012-09-16 19:57:18 +00001460 ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE;
Paul Bakkerec636f32012-09-09 19:17:02 +00001461 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00001462 }
1463 }
Paul Bakker2770fbd2012-07-03 13:30:23 +00001464#endif
1465
Paul Bakkerec636f32012-09-09 19:17:02 +00001466 SSL_DEBUG_BUF( 3, "client hello, random bytes",
1467 buf + 6, 32 );
1468 SSL_DEBUG_BUF( 3, "client hello, session id",
1469 buf + 38, sess_len );
1470 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1471 buf + 41 + sess_len, ciph_len );
1472 SSL_DEBUG_BUF( 3, "client hello, compression",
1473 buf + 42 + sess_len + ciph_len, comp_len );
Paul Bakker5121ce52009-01-03 21:22:43 +00001474
Paul Bakkerec636f32012-09-09 19:17:02 +00001475 /*
Paul Bakker48916f92012-09-16 19:57:18 +00001476 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1477 */
1478 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1479 {
1480 if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
1481 {
1482 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001483#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00001484 if( ssl->renegotiation == SSL_RENEGOTIATION )
1485 {
1486 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001487
1488 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1489 return( ret );
1490
Paul Bakker48916f92012-09-16 19:57:18 +00001491 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1492 }
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +01001493 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001494#endif /* POLARSSL_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +00001495 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
1496 break;
1497 }
1498 }
1499
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001500#if defined(POLARSSL_SSL_FALLBACK_SCSV)
1501 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1502 {
1503 if( p[0] == (unsigned char)( ( SSL_FALLBACK_SCSV >> 8 ) & 0xff ) &&
1504 p[1] == (unsigned char)( ( SSL_FALLBACK_SCSV ) & 0xff ) )
1505 {
1506 SSL_DEBUG_MSG( 0, ( "received FALLBACK_SCSV" ) );
1507
1508 if( ssl->minor_ver < ssl->max_minor_ver )
1509 {
1510 SSL_DEBUG_MSG( 0, ( "inapropriate fallback" ) );
1511
1512 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1513 SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
1514
1515 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1516 }
1517
1518 break;
1519 }
1520 }
1521#endif /* POLARSSL_SSL_FALLBACK_SCSV */
1522
Paul Bakker48916f92012-09-16 19:57:18 +00001523 ext = buf + 44 + sess_len + ciph_len + comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +00001524
1525 while( ext_len )
1526 {
1527 unsigned int ext_id = ( ( ext[0] << 8 )
1528 | ( ext[1] ) );
1529 unsigned int ext_size = ( ( ext[2] << 8 )
1530 | ( ext[3] ) );
1531
1532 if( ext_size + 4 > ext_len )
1533 {
1534 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1535 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1536 }
1537 switch( ext_id )
1538 {
Paul Bakker0be444a2013-08-27 21:55:01 +02001539#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
Paul Bakker5701cdc2012-09-27 21:49:42 +00001540 case TLS_EXT_SERVERNAME:
1541 SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1542 if( ssl->f_sni == NULL )
1543 break;
1544
1545 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1546 if( ret != 0 )
1547 return( ret );
1548 break;
Paul Bakker0be444a2013-08-27 21:55:01 +02001549#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +00001550
Paul Bakker48916f92012-09-16 19:57:18 +00001551 case TLS_EXT_RENEGOTIATION_INFO:
1552 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +01001553#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00001554 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +01001555#endif
Paul Bakker48916f92012-09-16 19:57:18 +00001556
Paul Bakker23f36802012-09-28 14:15:14 +00001557 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1558 if( ret != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +00001559 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +00001560 break;
Paul Bakker48916f92012-09-16 19:57:18 +00001561
Manuel Pégourié-Gonnardd9423232014-12-02 11:57:29 +01001562#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
1563 defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
Paul Bakker23f36802012-09-28 14:15:14 +00001564 case TLS_EXT_SIG_ALG:
1565 SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001566#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakker23f36802012-09-28 14:15:14 +00001567 if( ssl->renegotiation == SSL_RENEGOTIATION )
1568 break;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001569#endif
Paul Bakker23f36802012-09-28 14:15:14 +00001570
1571 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1572 if( ret != 0 )
1573 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +00001574 break;
Manuel Pégourié-Gonnardd9423232014-12-02 11:57:29 +01001575#endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
1576 POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
Paul Bakker48916f92012-09-16 19:57:18 +00001577
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +02001578#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakker41c83d32013-03-20 14:39:14 +01001579 case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
1580 SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1581
1582 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1583 if( ret != 0 )
1584 return( ret );
1585 break;
1586
1587 case TLS_EXT_SUPPORTED_POINT_FORMATS:
1588 SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
Paul Bakker677377f2013-10-28 12:54:26 +01001589 ssl->handshake->cli_exts |= TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
Paul Bakker41c83d32013-03-20 14:39:14 +01001590
1591 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1592 if( ret != 0 )
1593 return( ret );
1594 break;
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +02001595#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Paul Bakker41c83d32013-03-20 14:39:14 +01001596
Paul Bakker05decb22013-08-15 13:33:48 +02001597#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +02001598 case TLS_EXT_MAX_FRAGMENT_LENGTH:
1599 SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1600
1601 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1602 if( ret != 0 )
1603 return( ret );
1604 break;
Paul Bakker05decb22013-08-15 13:33:48 +02001605#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +02001606
Paul Bakker1f2bc622013-08-15 13:45:55 +02001607#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001608 case TLS_EXT_TRUNCATED_HMAC:
1609 SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1610
1611 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1612 if( ret != 0 )
1613 return( ret );
1614 break;
Paul Bakker1f2bc622013-08-15 13:45:55 +02001615#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001616
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001617#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
1618 case TLS_EXT_ENCRYPT_THEN_MAC:
1619 SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
1620
1621 ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
1622 if( ret != 0 )
1623 return( ret );
1624 break;
1625#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
1626
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001627#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
1628 case TLS_EXT_EXTENDED_MASTER_SECRET:
1629 SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
1630
1631 ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
1632 if( ret != 0 )
1633 return( ret );
1634 break;
1635#endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
1636
Paul Bakkera503a632013-08-14 13:48:06 +02001637#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001638 case TLS_EXT_SESSION_TICKET:
1639 SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1640
1641 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1642 if( ret != 0 )
1643 return( ret );
1644 break;
Paul Bakkera503a632013-08-14 13:48:06 +02001645#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001646
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +02001647#if defined(POLARSSL_SSL_ALPN)
1648 case TLS_EXT_ALPN:
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02001649 SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +02001650
1651 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
1652 if( ret != 0 )
1653 return( ret );
1654 break;
1655#endif /* POLARSSL_SSL_SESSION_TICKETS */
1656
Paul Bakker48916f92012-09-16 19:57:18 +00001657 default:
1658 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1659 ext_id ) );
1660 }
1661
1662 ext_len -= 4 + ext_size;
1663 ext += 4 + ext_size;
1664
1665 if( ext_len > 0 && ext_len < 4 )
1666 {
1667 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1668 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1669 }
1670 }
1671
1672 /*
1673 * Renegotiation security checks
1674 */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001675 if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION &&
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001676 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
1677 {
1678 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1679 handshake_failure = 1;
1680 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001681#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001682 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1683 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
1684 renegotiation_info_seen == 0 )
Paul Bakker48916f92012-09-16 19:57:18 +00001685 {
1686 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001687 handshake_failure = 1;
Paul Bakker48916f92012-09-16 19:57:18 +00001688 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001689 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1690 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1691 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +00001692 {
1693 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001694 handshake_failure = 1;
1695 }
1696 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1697 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1698 renegotiation_info_seen == 1 )
1699 {
1700 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1701 handshake_failure = 1;
1702 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001703#endif /* POLARSSL_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001704
1705 if( handshake_failure == 1 )
1706 {
1707 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1708 return( ret );
1709
Paul Bakker48916f92012-09-16 19:57:18 +00001710 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1711 }
Paul Bakker380da532012-04-18 16:10:25 +00001712
Paul Bakker41c83d32013-03-20 14:39:14 +01001713 /*
1714 * Search for a matching ciphersuite
Manuel Pégourié-Gonnard3ebb2cd2013-09-23 17:00:18 +02001715 * (At the end because we need information from the EC-based extensions
1716 * and certificate from the SNI callback triggered by the SNI extension.)
Paul Bakker41c83d32013-03-20 14:39:14 +01001717 */
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01001718 got_common_suite = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001719 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
Manuel Pégourié-Gonnard59b81d72013-11-30 17:46:04 +01001720 ciphersuite_info = NULL;
Manuel Pégourié-Gonnard1a9f2c72013-11-30 18:30:06 +01001721#if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1722 for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 )
1723 {
1724 for( i = 0; ciphersuites[i] != 0; i++ )
1725#else
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001726 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker41c83d32013-03-20 14:39:14 +01001727 {
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +01001728 for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 )
Manuel Pégourié-Gonnard1a9f2c72013-11-30 18:30:06 +01001729#endif
Paul Bakker41c83d32013-03-20 14:39:14 +01001730 {
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +01001731 if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
1732 p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
1733 continue;
Paul Bakker41c83d32013-03-20 14:39:14 +01001734
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01001735 got_common_suite = 1;
1736
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +01001737 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1738 &ciphersuite_info ) ) != 0 )
1739 return( ret );
1740
1741 if( ciphersuite_info != NULL )
1742 goto have_ciphersuite;
Paul Bakker41c83d32013-03-20 14:39:14 +01001743 }
1744 }
1745
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01001746 if( got_common_suite )
1747 {
1748 SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
1749 "but none of them usable" ) );
1750 ssl_send_fatal_handshake_failure( ssl );
1751 return( POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE );
1752 }
1753 else
1754 {
1755 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1756 ssl_send_fatal_handshake_failure( ssl );
1757 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
1758 }
Paul Bakker41c83d32013-03-20 14:39:14 +01001759
1760have_ciphersuite:
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001761 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker41c83d32013-03-20 14:39:14 +01001762 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1763 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
1764
Paul Bakker5121ce52009-01-03 21:22:43 +00001765 ssl->in_left = 0;
1766 ssl->state++;
1767
1768 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1769
1770 return( 0 );
1771}
1772
Paul Bakker1f2bc622013-08-15 13:45:55 +02001773#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001774static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
1775 unsigned char *buf,
1776 size_t *olen )
1777{
1778 unsigned char *p = buf;
1779
1780 if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
1781 {
1782 *olen = 0;
1783 return;
1784 }
1785
1786 SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1787
1788 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
1789 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
1790
1791 *p++ = 0x00;
1792 *p++ = 0x00;
1793
1794 *olen = 4;
1795}
Paul Bakker1f2bc622013-08-15 13:45:55 +02001796#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001797
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001798#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
1799static void ssl_write_encrypt_then_mac_ext( ssl_context *ssl,
1800 unsigned char *buf,
1801 size_t *olen )
1802{
1803 unsigned char *p = buf;
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +01001804 const ssl_ciphersuite_t *suite = NULL;
1805 const cipher_info_t *cipher = NULL;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001806
1807 if( ssl->session_negotiate->encrypt_then_mac == SSL_EXTENDED_MS_DISABLED ||
1808 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1809 {
1810 *olen = 0;
1811 return;
1812 }
1813
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +01001814 /*
1815 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
1816 * from a client and then selects a stream or Authenticated Encryption
1817 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
1818 * encrypt-then-MAC response extension back to the client."
1819 */
1820 if( ( suite = ssl_ciphersuite_from_id(
1821 ssl->session_negotiate->ciphersuite ) ) == NULL ||
1822 ( cipher = cipher_info_from_type( suite->cipher ) ) == NULL ||
1823 cipher->mode != POLARSSL_MODE_CBC )
1824 {
1825 *olen = 0;
1826 return;
1827 }
1828
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001829 SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
1830
1831 *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
1832 *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
1833
1834 *p++ = 0x00;
1835 *p++ = 0x00;
1836
1837 *olen = 4;
1838}
1839#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
1840
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001841#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
1842static void ssl_write_extended_ms_ext( ssl_context *ssl,
1843 unsigned char *buf,
1844 size_t *olen )
1845{
1846 unsigned char *p = buf;
1847
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +02001848 if( ssl->handshake->extended_ms == SSL_EXTENDED_MS_DISABLED ||
1849 ssl->minor_ver == SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001850 {
1851 *olen = 0;
1852 return;
1853 }
1854
1855 SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
1856 "extension" ) );
1857
1858 *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
1859 *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
1860
1861 *p++ = 0x00;
1862 *p++ = 0x00;
1863
1864 *olen = 4;
1865}
1866#endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
1867
Paul Bakkera503a632013-08-14 13:48:06 +02001868#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001869static void ssl_write_session_ticket_ext( ssl_context *ssl,
1870 unsigned char *buf,
1871 size_t *olen )
1872{
1873 unsigned char *p = buf;
1874
1875 if( ssl->handshake->new_session_ticket == 0 )
1876 {
1877 *olen = 0;
1878 return;
1879 }
1880
1881 SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1882
1883 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
1884 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
1885
1886 *p++ = 0x00;
1887 *p++ = 0x00;
1888
1889 *olen = 4;
1890}
Paul Bakkera503a632013-08-14 13:48:06 +02001891#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001892
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +02001893static void ssl_write_renegotiation_ext( ssl_context *ssl,
1894 unsigned char *buf,
1895 size_t *olen )
1896{
1897 unsigned char *p = buf;
1898
1899 if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION )
1900 {
1901 *olen = 0;
1902 return;
1903 }
1904
1905 SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1906
1907 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
1908 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
1909
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001910#if defined(POLARSSL_SSL_RENEGOTIATION)
1911 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
1912 {
1913 *p++ = 0x00;
1914 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
1915 *p++ = ssl->verify_data_len * 2 & 0xFF;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +02001916
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001917 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
1918 p += ssl->verify_data_len;
1919 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
1920 p += ssl->verify_data_len;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +02001921
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001922 *olen = 5 + ssl->verify_data_len * 2;
1923 }
1924 else
1925#endif /* POLARSSL_SSL_RENEGOTIATION */
1926 {
1927 *p++ = 0x00;
1928 *p++ = 0x01;
1929 *p++ = 0x00;
1930
1931 *olen = 5;
1932 }
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +02001933}
1934
Paul Bakker05decb22013-08-15 13:33:48 +02001935#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001936static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
1937 unsigned char *buf,
1938 size_t *olen )
1939{
1940 unsigned char *p = buf;
1941
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +02001942 if( ssl->session_negotiate->mfl_code == SSL_MAX_FRAG_LEN_NONE )
1943 {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001944 *olen = 0;
1945 return;
1946 }
1947
1948 SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
1949
1950 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
1951 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
1952
1953 *p++ = 0x00;
1954 *p++ = 1;
1955
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +02001956 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001957
1958 *olen = 5;
1959}
Paul Bakker05decb22013-08-15 13:33:48 +02001960#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001961
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +02001962#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001963static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
1964 unsigned char *buf,
1965 size_t *olen )
1966{
1967 unsigned char *p = buf;
1968 ((void) ssl);
1969
Paul Bakker677377f2013-10-28 12:54:26 +01001970 if( ( ssl->handshake->cli_exts &
1971 TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
1972 {
1973 *olen = 0;
1974 return;
1975 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001976
1977 SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
1978
1979 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
1980 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
1981
1982 *p++ = 0x00;
1983 *p++ = 2;
1984
1985 *p++ = 1;
1986 *p++ = POLARSSL_ECP_PF_UNCOMPRESSED;
1987
1988 *olen = 6;
1989}
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +02001990#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001991
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +02001992#if defined(POLARSSL_SSL_ALPN )
1993static void ssl_write_alpn_ext( ssl_context *ssl,
1994 unsigned char *buf, size_t *olen )
1995{
1996 if( ssl->alpn_chosen == NULL )
1997 {
1998 *olen = 0;
1999 return;
2000 }
2001
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02002002 SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +02002003
2004 /*
2005 * 0 . 1 ext identifier
2006 * 2 . 3 ext length
2007 * 4 . 5 protocol list length
2008 * 6 . 6 protocol name length
2009 * 7 . 7+n protocol name
2010 */
2011 buf[0] = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF );
2012 buf[1] = (unsigned char)( ( TLS_EXT_ALPN ) & 0xFF );
2013
2014 *olen = 7 + strlen( ssl->alpn_chosen );
2015
2016 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
2017 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
2018
2019 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
2020 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
2021
2022 buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF );
2023
2024 memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
2025}
2026#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
2027
Paul Bakker5121ce52009-01-03 21:22:43 +00002028static int ssl_write_server_hello( ssl_context *ssl )
2029{
Paul Bakkerfa9b1002013-07-03 15:31:03 +02002030#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +00002031 time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +02002032#endif
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02002033 int ret;
2034 size_t olen, ext_len = 0, n;
Paul Bakker5121ce52009-01-03 21:22:43 +00002035 unsigned char *buf, *p;
2036
2037 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
2038
Paul Bakkera9a028e2013-11-21 17:31:06 +01002039 if( ssl->f_rng == NULL )
2040 {
2041 SSL_DEBUG_MSG( 1, ( "no RNG provided") );
2042 return( POLARSSL_ERR_SSL_NO_RNG );
2043 }
2044
Paul Bakker5121ce52009-01-03 21:22:43 +00002045 /*
2046 * 0 . 0 handshake type
2047 * 1 . 3 handshake length
2048 * 4 . 5 protocol version
2049 * 6 . 9 UNIX time()
2050 * 10 . 37 random bytes
2051 */
2052 buf = ssl->out_msg;
2053 p = buf + 4;
2054
2055 *p++ = (unsigned char) ssl->major_ver;
2056 *p++ = (unsigned char) ssl->minor_ver;
2057
2058 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
2059 buf[4], buf[5] ) );
2060
Paul Bakkerfa9b1002013-07-03 15:31:03 +02002061#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +00002062 t = time( NULL );
2063 *p++ = (unsigned char)( t >> 24 );
2064 *p++ = (unsigned char)( t >> 16 );
2065 *p++ = (unsigned char)( t >> 8 );
2066 *p++ = (unsigned char)( t );
2067
2068 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
Paul Bakkerfa9b1002013-07-03 15:31:03 +02002069#else
2070 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
2071 return( ret );
2072
2073 p += 4;
Paul Bakker9af723c2014-05-01 13:03:14 +02002074#endif /* POLARSSL_HAVE_TIME */
Paul Bakker5121ce52009-01-03 21:22:43 +00002075
Paul Bakkera3d195c2011-11-27 21:07:34 +00002076 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
2077 return( ret );
2078
2079 p += 28;
Paul Bakker5121ce52009-01-03 21:22:43 +00002080
Paul Bakker48916f92012-09-16 19:57:18 +00002081 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002082
2083 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
2084
2085 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02002086 * Resume is 0 by default, see ssl_handshake_init().
2087 * It may be already set to 1 by ssl_parse_session_ticket_ext().
2088 * If not, try looking up session ID in our cache.
Paul Bakker5121ce52009-01-03 21:22:43 +00002089 */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02002090 if( ssl->handshake->resume == 0 &&
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01002091#if defined(POLARSSL_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02002092 ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01002093#endif
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +02002094 ssl->session_negotiate->length != 0 &&
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02002095 ssl->f_get_cache != NULL &&
2096 ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
2097 {
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01002098 SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02002099 ssl->handshake->resume = 1;
2100 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002101
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02002102 if( ssl->handshake->resume == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002103 {
2104 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02002105 * New session, create a new session id,
2106 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +00002107 */
Paul Bakker5121ce52009-01-03 21:22:43 +00002108 ssl->state++;
2109
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +02002110#if defined(POLARSSL_HAVE_TIME)
2111 ssl->session_negotiate->start = time( NULL );
2112#endif
2113
Paul Bakkera503a632013-08-14 13:48:06 +02002114#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +02002115 if( ssl->handshake->new_session_ticket != 0 )
2116 {
2117 ssl->session_negotiate->length = n = 0;
2118 memset( ssl->session_negotiate->id, 0, 32 );
2119 }
2120 else
2121#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02002122 {
2123 ssl->session_negotiate->length = n = 32;
2124 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
Paul Bakkera503a632013-08-14 13:48:06 +02002125 n ) ) != 0 )
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02002126 return( ret );
2127 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002128 }
2129 else
2130 {
2131 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02002132 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +00002133 */
Paul Bakkerf0e39ac2013-08-15 11:40:48 +02002134 n = ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +00002135 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +00002136
2137 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2138 {
2139 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2140 return( ret );
2141 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002142 }
2143
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02002144 /*
2145 * 38 . 38 session id length
2146 * 39 . 38+n session id
2147 * 39+n . 40+n chosen ciphersuite
2148 * 41+n . 41+n chosen compression alg.
2149 * 42+n . 43+n extensions length
2150 * 44+n . 43+n+m extensions
2151 */
2152 *p++ = (unsigned char) ssl->session_negotiate->length;
Paul Bakker48916f92012-09-16 19:57:18 +00002153 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
2154 p += ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +00002155
2156 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
2157 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
2158 SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Paul Bakker0a597072012-09-25 21:55:46 +00002159 ssl->handshake->resume ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002160
Paul Bakker48916f92012-09-16 19:57:18 +00002161 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
2162 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
2163 *p++ = (unsigned char)( ssl->session_negotiate->compression );
Paul Bakker5121ce52009-01-03 21:22:43 +00002164
Manuel Pégourié-Gonnard51451f82013-09-17 12:06:25 +02002165 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
2166 ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
Manuel Pégourié-Gonnard32ea60a2013-08-17 17:39:04 +02002167 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
Paul Bakker48916f92012-09-16 19:57:18 +00002168 ssl->session_negotiate->compression ) );
2169
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +02002170 /*
2171 * First write extensions, then the total length
2172 */
2173 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
2174 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +00002175
Paul Bakker05decb22013-08-15 13:33:48 +02002176#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02002177 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
2178 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +02002179#endif
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02002180
Paul Bakker1f2bc622013-08-15 13:45:55 +02002181#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02002182 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
2183 ext_len += olen;
Paul Bakker1f2bc622013-08-15 13:45:55 +02002184#endif
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02002185
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01002186#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
2187 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
2188 ext_len += olen;
2189#endif
2190
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02002191#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
2192 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
2193 ext_len += olen;
2194#endif
2195
Paul Bakkera503a632013-08-14 13:48:06 +02002196#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002197 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
2198 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +02002199#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002200
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +02002201#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02002202 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
2203 ext_len += olen;
2204#endif
2205
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +02002206#if defined(POLARSSL_SSL_ALPN)
2207 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
2208 ext_len += olen;
2209#endif
2210
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +02002211 SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
Paul Bakker48916f92012-09-16 19:57:18 +00002212
Paul Bakkera7036632014-04-30 10:15:38 +02002213 if( ext_len > 0 )
2214 {
2215 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
2216 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
2217 p += ext_len;
2218 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002219
2220 ssl->out_msglen = p - buf;
2221 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2222 ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
2223
2224 ret = ssl_write_record( ssl );
2225
2226 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2227
2228 return( ret );
2229}
2230
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002231#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2232 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
Manuel Pégourié-Gonnarda3104592013-09-17 21:17:44 +02002233 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2234 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +00002235static int ssl_write_certificate_request( ssl_context *ssl )
2236{
Paul Bakkered27a042013-04-18 22:46:23 +02002237 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002238
2239 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2240
2241 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnarddc953e82013-11-25 17:27:39 +01002242 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002243 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2244 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002245 {
2246 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2247 ssl->state++;
2248 return( 0 );
2249 }
2250
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02002251 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2252 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002253}
2254#else
2255static int ssl_write_certificate_request( ssl_context *ssl )
2256{
2257 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2258 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002259 size_t dn_size, total_dn_size; /* excluding length bytes */
2260 size_t ct_len, sa_len; /* including length bytes */
Paul Bakker5121ce52009-01-03 21:22:43 +00002261 unsigned char *buf, *p;
Paul Bakkerc559c7a2013-09-18 14:13:26 +02002262 const x509_crt *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +00002263
2264 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2265
2266 ssl->state++;
2267
Paul Bakkerfbb17802013-04-17 19:10:21 +02002268 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnarddc953e82013-11-25 17:27:39 +01002269 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002270 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002271 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
Paul Bakkerfbb17802013-04-17 19:10:21 +02002272 ssl->authmode == SSL_VERIFY_NONE )
Paul Bakker5121ce52009-01-03 21:22:43 +00002273 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002274 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002275 return( 0 );
2276 }
2277
2278 /*
2279 * 0 . 0 handshake type
2280 * 1 . 3 handshake length
2281 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +01002282 * 5 .. m-1 cert types
2283 * m .. m+1 sig alg length (TLS 1.2 only)
Paul Bakker9af723c2014-05-01 13:03:14 +02002284 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +00002285 * n .. n+1 length of all DNs
2286 * n+2 .. n+3 length of DN 1
2287 * n+4 .. ... Distinguished Name #1
2288 * ... .. ... length of DN 2, etc.
2289 */
2290 buf = ssl->out_msg;
2291 p = buf + 4;
2292
2293 /*
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002294 * Supported certificate types
2295 *
2296 * ClientCertificateType certificate_types<1..2^8-1>;
2297 * enum { (255) } ClientCertificateType;
Paul Bakker5121ce52009-01-03 21:22:43 +00002298 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002299 ct_len = 0;
Paul Bakker926af752012-11-23 13:38:07 +01002300
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002301#if defined(POLARSSL_RSA_C)
2302 p[1 + ct_len++] = SSL_CERT_TYPE_RSA_SIGN;
2303#endif
2304#if defined(POLARSSL_ECDSA_C)
2305 p[1 + ct_len++] = SSL_CERT_TYPE_ECDSA_SIGN;
2306#endif
2307
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02002308 p[0] = (unsigned char) ct_len++;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002309 p += ct_len;
Paul Bakker926af752012-11-23 13:38:07 +01002310
Paul Bakker577e0062013-08-28 11:57:20 +02002311 sa_len = 0;
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002312#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker926af752012-11-23 13:38:07 +01002313 /*
2314 * Add signature_algorithms for verify (TLS 1.2)
Paul Bakker926af752012-11-23 13:38:07 +01002315 *
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002316 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2317 *
2318 * struct {
2319 * HashAlgorithm hash;
2320 * SignatureAlgorithm signature;
2321 * } SignatureAndHashAlgorithm;
2322 *
2323 * enum { (255) } HashAlgorithm;
2324 * enum { (255) } SignatureAlgorithm;
Paul Bakker926af752012-11-23 13:38:07 +01002325 */
Paul Bakker21dca692013-01-03 11:41:08 +01002326 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +01002327 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002328 /*
2329 * Only use current running hash algorithm that is already required
2330 * for requested ciphersuite.
2331 */
Paul Bakker926af752012-11-23 13:38:07 +01002332 ssl->handshake->verify_sig_alg = SSL_HASH_SHA256;
2333
Paul Bakkerb7149bc2013-03-20 15:30:09 +01002334 if( ssl->transform_negotiate->ciphersuite_info->mac ==
2335 POLARSSL_MD_SHA384 )
Paul Bakker926af752012-11-23 13:38:07 +01002336 {
2337 ssl->handshake->verify_sig_alg = SSL_HASH_SHA384;
2338 }
Paul Bakkerf7abd422013-04-16 13:15:56 +02002339
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002340 /*
2341 * Supported signature algorithms
2342 */
2343#if defined(POLARSSL_RSA_C)
2344 p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
2345 p[2 + sa_len++] = SSL_SIG_RSA;
2346#endif
2347#if defined(POLARSSL_ECDSA_C)
2348 p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
2349 p[2 + sa_len++] = SSL_SIG_ECDSA;
2350#endif
Paul Bakker926af752012-11-23 13:38:07 +01002351
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002352 p[0] = (unsigned char)( sa_len >> 8 );
2353 p[1] = (unsigned char)( sa_len );
2354 sa_len += 2;
2355 p += sa_len;
Paul Bakker926af752012-11-23 13:38:07 +01002356 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002357#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker5121ce52009-01-03 21:22:43 +00002358
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002359 /*
2360 * DistinguishedName certificate_authorities<0..2^16-1>;
2361 * opaque DistinguishedName<1..2^16-1>;
2362 */
Paul Bakker5121ce52009-01-03 21:22:43 +00002363 p += 2;
2364 crt = ssl->ca_chain;
2365
Paul Bakkerbc3d9842012-11-26 16:12:02 +01002366 total_dn_size = 0;
Paul Bakkerc70e4252014-04-18 13:47:38 +02002367 while( crt != NULL && crt->version != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002368 {
2369 if( p - buf > 4096 )
2370 break;
2371
Paul Bakker926af752012-11-23 13:38:07 +01002372 dn_size = crt->subject_raw.len;
2373 *p++ = (unsigned char)( dn_size >> 8 );
2374 *p++ = (unsigned char)( dn_size );
2375 memcpy( p, crt->subject_raw.p, dn_size );
2376 p += dn_size;
Paul Bakker5121ce52009-01-03 21:22:43 +00002377
Paul Bakker926af752012-11-23 13:38:07 +01002378 SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
2379
Paul Bakkerbc3d9842012-11-26 16:12:02 +01002380 total_dn_size += 2 + dn_size;
Paul Bakker926af752012-11-23 13:38:07 +01002381 crt = crt->next;
Paul Bakker5121ce52009-01-03 21:22:43 +00002382 }
2383
Paul Bakker926af752012-11-23 13:38:07 +01002384 ssl->out_msglen = p - buf;
Paul Bakker5121ce52009-01-03 21:22:43 +00002385 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2386 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002387 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
2388 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
Paul Bakker5121ce52009-01-03 21:22:43 +00002389
2390 ret = ssl_write_record( ssl );
2391
2392 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
2393
2394 return( ret );
2395}
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002396#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2397 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +01002398 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
2399 !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00002400
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +01002401#if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2402 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2403static int ssl_get_ecdh_params_from_cert( ssl_context *ssl )
2404{
2405 int ret;
2406
2407 if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECKEY ) )
2408 {
2409 SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2410 return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH );
2411 }
2412
2413 if( ( ret = ecdh_get_params( &ssl->handshake->ecdh_ctx,
2414 pk_ec( *ssl_own_key( ssl ) ),
2415 POLARSSL_ECDH_OURS ) ) != 0 )
2416 {
2417 SSL_DEBUG_RET( 1, ( "ecdh_get_params" ), ret );
2418 return( ret );
2419 }
2420
2421 return( 0 );
2422}
2423#endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2424 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2425
Paul Bakker41c83d32013-03-20 14:39:14 +01002426static int ssl_write_server_key_exchange( ssl_context *ssl )
2427{
Paul Bakker23986e52011-04-24 08:57:21 +00002428 int ret;
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +02002429 size_t n = 0;
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +02002430 const ssl_ciphersuite_t *ciphersuite_info =
2431 ssl->transform_negotiate->ciphersuite_info;
Paul Bakker2292d1f2013-09-15 17:06:49 +02002432
2433#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2434 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2435 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
Manuel Pégourié-Gonnard1b62c7f2013-10-14 14:02:19 +02002436 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
Paul Bakker2292d1f2013-09-15 17:06:49 +02002437 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +02002438 unsigned char *p = ssl->out_msg + 4;
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002439 unsigned char *dig_signed = p;
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +02002440 size_t dig_signed_len = 0, len;
Paul Bakker2292d1f2013-09-15 17:06:49 +02002441 ((void) dig_signed);
2442 ((void) dig_signed_len);
2443#endif
Paul Bakker41c83d32013-03-20 14:39:14 +01002444
Paul Bakker5121ce52009-01-03 21:22:43 +00002445 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
2446
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +01002447#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
2448 defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
2449 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +02002450 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ||
2451 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2452 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +00002453 {
2454 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
2455 ssl->state++;
2456 return( 0 );
2457 }
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +01002458#endif
2459
2460#if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2461 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2462 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
2463 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
2464 {
2465 ssl_get_ecdh_params_from_cert( ssl );
2466
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002467 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +01002468 ssl->state++;
2469 return( 0 );
2470 }
2471#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002472
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002473#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2474 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2475 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2476 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002477 {
2478 /* TODO: Support identity hints */
2479 *(p++) = 0x00;
2480 *(p++) = 0x00;
2481
2482 n += 2;
2483 }
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002484#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED ||
2485 POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002486
2487#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2488 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2489 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
2490 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48916f92012-09-16 19:57:18 +00002491 {
Paul Bakker41c83d32013-03-20 14:39:14 +01002492 /*
2493 * Ephemeral DH parameters:
2494 *
2495 * struct {
2496 * opaque dh_p<1..2^16-1>;
2497 * opaque dh_g<1..2^16-1>;
2498 * opaque dh_Ys<1..2^16-1>;
2499 * } ServerDHParams;
2500 */
2501 if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
2502 ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
2503 {
2504 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2505 return( ret );
2506 }
Paul Bakker48916f92012-09-16 19:57:18 +00002507
Paul Bakker41c83d32013-03-20 14:39:14 +01002508 if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02002509 (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
2510 p, &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +01002511 {
2512 SSL_DEBUG_RET( 1, "dhm_make_params", ret );
2513 return( ret );
2514 }
2515
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002516 dig_signed = p;
2517 dig_signed_len = len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002518
2519 p += len;
2520 n += len;
2521
Paul Bakker41c83d32013-03-20 14:39:14 +01002522 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
2523 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2524 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2525 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
2526 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002527#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2528 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +01002529
Gergely Budai987bfb52014-01-19 21:48:42 +01002530#if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002531 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002532 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
2533 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +00002534 {
Paul Bakker41c83d32013-03-20 14:39:14 +01002535 /*
2536 * Ephemeral ECDH parameters:
2537 *
2538 * struct {
2539 * ECParameters curve_params;
2540 * ECPoint public;
2541 * } ServerECDHParams;
2542 */
Paul Bakkerd893aef2014-04-17 14:45:17 +02002543 const ecp_curve_info **curve = NULL;
Manuel Pégourié-Gonnardde053902014-02-04 13:58:39 +01002544#if defined(POLARSSL_SSL_SET_CURVES)
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +01002545 const ecp_group_id *gid;
Gergely Budai987bfb52014-01-19 21:48:42 +01002546
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +01002547 /* Match our preference list against the offered curves */
2548 for( gid = ssl->curve_list; *gid != POLARSSL_ECP_DP_NONE; gid++ )
2549 for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
2550 if( (*curve)->grp_id == *gid )
2551 goto curve_matching_done;
2552
2553curve_matching_done:
2554#else
2555 curve = ssl->handshake->curves;
2556#endif
2557
2558 if( *curve == NULL )
Gergely Budai987bfb52014-01-19 21:48:42 +01002559 {
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +01002560 SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
2561 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
Gergely Budai987bfb52014-01-19 21:48:42 +01002562 }
Manuel Pégourié-Gonnardde053902014-02-04 13:58:39 +01002563
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +01002564 SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
Gergely Budai987bfb52014-01-19 21:48:42 +01002565
Paul Bakker41c83d32013-03-20 14:39:14 +01002566 if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +01002567 (*curve)->grp_id ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +01002568 {
2569 SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
2570 return( ret );
2571 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002572
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02002573 if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
2574 p, SSL_MAX_CONTENT_LEN - n,
2575 ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +01002576 {
2577 SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
2578 return( ret );
2579 }
2580
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002581 dig_signed = p;
2582 dig_signed_len = len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002583
2584 p += len;
2585 n += len;
2586
Paul Bakker41c83d32013-03-20 14:39:14 +01002587 SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
2588 }
Gergely Budai987bfb52014-01-19 21:48:42 +01002589#endif /* POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00002590
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002591#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002592 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2593 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002594 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002595 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2596 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
Paul Bakker1ef83d62012-04-11 12:09:53 +00002597 {
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002598 size_t signature_len = 0;
Paul Bakker2292d1f2013-09-15 17:06:49 +02002599 unsigned int hashlen = 0;
2600 unsigned char hash[64];
2601 md_type_t md_alg = POLARSSL_MD_NONE;
Paul Bakker23f36802012-09-28 14:15:14 +00002602
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002603 /*
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002604 * Choose hash algorithm. NONE means MD5 + SHA1 here.
2605 */
Paul Bakker577e0062013-08-28 11:57:20 +02002606#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002607 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2608 {
2609 md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg );
2610
2611 if( md_alg == POLARSSL_MD_NONE )
2612 {
2613 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02002614 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002615 }
2616 }
Paul Bakker577e0062013-08-28 11:57:20 +02002617 else
Paul Bakkerdb20c102014-06-17 14:34:44 +02002618#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002619#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2620 defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakker66d5d072014-06-17 16:39:18 +02002621 if( ciphersuite_info->key_exchange ==
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002622 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
2623 {
2624 md_alg = POLARSSL_MD_SHA1;
2625 }
2626 else
Paul Bakker577e0062013-08-28 11:57:20 +02002627#endif
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002628 {
2629 md_alg = POLARSSL_MD_NONE;
2630 }
2631
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002632 /*
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002633 * Compute the hash to be signed
2634 */
Paul Bakker577e0062013-08-28 11:57:20 +02002635#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2636 defined(POLARSSL_SSL_PROTO_TLS1_1)
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002637 if( md_alg == POLARSSL_MD_NONE )
Paul Bakker23f36802012-09-28 14:15:14 +00002638 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002639 md5_context md5;
2640 sha1_context sha1;
2641
Paul Bakker5b4af392014-06-26 12:09:34 +02002642 md5_init( &md5 );
2643 sha1_init( &sha1 );
2644
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002645 /*
2646 * digitally-signed struct {
2647 * opaque md5_hash[16];
2648 * opaque sha_hash[20];
2649 * };
2650 *
2651 * md5_hash
2652 * MD5(ClientHello.random + ServerHello.random
2653 * + ServerParams);
2654 * sha_hash
2655 * SHA(ClientHello.random + ServerHello.random
2656 * + ServerParams);
2657 */
2658 md5_starts( &md5 );
2659 md5_update( &md5, ssl->handshake->randbytes, 64 );
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002660 md5_update( &md5, dig_signed, dig_signed_len );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002661 md5_finish( &md5, hash );
2662
2663 sha1_starts( &sha1 );
2664 sha1_update( &sha1, ssl->handshake->randbytes, 64 );
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002665 sha1_update( &sha1, dig_signed, dig_signed_len );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002666 sha1_finish( &sha1, hash + 16 );
2667
2668 hashlen = 36;
Paul Bakker5b4af392014-06-26 12:09:34 +02002669
2670 md5_free( &md5 );
2671 sha1_free( &sha1 );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002672 }
2673 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002674#endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
2675 POLARSSL_SSL_PROTO_TLS1_1 */
Paul Bakker9659dae2013-08-28 16:21:34 +02002676#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2677 defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker577e0062013-08-28 11:57:20 +02002678 if( md_alg != POLARSSL_MD_NONE )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002679 {
2680 md_context_t ctx;
Paul Bakker66d5d072014-06-17 16:39:18 +02002681 const md_info_t *md_info = md_info_from_type( md_alg );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002682
Paul Bakker84bbeb52014-07-01 14:53:22 +02002683 md_init( &ctx );
2684
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +02002685 /* Info from md_alg will be used instead */
2686 hashlen = 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002687
2688 /*
2689 * digitally-signed struct {
2690 * opaque client_random[32];
2691 * opaque server_random[32];
2692 * ServerDHParams params;
2693 * };
2694 */
Paul Bakker66d5d072014-06-17 16:39:18 +02002695 if( ( ret = md_init_ctx( &ctx, md_info ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002696 {
2697 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
2698 return( ret );
2699 }
2700
2701 md_starts( &ctx );
2702 md_update( &ctx, ssl->handshake->randbytes, 64 );
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002703 md_update( &ctx, dig_signed, dig_signed_len );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002704 md_finish( &ctx, hash );
Paul Bakker84bbeb52014-07-01 14:53:22 +02002705 md_free( &ctx );
Paul Bakker23f36802012-09-28 14:15:14 +00002706 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002707 else
Paul Bakker9659dae2013-08-28 16:21:34 +02002708#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2709 POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +02002710 {
2711 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02002712 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +02002713 }
Paul Bakkerc70b9822013-04-07 22:00:46 +02002714
Manuel Pégourié-Gonnard9cc6f5c2013-08-27 14:29:44 +02002715 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
2716 (unsigned int) ( md_info_from_type( md_alg ) )->size );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002717
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002718 /*
2719 * Make the signature
2720 */
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002721 if( ssl_own_key( ssl ) == NULL )
Paul Bakker23f36802012-09-28 14:15:14 +00002722 {
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002723 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2724 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002725 }
Paul Bakker23f36802012-09-28 14:15:14 +00002726
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002727#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker23f36802012-09-28 14:15:14 +00002728 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2729 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002730 *(p++) = ssl->handshake->sig_alg;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002731 *(p++) = ssl_sig_from_pk( ssl_own_key( ssl ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002732
2733 n += 2;
2734 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002735#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002736
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002737 if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash, hashlen,
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02002738 p + 2 , &signature_len,
2739 ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002740 {
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02002741 SSL_DEBUG_RET( 1, "pk_sign", ret );
Paul Bakkerc70b9822013-04-07 22:00:46 +02002742 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +00002743 }
Paul Bakkerc70b9822013-04-07 22:00:46 +02002744
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002745 *(p++) = (unsigned char)( signature_len >> 8 );
2746 *(p++) = (unsigned char)( signature_len );
Paul Bakkerbf63b362012-04-12 20:44:34 +00002747 n += 2;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002748
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002749 SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
Paul Bakker48916f92012-09-16 19:57:18 +00002750
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002751 p += signature_len;
2752 n += signature_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +00002753 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002754#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002755 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2756 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +00002757
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002758 ssl->out_msglen = 4 + n;
Paul Bakker5121ce52009-01-03 21:22:43 +00002759 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2760 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE;
2761
2762 ssl->state++;
2763
2764 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2765 {
2766 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2767 return( ret );
2768 }
2769
2770 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
2771
2772 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002773}
2774
2775static int ssl_write_server_hello_done( ssl_context *ssl )
2776{
2777 int ret;
2778
2779 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
2780
2781 ssl->out_msglen = 4;
2782 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2783 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE;
2784
2785 ssl->state++;
2786
2787 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2788 {
2789 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2790 return( ret );
2791 }
2792
2793 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
2794
2795 return( 0 );
2796}
2797
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002798#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2799 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2800static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
2801 const unsigned char *end )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002802{
2803 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +02002804 size_t n;
2805
2806 /*
2807 * Receive G^Y mod P, premaster = (G^Y)^X mod P
2808 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002809 if( *p + 2 > end )
2810 {
2811 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2812 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2813 }
Paul Bakker70df2fb2013-04-17 17:19:09 +02002814
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002815 n = ( (*p)[0] << 8 ) | (*p)[1];
2816 *p += 2;
2817
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +01002818 if( *p + n > end )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002819 {
2820 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2821 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2822 }
2823
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +01002824 if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002825 {
2826 SSL_DEBUG_RET( 1, "dhm_read_public", ret );
2827 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2828 }
2829
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +01002830 *p += n;
2831
Paul Bakker70df2fb2013-04-17 17:19:09 +02002832 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2833
Paul Bakker70df2fb2013-04-17 17:19:09 +02002834 return( ret );
2835}
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002836#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2837 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +02002838
Manuel Pégourié-Gonnardbac0e3b2013-10-15 11:54:47 +02002839#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
2840 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002841static int ssl_parse_encrypted_pms( ssl_context *ssl,
2842 const unsigned char *p,
2843 const unsigned char *end,
2844 size_t pms_offset )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002845{
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002846 int ret;
2847 size_t len = pk_get_len( ssl_own_key( ssl ) );
2848 unsigned char *pms = ssl->handshake->premaster + pms_offset;
Paul Bakker70df2fb2013-04-17 17:19:09 +02002849
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002850 if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002851 {
Manuel Pégourié-Gonnarda2d3f222013-08-21 11:51:08 +02002852 SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
Paul Bakker70df2fb2013-04-17 17:19:09 +02002853 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2854 }
2855
2856 /*
2857 * Decrypt the premaster using own private RSA key
2858 */
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002859#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2860 defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker70df2fb2013-04-17 17:19:09 +02002861 if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
2862 {
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002863 if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
2864 *p++ != ( ( len ) & 0xFF ) )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002865 {
2866 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2867 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2868 }
2869 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002870#endif
Paul Bakker70df2fb2013-04-17 17:19:09 +02002871
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002872 if( p + len != end )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002873 {
2874 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2875 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2876 }
2877
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002878 ret = pk_decrypt( ssl_own_key( ssl ), p, len,
2879 pms, &ssl->handshake->pmslen,
Manuel Pégourié-Gonnardb2bf5a12014-03-25 16:28:12 +01002880 sizeof( ssl->handshake->premaster ) - pms_offset,
Manuel Pégourié-Gonnard070cc7f2013-08-21 15:09:31 +02002881 ssl->f_rng, ssl->p_rng );
Paul Bakker70df2fb2013-04-17 17:19:09 +02002882
2883 if( ret != 0 || ssl->handshake->pmslen != 48 ||
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002884 pms[0] != ssl->handshake->max_major_ver ||
2885 pms[1] != ssl->handshake->max_minor_ver )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002886 {
2887 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2888
2889 /*
2890 * Protection against Bleichenbacher's attack:
2891 * invalid PKCS#1 v1.5 padding must not cause
2892 * the connection to end immediately; instead,
2893 * send a bad_record_mac later in the handshake.
2894 */
2895 ssl->handshake->pmslen = 48;
2896
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002897 ret = ssl->f_rng( ssl->p_rng, pms, ssl->handshake->pmslen );
Paul Bakker70df2fb2013-04-17 17:19:09 +02002898 if( ret != 0 )
2899 return( ret );
2900 }
2901
2902 return( ret );
2903}
Manuel Pégourié-Gonnardbac0e3b2013-10-15 11:54:47 +02002904#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED ||
2905 POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +02002906
Manuel Pégourié-Gonnard8a3c64d2013-10-14 19:54:10 +02002907#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002908static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
2909 const unsigned char *end )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002910{
Paul Bakker6db455e2013-09-18 17:29:31 +02002911 int ret = 0;
Paul Bakkerfbb17802013-04-17 19:10:21 +02002912 size_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +02002913
Paul Bakker6db455e2013-09-18 17:29:31 +02002914 if( ssl->f_psk == NULL &&
2915 ( ssl->psk == NULL || ssl->psk_identity == NULL ||
2916 ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002917 {
2918 SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
2919 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2920 }
2921
2922 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002923 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +02002924 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002925 if( *p + 2 > end )
2926 {
2927 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2928 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2929 }
Paul Bakkerfbb17802013-04-17 19:10:21 +02002930
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002931 n = ( (*p)[0] << 8 ) | (*p)[1];
2932 *p += 2;
2933
2934 if( n < 1 || n > 65535 || *p + n > end )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002935 {
2936 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2937 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2938 }
2939
Paul Bakker6db455e2013-09-18 17:29:31 +02002940 if( ssl->f_psk != NULL )
2941 {
Manuel Pégourié-Gonnardd27680b2014-07-08 14:15:55 +02002942 if( ssl->f_psk( ssl->p_psk, ssl, *p, n ) != 0 )
Paul Bakker6db455e2013-09-18 17:29:31 +02002943 ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
2944 }
Manuel Pégourié-Gonnardd27680b2014-07-08 14:15:55 +02002945 else
Paul Bakker6db455e2013-09-18 17:29:31 +02002946 {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +01002947 /* Identity is not a big secret since clients send it in the clear,
2948 * but treat it carefully anyway, just in case */
Paul Bakker6db455e2013-09-18 17:29:31 +02002949 if( n != ssl->psk_identity_len ||
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +01002950 safer_memcmp( ssl->psk_identity, *p, n ) != 0 )
Paul Bakker6db455e2013-09-18 17:29:31 +02002951 {
2952 ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
2953 }
2954 }
2955
2956 if( ret == POLARSSL_ERR_SSL_UNKNOWN_IDENTITY )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002957 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002958 SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
Paul Bakker6db455e2013-09-18 17:29:31 +02002959 if( ( ret = ssl_send_alert_message( ssl,
2960 SSL_ALERT_LEVEL_FATAL,
2961 SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 )
2962 {
2963 return( ret );
2964 }
2965
2966 return( POLARSSL_ERR_SSL_UNKNOWN_IDENTITY );
Paul Bakkerfbb17802013-04-17 19:10:21 +02002967 }
2968
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002969 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +02002970
Manuel Pégourié-Gonnardd27680b2014-07-08 14:15:55 +02002971 return( 0 );
Paul Bakkerfbb17802013-04-17 19:10:21 +02002972}
Manuel Pégourié-Gonnard8a3c64d2013-10-14 19:54:10 +02002973#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +02002974
Paul Bakker5121ce52009-01-03 21:22:43 +00002975static int ssl_parse_client_key_exchange( ssl_context *ssl )
2976{
Paul Bakker23986e52011-04-24 08:57:21 +00002977 int ret;
Paul Bakker41c83d32013-03-20 14:39:14 +01002978 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker70df2fb2013-04-17 17:19:09 +02002979
Paul Bakker41c83d32013-03-20 14:39:14 +01002980 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00002981
2982 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
2983
2984 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2985 {
2986 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2987 return( ret );
2988 }
2989
2990 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2991 {
2992 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002993 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002994 }
2995
2996 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
2997 {
2998 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002999 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00003000 }
3001
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003002#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
Paul Bakker41c83d32013-03-20 14:39:14 +01003003 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +00003004 {
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +02003005 unsigned char *p = ssl->in_msg + 4;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +01003006 unsigned char *end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +02003007
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003008 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003009 {
Paul Bakker70df2fb2013-04-17 17:19:09 +02003010 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
3011 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00003012 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003013
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +01003014 if( p != end )
3015 {
3016 SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3017 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3018 }
3019
Manuel Pégourié-Gonnarddd0c0f32014-06-23 18:07:11 +02003020 ssl->handshake->pmslen = POLARSSL_PREMASTER_SIZE;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003021
3022 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
3023 ssl->handshake->premaster,
Manuel Pégourié-Gonnard2d627642013-09-04 14:22:07 +02003024 &ssl->handshake->pmslen,
Manuel Pégourié-Gonnard15d5de12013-09-17 11:34:11 +02003025 ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003026 {
3027 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
3028 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
3029 }
3030
3031 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker70df2fb2013-04-17 17:19:09 +02003032 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003033 else
3034#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02003035#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +01003036 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3037 defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3038 defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02003039 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +01003040 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
3041 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA ||
3042 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA )
Paul Bakker70df2fb2013-04-17 17:19:09 +02003043 {
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +02003044 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02003045 ssl->in_msg + 4, ssl->in_hslen - 4 ) ) != 0 )
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +02003046 {
3047 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
3048 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
3049 }
3050
3051 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
3052
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003053 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
3054 &ssl->handshake->pmslen,
3055 ssl->handshake->premaster,
Manuel Pégourié-Gonnarde09d2f82013-09-02 14:29:09 +02003056 POLARSSL_MPI_MAX_SIZE,
3057 ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003058 {
3059 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
3060 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
3061 }
3062
3063 SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
Paul Bakker5121ce52009-01-03 21:22:43 +00003064 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003065 else
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02003066#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +01003067 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3068 POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3069 POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003070#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
3071 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
Paul Bakkerfbb17802013-04-17 19:10:21 +02003072 {
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +02003073 unsigned char *p = ssl->in_msg + 4;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +01003074 unsigned char *end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +02003075
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003076 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
Paul Bakkerfbb17802013-04-17 19:10:21 +02003077 {
3078 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3079 return( ret );
3080 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003081
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +01003082 if( p != end )
3083 {
3084 SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3085 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3086 }
3087
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02003088 if( ( ret = ssl_psk_derive_premaster( ssl,
3089 ciphersuite_info->key_exchange ) ) != 0 )
3090 {
3091 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
3092 return( ret );
3093 }
Paul Bakkerfbb17802013-04-17 19:10:21 +02003094 }
Paul Bakker5121ce52009-01-03 21:22:43 +00003095 else
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003096#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02003097#if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
3098 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
3099 {
3100 unsigned char *p = ssl->in_msg + 4;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +01003101 unsigned char *end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02003102
3103 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
3104 {
3105 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3106 return( ret );
3107 }
3108
3109 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
3110 {
3111 SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
3112 return( ret );
3113 }
3114
3115 if( ( ret = ssl_psk_derive_premaster( ssl,
3116 ciphersuite_info->key_exchange ) ) != 0 )
3117 {
3118 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
3119 return( ret );
3120 }
3121 }
3122 else
3123#endif /* POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003124#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
3125 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
3126 {
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +02003127 unsigned char *p = ssl->in_msg + 4;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +01003128 unsigned char *end = ssl->in_msg + ssl->in_hslen;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003129
3130 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
3131 {
3132 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3133 return( ret );
3134 }
3135 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
3136 {
3137 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
3138 return( ret );
3139 }
3140
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +01003141 if( p != end )
3142 {
3143 SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3144 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3145 }
3146
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02003147 if( ( ret = ssl_psk_derive_premaster( ssl,
3148 ciphersuite_info->key_exchange ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003149 {
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02003150 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
3151 return( ret );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003152 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003153 }
3154 else
3155#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02003156#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3157 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
3158 {
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02003159 unsigned char *p = ssl->in_msg + 4;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +01003160 unsigned char *end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02003161
3162 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
3163 {
3164 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3165 return( ret );
3166 }
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +02003167
3168 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
3169 p, end - p ) ) != 0 )
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02003170 {
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +02003171 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
3172 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02003173 }
3174
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +02003175 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
3176
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02003177 if( ( ret = ssl_psk_derive_premaster( ssl,
3178 ciphersuite_info->key_exchange ) ) != 0 )
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02003179 {
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02003180 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02003181 return( ret );
3182 }
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02003183 }
3184 else
3185#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003186#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
3187 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
Paul Bakker41c83d32013-03-20 14:39:14 +01003188 {
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02003189 if( ( ret = ssl_parse_encrypted_pms( ssl,
3190 ssl->in_msg + 4,
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +01003191 ssl->in_msg + ssl->in_hslen,
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02003192 0 ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +01003193 {
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +01003194 SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
Paul Bakker70df2fb2013-04-17 17:19:09 +02003195 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00003196 }
3197 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003198 else
3199#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
3200 {
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02003201 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02003202 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003203 }
Paul Bakker5121ce52009-01-03 21:22:43 +00003204
Paul Bakkerff60ee62010-03-16 21:09:09 +00003205 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
3206 {
3207 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
3208 return( ret );
3209 }
Paul Bakker5121ce52009-01-03 21:22:43 +00003210
Paul Bakker5121ce52009-01-03 21:22:43 +00003211 ssl->state++;
3212
3213 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
3214
3215 return( 0 );
3216}
3217
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003218#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
3219 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
Manuel Pégourié-Gonnarda3104592013-09-17 21:17:44 +02003220 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
3221 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +00003222static int ssl_parse_certificate_verify( ssl_context *ssl )
3223{
Paul Bakkerfbb17802013-04-17 19:10:21 +02003224 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00003225
3226 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
3227
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003228 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnarddc953e82013-11-25 17:27:39 +01003229 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
Manuel Pégourié-Gonnard1b62c7f2013-10-14 14:02:19 +02003230 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003231 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakkered27a042013-04-18 22:46:23 +02003232 {
3233 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
3234 ssl->state++;
3235 return( 0 );
3236 }
3237
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02003238 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3239 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003240}
3241#else
3242static int ssl_parse_certificate_verify( ssl_context *ssl )
3243{
3244 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02003245 size_t sa_len, sig_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003246 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02003247 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02003248 size_t hashlen;
Paul Bakker577e0062013-08-28 11:57:20 +02003249#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02003250 pk_type_t pk_alg;
Paul Bakker577e0062013-08-28 11:57:20 +02003251#endif
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02003252 md_type_t md_alg;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003253 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
3254
3255 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
3256
3257 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnarddc953e82013-11-25 17:27:39 +01003258 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
Manuel Pégourié-Gonnard1b62c7f2013-10-14 14:02:19 +02003259 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003260 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
3261 {
3262 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
3263 ssl->state++;
3264 return( 0 );
3265 }
3266
Paul Bakkered27a042013-04-18 22:46:23 +02003267 if( ssl->session_negotiate->peer_cert == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00003268 {
3269 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
3270 ssl->state++;
3271 return( 0 );
3272 }
3273
Paul Bakker48916f92012-09-16 19:57:18 +00003274 ssl->handshake->calc_verify( ssl, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +00003275
3276 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3277 {
3278 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3279 return( ret );
3280 }
3281
3282 ssl->state++;
3283
3284 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
3285 {
3286 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00003287 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +00003288 }
3289
3290 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
3291 {
3292 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00003293 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +00003294 }
3295
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02003296 /*
3297 * 0 . 0 handshake type
3298 * 1 . 3 handshake length
3299 * 4 . 5 sig alg (TLS 1.2 only)
3300 * 4+n . 5+n signature length (n = sa_len)
3301 * 6+n . 6+n+m signature (m = sig_len)
3302 */
Paul Bakker5121ce52009-01-03 21:22:43 +00003303
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003304#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
3305 defined(POLARSSL_SSL_PROTO_TLS1_1)
3306 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +01003307 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02003308 sa_len = 0;
3309
Paul Bakkerc70b9822013-04-07 22:00:46 +02003310 md_alg = POLARSSL_MD_NONE;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02003311 hashlen = 36;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02003312
3313 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
3314 if( pk_can_do( &ssl->session_negotiate->peer_cert->pk,
3315 POLARSSL_PK_ECDSA ) )
3316 {
3317 hash_start += 16;
3318 hashlen -= 16;
3319 md_alg = POLARSSL_MD_SHA1;
3320 }
Paul Bakker926af752012-11-23 13:38:07 +01003321 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003322 else
Paul Bakker9af723c2014-05-01 13:03:14 +02003323#endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 ||
3324 POLARSSL_SSL_PROTO_TLS1_1 */
Paul Bakker577e0062013-08-28 11:57:20 +02003325#if defined(POLARSSL_SSL_PROTO_TLS1_2)
3326 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +02003327 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02003328 sa_len = 2;
3329
Paul Bakker5121ce52009-01-03 21:22:43 +00003330 /*
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02003331 * Hash
Paul Bakker5121ce52009-01-03 21:22:43 +00003332 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02003333 if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg )
Paul Bakker5121ce52009-01-03 21:22:43 +00003334 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02003335 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
3336 " for verify message" ) );
Paul Bakker926af752012-11-23 13:38:07 +01003337 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
3338 }
3339
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02003340 md_alg = ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg );
Paul Bakker926af752012-11-23 13:38:07 +01003341
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +02003342 /* Info from md_alg will be used instead */
3343 hashlen = 0;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02003344
3345 /*
3346 * Signature
3347 */
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02003348 if( ( pk_alg = ssl_pk_alg_from_sig( ssl->in_msg[5] ) )
3349 == POLARSSL_PK_NONE )
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02003350 {
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02003351 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
3352 " for verify message" ) );
3353 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02003354 }
3355
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02003356 /*
3357 * Check the certificate's key type matches the signature alg
3358 */
3359 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
3360 {
3361 SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
3362 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
3363 }
Paul Bakker577e0062013-08-28 11:57:20 +02003364 }
3365 else
3366#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3367 {
3368 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02003369 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +02003370 }
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +02003371
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02003372 sig_len = ( ssl->in_msg[4 + sa_len] << 8 ) | ssl->in_msg[5 + sa_len];
Paul Bakker926af752012-11-23 13:38:07 +01003373
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02003374 if( sa_len + sig_len + 6 != ssl->in_hslen )
Paul Bakker5121ce52009-01-03 21:22:43 +00003375 {
3376 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00003377 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +00003378 }
3379
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02003380 if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02003381 md_alg, hash_start, hashlen,
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02003382 ssl->in_msg + 6 + sa_len, sig_len ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003383 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02003384 SSL_DEBUG_RET( 1, "pk_verify", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00003385 return( ret );
3386 }
3387
3388 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
3389
Paul Bakkered27a042013-04-18 22:46:23 +02003390 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00003391}
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003392#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
3393 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
3394 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00003395
Paul Bakkera503a632013-08-14 13:48:06 +02003396#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02003397static int ssl_write_new_session_ticket( ssl_context *ssl )
3398{
3399 int ret;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +02003400 size_t tlen;
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +02003401 uint32_t lifetime = (uint32_t) ssl->ticket_lifetime;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02003402
3403 SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
3404
3405 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
3406 ssl->out_msg[0] = SSL_HS_NEW_SESSION_TICKET;
3407
3408 /*
3409 * struct {
3410 * uint32 ticket_lifetime_hint;
3411 * opaque ticket<0..2^16-1>;
3412 * } NewSessionTicket;
3413 *
3414 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
3415 * 8 . 9 ticket_len (n)
3416 * 10 . 9+n ticket content
3417 */
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +02003418
3419 ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
3420 ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
3421 ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
3422 ssl->out_msg[7] = ( lifetime ) & 0xFF;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02003423
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +02003424 if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
3425 {
3426 SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
3427 tlen = 0;
3428 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02003429
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +02003430 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
3431 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02003432
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +02003433 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02003434
Manuel Pégourié-Gonnard145dfcb2014-02-26 14:23:33 +01003435 /*
3436 * Morally equivalent to updating ssl->state, but NewSessionTicket and
3437 * ChangeCipherSpec share the same state.
3438 */
3439 ssl->handshake->new_session_ticket = 0;
3440
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02003441 if( ( ret = ssl_write_record( ssl ) ) != 0 )
3442 {
3443 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3444 return( ret );
3445 }
3446
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02003447 SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
3448
3449 return( 0 );
3450}
Paul Bakkera503a632013-08-14 13:48:06 +02003451#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02003452
Paul Bakker5121ce52009-01-03 21:22:43 +00003453/*
Paul Bakker1961b702013-01-25 14:49:24 +01003454 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +00003455 */
Paul Bakker1961b702013-01-25 14:49:24 +01003456int ssl_handshake_server_step( ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00003457{
3458 int ret = 0;
3459
Paul Bakker1961b702013-01-25 14:49:24 +01003460 if( ssl->state == SSL_HANDSHAKE_OVER )
3461 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +00003462
Paul Bakker1961b702013-01-25 14:49:24 +01003463 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
3464
3465 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3466 return( ret );
3467
3468 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +00003469 {
Paul Bakker1961b702013-01-25 14:49:24 +01003470 case SSL_HELLO_REQUEST:
3471 ssl->state = SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +00003472 break;
3473
Paul Bakker1961b702013-01-25 14:49:24 +01003474 /*
3475 * <== ClientHello
3476 */
3477 case SSL_CLIENT_HELLO:
3478 ret = ssl_parse_client_hello( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00003479 break;
Paul Bakker1961b702013-01-25 14:49:24 +01003480
3481 /*
3482 * ==> ServerHello
3483 * Certificate
3484 * ( ServerKeyExchange )
3485 * ( CertificateRequest )
3486 * ServerHelloDone
3487 */
3488 case SSL_SERVER_HELLO:
3489 ret = ssl_write_server_hello( ssl );
3490 break;
3491
3492 case SSL_SERVER_CERTIFICATE:
3493 ret = ssl_write_certificate( ssl );
3494 break;
3495
3496 case SSL_SERVER_KEY_EXCHANGE:
3497 ret = ssl_write_server_key_exchange( ssl );
3498 break;
3499
3500 case SSL_CERTIFICATE_REQUEST:
3501 ret = ssl_write_certificate_request( ssl );
3502 break;
3503
3504 case SSL_SERVER_HELLO_DONE:
3505 ret = ssl_write_server_hello_done( ssl );
3506 break;
3507
3508 /*
3509 * <== ( Certificate/Alert )
3510 * ClientKeyExchange
3511 * ( CertificateVerify )
3512 * ChangeCipherSpec
3513 * Finished
3514 */
3515 case SSL_CLIENT_CERTIFICATE:
3516 ret = ssl_parse_certificate( ssl );
3517 break;
3518
3519 case SSL_CLIENT_KEY_EXCHANGE:
3520 ret = ssl_parse_client_key_exchange( ssl );
3521 break;
3522
3523 case SSL_CERTIFICATE_VERIFY:
3524 ret = ssl_parse_certificate_verify( ssl );
3525 break;
3526
3527 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
3528 ret = ssl_parse_change_cipher_spec( ssl );
3529 break;
3530
3531 case SSL_CLIENT_FINISHED:
3532 ret = ssl_parse_finished( ssl );
3533 break;
3534
3535 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02003536 * ==> ( NewSessionTicket )
3537 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +01003538 * Finished
3539 */
3540 case SSL_SERVER_CHANGE_CIPHER_SPEC:
Paul Bakkera503a632013-08-14 13:48:06 +02003541#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +02003542 if( ssl->handshake->new_session_ticket != 0 )
3543 ret = ssl_write_new_session_ticket( ssl );
3544 else
Paul Bakkera503a632013-08-14 13:48:06 +02003545#endif
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +02003546 ret = ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01003547 break;
3548
3549 case SSL_SERVER_FINISHED:
3550 ret = ssl_write_finished( ssl );
3551 break;
3552
3553 case SSL_FLUSH_BUFFERS:
3554 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3555 ssl->state = SSL_HANDSHAKE_WRAPUP;
3556 break;
3557
3558 case SSL_HANDSHAKE_WRAPUP:
3559 ssl_handshake_wrapup( ssl );
3560 break;
3561
3562 default:
3563 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3564 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +00003565 }
3566
Paul Bakker5121ce52009-01-03 21:22:43 +00003567 return( ret );
3568}
Paul Bakker9af723c2014-05-01 13:03:14 +02003569#endif /* POLARSSL_SSL_SRV_C */