blob: 12ccb12826c99d0cf620fc531b3803de982bde52 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
2 * SSLv3/TLSv1 server-side functions
3 *
Paul Bakker68884e32013-01-07 18:20:04 +01004 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +00005 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +00007 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +00008 *
Paul Bakker77b385e2009-07-28 17:23:11 +00009 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +000010 *
Paul Bakker5121ce52009-01-03 21:22:43 +000011 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
Paul Bakker40e46942009-01-03 21:51:57 +000026#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000027
Paul Bakker40e46942009-01-03 21:51:57 +000028#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000029
Paul Bakker40e46942009-01-03 21:51:57 +000030#include "polarssl/debug.h"
31#include "polarssl/ssl.h"
Paul Bakker41c83d32013-03-20 14:39:14 +010032#if defined(POLARSSL_ECP_C)
33#include "polarssl/ecp.h"
34#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000035
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020036#if defined(POLARSSL_MEMORY_C)
37#include "polarssl/memory.h"
38#else
39#define polarssl_malloc malloc
40#define polarssl_free free
41#endif
42
Paul Bakker5121ce52009-01-03 21:22:43 +000043#include <stdlib.h>
44#include <stdio.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +020045
46#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +000047#include <time.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +020048#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000049
Paul Bakkera503a632013-08-14 13:48:06 +020050#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020051/*
52 * Serialize a session in the following format:
53 * 0 . n-1 session structure, n = sizeof(ssl_session)
54 * n . n+2 peer_cert length = m (0 if no certificate)
55 * n+3 . n+2+m peer cert ASN.1
56 *
57 * Assumes ticket is NULL (always true on server side).
58 */
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020059static int ssl_save_session( const ssl_session *session,
60 unsigned char *buf, size_t buf_len,
61 size_t *olen )
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020062{
63 unsigned char *p = buf;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020064 size_t left = buf_len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +020065#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020066 size_t cert_len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +020067#endif /* POLARSSL_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020068
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020069 if( left < sizeof( ssl_session ) )
70 return( -1 );
71
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020072 memcpy( p, session, sizeof( ssl_session ) );
73 p += sizeof( ssl_session );
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020074 left -= sizeof( ssl_session );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020075
Paul Bakker7c6b2c32013-09-16 13:49:26 +020076#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020077 if( session->peer_cert == NULL )
78 cert_len = 0;
79 else
80 cert_len = session->peer_cert->raw.len;
81
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020082 if( left < 3 + cert_len )
83 return( -1 );
84
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020085 *p++ = (unsigned char)( cert_len >> 16 & 0xFF );
86 *p++ = (unsigned char)( cert_len >> 8 & 0xFF );
87 *p++ = (unsigned char)( cert_len & 0xFF );
88
89 if( session->peer_cert != NULL )
90 memcpy( p, session->peer_cert->raw.p, cert_len );
91
92 p += cert_len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +020093#endif /* POLARSSL_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020094
95 *olen = p - buf;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +020096
97 return( 0 );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +020098}
99
100/*
101 * Unserialise session, see ssl_save_session()
102 */
103static int ssl_load_session( ssl_session *session,
104 const unsigned char *buf, size_t len )
105{
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200106 const unsigned char *p = buf;
107 const unsigned char * const end = buf + len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200108#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200109 size_t cert_len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200110#endif /* POLARSSL_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200111
112 if( p + sizeof( ssl_session ) > end )
113 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
114
115 memcpy( session, p, sizeof( ssl_session ) );
116 p += sizeof( ssl_session );
117
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200118#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200119 if( p + 3 > end )
120 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
121
122 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
123 p += 3;
124
125 if( cert_len == 0 )
126 {
127 session->peer_cert = NULL;
128 }
129 else
130 {
Paul Bakker2292d1f2013-09-15 17:06:49 +0200131 int ret;
132
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200133 if( p + cert_len > end )
134 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
135
Paul Bakkerc559c7a2013-09-18 14:13:26 +0200136 session->peer_cert = polarssl_malloc( sizeof( x509_crt ) );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200137
138 if( session->peer_cert == NULL )
139 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
140
Paul Bakkerb6b09562013-09-18 14:17:41 +0200141 x509_crt_init( session->peer_cert );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200142
Paul Bakkerddf26b42013-09-18 13:46:23 +0200143 if( ( ret = x509_crt_parse( session->peer_cert, p, cert_len ) ) != 0 )
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200144 {
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200145 x509_crt_free( session->peer_cert );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200146 polarssl_free( session->peer_cert );
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200147 session->peer_cert = NULL;
148 return( ret );
149 }
150
151 p += cert_len;
152 }
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200153#endif /* POLARSSL_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard94f6a792013-08-01 14:33:49 +0200154
155 if( p != end )
156 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
157
158 return( 0 );
159}
160
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200161/*
162 * Create session ticket, secured as recommended in RFC 5077 section 4:
163 *
164 * struct {
165 * opaque key_name[16];
166 * opaque iv[16];
167 * opaque encrypted_state<0..2^16-1>;
168 * opaque mac[32];
169 * } ticket;
170 *
171 * (the internal state structure differs, however).
172 */
173static int ssl_write_ticket( ssl_context *ssl, size_t *tlen )
174{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200175 int ret;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200176 unsigned char * const start = ssl->out_msg + 10;
177 unsigned char *p = start;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200178 unsigned char *state;
179 unsigned char iv[16];
180 size_t clear_len, enc_len, pad_len, i;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200181
Manuel Pégourié-Gonnard0a201712013-08-23 16:25:16 +0200182 *tlen = 0;
183
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200184 if( ssl->ticket_keys == NULL )
185 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
186
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200187 /* Write key name */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200188 memcpy( p, ssl->ticket_keys->key_name, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200189 p += 16;
190
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200191 /* Generate and write IV (with a copy for aes_crypt) */
192 if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 )
193 return( ret );
194 memcpy( iv, p, 16 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200195 p += 16;
196
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200197 /*
198 * Dump session state
199 *
200 * After the session state itself, we still need room for 16 bytes of
201 * padding and 32 bytes of MAC, so there's only so much room left
202 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200203 state = p + 2;
Manuel Pégourié-Gonnardc6554aa2013-08-23 11:10:28 +0200204 if( ssl_save_session( ssl->session_negotiate, state,
205 SSL_MAX_CONTENT_LEN - (state - ssl->out_ctr) - 48,
206 &clear_len ) != 0 )
207 {
208 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
209 }
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200210 SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200211
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200212 /* Apply PKCS padding */
213 pad_len = 16 - clear_len % 16;
214 enc_len = clear_len + pad_len;
215 for( i = clear_len; i < enc_len; i++ )
216 state[i] = (unsigned char) pad_len;
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200217
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200218 /* Encrypt */
219 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT,
220 enc_len, iv, state, state ) ) != 0 )
221 {
222 return( ret );
223 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200224
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200225 /* Write length */
226 *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF );
227 *p++ = (unsigned char)( ( enc_len ) & 0xFF );
228 p = state + enc_len;
229
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200230 /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */
231 sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200232 p += 32;
233
234 *tlen = p - start;
235
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200236 SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200237
238 return( 0 );
239}
240
241/*
242 * Load session ticket (see ssl_write_ticket for structure)
243 */
244static int ssl_parse_ticket( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200245 unsigned char *buf,
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200246 size_t len )
247{
248 int ret;
249 ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200250 unsigned char *key_name = buf;
251 unsigned char *iv = buf + 16;
252 unsigned char *enc_len_p = iv + 16;
253 unsigned char *ticket = enc_len_p + 2;
254 unsigned char *mac;
Manuel Pégourié-Gonnard34ced2d2013-09-20 11:37:39 +0200255 unsigned char computed_mac[32];
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200256 size_t enc_len, clear_len, i;
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100257 unsigned char pad_len, diff;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200258
259 SSL_DEBUG_BUF( 3, "session ticket structure", buf, len );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200260
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +0200261 if( len < 34 || ssl->ticket_keys == NULL )
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200262 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
263
264 enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
265 mac = ticket + enc_len;
266
267 if( len != enc_len + 66 )
268 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
269
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100270 /* Check name, in constant time though it's not a big secret */
271 diff = 0;
272 for( i = 0; i < 16; i++ )
273 diff |= key_name[i] ^ ssl->ticket_keys->key_name[i];
274 /* don't return yet, check the MAC anyway */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200275
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100276 /* Check mac, with constant-time buffer comparison */
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200277 sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32,
278 computed_mac, 0 );
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100279
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +0200280 for( i = 0; i < 32; i++ )
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100281 diff |= mac[i] ^ computed_mac[i];
282
283 /* Now return if ticket is not authentic, since we want to avoid
284 * decrypting arbitrary attacker-chosen data */
285 if( diff != 0 )
286 return( POLARSSL_ERR_SSL_INVALID_MAC );
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200287
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200288 /* Decrypt */
289 if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT,
290 enc_len, iv, ticket, ticket ) ) != 0 )
291 {
292 return( ret );
293 }
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200294
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200295 /* Check PKCS padding */
296 pad_len = ticket[enc_len - 1];
297
298 ret = 0;
299 for( i = 2; i < pad_len; i++ )
300 if( ticket[enc_len - i] != pad_len )
301 ret = POLARSSL_ERR_SSL_BAD_INPUT_DATA;
302 if( ret != 0 )
303 return( ret );
304
305 clear_len = enc_len - pad_len;
306
307 SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len );
308
309 /* Actually load session */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200310 if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 )
311 {
312 SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) );
313 memset( &session, 0, sizeof( ssl_session ) );
314 return( ret );
315 }
316
Paul Bakker606b4ba2013-08-14 16:52:14 +0200317#if defined(POLARSSL_HAVE_TIME)
318 /* Check if still valid */
319 if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime )
320 {
321 SSL_DEBUG_MSG( 1, ( "session ticket expired" ) );
322 memset( &session, 0, sizeof( ssl_session ) );
323 return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED );
324 }
325#endif
326
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200327 /*
328 * Keep the session ID sent by the client, since we MUST send it back to
329 * inform him we're accepting the ticket (RFC 5077 section 3.4)
330 */
331 session.length = ssl->session_negotiate->length;
332 memcpy( &session.id, ssl->session_negotiate->id, session.length );
333
334 ssl_session_free( ssl->session_negotiate );
335 memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) );
336 memset( &session, 0, sizeof( ssl_session ) );
337
338 return( 0 );
339}
Paul Bakkera503a632013-08-14 13:48:06 +0200340#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200341
Paul Bakker0be444a2013-08-27 21:55:01 +0200342#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200343/*
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +0200344 * Wrapper around f_sni, allowing use of ssl_set_own_cert() but
345 * making it act on ssl->hanshake->sni_key_cert instead.
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200346 */
347static int ssl_sni_wrapper( ssl_context *ssl,
348 const unsigned char* name, size_t len )
349{
350 int ret;
351 ssl_key_cert *key_cert_ori = ssl->key_cert;
352
353 ssl->key_cert = NULL;
354 ret = ssl->f_sni( ssl->p_sni, ssl, name, len );
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +0200355 ssl->handshake->sni_key_cert = ssl->key_cert;
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200356
357 ssl->key_cert = key_cert_ori;
358
359 return( ret );
360}
361
Paul Bakker5701cdc2012-09-27 21:49:42 +0000362static int ssl_parse_servername_ext( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000363 const unsigned char *buf,
Paul Bakker5701cdc2012-09-27 21:49:42 +0000364 size_t len )
365{
366 int ret;
367 size_t servername_list_size, hostname_len;
Paul Bakker23f36802012-09-28 14:15:14 +0000368 const unsigned char *p;
Paul Bakker5701cdc2012-09-27 21:49:42 +0000369
370 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
371 if( servername_list_size + 2 != len )
372 {
373 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
374 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
375 }
376
377 p = buf + 2;
378 while( servername_list_size > 0 )
379 {
380 hostname_len = ( ( p[1] << 8 ) | p[2] );
381 if( hostname_len + 3 > servername_list_size )
382 {
383 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
384 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
385 }
386
387 if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
388 {
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +0200389 ret = ssl_sni_wrapper( ssl, p + 3, hostname_len );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000390 if( ret != 0 )
391 {
392 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
393 SSL_ALERT_MSG_UNRECOGNIZED_NAME );
394 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
395 }
Paul Bakker81420ab2012-10-23 10:31:15 +0000396 return( 0 );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000397 }
398
399 servername_list_size -= hostname_len + 3;
Paul Bakker23f36802012-09-28 14:15:14 +0000400 p += hostname_len + 3;
401 }
402
403 if( servername_list_size != 0 )
404 {
405 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
406 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5701cdc2012-09-27 21:49:42 +0000407 }
408
409 return( 0 );
410}
Paul Bakker0be444a2013-08-27 21:55:01 +0200411#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +0000412
Paul Bakker48916f92012-09-16 19:57:18 +0000413static int ssl_parse_renegotiation_info( ssl_context *ssl,
Paul Bakker23f36802012-09-28 14:15:14 +0000414 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +0000415 size_t len )
416{
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000417 int ret;
418
Paul Bakker48916f92012-09-16 19:57:18 +0000419 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
420 {
421 if( len != 1 || buf[0] != 0x0 )
422 {
423 SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000424
425 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
426 return( ret );
427
Paul Bakker48916f92012-09-16 19:57:18 +0000428 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
429 }
430
431 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
432 }
433 else
434 {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100435 /* Check verify-data in constant-time. The length OTOH is no secret */
Paul Bakker48916f92012-09-16 19:57:18 +0000436 if( len != 1 + ssl->verify_data_len ||
437 buf[0] != ssl->verify_data_len ||
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100438 safer_memcmp( buf + 1, ssl->peer_verify_data,
439 ssl->verify_data_len ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000440 {
441 SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000442
443 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
444 return( ret );
445
Paul Bakker48916f92012-09-16 19:57:18 +0000446 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
447 }
448 }
449
450 return( 0 );
451}
452
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200453#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker23f36802012-09-28 14:15:14 +0000454static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
455 const unsigned char *buf,
456 size_t len )
457{
458 size_t sig_alg_list_size;
459 const unsigned char *p;
460
461 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
462 if( sig_alg_list_size + 2 != len ||
463 sig_alg_list_size %2 != 0 )
464 {
465 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
466 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
467 }
468
469 p = buf + 2;
470 while( sig_alg_list_size > 0 )
471 {
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200472 /*
473 * For now, just ignore signature algorithm and rely on offered
474 * ciphersuites only. To be fixed later.
475 */
Paul Bakker9e36f042013-06-30 14:34:05 +0200476#if defined(POLARSSL_SHA512_C)
Paul Bakker23f36802012-09-28 14:15:14 +0000477 if( p[0] == SSL_HASH_SHA512 )
478 {
479 ssl->handshake->sig_alg = SSL_HASH_SHA512;
480 break;
481 }
482 if( p[0] == SSL_HASH_SHA384 )
483 {
484 ssl->handshake->sig_alg = SSL_HASH_SHA384;
485 break;
486 }
487#endif
Paul Bakker9e36f042013-06-30 14:34:05 +0200488#if defined(POLARSSL_SHA256_C)
Paul Bakker23f36802012-09-28 14:15:14 +0000489 if( p[0] == SSL_HASH_SHA256 )
490 {
491 ssl->handshake->sig_alg = SSL_HASH_SHA256;
492 break;
493 }
494 if( p[0] == SSL_HASH_SHA224 )
495 {
496 ssl->handshake->sig_alg = SSL_HASH_SHA224;
497 break;
498 }
499#endif
500 if( p[0] == SSL_HASH_SHA1 )
501 {
502 ssl->handshake->sig_alg = SSL_HASH_SHA1;
503 break;
504 }
505 if( p[0] == SSL_HASH_MD5 )
506 {
507 ssl->handshake->sig_alg = SSL_HASH_MD5;
508 break;
509 }
510
511 sig_alg_list_size -= 2;
512 p += 2;
513 }
514
515 SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
516 ssl->handshake->sig_alg ) );
517
518 return( 0 );
519}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200520#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker23f36802012-09-28 14:15:14 +0000521
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200522#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200523static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
524 const unsigned char *buf,
525 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100526{
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200527 size_t list_size, our_size;
Paul Bakker41c83d32013-03-20 14:39:14 +0100528 const unsigned char *p;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200529 const ecp_curve_info *curve_info, **curves;
Paul Bakker41c83d32013-03-20 14:39:14 +0100530
531 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
532 if( list_size + 2 != len ||
533 list_size % 2 != 0 )
534 {
535 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
536 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
537 }
538
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200539 /* Don't allow our peer to make use allocated too much memory,
540 * and leave room for a final 0 */
541 our_size = list_size / 2 + 1;
542 if( our_size > POLARSSL_ECP_DP_MAX )
543 our_size = POLARSSL_ECP_DP_MAX;
544
545 if( ( curves = polarssl_malloc( our_size * sizeof( *curves ) ) ) == NULL )
546 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
547
Paul Bakkerbeccd9f2013-10-11 15:20:27 +0200548 /* explicit void pointer cast for buggy MS compiler */
549 memset( (void *) curves, 0, our_size * sizeof( *curves ) );
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200550 ssl->handshake->curves = curves;
551
Paul Bakker41c83d32013-03-20 14:39:14 +0100552 p = buf + 2;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200553 while( list_size > 0 && our_size > 1 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100554 {
Manuel Pégourié-Gonnardf24b4a72013-09-23 18:14:50 +0200555 curve_info = ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200556
Manuel Pégourié-Gonnardf24b4a72013-09-23 18:14:50 +0200557 if( curve_info != NULL )
Paul Bakker41c83d32013-03-20 14:39:14 +0100558 {
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200559 *curves++ = curve_info;
560 our_size--;
Paul Bakker41c83d32013-03-20 14:39:14 +0100561 }
562
563 list_size -= 2;
564 p += 2;
565 }
566
567 return( 0 );
568}
569
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200570static int ssl_parse_supported_point_formats( ssl_context *ssl,
571 const unsigned char *buf,
572 size_t len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100573{
574 size_t list_size;
575 const unsigned char *p;
576
577 list_size = buf[0];
578 if( list_size + 1 != len )
579 {
580 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
581 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
582 }
583
584 p = buf + 2;
585 while( list_size > 0 )
586 {
587 if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
588 p[0] == POLARSSL_ECP_PF_COMPRESSED )
589 {
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200590 ssl->handshake->ecdh_ctx.point_format = p[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200591 SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
Paul Bakker41c83d32013-03-20 14:39:14 +0100592 return( 0 );
593 }
594
595 list_size--;
596 p++;
597 }
598
599 return( 0 );
600}
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +0200601#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Paul Bakker41c83d32013-03-20 14:39:14 +0100602
Paul Bakker05decb22013-08-15 13:33:48 +0200603#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200604static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
605 const unsigned char *buf,
606 size_t len )
607{
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200608 if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID )
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200609 {
610 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
611 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
612 }
613
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200614 ssl->session_negotiate->mfl_code = buf[0];
615
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200616 return( 0 );
617}
Paul Bakker05decb22013-08-15 13:33:48 +0200618#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200619
Paul Bakker1f2bc622013-08-15 13:45:55 +0200620#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200621static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
622 const unsigned char *buf,
623 size_t len )
624{
625 if( len != 0 )
626 {
627 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
628 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
629 }
630
631 ((void) buf);
632
633 ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
634
635 return( 0 );
636}
Paul Bakker1f2bc622013-08-15 13:45:55 +0200637#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200638
Paul Bakkera503a632013-08-14 13:48:06 +0200639#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200640static int ssl_parse_session_ticket_ext( ssl_context *ssl,
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200641 unsigned char *buf,
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200642 size_t len )
643{
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200644 int ret;
645
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200646 if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
647 return( 0 );
648
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200649 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200650 ssl->handshake->new_session_ticket = 1;
651
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200652 SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
653
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200654 if( len == 0 )
655 return( 0 );
656
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200657 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
658 {
659 SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
660 return( 0 );
661 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200662
663 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200664 * Failures are ok: just ignore the ticket and proceed.
665 */
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200666 if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 )
667 {
668 SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret );
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200669 return( 0 );
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200670 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200671
672 SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
673
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200674 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200675
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200676 /* Don't send a new ticket after all, this one is OK */
677 ssl->handshake->new_session_ticket = 0;
678
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200679 return( 0 );
680}
Paul Bakkera503a632013-08-14 13:48:06 +0200681#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200682
Paul Bakker78a8c712013-03-06 17:01:52 +0100683#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
684static int ssl_parse_client_hello_v2( ssl_context *ssl )
685{
686 int ret;
687 unsigned int i, j;
688 size_t n;
689 unsigned int ciph_len, sess_len, chal_len;
690 unsigned char *buf, *p;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200691 const int *ciphersuites;
Paul Bakker59c28a22013-06-29 15:33:42 +0200692 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker78a8c712013-03-06 17:01:52 +0100693
694 SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
695
696 if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
697 {
698 SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
699
700 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
701 return( ret );
702
703 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
704 }
705
706 buf = ssl->in_hdr;
707
708 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
709
710 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
711 buf[2] ) );
712 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
713 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
714 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
715 buf[3], buf[4] ) );
716
717 /*
718 * SSLv2 Client Hello
719 *
720 * Record layer:
721 * 0 . 1 message length
722 *
723 * SSL layer:
724 * 2 . 2 message type
725 * 3 . 4 protocol version
726 */
727 if( buf[2] != SSL_HS_CLIENT_HELLO ||
728 buf[3] != SSL_MAJOR_VERSION_3 )
729 {
730 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
731 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
732 }
733
734 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
735
736 if( n < 17 || n > 512 )
737 {
738 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
739 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
740 }
741
742 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200743 ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver )
744 ? buf[4] : ssl->max_minor_ver;
Paul Bakker78a8c712013-03-06 17:01:52 +0100745
746 if( ssl->minor_ver < ssl->min_minor_ver )
747 {
748 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
749 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
750 ssl->min_major_ver, ssl->min_minor_ver ) );
751
752 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
753 SSL_ALERT_MSG_PROTOCOL_VERSION );
754 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
755 }
756
Paul Bakker2fbefde2013-06-29 16:01:15 +0200757 ssl->handshake->max_major_ver = buf[3];
758 ssl->handshake->max_minor_ver = buf[4];
Paul Bakker78a8c712013-03-06 17:01:52 +0100759
760 if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
761 {
762 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
763 return( ret );
764 }
765
766 ssl->handshake->update_checksum( ssl, buf + 2, n );
767
768 buf = ssl->in_msg;
769 n = ssl->in_left - 5;
770
771 /*
772 * 0 . 1 ciphersuitelist length
773 * 2 . 3 session id length
774 * 4 . 5 challenge length
775 * 6 . .. ciphersuitelist
776 * .. . .. session id
777 * .. . .. challenge
778 */
779 SSL_DEBUG_BUF( 4, "record contents", buf, n );
780
781 ciph_len = ( buf[0] << 8 ) | buf[1];
782 sess_len = ( buf[2] << 8 ) | buf[3];
783 chal_len = ( buf[4] << 8 ) | buf[5];
784
785 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
786 ciph_len, sess_len, chal_len ) );
787
788 /*
789 * Make sure each parameter length is valid
790 */
791 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
792 {
793 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
794 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
795 }
796
797 if( sess_len > 32 )
798 {
799 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
800 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
801 }
802
803 if( chal_len < 8 || chal_len > 32 )
804 {
805 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
806 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
807 }
808
809 if( n != 6 + ciph_len + sess_len + chal_len )
810 {
811 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
812 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
813 }
814
815 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
816 buf + 6, ciph_len );
817 SSL_DEBUG_BUF( 3, "client hello, session id",
818 buf + 6 + ciph_len, sess_len );
819 SSL_DEBUG_BUF( 3, "client hello, challenge",
820 buf + 6 + ciph_len + sess_len, chal_len );
821
822 p = buf + 6 + ciph_len;
823 ssl->session_negotiate->length = sess_len;
824 memset( ssl->session_negotiate->id, 0, sizeof( ssl->session_negotiate->id ) );
825 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
826
827 p += sess_len;
828 memset( ssl->handshake->randbytes, 0, 64 );
829 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
830
831 /*
832 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
833 */
834 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
835 {
836 if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
837 {
838 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
839 if( ssl->renegotiation == SSL_RENEGOTIATION )
840 {
841 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
842
843 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
844 return( ret );
845
846 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
847 }
848 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
849 break;
850 }
851 }
852
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200853 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
854 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker78a8c712013-03-06 17:01:52 +0100855 {
856 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
857 {
Paul Bakker41c83d32013-03-20 14:39:14 +0100858 // Only allow non-ECC ciphersuites as we do not have extensions
859 //
Paul Bakker59c28a22013-06-29 15:33:42 +0200860 if( p[0] == 0 && p[1] == 0 &&
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200861 ( ( ciphersuites[i] >> 8 ) & 0xFF ) == 0 &&
862 p[2] == ( ciphersuites[i] & 0xFF ) )
Paul Bakker59c28a22013-06-29 15:33:42 +0200863 {
864 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
865
866 if( ciphersuite_info == NULL )
867 {
868 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
869 ciphersuites[i] ) );
870 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
871 }
872
Paul Bakker2fbefde2013-06-29 16:01:15 +0200873 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
874 ciphersuite_info->max_minor_ver < ssl->minor_ver )
875 continue;
Paul Bakker59c28a22013-06-29 15:33:42 +0200876
Paul Bakker78a8c712013-03-06 17:01:52 +0100877 goto have_ciphersuite_v2;
Paul Bakker59c28a22013-06-29 15:33:42 +0200878 }
Paul Bakker78a8c712013-03-06 17:01:52 +0100879 }
880 }
881
882 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
883
884 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
885
886have_ciphersuite_v2:
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200887 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker59c28a22013-06-29 15:33:42 +0200888 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +0100889 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
Paul Bakker78a8c712013-03-06 17:01:52 +0100890
891 /*
892 * SSLv2 Client Hello relevant renegotiation security checks
893 */
894 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
895 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
896 {
897 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
898
899 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
900 return( ret );
901
902 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
903 }
904
905 ssl->in_left = 0;
906 ssl->state++;
907
908 SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
909
910 return( 0 );
911}
912#endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
913
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200914#if defined(POLARSSL_X509_CRT_PARSE_C)
915#if defined(POLARSSL_ECDSA_C)
916static int ssl_key_matches_curves( pk_context *pk,
917 const ecp_curve_info **curves )
918{
919 const ecp_curve_info **crv = curves;
920 ecp_group_id grp_id = pk_ec( *pk )->grp.id;
921
922 while( *crv != NULL )
923 {
924 if( (*crv)->grp_id == grp_id )
925 return( 1 );
926 crv++;
927 }
928
929 return( 0 );
930}
931#endif /* POLARSSL_ECDSA_C */
932
933/*
934 * Try picking a certificate for this ciphersuite,
935 * return 0 on success and -1 on failure.
936 */
937static int ssl_pick_cert( ssl_context *ssl,
938 const ssl_ciphersuite_t * ciphersuite_info )
939{
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +0200940 ssl_key_cert *cur, *list;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200941 pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
942
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +0200943#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
944 if( ssl->handshake->sni_key_cert != NULL )
945 list = ssl->handshake->sni_key_cert;
946 else
947#endif
948 list = ssl->handshake->key_cert;
949
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200950 if( pk_alg == POLARSSL_PK_NONE )
951 return( 0 );
952
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +0200953 for( cur = list; cur != NULL; cur = cur->next )
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200954 {
955 if( ! pk_can_do( cur->key, pk_alg ) )
956 continue;
957
958#if defined(POLARSSL_ECDSA_C)
959 if( pk_alg == POLARSSL_PK_ECDSA )
960 {
961 if( ssl_key_matches_curves( cur->key, ssl->handshake->curves ) )
962 break;
963 }
964 else
965#endif
966 break;
967 }
968
969 if( cur == NULL )
970 return( -1 );
971
972 ssl->handshake->key_cert = cur;
973 return( 0 );
974}
975#endif /* POLARSSL_X509_CRT_PARSE_C */
976
Paul Bakker5121ce52009-01-03 21:22:43 +0000977static int ssl_parse_client_hello( ssl_context *ssl )
978{
Paul Bakker23986e52011-04-24 08:57:21 +0000979 int ret;
980 unsigned int i, j;
981 size_t n;
982 unsigned int ciph_len, sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +0000983 unsigned int comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000984 unsigned int ext_len = 0;
985 unsigned char *buf, *p, *ext;
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000986 int renegotiation_info_seen = 0;
987 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200988 const int *ciphersuites;
Paul Bakker41c83d32013-03-20 14:39:14 +0100989 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000990
991 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
992
Paul Bakker48916f92012-09-16 19:57:18 +0000993 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
994 ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000995 {
996 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
997 return( ret );
998 }
999
1000 buf = ssl->in_hdr;
1001
Paul Bakker78a8c712013-03-06 17:01:52 +01001002#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1003 if( ( buf[0] & 0x80 ) != 0 )
1004 return ssl_parse_client_hello_v2( ssl );
1005#endif
1006
Paul Bakkerec636f32012-09-09 19:17:02 +00001007 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
1008
1009 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
1010 buf[0] ) );
1011 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
1012 ( buf[3] << 8 ) | buf[4] ) );
1013 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
1014 buf[1], buf[2] ) );
1015
1016 /*
1017 * SSLv3 Client Hello
1018 *
1019 * Record layer:
1020 * 0 . 0 message type
1021 * 1 . 2 protocol version
1022 * 3 . 4 message length
1023 */
1024 if( buf[0] != SSL_MSG_HANDSHAKE ||
1025 buf[1] != SSL_MAJOR_VERSION_3 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001026 {
Paul Bakkerec636f32012-09-09 19:17:02 +00001027 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1028 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1029 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001030
Paul Bakkerec636f32012-09-09 19:17:02 +00001031 n = ( buf[3] << 8 ) | buf[4];
Paul Bakker5121ce52009-01-03 21:22:43 +00001032
Manuel Pégourié-Gonnard72882b22013-08-02 13:36:00 +02001033 if( n < 45 || n > 2048 )
Paul Bakkerec636f32012-09-09 19:17:02 +00001034 {
1035 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1036 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1037 }
1038
Paul Bakker48916f92012-09-16 19:57:18 +00001039 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
1040 ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
Paul Bakkerec636f32012-09-09 19:17:02 +00001041 {
1042 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1043 return( ret );
1044 }
1045
1046 buf = ssl->in_msg;
Paul Bakker48916f92012-09-16 19:57:18 +00001047 if( !ssl->renegotiation )
1048 n = ssl->in_left - 5;
1049 else
1050 n = ssl->in_msglen;
Paul Bakkerec636f32012-09-09 19:17:02 +00001051
Paul Bakker48916f92012-09-16 19:57:18 +00001052 ssl->handshake->update_checksum( ssl, buf, n );
Paul Bakkerec636f32012-09-09 19:17:02 +00001053
1054 /*
1055 * SSL layer:
1056 * 0 . 0 handshake type
1057 * 1 . 3 handshake length
1058 * 4 . 5 protocol version
1059 * 6 . 9 UNIX time()
1060 * 10 . 37 random bytes
1061 * 38 . 38 session id length
1062 * 39 . 38+x session id
1063 * 39+x . 40+x ciphersuitelist length
1064 * 41+x . .. ciphersuitelist
1065 * .. . .. compression alg.
1066 * .. . .. extensions
1067 */
1068 SSL_DEBUG_BUF( 4, "record contents", buf, n );
1069
1070 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
1071 buf[0] ) );
1072 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
1073 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
1074 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
1075 buf[4], buf[5] ) );
1076
1077 /*
1078 * Check the handshake type and protocol version
1079 */
1080 if( buf[0] != SSL_HS_CLIENT_HELLO ||
1081 buf[4] != SSL_MAJOR_VERSION_3 )
1082 {
1083 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1084 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1085 }
1086
1087 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker2fbefde2013-06-29 16:01:15 +02001088 ssl->minor_ver = ( buf[5] <= ssl->max_minor_ver )
1089 ? buf[5] : ssl->max_minor_ver;
Paul Bakkerec636f32012-09-09 19:17:02 +00001090
Paul Bakker1d29fb52012-09-28 13:28:45 +00001091 if( ssl->minor_ver < ssl->min_minor_ver )
1092 {
1093 SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1094 " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
Paul Bakker81420ab2012-10-23 10:31:15 +00001095 ssl->min_major_ver, ssl->min_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +00001096
1097 ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1098 SSL_ALERT_MSG_PROTOCOL_VERSION );
1099
1100 return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1101 }
1102
Paul Bakker2fbefde2013-06-29 16:01:15 +02001103 ssl->handshake->max_major_ver = buf[4];
1104 ssl->handshake->max_minor_ver = buf[5];
Paul Bakkerec636f32012-09-09 19:17:02 +00001105
Paul Bakker48916f92012-09-16 19:57:18 +00001106 memcpy( ssl->handshake->randbytes, buf + 6, 32 );
Paul Bakkerec636f32012-09-09 19:17:02 +00001107
1108 /*
1109 * Check the handshake message length
1110 */
1111 if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
1112 {
1113 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1114 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1115 }
1116
1117 /*
1118 * Check the session length
1119 */
1120 sess_len = buf[38];
1121
1122 if( sess_len > 32 )
1123 {
1124 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1125 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1126 }
1127
Paul Bakker48916f92012-09-16 19:57:18 +00001128 ssl->session_negotiate->length = sess_len;
1129 memset( ssl->session_negotiate->id, 0,
1130 sizeof( ssl->session_negotiate->id ) );
1131 memcpy( ssl->session_negotiate->id, buf + 39,
1132 ssl->session_negotiate->length );
Paul Bakkerec636f32012-09-09 19:17:02 +00001133
1134 /*
1135 * Check the ciphersuitelist length
1136 */
1137 ciph_len = ( buf[39 + sess_len] << 8 )
1138 | ( buf[40 + sess_len] );
1139
1140 if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
1141 {
1142 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1143 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1144 }
1145
1146 /*
1147 * Check the compression algorithms length
1148 */
1149 comp_len = buf[41 + sess_len + ciph_len];
1150
1151 if( comp_len < 1 || comp_len > 16 )
1152 {
1153 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1154 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1155 }
1156
Paul Bakker48916f92012-09-16 19:57:18 +00001157 /*
1158 * Check the extension length
1159 */
1160 if( n > 42 + sess_len + ciph_len + comp_len )
1161 {
1162 ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
1163 | ( buf[43 + sess_len + ciph_len + comp_len] );
1164
1165 if( ( ext_len > 0 && ext_len < 4 ) ||
1166 n != 44 + sess_len + ciph_len + comp_len + ext_len )
1167 {
1168 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1169 SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
1170 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1171 }
1172 }
1173
1174 ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
Paul Bakkerec636f32012-09-09 19:17:02 +00001175#if defined(POLARSSL_ZLIB_SUPPORT)
1176 for( i = 0; i < comp_len; ++i )
1177 {
Paul Bakker48916f92012-09-16 19:57:18 +00001178 if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
Paul Bakker5121ce52009-01-03 21:22:43 +00001179 {
Paul Bakker48916f92012-09-16 19:57:18 +00001180 ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE;
Paul Bakkerec636f32012-09-09 19:17:02 +00001181 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00001182 }
1183 }
Paul Bakker2770fbd2012-07-03 13:30:23 +00001184#endif
1185
Paul Bakkerec636f32012-09-09 19:17:02 +00001186 SSL_DEBUG_BUF( 3, "client hello, random bytes",
1187 buf + 6, 32 );
1188 SSL_DEBUG_BUF( 3, "client hello, session id",
1189 buf + 38, sess_len );
1190 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1191 buf + 41 + sess_len, ciph_len );
1192 SSL_DEBUG_BUF( 3, "client hello, compression",
1193 buf + 42 + sess_len + ciph_len, comp_len );
Paul Bakker5121ce52009-01-03 21:22:43 +00001194
Paul Bakkerec636f32012-09-09 19:17:02 +00001195 /*
Paul Bakker48916f92012-09-16 19:57:18 +00001196 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1197 */
1198 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1199 {
1200 if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
1201 {
1202 SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1203 if( ssl->renegotiation == SSL_RENEGOTIATION )
1204 {
1205 SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001206
1207 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1208 return( ret );
1209
Paul Bakker48916f92012-09-16 19:57:18 +00001210 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1211 }
1212 ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
1213 break;
1214 }
1215 }
1216
Paul Bakker48916f92012-09-16 19:57:18 +00001217 ext = buf + 44 + sess_len + ciph_len + comp_len;
Paul Bakker48916f92012-09-16 19:57:18 +00001218
1219 while( ext_len )
1220 {
1221 unsigned int ext_id = ( ( ext[0] << 8 )
1222 | ( ext[1] ) );
1223 unsigned int ext_size = ( ( ext[2] << 8 )
1224 | ( ext[3] ) );
1225
1226 if( ext_size + 4 > ext_len )
1227 {
1228 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1229 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1230 }
1231 switch( ext_id )
1232 {
Paul Bakker0be444a2013-08-27 21:55:01 +02001233#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
Paul Bakker5701cdc2012-09-27 21:49:42 +00001234 case TLS_EXT_SERVERNAME:
1235 SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1236 if( ssl->f_sni == NULL )
1237 break;
1238
1239 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1240 if( ret != 0 )
1241 return( ret );
1242 break;
Paul Bakker0be444a2013-08-27 21:55:01 +02001243#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +00001244
Paul Bakker48916f92012-09-16 19:57:18 +00001245 case TLS_EXT_RENEGOTIATION_INFO:
1246 SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1247 renegotiation_info_seen = 1;
1248
Paul Bakker23f36802012-09-28 14:15:14 +00001249 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1250 if( ret != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +00001251 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +00001252 break;
Paul Bakker48916f92012-09-16 19:57:18 +00001253
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001254#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker23f36802012-09-28 14:15:14 +00001255 case TLS_EXT_SIG_ALG:
1256 SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1257 if( ssl->renegotiation == SSL_RENEGOTIATION )
1258 break;
1259
1260 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1261 if( ret != 0 )
1262 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +00001263 break;
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001264#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker48916f92012-09-16 19:57:18 +00001265
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +02001266#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakker41c83d32013-03-20 14:39:14 +01001267 case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
1268 SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1269
1270 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1271 if( ret != 0 )
1272 return( ret );
1273 break;
1274
1275 case TLS_EXT_SUPPORTED_POINT_FORMATS:
1276 SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
Paul Bakker677377f2013-10-28 12:54:26 +01001277 ssl->handshake->cli_exts |= TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
Paul Bakker41c83d32013-03-20 14:39:14 +01001278
1279 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1280 if( ret != 0 )
1281 return( ret );
1282 break;
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +02001283#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Paul Bakker41c83d32013-03-20 14:39:14 +01001284
Paul Bakker05decb22013-08-15 13:33:48 +02001285#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +02001286 case TLS_EXT_MAX_FRAGMENT_LENGTH:
1287 SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1288
1289 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1290 if( ret != 0 )
1291 return( ret );
1292 break;
Paul Bakker05decb22013-08-15 13:33:48 +02001293#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +02001294
Paul Bakker1f2bc622013-08-15 13:45:55 +02001295#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001296 case TLS_EXT_TRUNCATED_HMAC:
1297 SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1298
1299 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1300 if( ret != 0 )
1301 return( ret );
1302 break;
Paul Bakker1f2bc622013-08-15 13:45:55 +02001303#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001304
Paul Bakkera503a632013-08-14 13:48:06 +02001305#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001306 case TLS_EXT_SESSION_TICKET:
1307 SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1308
1309 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1310 if( ret != 0 )
1311 return( ret );
1312 break;
Paul Bakkera503a632013-08-14 13:48:06 +02001313#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001314
Paul Bakker48916f92012-09-16 19:57:18 +00001315 default:
1316 SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1317 ext_id ) );
1318 }
1319
1320 ext_len -= 4 + ext_size;
1321 ext += 4 + ext_size;
1322
1323 if( ext_len > 0 && ext_len < 4 )
1324 {
1325 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1326 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1327 }
1328 }
1329
1330 /*
1331 * Renegotiation security checks
1332 */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001333 if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1334 ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
1335 {
1336 SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1337 handshake_failure = 1;
1338 }
1339 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1340 ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
1341 renegotiation_info_seen == 0 )
Paul Bakker48916f92012-09-16 19:57:18 +00001342 {
1343 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001344 handshake_failure = 1;
Paul Bakker48916f92012-09-16 19:57:18 +00001345 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001346 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1347 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1348 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +00001349 {
1350 SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001351 handshake_failure = 1;
1352 }
1353 else if( ssl->renegotiation == SSL_RENEGOTIATION &&
1354 ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
1355 renegotiation_info_seen == 1 )
1356 {
1357 SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1358 handshake_failure = 1;
1359 }
1360
1361 if( handshake_failure == 1 )
1362 {
1363 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1364 return( ret );
1365
Paul Bakker48916f92012-09-16 19:57:18 +00001366 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
1367 }
Paul Bakker380da532012-04-18 16:10:25 +00001368
Paul Bakker41c83d32013-03-20 14:39:14 +01001369 /*
1370 * Search for a matching ciphersuite
Manuel Pégourié-Gonnard3ebb2cd2013-09-23 17:00:18 +02001371 * (At the end because we need information from the EC-based extensions
1372 * and certificate from the SNI callback triggered by the SNI extension.)
Paul Bakker41c83d32013-03-20 14:39:14 +01001373 */
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001374 ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
1375 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker41c83d32013-03-20 14:39:14 +01001376 {
1377 for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
1378 j += 2, p += 2 )
1379 {
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001380 if( p[0] == ( ( ciphersuites[i] >> 8 ) & 0xFF ) &&
1381 p[1] == ( ( ciphersuites[i] ) & 0xFF ) )
Paul Bakker41c83d32013-03-20 14:39:14 +01001382 {
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001383 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
Paul Bakker41c83d32013-03-20 14:39:14 +01001384
1385 if( ciphersuite_info == NULL )
1386 {
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02001387 SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found",
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001388 ciphersuites[i] ) );
Paul Bakker41c83d32013-03-20 14:39:14 +01001389 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
1390 }
1391
Paul Bakker2fbefde2013-06-29 16:01:15 +02001392 if( ciphersuite_info->min_minor_ver > ssl->minor_ver ||
1393 ciphersuite_info->max_minor_ver < ssl->minor_ver )
1394 continue;
1395
Paul Bakker5fd49172013-08-19 13:29:26 +02001396#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard51451f82013-09-17 12:06:25 +02001397 if( ssl_ciphersuite_uses_ec( ciphersuite_info ) &&
Paul Bakkercaa3af42013-09-26 13:32:43 +02001398 ( ssl->handshake->curves == NULL ||
1399 ssl->handshake->curves[0] == NULL ) )
Paul Bakker41c83d32013-03-20 14:39:14 +01001400 continue;
Paul Bakker5fd49172013-08-19 13:29:26 +02001401#endif
Paul Bakker41c83d32013-03-20 14:39:14 +01001402
Manuel Pégourié-Gonnard21ef42f2013-10-27 14:47:25 +01001403#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
1404 /* If the ciphersuite requires a pre-shared key and we don't
1405 * have one, skip it now rather than failing later */
1406 if( ssl_ciphersuite_uses_psk( ciphersuite_info ) &&
1407 ssl->f_psk == NULL &&
1408 ( ssl->psk == NULL || ssl->psk_identity == NULL ||
1409 ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
1410 continue;
1411#endif
1412
Manuel Pégourié-Gonnard3ebb2cd2013-09-23 17:00:18 +02001413#if defined(POLARSSL_X509_CRT_PARSE_C)
1414 /*
1415 * Final check: if ciphersuite requires us to have a
1416 * certificate/key of a particular type:
1417 * - select the appropriate certificate if we have one, or
1418 * - try the next ciphersuite if we don't
1419 * This must be done last since we modify the key_cert list.
1420 */
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +02001421 if( ssl_pick_cert( ssl, ciphersuite_info ) != 0 )
1422 continue;
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02001423#endif
Manuel Pégourié-Gonnard32ea60a2013-08-17 17:39:04 +02001424
Paul Bakker41c83d32013-03-20 14:39:14 +01001425 goto have_ciphersuite;
1426 }
1427 }
1428 }
1429
1430 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1431
1432 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1433 return( ret );
1434
1435 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
1436
1437have_ciphersuite:
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001438 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Paul Bakker41c83d32013-03-20 14:39:14 +01001439 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1440 ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
1441
Paul Bakker5121ce52009-01-03 21:22:43 +00001442 ssl->in_left = 0;
1443 ssl->state++;
1444
1445 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1446
1447 return( 0 );
1448}
1449
Paul Bakker1f2bc622013-08-15 13:45:55 +02001450#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001451static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
1452 unsigned char *buf,
1453 size_t *olen )
1454{
1455 unsigned char *p = buf;
1456
1457 if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
1458 {
1459 *olen = 0;
1460 return;
1461 }
1462
1463 SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1464
1465 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
1466 *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
1467
1468 *p++ = 0x00;
1469 *p++ = 0x00;
1470
1471 *olen = 4;
1472}
Paul Bakker1f2bc622013-08-15 13:45:55 +02001473#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001474
Paul Bakkera503a632013-08-14 13:48:06 +02001475#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001476static void ssl_write_session_ticket_ext( ssl_context *ssl,
1477 unsigned char *buf,
1478 size_t *olen )
1479{
1480 unsigned char *p = buf;
1481
1482 if( ssl->handshake->new_session_ticket == 0 )
1483 {
1484 *olen = 0;
1485 return;
1486 }
1487
1488 SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1489
1490 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
1491 *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF );
1492
1493 *p++ = 0x00;
1494 *p++ = 0x00;
1495
1496 *olen = 4;
1497}
Paul Bakkera503a632013-08-14 13:48:06 +02001498#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001499
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +02001500static void ssl_write_renegotiation_ext( ssl_context *ssl,
1501 unsigned char *buf,
1502 size_t *olen )
1503{
1504 unsigned char *p = buf;
1505
1506 if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION )
1507 {
1508 *olen = 0;
1509 return;
1510 }
1511
1512 SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1513
1514 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
1515 *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
1516
1517 *p++ = 0x00;
1518 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
1519 *p++ = ssl->verify_data_len * 2 & 0xFF;
1520
1521 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
1522 p += ssl->verify_data_len;
1523 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
1524 p += ssl->verify_data_len;
1525
1526 *olen = 5 + ssl->verify_data_len * 2;
1527}
1528
Paul Bakker05decb22013-08-15 13:33:48 +02001529#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001530static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
1531 unsigned char *buf,
1532 size_t *olen )
1533{
1534 unsigned char *p = buf;
1535
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +02001536 if( ssl->session_negotiate->mfl_code == SSL_MAX_FRAG_LEN_NONE )
1537 {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001538 *olen = 0;
1539 return;
1540 }
1541
1542 SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
1543
1544 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
1545 *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
1546
1547 *p++ = 0x00;
1548 *p++ = 1;
1549
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +02001550 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001551
1552 *olen = 5;
1553}
Paul Bakker05decb22013-08-15 13:33:48 +02001554#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001555
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +02001556#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001557static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
1558 unsigned char *buf,
1559 size_t *olen )
1560{
1561 unsigned char *p = buf;
1562 ((void) ssl);
1563
Paul Bakker677377f2013-10-28 12:54:26 +01001564 if( ( ssl->handshake->cli_exts &
1565 TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
1566 {
1567 *olen = 0;
1568 return;
1569 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001570
1571 SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
1572
1573 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
1574 *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
1575
1576 *p++ = 0x00;
1577 *p++ = 2;
1578
1579 *p++ = 1;
1580 *p++ = POLARSSL_ECP_PF_UNCOMPRESSED;
1581
1582 *olen = 6;
1583}
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +02001584#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001585
Paul Bakker5121ce52009-01-03 21:22:43 +00001586static int ssl_write_server_hello( ssl_context *ssl )
1587{
Paul Bakkerfa9b1002013-07-03 15:31:03 +02001588#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +00001589 time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +02001590#endif
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02001591 int ret;
1592 size_t olen, ext_len = 0, n;
Paul Bakker5121ce52009-01-03 21:22:43 +00001593 unsigned char *buf, *p;
1594
1595 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
1596
Paul Bakkera9a028e2013-11-21 17:31:06 +01001597 if( ssl->f_rng == NULL )
1598 {
1599 SSL_DEBUG_MSG( 1, ( "no RNG provided") );
1600 return( POLARSSL_ERR_SSL_NO_RNG );
1601 }
1602
Paul Bakker5121ce52009-01-03 21:22:43 +00001603 /*
1604 * 0 . 0 handshake type
1605 * 1 . 3 handshake length
1606 * 4 . 5 protocol version
1607 * 6 . 9 UNIX time()
1608 * 10 . 37 random bytes
1609 */
1610 buf = ssl->out_msg;
1611 p = buf + 4;
1612
1613 *p++ = (unsigned char) ssl->major_ver;
1614 *p++ = (unsigned char) ssl->minor_ver;
1615
1616 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
1617 buf[4], buf[5] ) );
1618
Paul Bakkerfa9b1002013-07-03 15:31:03 +02001619#if defined(POLARSSL_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +00001620 t = time( NULL );
1621 *p++ = (unsigned char)( t >> 24 );
1622 *p++ = (unsigned char)( t >> 16 );
1623 *p++ = (unsigned char)( t >> 8 );
1624 *p++ = (unsigned char)( t );
1625
1626 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
Paul Bakkerfa9b1002013-07-03 15:31:03 +02001627#else
1628 if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 )
1629 return( ret );
1630
1631 p += 4;
1632#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001633
Paul Bakkera3d195c2011-11-27 21:07:34 +00001634 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
1635 return( ret );
1636
1637 p += 28;
Paul Bakker5121ce52009-01-03 21:22:43 +00001638
Paul Bakker48916f92012-09-16 19:57:18 +00001639 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +00001640
1641 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
1642
1643 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001644 * Resume is 0 by default, see ssl_handshake_init().
1645 * It may be already set to 1 by ssl_parse_session_ticket_ext().
1646 * If not, try looking up session ID in our cache.
Paul Bakker5121ce52009-01-03 21:22:43 +00001647 */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001648 if( ssl->handshake->resume == 0 &&
1649 ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +02001650 ssl->session_negotiate->length != 0 &&
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001651 ssl->f_get_cache != NULL &&
1652 ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )
1653 {
1654 ssl->handshake->resume = 1;
1655 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001656
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001657 if( ssl->handshake->resume == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001658 {
1659 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001660 * New session, create a new session id,
1661 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +00001662 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001663 ssl->state++;
1664
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +02001665#if defined(POLARSSL_HAVE_TIME)
1666 ssl->session_negotiate->start = time( NULL );
1667#endif
1668
Paul Bakkera503a632013-08-14 13:48:06 +02001669#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +02001670 if( ssl->handshake->new_session_ticket != 0 )
1671 {
1672 ssl->session_negotiate->length = n = 0;
1673 memset( ssl->session_negotiate->id, 0, 32 );
1674 }
1675 else
1676#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001677 {
1678 ssl->session_negotiate->length = n = 32;
1679 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
Paul Bakkera503a632013-08-14 13:48:06 +02001680 n ) ) != 0 )
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001681 return( ret );
1682 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001683 }
1684 else
1685 {
1686 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001687 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +00001688 */
Paul Bakkerf0e39ac2013-08-15 11:40:48 +02001689 n = ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +00001690 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +00001691
1692 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
1693 {
1694 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
1695 return( ret );
1696 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001697 }
1698
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +02001699 /*
1700 * 38 . 38 session id length
1701 * 39 . 38+n session id
1702 * 39+n . 40+n chosen ciphersuite
1703 * 41+n . 41+n chosen compression alg.
1704 * 42+n . 43+n extensions length
1705 * 44+n . 43+n+m extensions
1706 */
1707 *p++ = (unsigned char) ssl->session_negotiate->length;
Paul Bakker48916f92012-09-16 19:57:18 +00001708 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
1709 p += ssl->session_negotiate->length;
Paul Bakker5121ce52009-01-03 21:22:43 +00001710
1711 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1712 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
1713 SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Paul Bakker0a597072012-09-25 21:55:46 +00001714 ssl->handshake->resume ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001715
Paul Bakker48916f92012-09-16 19:57:18 +00001716 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
1717 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
1718 *p++ = (unsigned char)( ssl->session_negotiate->compression );
Paul Bakker5121ce52009-01-03 21:22:43 +00001719
Manuel Pégourié-Gonnard51451f82013-09-17 12:06:25 +02001720 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
1721 ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
Manuel Pégourié-Gonnard32ea60a2013-08-17 17:39:04 +02001722 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
Paul Bakker48916f92012-09-16 19:57:18 +00001723 ssl->session_negotiate->compression ) );
1724
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +02001725 /*
1726 * First write extensions, then the total length
1727 */
1728 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1729 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +00001730
Paul Bakker05decb22013-08-15 13:33:48 +02001731#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001732 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1733 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +02001734#endif
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +02001735
Paul Bakker1f2bc622013-08-15 13:45:55 +02001736#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001737 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1738 ext_len += olen;
Paul Bakker1f2bc622013-08-15 13:45:55 +02001739#endif
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001740
Paul Bakkera503a632013-08-14 13:48:06 +02001741#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001742 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1743 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +02001744#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02001745
Manuel Pégourié-Gonnard0b272672013-08-15 19:38:07 +02001746#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001747 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1748 ext_len += olen;
1749#endif
1750
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +02001751 SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
Paul Bakker48916f92012-09-16 19:57:18 +00001752
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +02001753 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1754 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1755 p += ext_len;
Paul Bakker5121ce52009-01-03 21:22:43 +00001756
1757 ssl->out_msglen = p - buf;
1758 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1759 ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
1760
1761 ret = ssl_write_record( ssl );
1762
1763 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
1764
1765 return( ret );
1766}
1767
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001768#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1769 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
Manuel Pégourié-Gonnarda3104592013-09-17 21:17:44 +02001770 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
1771 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +00001772static int ssl_write_certificate_request( ssl_context *ssl )
1773{
Paul Bakkered27a042013-04-18 22:46:23 +02001774 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1775 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001776
1777 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1778
1779 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02001780 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1781 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001782 {
1783 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
1784 ssl->state++;
1785 return( 0 );
1786 }
1787
Manuel Pégourié-Gonnarda3104592013-09-17 21:17:44 +02001788 SSL_DEBUG_MSG( 1, ( "should not happen" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001789 return( ret );
1790}
1791#else
1792static int ssl_write_certificate_request( ssl_context *ssl )
1793{
1794 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1795 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001796 size_t dn_size, total_dn_size; /* excluding length bytes */
1797 size_t ct_len, sa_len; /* including length bytes */
Paul Bakker5121ce52009-01-03 21:22:43 +00001798 unsigned char *buf, *p;
Paul Bakkerc559c7a2013-09-18 14:13:26 +02001799 const x509_crt *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +00001800
1801 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
1802
1803 ssl->state++;
1804
Paul Bakkerfbb17802013-04-17 19:10:21 +02001805 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001806 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02001807 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
Paul Bakkerfbb17802013-04-17 19:10:21 +02001808 ssl->authmode == SSL_VERIFY_NONE )
Paul Bakker5121ce52009-01-03 21:22:43 +00001809 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001810 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001811 return( 0 );
1812 }
1813
1814 /*
1815 * 0 . 0 handshake type
1816 * 1 . 3 handshake length
1817 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +01001818 * 5 .. m-1 cert types
1819 * m .. m+1 sig alg length (TLS 1.2 only)
1820 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +00001821 * n .. n+1 length of all DNs
1822 * n+2 .. n+3 length of DN 1
1823 * n+4 .. ... Distinguished Name #1
1824 * ... .. ... length of DN 2, etc.
1825 */
1826 buf = ssl->out_msg;
1827 p = buf + 4;
1828
1829 /*
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001830 * Supported certificate types
1831 *
1832 * ClientCertificateType certificate_types<1..2^8-1>;
1833 * enum { (255) } ClientCertificateType;
Paul Bakker5121ce52009-01-03 21:22:43 +00001834 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001835 ct_len = 0;
Paul Bakker926af752012-11-23 13:38:07 +01001836
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001837#if defined(POLARSSL_RSA_C)
1838 p[1 + ct_len++] = SSL_CERT_TYPE_RSA_SIGN;
1839#endif
1840#if defined(POLARSSL_ECDSA_C)
1841 p[1 + ct_len++] = SSL_CERT_TYPE_ECDSA_SIGN;
1842#endif
1843
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02001844 p[0] = (unsigned char) ct_len++;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001845 p += ct_len;
Paul Bakker926af752012-11-23 13:38:07 +01001846
Paul Bakker577e0062013-08-28 11:57:20 +02001847 sa_len = 0;
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001848#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker926af752012-11-23 13:38:07 +01001849 /*
1850 * Add signature_algorithms for verify (TLS 1.2)
Paul Bakker926af752012-11-23 13:38:07 +01001851 *
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001852 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
1853 *
1854 * struct {
1855 * HashAlgorithm hash;
1856 * SignatureAlgorithm signature;
1857 * } SignatureAndHashAlgorithm;
1858 *
1859 * enum { (255) } HashAlgorithm;
1860 * enum { (255) } SignatureAlgorithm;
Paul Bakker926af752012-11-23 13:38:07 +01001861 */
Paul Bakker21dca692013-01-03 11:41:08 +01001862 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +01001863 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001864 /*
1865 * Only use current running hash algorithm that is already required
1866 * for requested ciphersuite.
1867 */
Paul Bakker926af752012-11-23 13:38:07 +01001868 ssl->handshake->verify_sig_alg = SSL_HASH_SHA256;
1869
Paul Bakkerb7149bc2013-03-20 15:30:09 +01001870 if( ssl->transform_negotiate->ciphersuite_info->mac ==
1871 POLARSSL_MD_SHA384 )
Paul Bakker926af752012-11-23 13:38:07 +01001872 {
1873 ssl->handshake->verify_sig_alg = SSL_HASH_SHA384;
1874 }
Paul Bakkerf7abd422013-04-16 13:15:56 +02001875
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001876 /*
1877 * Supported signature algorithms
1878 */
1879#if defined(POLARSSL_RSA_C)
1880 p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
1881 p[2 + sa_len++] = SSL_SIG_RSA;
1882#endif
1883#if defined(POLARSSL_ECDSA_C)
1884 p[2 + sa_len++] = ssl->handshake->verify_sig_alg;
1885 p[2 + sa_len++] = SSL_SIG_ECDSA;
1886#endif
Paul Bakker926af752012-11-23 13:38:07 +01001887
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001888 p[0] = (unsigned char)( sa_len >> 8 );
1889 p[1] = (unsigned char)( sa_len );
1890 sa_len += 2;
1891 p += sa_len;
Paul Bakker926af752012-11-23 13:38:07 +01001892 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001893#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001894
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001895 /*
1896 * DistinguishedName certificate_authorities<0..2^16-1>;
1897 * opaque DistinguishedName<1..2^16-1>;
1898 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001899 p += 2;
1900 crt = ssl->ca_chain;
1901
Paul Bakkerbc3d9842012-11-26 16:12:02 +01001902 total_dn_size = 0;
Paul Bakker29087132010-03-21 21:03:34 +00001903 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00001904 {
1905 if( p - buf > 4096 )
1906 break;
1907
Paul Bakker926af752012-11-23 13:38:07 +01001908 dn_size = crt->subject_raw.len;
1909 *p++ = (unsigned char)( dn_size >> 8 );
1910 *p++ = (unsigned char)( dn_size );
1911 memcpy( p, crt->subject_raw.p, dn_size );
1912 p += dn_size;
Paul Bakker5121ce52009-01-03 21:22:43 +00001913
Paul Bakker926af752012-11-23 13:38:07 +01001914 SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
1915
Paul Bakkerbc3d9842012-11-26 16:12:02 +01001916 total_dn_size += 2 + dn_size;
Paul Bakker926af752012-11-23 13:38:07 +01001917 crt = crt->next;
Paul Bakker5121ce52009-01-03 21:22:43 +00001918 }
1919
Paul Bakker926af752012-11-23 13:38:07 +01001920 ssl->out_msglen = p - buf;
Paul Bakker5121ce52009-01-03 21:22:43 +00001921 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1922 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02001923 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
1924 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
Paul Bakker5121ce52009-01-03 21:22:43 +00001925
1926 ret = ssl_write_record( ssl );
1927
1928 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
1929
1930 return( ret );
1931}
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001932#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
1933 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
1934 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00001935
Paul Bakker41c83d32013-03-20 14:39:14 +01001936static int ssl_write_server_key_exchange( ssl_context *ssl )
1937{
Paul Bakker23986e52011-04-24 08:57:21 +00001938 int ret;
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +02001939 size_t n = 0;
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +02001940 const ssl_ciphersuite_t *ciphersuite_info =
1941 ssl->transform_negotiate->ciphersuite_info;
Paul Bakker2292d1f2013-09-15 17:06:49 +02001942
1943#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1944 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
1945 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
Manuel Pégourié-Gonnard1b62c7f2013-10-14 14:02:19 +02001946 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
Paul Bakker2292d1f2013-09-15 17:06:49 +02001947 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +02001948 unsigned char *p = ssl->out_msg + 4;
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02001949 unsigned char *dig_signed = p;
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +02001950 size_t dig_signed_len = 0, len;
Paul Bakker2292d1f2013-09-15 17:06:49 +02001951 ((void) dig_signed);
1952 ((void) dig_signed_len);
1953#endif
Paul Bakker41c83d32013-03-20 14:39:14 +01001954
Paul Bakker5121ce52009-01-03 21:22:43 +00001955 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
1956
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +02001957 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ||
1958 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1959 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +00001960 {
1961 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
1962 ssl->state++;
1963 return( 0 );
1964 }
1965
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02001966#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
1967 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1968 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
1969 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001970 {
1971 /* TODO: Support identity hints */
1972 *(p++) = 0x00;
1973 *(p++) = 0x00;
1974
1975 n += 2;
1976 }
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02001977#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED ||
1978 POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001979
1980#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1981 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
1982 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
1983 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48916f92012-09-16 19:57:18 +00001984 {
Paul Bakker41c83d32013-03-20 14:39:14 +01001985 /*
1986 * Ephemeral DH parameters:
1987 *
1988 * struct {
1989 * opaque dh_p<1..2^16-1>;
1990 * opaque dh_g<1..2^16-1>;
1991 * opaque dh_Ys<1..2^16-1>;
1992 * } ServerDHParams;
1993 */
1994 if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
1995 ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
1996 {
1997 SSL_DEBUG_RET( 1, "mpi_copy", ret );
1998 return( ret );
1999 }
Paul Bakker48916f92012-09-16 19:57:18 +00002000
Paul Bakker41c83d32013-03-20 14:39:14 +01002001 if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02002002 (int) mpi_size( &ssl->handshake->dhm_ctx.P ),
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002003 p,
2004 &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +01002005 {
2006 SSL_DEBUG_RET( 1, "dhm_make_params", ret );
2007 return( ret );
2008 }
2009
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002010 dig_signed = p;
2011 dig_signed_len = len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002012
2013 p += len;
2014 n += len;
2015
Paul Bakker41c83d32013-03-20 14:39:14 +01002016 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
2017 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2018 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2019 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
2020 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002021#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2022 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +01002023
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002024#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002025 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2026 defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2027
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002028 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002029 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ||
2030 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +00002031 {
Paul Bakker41c83d32013-03-20 14:39:14 +01002032 /*
2033 * Ephemeral ECDH parameters:
2034 *
2035 * struct {
2036 * ECParameters curve_params;
2037 * ECPoint public;
2038 * } ServerECDHParams;
2039 */
Paul Bakker41c83d32013-03-20 14:39:14 +01002040 if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp,
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +02002041 ssl->handshake->curves[0]->grp_id ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +01002042 {
2043 SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret );
2044 return( ret );
2045 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002046
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +02002047 SSL_DEBUG_MSG( 2, ( "ECDH curve size: %d",
2048 (int) ssl->handshake->ecdh_ctx.grp.nbits ) );
2049
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02002050 if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
2051 p, SSL_MAX_CONTENT_LEN - n,
2052 ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +01002053 {
2054 SSL_DEBUG_RET( 1, "ecdh_make_params", ret );
2055 return( ret );
2056 }
2057
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002058 dig_signed = p;
2059 dig_signed_len = len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002060
2061 p += len;
2062 n += len;
2063
Paul Bakker41c83d32013-03-20 14:39:14 +01002064 SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
2065 }
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002066#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002067 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2068 POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00002069
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002070#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002071 defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2072 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002073 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002074 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2075 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
Paul Bakker1ef83d62012-04-11 12:09:53 +00002076 {
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002077 size_t signature_len = 0;
Paul Bakker2292d1f2013-09-15 17:06:49 +02002078 unsigned int hashlen = 0;
2079 unsigned char hash[64];
2080 md_type_t md_alg = POLARSSL_MD_NONE;
Paul Bakker23f36802012-09-28 14:15:14 +00002081
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002082 /*
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002083 * Choose hash algorithm. NONE means MD5 + SHA1 here.
2084 */
Paul Bakker577e0062013-08-28 11:57:20 +02002085#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002086 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2087 {
2088 md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg );
2089
2090 if( md_alg == POLARSSL_MD_NONE )
2091 {
2092 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2093 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
2094 }
2095 }
Paul Bakker577e0062013-08-28 11:57:20 +02002096 else
2097#endif
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002098#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2099 defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakker577e0062013-08-28 11:57:20 +02002100 if ( ciphersuite_info->key_exchange ==
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002101 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
2102 {
2103 md_alg = POLARSSL_MD_SHA1;
2104 }
2105 else
Paul Bakker577e0062013-08-28 11:57:20 +02002106#endif
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002107 {
2108 md_alg = POLARSSL_MD_NONE;
2109 }
2110
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002111 /*
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002112 * Compute the hash to be signed
2113 */
Paul Bakker577e0062013-08-28 11:57:20 +02002114#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2115 defined(POLARSSL_SSL_PROTO_TLS1_1)
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002116 if( md_alg == POLARSSL_MD_NONE )
Paul Bakker23f36802012-09-28 14:15:14 +00002117 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002118 md5_context md5;
2119 sha1_context sha1;
2120
2121 /*
2122 * digitally-signed struct {
2123 * opaque md5_hash[16];
2124 * opaque sha_hash[20];
2125 * };
2126 *
2127 * md5_hash
2128 * MD5(ClientHello.random + ServerHello.random
2129 * + ServerParams);
2130 * sha_hash
2131 * SHA(ClientHello.random + ServerHello.random
2132 * + ServerParams);
2133 */
2134 md5_starts( &md5 );
2135 md5_update( &md5, ssl->handshake->randbytes, 64 );
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002136 md5_update( &md5, dig_signed, dig_signed_len );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002137 md5_finish( &md5, hash );
2138
2139 sha1_starts( &sha1 );
2140 sha1_update( &sha1, ssl->handshake->randbytes, 64 );
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002141 sha1_update( &sha1, dig_signed, dig_signed_len );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002142 sha1_finish( &sha1, hash + 16 );
2143
2144 hashlen = 36;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002145 }
2146 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002147#endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
2148 POLARSSL_SSL_PROTO_TLS1_1 */
Paul Bakker9659dae2013-08-28 16:21:34 +02002149#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2150 defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker577e0062013-08-28 11:57:20 +02002151 if( md_alg != POLARSSL_MD_NONE )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002152 {
2153 md_context_t ctx;
2154
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +02002155 /* Info from md_alg will be used instead */
2156 hashlen = 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002157
2158 /*
2159 * digitally-signed struct {
2160 * opaque client_random[32];
2161 * opaque server_random[32];
2162 * ServerDHParams params;
2163 * };
2164 */
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +02002165 if( ( ret = md_init_ctx( &ctx, md_info_from_type(md_alg) ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002166 {
2167 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
2168 return( ret );
2169 }
2170
2171 md_starts( &ctx );
2172 md_update( &ctx, ssl->handshake->randbytes, 64 );
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002173 md_update( &ctx, dig_signed, dig_signed_len );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002174 md_finish( &ctx, hash );
Paul Bakker61d113b2013-07-04 11:51:43 +02002175
2176 if( ( ret = md_free_ctx( &ctx ) ) != 0 )
2177 {
2178 SSL_DEBUG_RET( 1, "md_free_ctx", ret );
2179 return( ret );
2180 }
2181
Paul Bakker23f36802012-09-28 14:15:14 +00002182 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002183 else
Paul Bakker9659dae2013-08-28 16:21:34 +02002184#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2185 POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +02002186 {
2187 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002188 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker577e0062013-08-28 11:57:20 +02002189 }
Paul Bakkerc70b9822013-04-07 22:00:46 +02002190
Manuel Pégourié-Gonnard9cc6f5c2013-08-27 14:29:44 +02002191 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
2192 (unsigned int) ( md_info_from_type( md_alg ) )->size );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002193
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002194 /*
2195 * Make the signature
2196 */
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002197 if( ssl_own_key( ssl ) == NULL )
Paul Bakker23f36802012-09-28 14:15:14 +00002198 {
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002199 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2200 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002201 }
Paul Bakker23f36802012-09-28 14:15:14 +00002202
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002203#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker23f36802012-09-28 14:15:14 +00002204 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
2205 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002206 *(p++) = ssl->handshake->sig_alg;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002207 *(p++) = ssl_sig_from_pk( ssl_own_key( ssl ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002208
2209 n += 2;
2210 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002211#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002212
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002213 if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash, hashlen,
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02002214 p + 2 , &signature_len,
2215 ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002216 {
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02002217 SSL_DEBUG_RET( 1, "pk_sign", ret );
Paul Bakkerc70b9822013-04-07 22:00:46 +02002218 return( ret );
Paul Bakker23f36802012-09-28 14:15:14 +00002219 }
Paul Bakkerc70b9822013-04-07 22:00:46 +02002220
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002221 *(p++) = (unsigned char)( signature_len >> 8 );
2222 *(p++) = (unsigned char)( signature_len );
Paul Bakkerbf63b362012-04-12 20:44:34 +00002223 n += 2;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002224
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002225 SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
Paul Bakker48916f92012-09-16 19:57:18 +00002226
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002227 p += signature_len;
2228 n += signature_len;
Paul Bakker1ef83d62012-04-11 12:09:53 +00002229 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002230#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002231 POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2232 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +00002233
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002234 ssl->out_msglen = 4 + n;
Paul Bakker5121ce52009-01-03 21:22:43 +00002235 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2236 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE;
2237
2238 ssl->state++;
2239
2240 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2241 {
2242 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2243 return( ret );
2244 }
2245
2246 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
2247
2248 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002249}
2250
2251static int ssl_write_server_hello_done( ssl_context *ssl )
2252{
2253 int ret;
2254
2255 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
2256
2257 ssl->out_msglen = 4;
2258 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2259 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE;
2260
2261 ssl->state++;
2262
2263 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2264 {
2265 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2266 return( ret );
2267 }
2268
2269 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
2270
2271 return( 0 );
2272}
2273
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002274#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2275 defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2276static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p,
2277 const unsigned char *end )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002278{
2279 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +02002280 size_t n;
2281
2282 /*
2283 * Receive G^Y mod P, premaster = (G^Y)^X mod P
2284 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002285 if( *p + 2 > end )
2286 {
2287 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2288 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2289 }
Paul Bakker70df2fb2013-04-17 17:19:09 +02002290
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002291 n = ( (*p)[0] << 8 ) | (*p)[1];
2292 *p += 2;
2293
2294 if( n < 1 || n > ssl->handshake->dhm_ctx.len || *p + n > end )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002295 {
2296 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2297 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2298 }
2299
2300 if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx,
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002301 *p, n ) ) != 0 )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002302 {
2303 SSL_DEBUG_RET( 1, "dhm_read_public", ret );
2304 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2305 }
2306
2307 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2308
Paul Bakker70df2fb2013-04-17 17:19:09 +02002309 return( ret );
2310}
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002311#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2312 POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +02002313
Manuel Pégourié-Gonnardbac0e3b2013-10-15 11:54:47 +02002314#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
2315 defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002316static int ssl_parse_encrypted_pms( ssl_context *ssl,
2317 const unsigned char *p,
2318 const unsigned char *end,
2319 size_t pms_offset )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002320{
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002321 int ret;
2322 size_t len = pk_get_len( ssl_own_key( ssl ) );
2323 unsigned char *pms = ssl->handshake->premaster + pms_offset;
Paul Bakker70df2fb2013-04-17 17:19:09 +02002324
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002325 if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002326 {
Manuel Pégourié-Gonnarda2d3f222013-08-21 11:51:08 +02002327 SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
Paul Bakker70df2fb2013-04-17 17:19:09 +02002328 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2329 }
2330
2331 /*
2332 * Decrypt the premaster using own private RSA key
2333 */
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002334#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2335 defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker70df2fb2013-04-17 17:19:09 +02002336 if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
2337 {
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002338 if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
2339 *p++ != ( ( len ) & 0xFF ) )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002340 {
2341 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2342 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2343 }
2344 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002345#endif
Paul Bakker70df2fb2013-04-17 17:19:09 +02002346
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002347 if( p + len != end )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002348 {
2349 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2350 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2351 }
2352
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002353 ret = pk_decrypt( ssl_own_key( ssl ), p, len,
2354 pms, &ssl->handshake->pmslen,
Manuel Pégourié-Gonnard070cc7f2013-08-21 15:09:31 +02002355 sizeof(ssl->handshake->premaster),
2356 ssl->f_rng, ssl->p_rng );
Paul Bakker70df2fb2013-04-17 17:19:09 +02002357
2358 if( ret != 0 || ssl->handshake->pmslen != 48 ||
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002359 pms[0] != ssl->handshake->max_major_ver ||
2360 pms[1] != ssl->handshake->max_minor_ver )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002361 {
2362 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2363
2364 /*
2365 * Protection against Bleichenbacher's attack:
2366 * invalid PKCS#1 v1.5 padding must not cause
2367 * the connection to end immediately; instead,
2368 * send a bad_record_mac later in the handshake.
2369 */
2370 ssl->handshake->pmslen = 48;
2371
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002372 ret = ssl->f_rng( ssl->p_rng, pms, ssl->handshake->pmslen );
Paul Bakker70df2fb2013-04-17 17:19:09 +02002373 if( ret != 0 )
2374 return( ret );
2375 }
2376
2377 return( ret );
2378}
Manuel Pégourié-Gonnardbac0e3b2013-10-15 11:54:47 +02002379#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED ||
2380 POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +02002381
Manuel Pégourié-Gonnard8a3c64d2013-10-14 19:54:10 +02002382#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002383static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
2384 const unsigned char *end )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002385{
Paul Bakker6db455e2013-09-18 17:29:31 +02002386 int ret = 0;
Paul Bakkerfbb17802013-04-17 19:10:21 +02002387 size_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +02002388
Paul Bakker6db455e2013-09-18 17:29:31 +02002389 if( ssl->f_psk == NULL &&
2390 ( ssl->psk == NULL || ssl->psk_identity == NULL ||
2391 ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002392 {
2393 SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
2394 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
2395 }
2396
2397 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002398 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +02002399 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002400 if( *p + 2 > end )
2401 {
2402 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2403 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2404 }
Paul Bakkerfbb17802013-04-17 19:10:21 +02002405
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002406 n = ( (*p)[0] << 8 ) | (*p)[1];
2407 *p += 2;
2408
2409 if( n < 1 || n > 65535 || *p + n > end )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002410 {
2411 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2412 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2413 }
2414
Paul Bakker6db455e2013-09-18 17:29:31 +02002415 if( ssl->f_psk != NULL )
2416 {
2417 if( ( ret != ssl->f_psk( ssl->p_psk, ssl, *p, n ) ) != 0 )
2418 ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
2419 }
2420
2421 if( ret == 0 )
2422 {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +01002423 /* Identity is not a big secret since clients send it in the clear,
2424 * but treat it carefully anyway, just in case */
Paul Bakker6db455e2013-09-18 17:29:31 +02002425 if( n != ssl->psk_identity_len ||
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +01002426 safer_memcmp( ssl->psk_identity, *p, n ) != 0 )
Paul Bakker6db455e2013-09-18 17:29:31 +02002427 {
2428 ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
2429 }
2430 }
2431
2432 if( ret == POLARSSL_ERR_SSL_UNKNOWN_IDENTITY )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002433 {
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002434 SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
Paul Bakker6db455e2013-09-18 17:29:31 +02002435 if( ( ret = ssl_send_alert_message( ssl,
2436 SSL_ALERT_LEVEL_FATAL,
2437 SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 )
2438 {
2439 return( ret );
2440 }
2441
2442 return( POLARSSL_ERR_SSL_UNKNOWN_IDENTITY );
Paul Bakkerfbb17802013-04-17 19:10:21 +02002443 }
2444
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002445 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +02002446 ret = 0;
2447
Paul Bakkerfbb17802013-04-17 19:10:21 +02002448 return( ret );
2449}
Manuel Pégourié-Gonnard8a3c64d2013-10-14 19:54:10 +02002450#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +02002451
Paul Bakker5121ce52009-01-03 21:22:43 +00002452static int ssl_parse_client_key_exchange( ssl_context *ssl )
2453{
Paul Bakker23986e52011-04-24 08:57:21 +00002454 int ret;
Paul Bakker41c83d32013-03-20 14:39:14 +01002455 const ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker70df2fb2013-04-17 17:19:09 +02002456
Paul Bakker41c83d32013-03-20 14:39:14 +01002457 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00002458
2459 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
2460
2461 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2462 {
2463 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2464 return( ret );
2465 }
2466
2467 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2468 {
2469 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002470 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002471 }
2472
2473 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
2474 {
2475 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002476 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002477 }
2478
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002479#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
Paul Bakker41c83d32013-03-20 14:39:14 +01002480 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +00002481 {
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +02002482 unsigned char *p = ssl->in_msg + 4;
2483 unsigned char *end = ssl->in_msg + ssl->in_msglen;
2484
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002485 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002486 {
Paul Bakker70df2fb2013-04-17 17:19:09 +02002487 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2488 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002489 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002490
2491 ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
2492
2493 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
2494 ssl->handshake->premaster,
Manuel Pégourié-Gonnard2d627642013-09-04 14:22:07 +02002495 &ssl->handshake->pmslen,
Manuel Pégourié-Gonnard15d5de12013-09-17 11:34:11 +02002496 ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002497 {
2498 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
2499 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2500 }
2501
2502 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker70df2fb2013-04-17 17:19:09 +02002503 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002504 else
2505#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002506#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2507 defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2508 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
2509 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
Paul Bakker70df2fb2013-04-17 17:19:09 +02002510 {
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +02002511 size_t n = ssl->in_msg[3];
2512
2513 if( n < 1 || n > mpi_size( &ssl->handshake->ecdh_ctx.grp.P ) * 2 + 2 ||
2514 n + 4 != ssl->in_hslen )
Paul Bakker5121ce52009-01-03 21:22:43 +00002515 {
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +02002516 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
2517 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002518 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002519
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +02002520 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2521 ssl->in_msg + 4, n ) ) != 0 )
2522 {
2523 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2524 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
2525 }
2526
2527 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2528
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002529 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2530 &ssl->handshake->pmslen,
2531 ssl->handshake->premaster,
Manuel Pégourié-Gonnarde09d2f82013-09-02 14:29:09 +02002532 POLARSSL_MPI_MAX_SIZE,
2533 ssl->f_rng, ssl->p_rng ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002534 {
2535 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
2536 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
2537 }
2538
2539 SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
Paul Bakker5121ce52009-01-03 21:22:43 +00002540 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002541 else
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002542#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2543 POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002544#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2545 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002546 {
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +02002547 unsigned char *p = ssl->in_msg + 4;
2548 unsigned char *end = ssl->in_msg + ssl->in_msglen;
2549
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002550 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
Paul Bakkerfbb17802013-04-17 19:10:21 +02002551 {
2552 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2553 return( ret );
2554 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002555
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02002556 if( ( ret = ssl_psk_derive_premaster( ssl,
2557 ciphersuite_info->key_exchange ) ) != 0 )
2558 {
2559 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2560 return( ret );
2561 }
Paul Bakkerfbb17802013-04-17 19:10:21 +02002562 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002563 else
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002564#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002565#if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
2566 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
2567 {
2568 unsigned char *p = ssl->in_msg + 4;
2569 unsigned char *end = ssl->in_msg + ssl->in_msglen;
2570
2571 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2572 {
2573 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2574 return( ret );
2575 }
2576
2577 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
2578 {
2579 SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
2580 return( ret );
2581 }
2582
2583 if( ( ret = ssl_psk_derive_premaster( ssl,
2584 ciphersuite_info->key_exchange ) ) != 0 )
2585 {
2586 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2587 return( ret );
2588 }
2589 }
2590 else
2591#endif /* POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002592#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
2593 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2594 {
Manuel Pégourié-Gonnarda7496f02013-09-20 11:29:59 +02002595 unsigned char *p = ssl->in_msg + 4;
2596 unsigned char *end = ssl->in_msg + ssl->in_msglen;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002597
2598 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2599 {
2600 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2601 return( ret );
2602 }
2603 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
2604 {
2605 SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
2606 return( ret );
2607 }
2608
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02002609 if( ( ret = ssl_psk_derive_premaster( ssl,
2610 ciphersuite_info->key_exchange ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002611 {
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02002612 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
2613 return( ret );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002614 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002615 }
2616 else
2617#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002618#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2619 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2620 {
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002621 unsigned char *p = ssl->in_msg + 4;
2622 unsigned char *end = ssl->in_msg + ssl->in_msglen;
2623
2624 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
2625 {
2626 SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
2627 return( ret );
2628 }
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +02002629
2630 if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx,
2631 p, end - p ) ) != 0 )
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002632 {
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +02002633 SSL_DEBUG_RET( 1, "ecdh_read_public", ret );
2634 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002635 }
2636
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +02002637 SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
2638
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02002639 if( ( ret = ssl_psk_derive_premaster( ssl,
2640 ciphersuite_info->key_exchange ) ) != 0 )
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002641 {
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02002642 SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret );
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002643 return( ret );
2644 }
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002645 }
2646 else
2647#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002648#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
2649 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA )
Paul Bakker41c83d32013-03-20 14:39:14 +01002650 {
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002651 if( ( ret = ssl_parse_encrypted_pms( ssl,
2652 ssl->in_msg + 4,
2653 ssl->in_msg + ssl->in_msglen,
2654 0 ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +01002655 {
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +02002656 SSL_DEBUG_RET( 1, ( "ssl_parse_parse_ecrypted_pms_secret" ), ret );
Paul Bakker70df2fb2013-04-17 17:19:09 +02002657 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002658 }
2659 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002660 else
2661#endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */
2662 {
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +02002663 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002664 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
2665 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002666
Paul Bakkerff60ee62010-03-16 21:09:09 +00002667 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
2668 {
2669 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
2670 return( ret );
2671 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002672
Paul Bakker5121ce52009-01-03 21:22:43 +00002673 ssl->state++;
2674
2675 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
2676
2677 return( 0 );
2678}
2679
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002680#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2681 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
Manuel Pégourié-Gonnarda3104592013-09-17 21:17:44 +02002682 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2683 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +00002684static int ssl_parse_certificate_verify( ssl_context *ssl )
2685{
Paul Bakkered27a042013-04-18 22:46:23 +02002686 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerfbb17802013-04-17 19:10:21 +02002687 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00002688
2689 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2690
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002691 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnard1b62c7f2013-10-14 14:02:19 +02002692 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002693 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakkered27a042013-04-18 22:46:23 +02002694 {
2695 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2696 ssl->state++;
2697 return( 0 );
2698 }
2699
Manuel Pégourié-Gonnarda3104592013-09-17 21:17:44 +02002700 SSL_DEBUG_MSG( 1, ( "should not happen" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002701 return( ret );
2702}
2703#else
2704static int ssl_parse_certificate_verify( ssl_context *ssl )
2705{
2706 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002707 size_t sa_len, sig_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002708 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002709 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002710 size_t hashlen;
Paul Bakker577e0062013-08-28 11:57:20 +02002711#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002712 pk_type_t pk_alg;
Paul Bakker577e0062013-08-28 11:57:20 +02002713#endif
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002714 md_type_t md_alg;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002715 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2716
2717 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
2718
2719 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnard1b62c7f2013-10-14 14:02:19 +02002720 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002721 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
2722 {
2723 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2724 ssl->state++;
2725 return( 0 );
2726 }
2727
Paul Bakkered27a042013-04-18 22:46:23 +02002728 if( ssl->session_negotiate->peer_cert == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00002729 {
2730 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
2731 ssl->state++;
2732 return( 0 );
2733 }
2734
Paul Bakker48916f92012-09-16 19:57:18 +00002735 ssl->handshake->calc_verify( ssl, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +00002736
2737 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2738 {
2739 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2740 return( ret );
2741 }
2742
2743 ssl->state++;
2744
2745 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2746 {
2747 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002748 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +00002749 }
2750
2751 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
2752 {
2753 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002754 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +00002755 }
2756
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002757 /*
2758 * 0 . 0 handshake type
2759 * 1 . 3 handshake length
2760 * 4 . 5 sig alg (TLS 1.2 only)
2761 * 4+n . 5+n signature length (n = sa_len)
2762 * 6+n . 6+n+m signature (m = sig_len)
2763 */
Paul Bakker5121ce52009-01-03 21:22:43 +00002764
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002765#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2766 defined(POLARSSL_SSL_PROTO_TLS1_1)
2767 if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +01002768 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002769 sa_len = 0;
2770
Paul Bakkerc70b9822013-04-07 22:00:46 +02002771 md_alg = POLARSSL_MD_NONE;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002772 hashlen = 36;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002773
2774 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
2775 if( pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2776 POLARSSL_PK_ECDSA ) )
2777 {
2778 hash_start += 16;
2779 hashlen -= 16;
2780 md_alg = POLARSSL_MD_SHA1;
2781 }
Paul Bakker926af752012-11-23 13:38:07 +01002782 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002783 else
2784#endif
Paul Bakker577e0062013-08-28 11:57:20 +02002785#if defined(POLARSSL_SSL_PROTO_TLS1_2)
2786 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +02002787 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002788 sa_len = 2;
2789
Paul Bakker5121ce52009-01-03 21:22:43 +00002790 /*
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02002791 * Hash
Paul Bakker5121ce52009-01-03 21:22:43 +00002792 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002793 if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg )
Paul Bakker5121ce52009-01-03 21:22:43 +00002794 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002795 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
2796 " for verify message" ) );
Paul Bakker926af752012-11-23 13:38:07 +01002797 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
2798 }
2799
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02002800 md_alg = ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg );
Paul Bakker926af752012-11-23 13:38:07 +01002801
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +02002802 /* Info from md_alg will be used instead */
2803 hashlen = 0;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002804
2805 /*
2806 * Signature
2807 */
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02002808 if( ( pk_alg = ssl_pk_alg_from_sig( ssl->in_msg[5] ) )
2809 == POLARSSL_PK_NONE )
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002810 {
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02002811 SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
2812 " for verify message" ) );
2813 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002814 }
2815
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002816 /*
2817 * Check the certificate's key type matches the signature alg
2818 */
2819 if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
2820 {
2821 SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
2822 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
2823 }
Paul Bakker577e0062013-08-28 11:57:20 +02002824 }
2825 else
2826#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2827 {
2828 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +02002829 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +02002830 }
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +02002831
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002832 sig_len = ( ssl->in_msg[4 + sa_len] << 8 ) | ssl->in_msg[5 + sa_len];
Paul Bakker926af752012-11-23 13:38:07 +01002833
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002834 if( sa_len + sig_len + 6 != ssl->in_hslen )
Paul Bakker5121ce52009-01-03 21:22:43 +00002835 {
2836 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002837 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +00002838 }
2839
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02002840 if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002841 md_alg, hash_start, hashlen,
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02002842 ssl->in_msg + 6 + sa_len, sig_len ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002843 {
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +02002844 SSL_DEBUG_RET( 1, "pk_verify", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002845 return( ret );
2846 }
2847
2848 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
2849
Paul Bakkered27a042013-04-18 22:46:23 +02002850 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002851}
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002852#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2853 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2854 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00002855
Paul Bakkera503a632013-08-14 13:48:06 +02002856#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002857static int ssl_write_new_session_ticket( ssl_context *ssl )
2858{
2859 int ret;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +02002860 size_t tlen;
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +02002861 uint32_t lifetime = (uint32_t) ssl->ticket_lifetime;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002862
2863 SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
2864
2865 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2866 ssl->out_msg[0] = SSL_HS_NEW_SESSION_TICKET;
2867
2868 /*
2869 * struct {
2870 * uint32 ticket_lifetime_hint;
2871 * opaque ticket<0..2^16-1>;
2872 * } NewSessionTicket;
2873 *
2874 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
2875 * 8 . 9 ticket_len (n)
2876 * 10 . 9+n ticket content
2877 */
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +02002878
2879 ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
2880 ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
2881 ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
2882 ssl->out_msg[7] = ( lifetime ) & 0xFF;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002883
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +02002884 if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 )
2885 {
2886 SSL_DEBUG_RET( 1, "ssl_write_ticket", ret );
2887 tlen = 0;
2888 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002889
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +02002890 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
2891 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002892
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +02002893 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002894
2895 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2896 {
2897 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2898 return( ret );
2899 }
2900
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +02002901 /* No need to remember writing a NewSessionTicket any more */
2902 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002903
2904 SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
2905
2906 return( 0 );
2907}
Paul Bakkera503a632013-08-14 13:48:06 +02002908#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002909
Paul Bakker5121ce52009-01-03 21:22:43 +00002910/*
Paul Bakker1961b702013-01-25 14:49:24 +01002911 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +00002912 */
Paul Bakker1961b702013-01-25 14:49:24 +01002913int ssl_handshake_server_step( ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00002914{
2915 int ret = 0;
2916
Paul Bakker1961b702013-01-25 14:49:24 +01002917 if( ssl->state == SSL_HANDSHAKE_OVER )
2918 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +00002919
Paul Bakker1961b702013-01-25 14:49:24 +01002920 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
2921
2922 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2923 return( ret );
2924
2925 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +00002926 {
Paul Bakker1961b702013-01-25 14:49:24 +01002927 case SSL_HELLO_REQUEST:
2928 ssl->state = SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +00002929 break;
2930
Paul Bakker1961b702013-01-25 14:49:24 +01002931 /*
2932 * <== ClientHello
2933 */
2934 case SSL_CLIENT_HELLO:
2935 ret = ssl_parse_client_hello( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00002936 break;
Paul Bakker1961b702013-01-25 14:49:24 +01002937
2938 /*
2939 * ==> ServerHello
2940 * Certificate
2941 * ( ServerKeyExchange )
2942 * ( CertificateRequest )
2943 * ServerHelloDone
2944 */
2945 case SSL_SERVER_HELLO:
2946 ret = ssl_write_server_hello( ssl );
2947 break;
2948
2949 case SSL_SERVER_CERTIFICATE:
2950 ret = ssl_write_certificate( ssl );
2951 break;
2952
2953 case SSL_SERVER_KEY_EXCHANGE:
2954 ret = ssl_write_server_key_exchange( ssl );
2955 break;
2956
2957 case SSL_CERTIFICATE_REQUEST:
2958 ret = ssl_write_certificate_request( ssl );
2959 break;
2960
2961 case SSL_SERVER_HELLO_DONE:
2962 ret = ssl_write_server_hello_done( ssl );
2963 break;
2964
2965 /*
2966 * <== ( Certificate/Alert )
2967 * ClientKeyExchange
2968 * ( CertificateVerify )
2969 * ChangeCipherSpec
2970 * Finished
2971 */
2972 case SSL_CLIENT_CERTIFICATE:
2973 ret = ssl_parse_certificate( ssl );
2974 break;
2975
2976 case SSL_CLIENT_KEY_EXCHANGE:
2977 ret = ssl_parse_client_key_exchange( ssl );
2978 break;
2979
2980 case SSL_CERTIFICATE_VERIFY:
2981 ret = ssl_parse_certificate_verify( ssl );
2982 break;
2983
2984 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
2985 ret = ssl_parse_change_cipher_spec( ssl );
2986 break;
2987
2988 case SSL_CLIENT_FINISHED:
2989 ret = ssl_parse_finished( ssl );
2990 break;
2991
2992 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +02002993 * ==> ( NewSessionTicket )
2994 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +01002995 * Finished
2996 */
2997 case SSL_SERVER_CHANGE_CIPHER_SPEC:
Paul Bakkera503a632013-08-14 13:48:06 +02002998#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +02002999 if( ssl->handshake->new_session_ticket != 0 )
3000 ret = ssl_write_new_session_ticket( ssl );
3001 else
Paul Bakkera503a632013-08-14 13:48:06 +02003002#endif
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +02003003 ret = ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01003004 break;
3005
3006 case SSL_SERVER_FINISHED:
3007 ret = ssl_write_finished( ssl );
3008 break;
3009
3010 case SSL_FLUSH_BUFFERS:
3011 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3012 ssl->state = SSL_HANDSHAKE_WRAPUP;
3013 break;
3014
3015 case SSL_HANDSHAKE_WRAPUP:
3016 ssl_handshake_wrapup( ssl );
3017 break;
3018
3019 default:
3020 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3021 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +00003022 }
3023
Paul Bakker5121ce52009-01-03 21:22:43 +00003024 return( ret );
3025}
Paul Bakker5121ce52009-01-03 21:22:43 +00003026#endif