TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / f0e39acb58990d7fe659770674261cd6829bdc02 / . / library / ssl_srv.c
blob: 9ae25f5f766f1b537438a385bc7848b39f94ec88 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 server-side functions
3 *
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]26#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]28#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]30#include "polarssl/debug.h"
31#include "polarssl/ssl.h"
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]32#if defined(POLARSSL_ECP_C)
33#include "polarssl/ecp.h"
34#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]36#if defined(POLARSSL_MEMORY_C)
37#include "polarssl/memory.h"
38#else
39#define polarssl_malloc malloc
40#define polarssl_free free
41#endif
42
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43#include <stdlib.h>
44#include <stdio.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]45
46#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47#include <time.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]48#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]49
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]50#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200[diff] [blame]51/*
52 * Serialize a session in the following format:
53 * 0 . n-1 session structure, n = sizeof(ssl_session)
54 * n . n+2 peer_cert length = m (0 if no certificate)
55 * n+3 . n+2+m peer cert ASN.1
56 *
57 * Assumes ticket is NULL (always true on server side).
58 */
59static void ssl_save_session( const ssl_session *session,
60 unsigned char *buf, size_t *olen )
61{
62 unsigned char *p = buf;
63#if defined(POLARSSL_X509_PARSE_C)
64 size_t cert_len;
65#endif /* POLARSSL_X509_PARSE_C */
66
67 memcpy( p, session, sizeof( ssl_session ) );
68 p += sizeof( ssl_session );
69
70#if defined(POLARSSL_X509_PARSE_C)
71 ((ssl_session *) buf)->peer_cert = NULL;
72
73 if( session->peer_cert == NULL )
74 cert_len = 0;
75 else
76 cert_len = session->peer_cert->raw.len;
77
78 *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
79 *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
80 *p++ = (unsigned char)( cert_len & 0xFF );
81
82 if( session->peer_cert != NULL )
83 memcpy( p, session->peer_cert->raw.p, cert_len );
84
85 p += cert_len;
86#endif /* POLARSSL_X509_PARSE_C */
87
88 *olen = p - buf;
89}
90
91/*
92 * Unserialise session, see ssl_save_session()
93 */
94static int ssl_load_session( ssl_session *session,
95 const unsigned char *buf, size_t len )
96{
97 int ret;
98 const unsigned char *p = buf;
99 const unsigned char * const end = buf + len;
100#if defined(POLARSSL_X509_PARSE_C)
101 size_t cert_len;
102#endif /* POLARSSL_X509_PARSE_C */
103
104 if( p + sizeof( ssl_session ) > end )
105 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
106
107 memcpy( session, p, sizeof( ssl_session ) );
108 p += sizeof( ssl_session );
109
110#if defined(POLARSSL_X509_PARSE_C)
111 if( p + 3 > end )
112 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
113
114 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
115 p += 3;
116
117 if( cert_len == 0 )
118 {
119 session->peer_cert = NULL;
120 }
121 else
122 {
123 if( p + cert_len > end )
124 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
125
126 session->peer_cert = polarssl_malloc( cert_len );
127
128 if( session->peer_cert == NULL )
129 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
130
131 memset( session->peer_cert, 0, sizeof( x509_cert ) );
132
133 if( ( ret = x509parse_crt( session->peer_cert, p, cert_len ) ) != 0 )
134 {
135 polarssl_free( session->peer_cert );
136 free( session->peer_cert );
137 session->peer_cert = NULL;
138 return( ret );
139 }
140
141 p += cert_len;
142 }
143#endif /* POLARSSL_X509_PARSE_C */
144
145 if( p != end )
146 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
147
148 return( 0 );
149}
150
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]151/*
152 * Create session ticket, secured as recommended in RFC 5077 section 4:
153 *
154 * struct {
155 * opaque key_name[16];
156 * opaque iv[16];
157 * opaque encrypted_state<0..2^16-1>;
158 * opaque mac[32];
159 * } ticket;
160 *
161 * (the internal state structure differs, however).
162 */
163static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
164{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]165 int ret;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]166 unsigned char * const start = ssl->out_msg + 10;
167 unsigned char *p = start;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]168 unsigned char *state;
169 unsigned char iv[16];
170 size_t clear_len, enc_len, pad_len, i;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]171
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]172 if( ssl->ticket_keys == NULL )
173 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
174
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]175 /* Write key name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]176 memcpy( p, ssl->ticket_keys->key_name, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]177 p += 16;
178
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]179 /* Generate and write IV (with a copy for aes_crypt) */
180 if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
181 return( ret );
182 memcpy( iv, p, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]183 p += 16;
184
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]185 /* Dump session state */
186 state = p + 2;
187 ssl_save_session( ssl->session_negotiate, state, &clear_len );
188 SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]189
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]190 /* Apply PKCS padding */
191 pad_len = 16 - clear_len % 16;
192 enc_len = clear_len + pad_len;
193 for( i = clear_len; i < enc_len; i++ )
194 state[i] = (unsigned char) pad_len;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]195
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]196 /* Encrypt */
197 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
198 enc_len, iv, state, state ) ) != 0 )
199 {
200 return( ret );
201 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]202
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]203 /* Write length */
204 *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
205 *p++ = (unsigned char)( ( enc_len ) & 0xFF );
206 p = state + enc_len;
207
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]208 /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
209 sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]210 p += 32;
211
212 *tlen = p - start;
213
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]214 SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]215
216 return( 0 );
217}
218
219/*
220 * Load session ticket (see ssl_write_ticket for structure)
221 */
222static int ssl_parse_ticket( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]223 unsigned char *buf,
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]224 size_t len )
225{
226 int ret;
227 ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]228 unsigned char *key_name = buf;
229 unsigned char *iv = buf + 16;
230 unsigned char *enc_len_p = iv + 16;
231 unsigned char *ticket = enc_len_p + 2;
232 unsigned char *mac;
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]233 unsigned char computed_mac[16];
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]234 size_t enc_len, clear_len, i;
235 unsigned char pad_len;
236
237 SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]238
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]239 if( len < 34 || ssl->ticket_keys == NULL )
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]240 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
241
242 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
243 mac = ticket + enc_len;
244
245 if( len != enc_len + 66 )
246 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
247
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]248 /* Check name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200[diff] [blame]249 if( memcmp( key_name, ssl->ticket_keys->key_name, 16 ) != 0 )
250 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]251
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200[diff] [blame]252 /* Check mac */
253 sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
254 computed_mac, 0 );
255 ret = 0;
256 for( i = 0; i < 32; i++ )
257 if( mac[i] != computed_mac[i] )
258 ret = POLARSSL_ERR_SSL_INVALID_MAC;
259 if( ret != 0 )
260 return( ret );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]261
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]262 /* Decrypt */
263 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
264 enc_len, iv, ticket, ticket ) ) != 0 )
265 {
266 return( ret );
267 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]268
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]269 /* Check PKCS padding */
270 pad_len = ticket[enc_len - 1];
271
272 ret = 0;
273 for( i = 2; i < pad_len; i++ )
274 if( ticket[enc_len - i] != pad_len )
275 ret = POLARSSL_ERR_SSL_BAD_INPUT_DATA;
276 if( ret != 0 )
277 return( ret );
278
279 clear_len = enc_len - pad_len;
280
281 SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
282
283 /* Actually load session */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]284 if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
285 {
286 SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
287 memset( &session, 0, sizeof( ssl_session ) );
288 return( ret );
289 }
290
291 /*
292 * Keep the session ID sent by the client, since we MUST send it back to
293 * inform him we're accepting the ticket (RFC 5077 section 3.4)
294 */
295 session.length = ssl->session_negotiate->length;
296 memcpy( &session.id, ssl->session_negotiate->id, session.length );
297
298 ssl_session_free( ssl->session_negotiate );
299 memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
300 memset( &session, 0, sizeof( ssl_session ) );
301
302 return( 0 );
303}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]304#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]305
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]306static int ssl_parse_servername_ext( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]307 const unsigned char *buf,
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]308 size_t len )
309{
310 int ret;
311 size_t servername_list_size, hostname_len;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]312 const unsigned char *p;
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]313
314 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
315 if( servername_list_size + 2 != len )
316 {
317 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
318 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
319 }
320
321 p = buf + 2;
322 while( servername_list_size > 0 )
323 {
324 hostname_len = ( ( p[1] << 8 ) | p[2] );
325 if( hostname_len + 3 > servername_list_size )
326 {
327 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
328 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
329 }
330
331 if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
332 {
333 ret = ssl->f_sni( ssl->p_sni, ssl, p + 3, hostname_len );
334 if( ret != 0 )
335 {
336 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
337 SSL_ALERT_MSG_UNRECOGNIZED_NAME );
338 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
339 }
Paul Bakker81420ab2012-10-23 10:31:15 +0000[diff] [blame]340 return( 0 );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]341 }
342
343 servername_list_size -= hostname_len + 3;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]344 p += hostname_len + 3;
345 }
346
347 if( servername_list_size != 0 )
348 {
349 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
350 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]351 }
352
353 return( 0 );
354}
355
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]356static int ssl_parse_renegotiation_info( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]357 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]358 size_t len )
359{
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]360 int ret;
361
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]362 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
363 {
364 if( len != 1 || buf[0] != 0x0 )
365 {
366 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]367
368 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
369 return( ret );
370
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]371 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
372 }
373
374 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
375 }
376 else
377 {
378 if( len != 1 + ssl->verify_data_len ||
379 buf[0] != ssl->verify_data_len ||
380 memcmp( buf + 1, ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
381 {
382 SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]383
384 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
385 return( ret );
386
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]387 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
388 }
389 }
390
391 return( 0 );
392}
393
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]394static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
395 const unsigned char *buf,
396 size_t len )
397{
398 size_t sig_alg_list_size;
399 const unsigned char *p;
400
401 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
402 if( sig_alg_list_size + 2 != len ||
403 sig_alg_list_size %2 != 0 )
404 {
405 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
406 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
407 }
408
409 p = buf + 2;
410 while( sig_alg_list_size > 0 )
411 {
412 if( p[1] != SSL_SIG_RSA )
Paul Bakker8611e732012-10-30 07:52:29 +0000[diff] [blame]413 {
414 sig_alg_list_size -= 2;
415 p += 2;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]416 continue;
Paul Bakker8611e732012-10-30 07:52:29 +0000[diff] [blame]417 }
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]418#if defined(POLARSSL_SHA512_C)
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]419 if( p[0] == SSL_HASH_SHA512 )
420 {
421 ssl->handshake->sig_alg = SSL_HASH_SHA512;
422 break;
423 }
424 if( p[0] == SSL_HASH_SHA384 )
425 {
426 ssl->handshake->sig_alg = SSL_HASH_SHA384;
427 break;
428 }
429#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]430#if defined(POLARSSL_SHA256_C)
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]431 if( p[0] == SSL_HASH_SHA256 )
432 {
433 ssl->handshake->sig_alg = SSL_HASH_SHA256;
434 break;
435 }
436 if( p[0] == SSL_HASH_SHA224 )
437 {
438 ssl->handshake->sig_alg = SSL_HASH_SHA224;
439 break;
440 }
441#endif
442 if( p[0] == SSL_HASH_SHA1 )
443 {
444 ssl->handshake->sig_alg = SSL_HASH_SHA1;
445 break;
446 }
447 if( p[0] == SSL_HASH_MD5 )
448 {
449 ssl->handshake->sig_alg = SSL_HASH_MD5;
450 break;
451 }
452
453 sig_alg_list_size -= 2;
454 p += 2;
455 }
456
457 SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
458 ssl->handshake->sig_alg ) );
459
460 return( 0 );
461}
462
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]463#if defined(POLARSSL_ECP_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]464static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
465 const unsigned char *buf,
466 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]467{
468 size_t list_size;
469 const unsigned char *p;
470
471 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
472 if( list_size + 2 != len ||
473 list_size % 2 != 0 )
474 {
475 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
476 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
477 }
478
479 p = buf + 2;
480 while( list_size > 0 )
481 {
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]482#if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
483 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP192R1 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]484 {
485 ssl->handshake->ec_curve = p[1];
486 return( 0 );
487 }
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]488#endif
489#if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
490 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP224R1 )
491 {
492 ssl->handshake->ec_curve = p[1];
493 return( 0 );
494 }
495#endif
496#if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
497 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP256R1 )
498 {
499 ssl->handshake->ec_curve = p[1];
500 return( 0 );
501 }
502#endif
503#if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
504 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP384R1 )
505 {
506 ssl->handshake->ec_curve = p[1];
507 return( 0 );
508 }
509#endif
510#if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
511 if( p[0] == 0x00 && p[1] == POLARSSL_ECP_DP_SECP521R1 )
512 {
513 ssl->handshake->ec_curve = p[1];
514 return( 0 );
515 }
516#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]517
518 list_size -= 2;
519 p += 2;
520 }
521
522 return( 0 );
523}
524
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]525static int ssl_parse_supported_point_formats( ssl_context *ssl,
526 const unsigned char *buf,
527 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]528{
529 size_t list_size;
530 const unsigned char *p;
531
532 list_size = buf[0];
533 if( list_size + 1 != len )
534 {
535 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
536 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
537 }
538
539 p = buf + 2;
540 while( list_size > 0 )
541 {
542 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
543 p[0] == POLARSSL_ECP_PF_COMPRESSED )
544 {
545 ssl->handshake->ec_point_format = p[0];
546 return( 0 );
547 }
548
549 list_size--;
550 p++;
551 }
552
553 return( 0 );
554}
555#endif /* POLARSSL_ECP_C */
556
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]557static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
558 const unsigned char *buf,
559 size_t len )
560{
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]561 if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]562 {
563 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
564 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
565 }
566
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]567 ssl->session_negotiate->mfl_code = buf[0];
568
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]569 return( 0 );
570}
571
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]572static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
573 const unsigned char *buf,
574 size_t len )
575{
576 if( len != 0 )
577 {
578 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
579 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
580 }
581
582 ((void) buf);
583
584 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
585
586 return( 0 );
587}
588
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]589#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]590static int ssl_parse_session_ticket_ext( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]591 unsigned char *buf,
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]592 size_t len )
593{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]594 int ret;
595
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]596 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
597 return( 0 );
598
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]599 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]600 ssl->handshake->new_session_ticket = 1;
601
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]602 SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
603
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]604 if( len == 0 )
605 return( 0 );
606
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]607 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
608 {
609 SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
610 return( 0 );
611 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]612
613 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]614 * Failures are ok: just ignore the ticket and proceed.
615 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]616 if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
617 {
618 SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]619 return( 0 );
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]620 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]621
622 SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
623
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]624 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]625
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]626 /* Don't send a new ticket after all, this one is OK */
627 ssl->handshake->new_session_ticket = 0;
628
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]629 return( 0 );
630}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]631#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]632
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]633#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
634static int ssl_parse_client_hello_v2( ssl_context *ssl )
635{
636 int ret;
637 unsigned int i, j;
638 size_t n;
639 unsigned int ciph_len, sess_len, chal_len;
640 unsigned char *buf, *p;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]641 const int *ciphersuites;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]642 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]643
644 SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
645
646 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
647 {
648 SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
649
650 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
651 return( ret );
652
653 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
654 }
655
656 buf = ssl->in_hdr;
657
658 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
659
660 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
661 buf[2] ) );
662 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
663 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
664 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
665 buf[3], buf[4] ) );
666
667 /*
668 * SSLv2 Client Hello
669 *
670 * Record layer:
671 * 0 . 1 message length
672 *
673 * SSL layer:
674 * 2 . 2 message type
675 * 3 . 4 protocol version
676 */
677 if( buf[2] != SSL_HS_CLIENT_HELLO ||
678 buf[3] != SSL_MAJOR_VERSION_3 )
679 {
680 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
681 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
682 }
683
684 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
685
686 if( n < 17 || n > 512 )
687 {
688 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
689 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
690 }
691
692 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]693 ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
694 ? buf[4] : ssl->max_minor_ver;
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]695
696 if( ssl->minor_ver < ssl->min_minor_ver )
697 {
698 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
699 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
700 ssl->min_major_ver, ssl->min_minor_ver ) );
701
702 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
703 SSL_ALERT_MSG_PROTOCOL_VERSION );
704 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
705 }
706
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]707 ssl->handshake->max_major_ver = buf[3];
708 ssl->handshake->max_minor_ver = buf[4];
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]709
710 if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
711 {
712 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
713 return( ret );
714 }
715
716 ssl->handshake->update_checksum( ssl, buf + 2, n );
717
718 buf = ssl->in_msg;
719 n = ssl->in_left - 5;
720
721 /*
722 * 0 . 1 ciphersuitelist length
723 * 2 . 3 session id length
724 * 4 . 5 challenge length
725 * 6 . .. ciphersuitelist
726 * .. . .. session id
727 * .. . .. challenge
728 */
729 SSL_DEBUG_BUF( 4, "record contents", buf, n );
730
731 ciph_len = ( buf[0] << 8 ) | buf[1];
732 sess_len = ( buf[2] << 8 ) | buf[3];
733 chal_len = ( buf[4] << 8 ) | buf[5];
734
735 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
736 ciph_len, sess_len, chal_len ) );
737
738 /*
739 * Make sure each parameter length is valid
740 */
741 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
742 {
743 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
744 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
745 }
746
747 if( sess_len > 32 )
748 {
749 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
750 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
751 }
752
753 if( chal_len < 8 || chal_len > 32 )
754 {
755 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
756 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
757 }
758
759 if( n != 6 + ciph_len + sess_len + chal_len )
760 {
761 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
762 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
763 }
764
765 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
766 buf + 6, ciph_len );
767 SSL_DEBUG_BUF( 3, "client hello, session id",
768 buf + 6 + ciph_len, sess_len );
769 SSL_DEBUG_BUF( 3, "client hello, challenge",
770 buf + 6 + ciph_len + sess_len, chal_len );
771
772 p = buf + 6 + ciph_len;
773 ssl->session_negotiate->length = sess_len;
774 memset( ssl->session_negotiate->id, 0, sizeof( ssl->session_negotiate->id ) );
775 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
776
777 p += sess_len;
778 memset( ssl->handshake->randbytes, 0, 64 );
779 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
780
781 /*
782 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
783 */
784 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
785 {
786 if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
787 {
788 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
789 if( ssl->renegotiation == SSL_RENEGOTIATION )
790 {
791 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
792
793 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
794 return( ret );
795
796 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
797 }
798 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
799 break;
800 }
801 }
802
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]803 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
804 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]805 {
806 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
807 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]808 // Only allow non-ECC ciphersuites as we do not have extensions
809 //
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]810 if( p[0] == 0 && p[1] == 0 &&
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]811 ( ( ciphersuites[i] >> 8 ) & 0xFF ) == 0 &&
812 p[2] == ( ciphersuites[i] & 0xFF ) )
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]813 {
814 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
815
816 if( ciphersuite_info == NULL )
817 {
818 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
819 ciphersuites[i] ) );
820 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
821 }
822
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]823 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
824 ciphersuite_info->max_minor_ver < ssl->minor_ver )
825 continue;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]826
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]827 goto have_ciphersuite_v2;
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]828 }
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]829 }
830 }
831
832 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
833
834 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
835
836have_ciphersuite_v2:
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]837 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker59c28a22013-06-29 15:33:42 +0200[diff] [blame]838 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]839 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]840
841 /*
842 * SSLv2 Client Hello relevant renegotiation security checks
843 */
844 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
845 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
846 {
847 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
848
849 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
850 return( ret );
851
852 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
853 }
854
855 ssl->in_left = 0;
856 ssl->state++;
857
858 SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
859
860 return( 0 );
861}
862#endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
863
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]864static int ssl_parse_client_hello( ssl_context *ssl )
865{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]866 int ret;
867 unsigned int i, j;
868 size_t n;
869 unsigned int ciph_len, sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]870 unsigned int comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]871 unsigned int ext_len = 0;
872 unsigned char *buf, *p, *ext;
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]873 int renegotiation_info_seen = 0;
874 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]875 const int *ciphersuites;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]876 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]877
878 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
879
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]880 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
881 ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]882 {
883 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
884 return( ret );
885 }
886
887 buf = ssl->in_hdr;
888
Paul Bakker78a8c712013-03-06 17:01:52 +0100[diff] [blame]889#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
890 if( ( buf[0] & 0x80 ) != 0 )
891 return ssl_parse_client_hello_v2( ssl );
892#endif
893
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]894 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
895
896 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
897 buf[0] ) );
898 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
899 ( buf[3] << 8 ) | buf[4] ) );
900 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
901 buf[1], buf[2] ) );
902
903 /*
904 * SSLv3 Client Hello
905 *
906 * Record layer:
907 * 0 . 0 message type
908 * 1 . 2 protocol version
909 * 3 . 4 message length
910 */
911 if( buf[0] != SSL_MSG_HANDSHAKE ||
912 buf[1] != SSL_MAJOR_VERSION_3 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]913 {
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]914 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
915 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
916 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]917
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]918 n = ( buf[3] << 8 ) | buf[4];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]919
Manuel Pégourié-Gonnard72882b22013-08-02 13:36:00 +0200[diff] [blame]920 if( n < 45 || n > 2048 )
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]921 {
922 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
923 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
924 }
925
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]926 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
927 ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]928 {
929 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
930 return( ret );
931 }
932
933 buf = ssl->in_msg;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]934 if( !ssl->renegotiation )
935 n = ssl->in_left - 5;
936 else
937 n = ssl->in_msglen;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]938
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]939 ssl->handshake->update_checksum( ssl, buf, n );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]940
941 /*
942 * SSL layer:
943 * 0 . 0 handshake type
944 * 1 . 3 handshake length
945 * 4 . 5 protocol version
946 * 6 . 9 UNIX time()
947 * 10 . 37 random bytes
948 * 38 . 38 session id length
949 * 39 . 38+x session id
950 * 39+x . 40+x ciphersuitelist length
951 * 41+x . .. ciphersuitelist
952 * .. . .. compression alg.
953 * .. . .. extensions
954 */
955 SSL_DEBUG_BUF( 4, "record contents", buf, n );
956
957 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
958 buf[0] ) );
959 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
960 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
961 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
962 buf[4], buf[5] ) );
963
964 /*
965 * Check the handshake type and protocol version
966 */
967 if( buf[0] != SSL_HS_CLIENT_HELLO ||
968 buf[4] != SSL_MAJOR_VERSION_3 )
969 {
970 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
971 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
972 }
973
974 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]975 ssl->minor_ver = ( buf[5] <= ssl->max_minor_ver )
976 ? buf[5] : ssl->max_minor_ver;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]977
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]978 if( ssl->minor_ver < ssl->min_minor_ver )
979 {
980 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
981 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
Paul Bakker81420ab2012-10-23 10:31:15 +0000[diff] [blame]982 ssl->min_major_ver, ssl->min_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]983
984 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
985 SSL_ALERT_MSG_PROTOCOL_VERSION );
986
987 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
988 }
989
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]990 ssl->handshake->max_major_ver = buf[4];
991 ssl->handshake->max_minor_ver = buf[5];
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]992
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]993 memcpy( ssl->handshake->randbytes, buf + 6, 32 );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]994
995 /*
996 * Check the handshake message length
997 */
998 if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
999 {
1000 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1001 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1002 }
1003
1004 /*
1005 * Check the session length
1006 */
1007 sess_len = buf[38];
1008
1009 if( sess_len > 32 )
1010 {
1011 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1012 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1013 }
1014
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1015 ssl->session_negotiate->length = sess_len;
1016 memset( ssl->session_negotiate->id, 0,
1017 sizeof( ssl->session_negotiate->id ) );
1018 memcpy( ssl->session_negotiate->id, buf + 39,
1019 ssl->session_negotiate->length );
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1020
1021 /*
1022 * Check the ciphersuitelist length
1023 */
1024 ciph_len = ( buf[39 + sess_len] << 8 )
1025 | ( buf[40 + sess_len] );
1026
1027 if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
1028 {
1029 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1030 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1031 }
1032
1033 /*
1034 * Check the compression algorithms length
1035 */
1036 comp_len = buf[41 + sess_len + ciph_len];
1037
1038 if( comp_len < 1 || comp_len > 16 )
1039 {
1040 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1041 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1042 }
1043
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1044 /*
1045 * Check the extension length
1046 */
1047 if( n > 42 + sess_len + ciph_len + comp_len )
1048 {
1049 ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
1050 | ( buf[43 + sess_len + ciph_len + comp_len] );
1051
1052 if( ( ext_len > 0 && ext_len < 4 ) ||
1053 n != 44 + sess_len + ciph_len + comp_len + ext_len )
1054 {
1055 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1056 SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
1057 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1058 }
1059 }
1060
1061 ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1062#if defined(POLARSSL_ZLIB_SUPPORT)
1063 for( i = 0; i < comp_len; ++i )
1064 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1065 if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1066 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1067 ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1068 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1069 }
1070 }
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1071#endif
1072
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1073 SSL_DEBUG_BUF( 3, "client hello, random bytes",
1074 buf + 6, 32 );
1075 SSL_DEBUG_BUF( 3, "client hello, session id",
1076 buf + 38, sess_len );
1077 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1078 buf + 41 + sess_len, ciph_len );
1079 SSL_DEBUG_BUF( 3, "client hello, compression",
1080 buf + 42 + sess_len + ciph_len, comp_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1081
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1082 /*
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1083 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1084 */
1085 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1086 {
1087 if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
1088 {
1089 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1090 if( ssl->renegotiation == SSL_RENEGOTIATION )
1091 {
1092 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1093
1094 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1095 return( ret );
1096
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1097 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1098 }
1099 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
1100 break;
1101 }
1102 }
1103
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1104 ext = buf + 44 + sess_len + ciph_len + comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1105
1106 while( ext_len )
1107 {
1108 unsigned int ext_id = ( ( ext[0] << 8 )
1109 | ( ext[1] ) );
1110 unsigned int ext_size = ( ( ext[2] << 8 )
1111 | ( ext[3] ) );
1112
1113 if( ext_size + 4 > ext_len )
1114 {
1115 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1116 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1117 }
1118 switch( ext_id )
1119 {
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]1120 case TLS_EXT_SERVERNAME:
1121 SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1122 if( ssl->f_sni == NULL )
1123 break;
1124
1125 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1126 if( ret != 0 )
1127 return( ret );
1128 break;
1129
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1130 case TLS_EXT_RENEGOTIATION_INFO:
1131 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1132 renegotiation_info_seen = 1;
1133
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1134 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1135 if( ret != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1136 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1137 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1138
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1139 case TLS_EXT_SIG_ALG:
1140 SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1141 if( ssl->renegotiation == SSL_RENEGOTIATION )
1142 break;
1143
1144 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1145 if( ret != 0 )
1146 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1147 break;
1148
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1149#if defined(POLARSSL_ECP_C)
1150 case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
1151 SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1152
1153 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1154 if( ret != 0 )
1155 return( ret );
1156 break;
1157
1158 case TLS_EXT_SUPPORTED_POINT_FORMATS:
1159 SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1160
1161 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1162 if( ret != 0 )
1163 return( ret );
1164 break;
1165#endif /* POLARSSL_ECP_C */
1166
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1167 case TLS_EXT_MAX_FRAGMENT_LENGTH:
1168 SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1169
1170 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1171 if( ret != 0 )
1172 return( ret );
1173 break;
1174
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1175 case TLS_EXT_TRUNCATED_HMAC:
1176 SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1177
1178 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1179 if( ret != 0 )
1180 return( ret );
1181 break;
1182
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1183#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1184 case TLS_EXT_SESSION_TICKET:
1185 SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1186
1187 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1188 if( ret != 0 )
1189 return( ret );
1190 break;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1191#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1192
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1193 default:
1194 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1195 ext_id ) );
1196 }
1197
1198 ext_len -= 4 + ext_size;
1199 ext += 4 + ext_size;
1200
1201 if( ext_len > 0 && ext_len < 4 )
1202 {
1203 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1204 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1205 }
1206 }
1207
1208 /*
1209 * Renegotiation security checks
1210 */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1211 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1212 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
1213 {
1214 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1215 handshake_failure = 1;
1216 }
1217 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1218 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
1219 renegotiation_info_seen == 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1220 {
1221 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1222 handshake_failure = 1;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1223 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1224 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1225 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1226 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1227 {
1228 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1229 handshake_failure = 1;
1230 }
1231 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1232 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1233 renegotiation_info_seen == 1 )
1234 {
1235 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1236 handshake_failure = 1;
1237 }
1238
1239 if( handshake_failure == 1 )
1240 {
1241 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1242 return( ret );
1243
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1244 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1245 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1246
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1247 /*
1248 * Search for a matching ciphersuite
1249 * (At the end because we need information from the EC-based extensions)
1250 */
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1251 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1252 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1253 {
1254 for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
1255 j += 2, p += 2 )
1256 {
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1257 if( p[0] == ( ( ciphersuites[i] >> 8 ) & 0xFF ) &&
1258 p[1] == ( ( ciphersuites[i] ) & 0xFF ) )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1259 {
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1260 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1261
1262 if( ciphersuite_info == NULL )
1263 {
1264 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1265 ciphersuites[i] ) );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1266 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
1267 }
1268
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1269 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
1270 ciphersuite_info->max_minor_ver < ssl->minor_ver )
1271 continue;
1272
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1273 if( ( ciphersuite_info->flags & POLARSSL_CIPHERSUITE_EC ) &&
1274 ssl->handshake->ec_curve == 0 )
1275 continue;
1276
1277 goto have_ciphersuite;
1278 }
1279 }
1280 }
1281
1282 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1283
1284 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1285 return( ret );
1286
1287 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
1288
1289have_ciphersuite:
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1290 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1291 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1292 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
1293
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1294 ssl->in_left = 0;
1295 ssl->state++;
1296
1297 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1298
1299 return( 0 );
1300}
1301
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1302static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
1303 unsigned char *buf,
1304 size_t *olen )
1305{
1306 unsigned char *p = buf;
1307
1308 if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
1309 {
1310 *olen = 0;
1311 return;
1312 }
1313
1314 SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1315
1316 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
1317 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
1318
1319 *p++ = 0x00;
1320 *p++ = 0x00;
1321
1322 *olen = 4;
1323}
1324
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1325#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1326static void ssl_write_session_ticket_ext( ssl_context *ssl,
1327 unsigned char *buf,
1328 size_t *olen )
1329{
1330 unsigned char *p = buf;
1331
1332 if( ssl->handshake->new_session_ticket == 0 )
1333 {
1334 *olen = 0;
1335 return;
1336 }
1337
1338 SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1339
1340 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
1341 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
1342
1343 *p++ = 0x00;
1344 *p++ = 0x00;
1345
1346 *olen = 4;
1347}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1348#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1349
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1350static void ssl_write_renegotiation_ext( ssl_context *ssl,
1351 unsigned char *buf,
1352 size_t *olen )
1353{
1354 unsigned char *p = buf;
1355
1356 if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION )
1357 {
1358 *olen = 0;
1359 return;
1360 }
1361
1362 SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1363
1364 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
1365 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
1366
1367 *p++ = 0x00;
1368 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
1369 *p++ = ssl->verify_data_len * 2 & 0xFF;
1370
1371 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
1372 p += ssl->verify_data_len;
1373 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
1374 p += ssl->verify_data_len;
1375
1376 *olen = 5 + ssl->verify_data_len * 2;
1377}
1378
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1379static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
1380 unsigned char *buf,
1381 size_t *olen )
1382{
1383 unsigned char *p = buf;
1384
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]1385 if( ssl->session_negotiate->mfl_code == SSL_MAX_FRAG_LEN_NONE )
1386 {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1387 *olen = 0;
1388 return;
1389 }
1390
1391 SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
1392
1393 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
1394 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
1395
1396 *p++ = 0x00;
1397 *p++ = 1;
1398
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]1399 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1400
1401 *olen = 5;
1402}
1403
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1404static int ssl_write_server_hello( ssl_context *ssl )
1405{
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1406#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1407 time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1408#endif
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1409 int ret, n;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1410 size_t olen, ext_len = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1411 unsigned char *buf, *p;
1412
1413 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
1414
1415 /*
1416 * 0 . 0 handshake type
1417 * 1 . 3 handshake length
1418 * 4 . 5 protocol version
1419 * 6 . 9 UNIX time()
1420 * 10 . 37 random bytes
1421 */
1422 buf = ssl->out_msg;
1423 p = buf + 4;
1424
1425 *p++ = (unsigned char) ssl->major_ver;
1426 *p++ = (unsigned char) ssl->minor_ver;
1427
1428 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
1429 buf[4], buf[5] ) );
1430
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1431#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1432 t = time( NULL );
1433 *p++ = (unsigned char)( t >> 24 );
1434 *p++ = (unsigned char)( t >> 16 );
1435 *p++ = (unsigned char)( t >> 8 );
1436 *p++ = (unsigned char)( t );
1437
1438 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1439#else
1440 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
1441 return( ret );
1442
1443 p += 4;
1444#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1445
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1446 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
1447 return( ret );
1448
1449 p += 28;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1450
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1451 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1452
1453 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
1454
1455 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1456 * Resume is 0 by default, see ssl_handshake_init().
1457 * It may be already set to 1 by ssl_parse_session_ticket_ext().
1458 * If not, try looking up session ID in our cache.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1459 */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1460 if( ssl->handshake->resume == 0 &&
1461 ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +0200[diff] [blame]1462 ssl->session_negotiate->length != 0 &&
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1463 ssl->f_get_cache != NULL &&
1464 ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
1465 {
1466 ssl->handshake->resume = 1;
1467 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1468
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1469 if( ssl->handshake->resume == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1470 {
1471 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1472 * New session, create a new session id,
1473 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1474 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1475 ssl->state++;
1476
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1477#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1478 if( ssl->handshake->new_session_ticket == 0 )
1479 {
1480 ssl->session_negotiate->length = n = 32;
1481 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1482 n ) ) != 0 )
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1483 return( ret );
1484 }
1485 else
1486 {
Paul Bakkerf0e39ac2013-08-15 11:40:48 +0200[diff] [blame^]1487 ssl->session_negotiate->length = n = 0;
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1488 memset( ssl->session_negotiate->id, 0, 32 );
1489 }
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1490#else
1491 ssl->session_negotiate->length = n = 32;
1492 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
1493 n ) ) != 0 )
1494 return( ret );
1495#endif /* POLARSSL_SSL_SESSION_TICKETS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1496 }
1497 else
1498 {
1499 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1500 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1501 */
Paul Bakkerf0e39ac2013-08-15 11:40:48 +0200[diff] [blame^]1502 n = ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1503 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1504
1505 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1506 {
1507 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1508 return( ret );
1509 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1510 }
1511
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]1512 /*
1513 * 38 . 38 session id length
1514 * 39 . 38+n session id
1515 * 39+n . 40+n chosen ciphersuite
1516 * 41+n . 41+n chosen compression alg.
1517 * 42+n . 43+n extensions length
1518 * 44+n . 43+n+m extensions
1519 */
1520 *p++ = (unsigned char) ssl->session_negotiate->length;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1521 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
1522 p += ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1523
1524 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1525 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
1526 SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]1527 ssl->handshake->resume ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1528
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1529 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
1530 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
1531 *p++ = (unsigned char)( ssl->session_negotiate->compression );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1532
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1533 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1534 ssl->session_negotiate->ciphersuite ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1535 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1536 ssl->session_negotiate->compression ) );
1537
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1538 /*
1539 * First write extensions, then the total length
1540 */
1541 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1542 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1543
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1544 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1545 ext_len += olen;
1546
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1547 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1548 ext_len += olen;
1549
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1550#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1551 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1552 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1553#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1554
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1555 SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1556
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1557 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1558 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1559 p += ext_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1560
1561 ssl->out_msglen = p - buf;
1562 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1563 ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
1564
1565 ret = ssl_write_record( ssl );
1566
1567 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
1568
1569 return( ret );
1570}
1571
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1572#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1573 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1574 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1575static int ssl_write_certificate_request( ssl_context *ssl )
1576{
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]1577 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1578 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1579
1580 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1581
1582 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1583 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1584 {
1585 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1586 ssl->state++;
1587 return( 0 );
1588 }
1589
1590 return( ret );
1591}
1592#else
1593static int ssl_write_certificate_request( ssl_context *ssl )
1594{
1595 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1596 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1597 size_t n = 0, dn_size, total_dn_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1598 unsigned char *buf, *p;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1599 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1600
1601 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1602
1603 ssl->state++;
1604
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]1605 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1606 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]1607 ssl->authmode == SSL_VERIFY_NONE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1608 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1609 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1610 return( 0 );
1611 }
1612
1613 /*
1614 * 0 . 0 handshake type
1615 * 1 . 3 handshake length
1616 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1617 * 5 .. m-1 cert types
1618 * m .. m+1 sig alg length (TLS 1.2 only)
1619 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1620 * n .. n+1 length of all DNs
1621 * n+2 .. n+3 length of DN 1
1622 * n+4 .. ... Distinguished Name #1
1623 * ... .. ... length of DN 2, etc.
1624 */
1625 buf = ssl->out_msg;
1626 p = buf + 4;
1627
1628 /*
1629 * At the moment, only RSA certificates are supported
1630 */
1631 *p++ = 1;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1632 *p++ = SSL_CERT_TYPE_RSA_SIGN;
1633
1634 /*
1635 * Add signature_algorithms for verify (TLS 1.2)
1636 * Only add current running algorithm that is already required for
1637 * requested ciphersuite.
1638 *
1639 * Length is always 2
1640 */
Paul Bakker21dca692013-01-03 11:41:08 +0100[diff] [blame]1641 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1642 {
1643 ssl->handshake->verify_sig_alg = SSL_HASH_SHA256;
1644
1645 *p++ = 0;
1646 *p++ = 2;
1647
Paul Bakkerb7149bc2013-03-20 15:30:09 +0100[diff] [blame]1648 if( ssl->transform_negotiate->ciphersuite_info->mac ==
1649 POLARSSL_MD_SHA384 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1650 {
1651 ssl->handshake->verify_sig_alg = SSL_HASH_SHA384;
1652 }
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]1653
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1654 *p++ = ssl->handshake->verify_sig_alg;
1655 *p++ = SSL_SIG_RSA;
1656
1657 n += 4;
1658 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1659
1660 p += 2;
1661 crt = ssl->ca_chain;
1662
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]1663 total_dn_size = 0;
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]1664 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1665 {
1666 if( p - buf > 4096 )
1667 break;
1668
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1669 dn_size = crt->subject_raw.len;
1670 *p++ = (unsigned char)( dn_size >> 8 );
1671 *p++ = (unsigned char)( dn_size );
1672 memcpy( p, crt->subject_raw.p, dn_size );
1673 p += dn_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1674
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1675 SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
1676
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]1677 total_dn_size += 2 + dn_size;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1678 crt = crt->next;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1679 }
1680
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1681 ssl->out_msglen = p - buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1682 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1683 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]1684 ssl->out_msg[6 + n] = (unsigned char)( total_dn_size >> 8 );
1685 ssl->out_msg[7 + n] = (unsigned char)( total_dn_size );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1686
1687 ret = ssl_write_record( ssl );
1688
1689 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
1690
1691 return( ret );
1692}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1693#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
1694 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
1695 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1696
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1697static int ssl_write_server_key_exchange( ssl_context *ssl )
1698{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1699 int ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1700 size_t n = 0, len;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1701 unsigned char hash[64];
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1702 md_type_t md_alg = POLARSSL_MD_NONE;
Paul Bakker35a7fe52012-10-31 09:07:14 +0000[diff] [blame]1703 unsigned int hashlen = 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1704 unsigned char *p = ssl->out_msg + 4;
1705 unsigned char *dig_sig = p;
1706 size_t dig_sig_len = 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1707
1708 const ssl_ciphersuite_t *ciphersuite_info;
1709 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1710
1711 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
1712
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1713 if( ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_RSA &&
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1714 ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_ECDHE_RSA &&
1715 ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1716 {
1717 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
1718 ssl->state++;
1719 return( 0 );
1720 }
1721
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1722#if defined(POLARSSL_RSA_C)
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1723 if( ssl->rsa_key == NULL )
1724 {
Paul Bakkereb2c6582012-09-27 19:15:01 +0000[diff] [blame]1725 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
1726 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1727 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1728#endif /* POLARSSL_RSA_C */
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1729
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1730#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1731 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1732 {
1733 /* TODO: Support identity hints */
1734 *(p++) = 0x00;
1735 *(p++) = 0x00;
1736
1737 n += 2;
1738 }
1739#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1740
1741#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1742 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1743 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1744 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1745 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1746 /*
1747 * Ephemeral DH parameters:
1748 *
1749 * struct {
1750 * opaque dh_p<1..2^16-1>;
1751 * opaque dh_g<1..2^16-1>;
1752 * opaque dh_Ys<1..2^16-1>;
1753 * } ServerDHParams;
1754 */
1755 if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
1756 ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
1757 {
1758 SSL_DEBUG_RET( 1, "mpi_copy", ret );
1759 return( ret );
1760 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1761
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1762 if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
1763 mpi_size( &ssl->handshake->dhm_ctx.P ),
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1764 p,
1765 &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1766 {
1767 SSL_DEBUG_RET( 1, "dhm_make_params", ret );
1768 return( ret );
1769 }
1770
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1771 dig_sig = p;
1772 dig_sig_len = len;
1773
1774 p += len;
1775 n += len;
1776
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1777 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
1778 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1779 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1780 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
1781 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1782#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1783 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1784
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1785#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1786 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1787 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1788 /*
1789 * Ephemeral ECDH parameters:
1790 *
1791 * struct {
1792 * ECParameters curve_params;
1793 * ECPoint public;
1794 * } ServerECDHParams;
1795 */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1796 if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
1797 ssl->handshake->ec_curve ) ) != 0 )
1798 {
1799 SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
1800 return( ret );
1801 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1802
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1803 if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx,
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1804 &len,
1805 p,
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1806 1000, ssl->f_rng, ssl->p_rng ) ) != 0 )
1807 {
1808 SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
1809 return( ret );
1810 }
1811
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1812 dig_sig = p;
1813 dig_sig_len = len;
1814
1815 p += len;
1816 n += len;
1817
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1818 SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
1819 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1820#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1821
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1822#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1823 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
1824 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1825 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1826 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1827 size_t rsa_key_len = 0;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1828
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1829 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1830 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1831 md5_context md5;
1832 sha1_context sha1;
1833
1834 /*
1835 * digitally-signed struct {
1836 * opaque md5_hash[16];
1837 * opaque sha_hash[20];
1838 * };
1839 *
1840 * md5_hash
1841 * MD5(ClientHello.random + ServerHello.random
1842 * + ServerParams);
1843 * sha_hash
1844 * SHA(ClientHello.random + ServerHello.random
1845 * + ServerParams);
1846 */
1847 md5_starts( &md5 );
1848 md5_update( &md5, ssl->handshake->randbytes, 64 );
1849 md5_update( &md5, dig_sig, dig_sig_len );
1850 md5_finish( &md5, hash );
1851
1852 sha1_starts( &sha1 );
1853 sha1_update( &sha1, ssl->handshake->randbytes, 64 );
1854 sha1_update( &sha1, dig_sig, dig_sig_len );
1855 sha1_finish( &sha1, hash + 16 );
1856
1857 hashlen = 36;
1858 md_alg = POLARSSL_MD_NONE;
1859 }
1860 else
1861 {
1862 md_context_t ctx;
1863
1864 /*
1865 * digitally-signed struct {
1866 * opaque client_random[32];
1867 * opaque server_random[32];
1868 * ServerDHParams params;
1869 * };
1870 */
1871 switch( ssl->handshake->sig_alg )
1872 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1873#if defined(POLARSSL_MD5_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1874 case SSL_HASH_MD5:
1875 md_alg = POLARSSL_MD_MD5;
1876 break;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1877#endif
1878#if defined(POLARSSL_SHA1_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1879 case SSL_HASH_SHA1:
1880 md_alg = POLARSSL_MD_SHA1;
1881 break;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1882#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]1883#if defined(POLARSSL_SHA256_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1884 case SSL_HASH_SHA224:
1885 md_alg = POLARSSL_MD_SHA224;
1886 break;
1887 case SSL_HASH_SHA256:
1888 md_alg = POLARSSL_MD_SHA256;
1889 break;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1890#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]1891#if defined(POLARSSL_SHA512_C)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1892 case SSL_HASH_SHA384:
1893 md_alg = POLARSSL_MD_SHA384;
1894 break;
1895 case SSL_HASH_SHA512:
1896 md_alg = POLARSSL_MD_SHA512;
1897 break;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1898#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1899 default:
1900 /* Should never happen */
1901 return( -1 );
1902 }
1903
1904 if( ( ret = md_init_ctx( &ctx, md_info_from_type( md_alg ) ) ) != 0 )
1905 {
1906 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
1907 return( ret );
1908 }
1909
1910 md_starts( &ctx );
1911 md_update( &ctx, ssl->handshake->randbytes, 64 );
1912 md_update( &ctx, dig_sig, dig_sig_len );
1913 md_finish( &ctx, hash );
Paul Bakker61d113b2013-07-04 11:51:43 +0200[diff] [blame]1914
1915 if( ( ret = md_free_ctx( &ctx ) ) != 0 )
1916 {
1917 SSL_DEBUG_RET( 1, "md_free_ctx", ret );
1918 return( ret );
1919 }
1920
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1921 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1922
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1923 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
1924
1925 if ( ssl->rsa_key )
1926 rsa_key_len = ssl->rsa_key_len( ssl->rsa_key );
1927
1928 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1929 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1930 *(p++) = ssl->handshake->sig_alg;
1931 *(p++) = SSL_SIG_RSA;
1932
1933 n += 2;
1934 }
1935
1936 *(p++) = (unsigned char)( rsa_key_len >> 8 );
1937 *(p++) = (unsigned char)( rsa_key_len );
1938 n += 2;
1939
1940 if ( ssl->rsa_key )
1941 {
1942 ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
1943 RSA_PRIVATE, md_alg, hashlen, hash, p );
1944 }
1945
1946 if( ret != 0 )
1947 {
1948 SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1949 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]1950 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1951
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1952 SSL_DEBUG_BUF( 3, "my RSA sig", p, rsa_key_len );
1953
1954 p += rsa_key_len;
1955 n += rsa_key_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1956 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1957#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
1958 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1959
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1960 ssl->out_msglen = 4 + n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1961 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1962 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE;
1963
1964 ssl->state++;
1965
1966 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1967 {
1968 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1969 return( ret );
1970 }
1971
1972 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
1973
1974 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1975}
1976
1977static int ssl_write_server_hello_done( ssl_context *ssl )
1978{
1979 int ret;
1980
1981 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
1982
1983 ssl->out_msglen = 4;
1984 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1985 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE;
1986
1987 ssl->state++;
1988
1989 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1990 {
1991 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1992 return( ret );
1993 }
1994
1995 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
1996
1997 return( 0 );
1998}
1999
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2000#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2001 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2002static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
2003 const unsigned char *end )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2004{
2005 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2006 size_t n;
2007
2008 /*
2009 * Receive G^Y mod P, premaster = (G^Y)^X mod P
2010 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2011 if( *p + 2 > end )
2012 {
2013 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2014 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2015 }
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2016
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2017 n = ( (*p)[0] << 8 ) | (*p)[1];
2018 *p += 2;
2019
2020 if( n < 1 || n > ssl->handshake->dhm_ctx.len || *p + n > end )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2021 {
2022 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2023 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2024 }
2025
2026 if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx,
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2027 *p, n ) ) != 0 )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2028 {
2029 SSL_DEBUG_RET( 1, "dhm_read_public", ret );
2030 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2031 }
2032
2033 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2034
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2035 return( ret );
2036}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2037#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2038 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2039
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2040#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2041static int ssl_parse_client_ecdh_public( ssl_context *ssl )
2042{
2043 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2044 size_t n;
2045
2046 /*
2047 * Receive client public key and calculate premaster
2048 */
2049 n = ssl->in_msg[3];
2050
2051 if( n < 1 || n > mpi_size( &ssl->handshake->ecdh_ctx.grp.P ) * 2 + 2 ||
2052 n + 4 != ssl->in_hslen )
2053 {
2054 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2055 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2056 }
2057
2058 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2059 ssl->in_msg + 4, n ) ) != 0 )
2060 {
2061 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2062 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2063 }
2064
2065 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2066
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2067 return( ret );
2068}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2069#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2070
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2071#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2072static int ssl_parse_encrypted_pms_secret( ssl_context *ssl )
2073{
2074 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2075 size_t i, n = 0;
2076
2077 if( ssl->rsa_key == NULL )
2078 {
2079 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2080 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2081 }
2082
2083 /*
2084 * Decrypt the premaster using own private RSA key
2085 */
2086 i = 4;
2087 if( ssl->rsa_key )
2088 n = ssl->rsa_key_len( ssl->rsa_key );
2089 ssl->handshake->pmslen = 48;
2090
2091 if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
2092 {
2093 i += 2;
2094 if( ssl->in_msg[4] != ( ( n >> 8 ) & 0xFF ) ||
2095 ssl->in_msg[5] != ( ( n ) & 0xFF ) )
2096 {
2097 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2098 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2099 }
2100 }
2101
2102 if( ssl->in_hslen != i + n )
2103 {
2104 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2105 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2106 }
2107
2108 if( ssl->rsa_key ) {
2109 ret = ssl->rsa_decrypt( ssl->rsa_key, RSA_PRIVATE,
2110 &ssl->handshake->pmslen,
2111 ssl->in_msg + i,
2112 ssl->handshake->premaster,
2113 sizeof(ssl->handshake->premaster) );
2114 }
2115
2116 if( ret != 0 || ssl->handshake->pmslen != 48 ||
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]2117 ssl->handshake->premaster[0] != ssl->handshake->max_major_ver ||
2118 ssl->handshake->premaster[1] != ssl->handshake->max_minor_ver )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2119 {
2120 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2121
2122 /*
2123 * Protection against Bleichenbacher's attack:
2124 * invalid PKCS#1 v1.5 padding must not cause
2125 * the connection to end immediately; instead,
2126 * send a bad_record_mac later in the handshake.
2127 */
2128 ssl->handshake->pmslen = 48;
2129
2130 ret = ssl->f_rng( ssl->p_rng, ssl->handshake->premaster,
2131 ssl->handshake->pmslen );
2132 if( ret != 0 )
2133 return( ret );
2134 }
2135
2136 return( ret );
2137}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2138#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2139
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2140#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
2141 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2142static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
2143 const unsigned char *end )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2144{
2145 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2146 size_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2147
2148 if( ssl->psk == NULL || ssl->psk_identity == NULL ||
2149 ssl->psk_identity_len == 0 || ssl->psk_len == 0 )
2150 {
2151 SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
2152 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2153 }
2154
2155 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2156 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2157 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2158 if( *p + 2 > end )
2159 {
2160 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2161 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2162 }
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2163
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2164 n = ( (*p)[0] << 8 ) | (*p)[1];
2165 *p += 2;
2166
2167 if( n < 1 || n > 65535 || *p + n > end )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2168 {
2169 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2170 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2171 }
2172
2173 if( n != ssl->psk_identity_len ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2174 memcmp( ssl->psk_identity, *p, n ) != 0 )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2175 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2176 SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2177 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2178 }
2179
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2180 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2181 ret = 0;
2182
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2183 return( ret );
2184}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2185#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED ||
2186 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2187
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2188static int ssl_parse_client_key_exchange( ssl_context *ssl )
2189{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2190 int ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2191 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2192 unsigned char *p, *end;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2193
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2194 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2195
2196 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
2197
2198 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2199 {
2200 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2201 return( ret );
2202 }
2203
2204 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2205 {
2206 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2207 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2208 }
2209
2210 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
2211 {
2212 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2213 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2214 }
2215
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2216 p = ssl->in_msg + 4;
2217 end = ssl->in_msg + ssl->in_msglen;
2218
2219#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2220 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2221 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2222 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2223 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2224 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2225 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2226 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2227
2228 ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
2229
2230 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2231 ssl->handshake->premaster,
2232 &ssl->handshake->pmslen ) ) != 0 )
2233 {
2234 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2235 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2236 }
2237
2238 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2239 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2240 else
2241#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
2242#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
2243 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2244 {
2245 if( ( ret = ssl_parse_client_ecdh_public( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2246 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2247 SSL_DEBUG_RET( 1, ( "ssl_parse_client_ecdh_public" ), ret );
2248 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2249 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2250
2251 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2252 &ssl->handshake->pmslen,
2253 ssl->handshake->premaster,
2254 POLARSSL_MPI_MAX_SIZE ) ) != 0 )
2255 {
2256 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
2257 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2258 }
2259
2260 SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2261 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2262 else
2263#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2264#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2265 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2266 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2267 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2268 {
2269 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2270 return( ret );
2271 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2272
2273 // Set up the premaster secret
2274 //
2275 p = ssl->handshake->premaster;
2276 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2277 *(p++) = (unsigned char)( ssl->psk_len );
2278 p += ssl->psk_len;
2279
2280 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2281 *(p++) = (unsigned char)( ssl->psk_len );
2282 memcpy( p, ssl->psk, ssl->psk_len );
2283 p += ssl->psk_len;
2284
2285 ssl->handshake->pmslen = 4 + 2 * ssl->psk_len;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2286 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2287 else
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2288#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
2289#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2290 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2291 {
2292 size_t n;
2293
2294 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2295 {
2296 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2297 return( ret );
2298 }
2299 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2300 {
2301 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2302 return( ret );
2303 }
2304
2305 // Set up the premaster secret
2306 //
2307 p = ssl->handshake->premaster;
2308 *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len >> 8 );
2309 *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len );
2310
2311 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2312 p, &n ) ) != 0 )
2313 {
2314 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2315 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2316 }
2317
2318 if( n != ssl->handshake->dhm_ctx.len )
2319 {
2320 SSL_DEBUG_MSG( 1, ( "dhm_calc_secret result smaller than DHM" ) );
2321 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
2322 }
2323
2324 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2325
2326 p += ssl->handshake->dhm_ctx.len;
2327
2328 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
2329 *(p++) = (unsigned char)( ssl->psk_len );
2330 memcpy( p, ssl->psk, ssl->psk_len );
2331 p += ssl->psk_len;
2332
2333 ssl->handshake->pmslen = 4 + ssl->handshake->dhm_ctx.len + ssl->psk_len;
2334 }
2335 else
2336#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
2337#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2338 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2339 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2340 if( ( ret = ssl_parse_encrypted_pms_secret( ssl ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2341 {
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]2342 SSL_DEBUG_RET( 1, ( "ssl_parse_client_ecdh_public" ), ret );
2343 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2344 }
2345 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2346 else
2347#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2348 {
2349 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
2350 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2351
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2352 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2353 {
2354 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2355 return( ret );
2356 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2357
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2358 ssl->state++;
2359
2360 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
2361
2362 return( 0 );
2363}
2364
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2365#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2366 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2367 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2368static int ssl_parse_certificate_verify( ssl_context *ssl )
2369{
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2370 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]2371 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2372
2373 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2374
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2375 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2376 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2377 {
2378 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2379 ssl->state++;
2380 return( 0 );
2381 }
2382
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2383 return( ret );
2384}
2385#else
2386static int ssl_parse_certificate_verify( ssl_context *ssl )
2387{
2388 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2389 size_t n = 0, n1, n2;
2390 unsigned char hash[48];
2391 md_type_t md_alg = POLARSSL_MD_NONE;
2392 unsigned int hashlen = 0;
2393 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2394
2395 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2396
2397 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2398 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2399 {
2400 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2401 ssl->state++;
2402 return( 0 );
2403 }
2404
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2405 if( ssl->session_negotiate->peer_cert == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2406 {
2407 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2408 ssl->state++;
2409 return( 0 );
2410 }
2411
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2412 ssl->handshake->calc_verify( ssl, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2413
2414 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2415 {
2416 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2417 return( ret );
2418 }
2419
2420 ssl->state++;
2421
2422 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2423 {
2424 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2425 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2426 }
2427
2428 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
2429 {
2430 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2431 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2432 }
2433
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2434 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2435 {
2436 /*
2437 * As server we know we either have SSL_HASH_SHA384 or
2438 * SSL_HASH_SHA256
2439 */
2440 if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg ||
2441 ssl->in_msg[5] != SSL_SIG_RSA )
2442 {
2443 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg for verify message" ) );
2444 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
2445 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2446
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2447 if( ssl->handshake->verify_sig_alg == SSL_HASH_SHA384 )
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2448 md_alg = POLARSSL_MD_SHA384;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2449 else
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2450 md_alg = POLARSSL_MD_SHA256;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2451
2452 n += 2;
2453 }
2454 else
2455 {
2456 hashlen = 36;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2457 md_alg = POLARSSL_MD_NONE;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2458 }
2459
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2460 /* EC NOT IMPLEMENTED YET */
2461 if( ssl->session_negotiate->peer_cert->pk.type != POLARSSL_PK_RSA )
2462 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
2463
2464 n1 = pk_rsa( ssl->session_negotiate->peer_cert->pk )->len;
Paul Bakker78ce5072012-11-23 14:23:53 +0100[diff] [blame]2465 n2 = ( ssl->in_msg[4 + n] << 8 ) | ssl->in_msg[5 + n];
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2466
2467 if( n + n1 + 6 != ssl->in_hslen || n1 != n2 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2468 {
2469 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2470 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2471 }
2472
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2473 ret = rsa_pkcs1_verify( pk_rsa( ssl->session_negotiate->peer_cert->pk ),
2474 RSA_PUBLIC, md_alg, hashlen, hash,
2475 ssl->in_msg + 6 + n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2476 if( ret != 0 )
2477 {
2478 SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
2479 return( ret );
2480 }
2481
2482 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
2483
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2484 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2485}
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2486#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2487 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2488 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2489
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2490#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2491static int ssl_write_new_session_ticket( ssl_context *ssl )
2492{
2493 int ret;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2494 size_t tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2495
2496 SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
2497
2498 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2499 ssl->out_msg[0] = SSL_HS_NEW_SESSION_TICKET;
2500
2501 /*
2502 * struct {
2503 * uint32 ticket_lifetime_hint;
2504 * opaque ticket<0..2^16-1>;
2505 * } NewSessionTicket;
2506 *
2507 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
2508 * 8 . 9 ticket_len (n)
2509 * 10 . 9+n ticket content
2510 */
2511 ssl->out_msg[4] = 0x00;
2512 ssl->out_msg[5] = 0x00;
2513 ssl->out_msg[6] = 0x00;
2514 ssl->out_msg[7] = 0x00;
2515
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]2516 if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
2517 {
2518 SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
2519 tlen = 0;
2520 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2521
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2522 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
2523 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2524
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]2525 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2526
2527 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2528 {
2529 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2530 return( ret );
2531 }
2532
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2533 /* No need to remember writing a NewSessionTicket any more */
2534 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2535
2536 SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
2537
2538 return( 0 );
2539}
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2540#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2541
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2542/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2543 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2544 */
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2545int ssl_handshake_server_step( ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2546{
2547 int ret = 0;
2548
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2549 if( ssl->state == SSL_HANDSHAKE_OVER )
2550 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2551
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2552 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
2553
2554 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2555 return( ret );
2556
2557 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2558 {
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2559 case SSL_HELLO_REQUEST:
2560 ssl->state = SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2561 break;
2562
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2563 /*
2564 * <== ClientHello
2565 */
2566 case SSL_CLIENT_HELLO:
2567 ret = ssl_parse_client_hello( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2568 break;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2569
2570 /*
2571 * ==> ServerHello
2572 * Certificate
2573 * ( ServerKeyExchange )
2574 * ( CertificateRequest )
2575 * ServerHelloDone
2576 */
2577 case SSL_SERVER_HELLO:
2578 ret = ssl_write_server_hello( ssl );
2579 break;
2580
2581 case SSL_SERVER_CERTIFICATE:
2582 ret = ssl_write_certificate( ssl );
2583 break;
2584
2585 case SSL_SERVER_KEY_EXCHANGE:
2586 ret = ssl_write_server_key_exchange( ssl );
2587 break;
2588
2589 case SSL_CERTIFICATE_REQUEST:
2590 ret = ssl_write_certificate_request( ssl );
2591 break;
2592
2593 case SSL_SERVER_HELLO_DONE:
2594 ret = ssl_write_server_hello_done( ssl );
2595 break;
2596
2597 /*
2598 * <== ( Certificate/Alert )
2599 * ClientKeyExchange
2600 * ( CertificateVerify )
2601 * ChangeCipherSpec
2602 * Finished
2603 */
2604 case SSL_CLIENT_CERTIFICATE:
2605 ret = ssl_parse_certificate( ssl );
2606 break;
2607
2608 case SSL_CLIENT_KEY_EXCHANGE:
2609 ret = ssl_parse_client_key_exchange( ssl );
2610 break;
2611
2612 case SSL_CERTIFICATE_VERIFY:
2613 ret = ssl_parse_certificate_verify( ssl );
2614 break;
2615
2616 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
2617 ret = ssl_parse_change_cipher_spec( ssl );
2618 break;
2619
2620 case SSL_CLIENT_FINISHED:
2621 ret = ssl_parse_finished( ssl );
2622 break;
2623
2624 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2625 * ==> ( NewSessionTicket )
2626 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2627 * Finished
2628 */
2629 case SSL_SERVER_CHANGE_CIPHER_SPEC:
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2630#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2631 if( ssl->handshake->new_session_ticket != 0 )
2632 ret = ssl_write_new_session_ticket( ssl );
2633 else
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2634#endif
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]2635 ret = ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]2636 break;
2637
2638 case SSL_SERVER_FINISHED:
2639 ret = ssl_write_finished( ssl );
2640 break;
2641
2642 case SSL_FLUSH_BUFFERS:
2643 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2644 ssl->state = SSL_HANDSHAKE_WRAPUP;
2645 break;
2646
2647 case SSL_HANDSHAKE_WRAPUP:
2648 ssl_handshake_wrapup( ssl );
2649 break;
2650
2651 default:
2652 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2653 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2654 }
2655
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2656 return( ret );
2657}
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2658#endif