mbed TLS library
Dependents: HTTPClient-SSL WS_SERVER
polarssl/ssl_srv.c@0:137634ff4186, 2015-06-11 (annotated)
- Committer:
- ansond
- Date:
- Thu Jun 11 03:27:03 2015 +0000
- Revision:
- 0:137634ff4186
initial commit
Who changed what in which revision?
User | Revision | Line number | New contents of line |
---|---|---|---|
ansond | 0:137634ff4186 | 1 | /* |
ansond | 0:137634ff4186 | 2 | * SSLv3/TLSv1 server-side functions |
ansond | 0:137634ff4186 | 3 | * |
ansond | 0:137634ff4186 | 4 | * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved |
ansond | 0:137634ff4186 | 5 | * |
ansond | 0:137634ff4186 | 6 | * This file is part of mbed TLS (https://tls.mbed.org) |
ansond | 0:137634ff4186 | 7 | * |
ansond | 0:137634ff4186 | 8 | * This program is free software; you can redistribute it and/or modify |
ansond | 0:137634ff4186 | 9 | * it under the terms of the GNU General Public License as published by |
ansond | 0:137634ff4186 | 10 | * the Free Software Foundation; either version 2 of the License, or |
ansond | 0:137634ff4186 | 11 | * (at your option) any later version. |
ansond | 0:137634ff4186 | 12 | * |
ansond | 0:137634ff4186 | 13 | * This program is distributed in the hope that it will be useful, |
ansond | 0:137634ff4186 | 14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
ansond | 0:137634ff4186 | 15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
ansond | 0:137634ff4186 | 16 | * GNU General Public License for more details. |
ansond | 0:137634ff4186 | 17 | * |
ansond | 0:137634ff4186 | 18 | * You should have received a copy of the GNU General Public License along |
ansond | 0:137634ff4186 | 19 | * with this program; if not, write to the Free Software Foundation, Inc., |
ansond | 0:137634ff4186 | 20 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
ansond | 0:137634ff4186 | 21 | */ |
ansond | 0:137634ff4186 | 22 | |
ansond | 0:137634ff4186 | 23 | #if !defined(POLARSSL_CONFIG_FILE) |
ansond | 0:137634ff4186 | 24 | #include "polarssl/config.h" |
ansond | 0:137634ff4186 | 25 | #else |
ansond | 0:137634ff4186 | 26 | #include POLARSSL_CONFIG_FILE |
ansond | 0:137634ff4186 | 27 | #endif |
ansond | 0:137634ff4186 | 28 | |
ansond | 0:137634ff4186 | 29 | #if defined(POLARSSL_SSL_SRV_C) |
ansond | 0:137634ff4186 | 30 | |
ansond | 0:137634ff4186 | 31 | #include "polarssl/debug.h" |
ansond | 0:137634ff4186 | 32 | #include "polarssl/ssl.h" |
ansond | 0:137634ff4186 | 33 | |
ansond | 0:137634ff4186 | 34 | #include <string.h> |
ansond | 0:137634ff4186 | 35 | |
ansond | 0:137634ff4186 | 36 | #if defined(POLARSSL_ECP_C) |
ansond | 0:137634ff4186 | 37 | #include "polarssl/ecp.h" |
ansond | 0:137634ff4186 | 38 | #endif |
ansond | 0:137634ff4186 | 39 | |
ansond | 0:137634ff4186 | 40 | #if defined(POLARSSL_PLATFORM_C) |
ansond | 0:137634ff4186 | 41 | #include "polarssl/platform.h" |
ansond | 0:137634ff4186 | 42 | #else |
ansond | 0:137634ff4186 | 43 | #include <stdlib.h> |
ansond | 0:137634ff4186 | 44 | #define polarssl_malloc malloc |
ansond | 0:137634ff4186 | 45 | #define polarssl_free free |
ansond | 0:137634ff4186 | 46 | #endif |
ansond | 0:137634ff4186 | 47 | |
ansond | 0:137634ff4186 | 48 | #if defined(POLARSSL_HAVE_TIME) |
ansond | 0:137634ff4186 | 49 | #include <time.h> |
ansond | 0:137634ff4186 | 50 | #endif |
ansond | 0:137634ff4186 | 51 | |
ansond | 0:137634ff4186 | 52 | #if defined(POLARSSL_SSL_SESSION_TICKETS) |
ansond | 0:137634ff4186 | 53 | /* Implementation that should never be optimized out by the compiler */ |
ansond | 0:137634ff4186 | 54 | static void polarssl_zeroize( void *v, size_t n ) { |
ansond | 0:137634ff4186 | 55 | volatile unsigned char *p = v; while( n-- ) *p++ = 0; |
ansond | 0:137634ff4186 | 56 | } |
ansond | 0:137634ff4186 | 57 | |
ansond | 0:137634ff4186 | 58 | /* |
ansond | 0:137634ff4186 | 59 | * Serialize a session in the following format: |
ansond | 0:137634ff4186 | 60 | * 0 . n-1 session structure, n = sizeof(ssl_session) |
ansond | 0:137634ff4186 | 61 | * n . n+2 peer_cert length = m (0 if no certificate) |
ansond | 0:137634ff4186 | 62 | * n+3 . n+2+m peer cert ASN.1 |
ansond | 0:137634ff4186 | 63 | * |
ansond | 0:137634ff4186 | 64 | * Assumes ticket is NULL (always true on server side). |
ansond | 0:137634ff4186 | 65 | */ |
ansond | 0:137634ff4186 | 66 | static int ssl_save_session( const ssl_session *session, |
ansond | 0:137634ff4186 | 67 | unsigned char *buf, size_t buf_len, |
ansond | 0:137634ff4186 | 68 | size_t *olen ) |
ansond | 0:137634ff4186 | 69 | { |
ansond | 0:137634ff4186 | 70 | unsigned char *p = buf; |
ansond | 0:137634ff4186 | 71 | size_t left = buf_len; |
ansond | 0:137634ff4186 | 72 | #if defined(POLARSSL_X509_CRT_PARSE_C) |
ansond | 0:137634ff4186 | 73 | size_t cert_len; |
ansond | 0:137634ff4186 | 74 | #endif /* POLARSSL_X509_CRT_PARSE_C */ |
ansond | 0:137634ff4186 | 75 | |
ansond | 0:137634ff4186 | 76 | if( left < sizeof( ssl_session ) ) |
ansond | 0:137634ff4186 | 77 | return( -1 ); |
ansond | 0:137634ff4186 | 78 | |
ansond | 0:137634ff4186 | 79 | memcpy( p, session, sizeof( ssl_session ) ); |
ansond | 0:137634ff4186 | 80 | p += sizeof( ssl_session ); |
ansond | 0:137634ff4186 | 81 | left -= sizeof( ssl_session ); |
ansond | 0:137634ff4186 | 82 | |
ansond | 0:137634ff4186 | 83 | #if defined(POLARSSL_X509_CRT_PARSE_C) |
ansond | 0:137634ff4186 | 84 | if( session->peer_cert == NULL ) |
ansond | 0:137634ff4186 | 85 | cert_len = 0; |
ansond | 0:137634ff4186 | 86 | else |
ansond | 0:137634ff4186 | 87 | cert_len = session->peer_cert->raw.len; |
ansond | 0:137634ff4186 | 88 | |
ansond | 0:137634ff4186 | 89 | if( left < 3 + cert_len ) |
ansond | 0:137634ff4186 | 90 | return( -1 ); |
ansond | 0:137634ff4186 | 91 | |
ansond | 0:137634ff4186 | 92 | *p++ = (unsigned char)( cert_len >> 16 & 0xFF ); |
ansond | 0:137634ff4186 | 93 | *p++ = (unsigned char)( cert_len >> 8 & 0xFF ); |
ansond | 0:137634ff4186 | 94 | *p++ = (unsigned char)( cert_len & 0xFF ); |
ansond | 0:137634ff4186 | 95 | |
ansond | 0:137634ff4186 | 96 | if( session->peer_cert != NULL ) |
ansond | 0:137634ff4186 | 97 | memcpy( p, session->peer_cert->raw.p, cert_len ); |
ansond | 0:137634ff4186 | 98 | |
ansond | 0:137634ff4186 | 99 | p += cert_len; |
ansond | 0:137634ff4186 | 100 | #endif /* POLARSSL_X509_CRT_PARSE_C */ |
ansond | 0:137634ff4186 | 101 | |
ansond | 0:137634ff4186 | 102 | *olen = p - buf; |
ansond | 0:137634ff4186 | 103 | |
ansond | 0:137634ff4186 | 104 | return( 0 ); |
ansond | 0:137634ff4186 | 105 | } |
ansond | 0:137634ff4186 | 106 | |
ansond | 0:137634ff4186 | 107 | /* |
ansond | 0:137634ff4186 | 108 | * Unserialise session, see ssl_save_session() |
ansond | 0:137634ff4186 | 109 | */ |
ansond | 0:137634ff4186 | 110 | static int ssl_load_session( ssl_session *session, |
ansond | 0:137634ff4186 | 111 | const unsigned char *buf, size_t len ) |
ansond | 0:137634ff4186 | 112 | { |
ansond | 0:137634ff4186 | 113 | const unsigned char *p = buf; |
ansond | 0:137634ff4186 | 114 | const unsigned char * const end = buf + len; |
ansond | 0:137634ff4186 | 115 | #if defined(POLARSSL_X509_CRT_PARSE_C) |
ansond | 0:137634ff4186 | 116 | size_t cert_len; |
ansond | 0:137634ff4186 | 117 | #endif /* POLARSSL_X509_CRT_PARSE_C */ |
ansond | 0:137634ff4186 | 118 | |
ansond | 0:137634ff4186 | 119 | if( p + sizeof( ssl_session ) > end ) |
ansond | 0:137634ff4186 | 120 | return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); |
ansond | 0:137634ff4186 | 121 | |
ansond | 0:137634ff4186 | 122 | memcpy( session, p, sizeof( ssl_session ) ); |
ansond | 0:137634ff4186 | 123 | p += sizeof( ssl_session ); |
ansond | 0:137634ff4186 | 124 | |
ansond | 0:137634ff4186 | 125 | #if defined(POLARSSL_X509_CRT_PARSE_C) |
ansond | 0:137634ff4186 | 126 | if( p + 3 > end ) |
ansond | 0:137634ff4186 | 127 | return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); |
ansond | 0:137634ff4186 | 128 | |
ansond | 0:137634ff4186 | 129 | cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2]; |
ansond | 0:137634ff4186 | 130 | p += 3; |
ansond | 0:137634ff4186 | 131 | |
ansond | 0:137634ff4186 | 132 | if( cert_len == 0 ) |
ansond | 0:137634ff4186 | 133 | { |
ansond | 0:137634ff4186 | 134 | session->peer_cert = NULL; |
ansond | 0:137634ff4186 | 135 | } |
ansond | 0:137634ff4186 | 136 | else |
ansond | 0:137634ff4186 | 137 | { |
ansond | 0:137634ff4186 | 138 | int ret; |
ansond | 0:137634ff4186 | 139 | |
ansond | 0:137634ff4186 | 140 | if( p + cert_len > end ) |
ansond | 0:137634ff4186 | 141 | return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); |
ansond | 0:137634ff4186 | 142 | |
ansond | 0:137634ff4186 | 143 | session->peer_cert = polarssl_malloc( sizeof( x509_crt ) ); |
ansond | 0:137634ff4186 | 144 | |
ansond | 0:137634ff4186 | 145 | if( session->peer_cert == NULL ) |
ansond | 0:137634ff4186 | 146 | return( POLARSSL_ERR_SSL_MALLOC_FAILED ); |
ansond | 0:137634ff4186 | 147 | |
ansond | 0:137634ff4186 | 148 | x509_crt_init( session->peer_cert ); |
ansond | 0:137634ff4186 | 149 | |
ansond | 0:137634ff4186 | 150 | if( ( ret = x509_crt_parse_der( session->peer_cert, |
ansond | 0:137634ff4186 | 151 | p, cert_len ) ) != 0 ) |
ansond | 0:137634ff4186 | 152 | { |
ansond | 0:137634ff4186 | 153 | x509_crt_free( session->peer_cert ); |
ansond | 0:137634ff4186 | 154 | polarssl_free( session->peer_cert ); |
ansond | 0:137634ff4186 | 155 | session->peer_cert = NULL; |
ansond | 0:137634ff4186 | 156 | return( ret ); |
ansond | 0:137634ff4186 | 157 | } |
ansond | 0:137634ff4186 | 158 | |
ansond | 0:137634ff4186 | 159 | p += cert_len; |
ansond | 0:137634ff4186 | 160 | } |
ansond | 0:137634ff4186 | 161 | #endif /* POLARSSL_X509_CRT_PARSE_C */ |
ansond | 0:137634ff4186 | 162 | |
ansond | 0:137634ff4186 | 163 | if( p != end ) |
ansond | 0:137634ff4186 | 164 | return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); |
ansond | 0:137634ff4186 | 165 | |
ansond | 0:137634ff4186 | 166 | return( 0 ); |
ansond | 0:137634ff4186 | 167 | } |
ansond | 0:137634ff4186 | 168 | |
ansond | 0:137634ff4186 | 169 | /* |
ansond | 0:137634ff4186 | 170 | * Create session ticket, secured as recommended in RFC 5077 section 4: |
ansond | 0:137634ff4186 | 171 | * |
ansond | 0:137634ff4186 | 172 | * struct { |
ansond | 0:137634ff4186 | 173 | * opaque key_name[16]; |
ansond | 0:137634ff4186 | 174 | * opaque iv[16]; |
ansond | 0:137634ff4186 | 175 | * opaque encrypted_state<0..2^16-1>; |
ansond | 0:137634ff4186 | 176 | * opaque mac[32]; |
ansond | 0:137634ff4186 | 177 | * } ticket; |
ansond | 0:137634ff4186 | 178 | * |
ansond | 0:137634ff4186 | 179 | * (the internal state structure differs, however). |
ansond | 0:137634ff4186 | 180 | */ |
ansond | 0:137634ff4186 | 181 | static int ssl_write_ticket( ssl_context *ssl, size_t *tlen ) |
ansond | 0:137634ff4186 | 182 | { |
ansond | 0:137634ff4186 | 183 | int ret; |
ansond | 0:137634ff4186 | 184 | unsigned char * const start = ssl->out_msg + 10; |
ansond | 0:137634ff4186 | 185 | unsigned char *p = start; |
ansond | 0:137634ff4186 | 186 | unsigned char *state; |
ansond | 0:137634ff4186 | 187 | unsigned char iv[16]; |
ansond | 0:137634ff4186 | 188 | size_t clear_len, enc_len, pad_len, i; |
ansond | 0:137634ff4186 | 189 | |
ansond | 0:137634ff4186 | 190 | *tlen = 0; |
ansond | 0:137634ff4186 | 191 | |
ansond | 0:137634ff4186 | 192 | if( ssl->ticket_keys == NULL ) |
ansond | 0:137634ff4186 | 193 | return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); |
ansond | 0:137634ff4186 | 194 | |
ansond | 0:137634ff4186 | 195 | /* Write key name */ |
ansond | 0:137634ff4186 | 196 | memcpy( p, ssl->ticket_keys->key_name, 16 ); |
ansond | 0:137634ff4186 | 197 | p += 16; |
ansond | 0:137634ff4186 | 198 | |
ansond | 0:137634ff4186 | 199 | /* Generate and write IV (with a copy for aes_crypt) */ |
ansond | 0:137634ff4186 | 200 | if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 ) |
ansond | 0:137634ff4186 | 201 | return( ret ); |
ansond | 0:137634ff4186 | 202 | memcpy( iv, p, 16 ); |
ansond | 0:137634ff4186 | 203 | p += 16; |
ansond | 0:137634ff4186 | 204 | |
ansond | 0:137634ff4186 | 205 | /* |
ansond | 0:137634ff4186 | 206 | * Dump session state |
ansond | 0:137634ff4186 | 207 | * |
ansond | 0:137634ff4186 | 208 | * After the session state itself, we still need room for 16 bytes of |
ansond | 0:137634ff4186 | 209 | * padding and 32 bytes of MAC, so there's only so much room left |
ansond | 0:137634ff4186 | 210 | */ |
ansond | 0:137634ff4186 | 211 | state = p + 2; |
ansond | 0:137634ff4186 | 212 | if( ssl_save_session( ssl->session_negotiate, state, |
ansond | 0:137634ff4186 | 213 | SSL_MAX_CONTENT_LEN - ( state - ssl->out_ctr ) - 48, |
ansond | 0:137634ff4186 | 214 | &clear_len ) != 0 ) |
ansond | 0:137634ff4186 | 215 | { |
ansond | 0:137634ff4186 | 216 | return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE ); |
ansond | 0:137634ff4186 | 217 | } |
ansond | 0:137634ff4186 | 218 | SSL_DEBUG_BUF( 3, "session ticket cleartext", state, clear_len ); |
ansond | 0:137634ff4186 | 219 | |
ansond | 0:137634ff4186 | 220 | /* Apply PKCS padding */ |
ansond | 0:137634ff4186 | 221 | pad_len = 16 - clear_len % 16; |
ansond | 0:137634ff4186 | 222 | enc_len = clear_len + pad_len; |
ansond | 0:137634ff4186 | 223 | for( i = clear_len; i < enc_len; i++ ) |
ansond | 0:137634ff4186 | 224 | state[i] = (unsigned char) pad_len; |
ansond | 0:137634ff4186 | 225 | |
ansond | 0:137634ff4186 | 226 | /* Encrypt */ |
ansond | 0:137634ff4186 | 227 | if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->enc, AES_ENCRYPT, |
ansond | 0:137634ff4186 | 228 | enc_len, iv, state, state ) ) != 0 ) |
ansond | 0:137634ff4186 | 229 | { |
ansond | 0:137634ff4186 | 230 | return( ret ); |
ansond | 0:137634ff4186 | 231 | } |
ansond | 0:137634ff4186 | 232 | |
ansond | 0:137634ff4186 | 233 | /* Write length */ |
ansond | 0:137634ff4186 | 234 | *p++ = (unsigned char)( ( enc_len >> 8 ) & 0xFF ); |
ansond | 0:137634ff4186 | 235 | *p++ = (unsigned char)( ( enc_len ) & 0xFF ); |
ansond | 0:137634ff4186 | 236 | p = state + enc_len; |
ansond | 0:137634ff4186 | 237 | |
ansond | 0:137634ff4186 | 238 | /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */ |
ansond | 0:137634ff4186 | 239 | sha256_hmac( ssl->ticket_keys->mac_key, 16, start, p - start, p, 0 ); |
ansond | 0:137634ff4186 | 240 | p += 32; |
ansond | 0:137634ff4186 | 241 | |
ansond | 0:137634ff4186 | 242 | *tlen = p - start; |
ansond | 0:137634ff4186 | 243 | |
ansond | 0:137634ff4186 | 244 | SSL_DEBUG_BUF( 3, "session ticket structure", start, *tlen ); |
ansond | 0:137634ff4186 | 245 | |
ansond | 0:137634ff4186 | 246 | return( 0 ); |
ansond | 0:137634ff4186 | 247 | } |
ansond | 0:137634ff4186 | 248 | |
ansond | 0:137634ff4186 | 249 | /* |
ansond | 0:137634ff4186 | 250 | * Load session ticket (see ssl_write_ticket for structure) |
ansond | 0:137634ff4186 | 251 | */ |
ansond | 0:137634ff4186 | 252 | static int ssl_parse_ticket( ssl_context *ssl, |
ansond | 0:137634ff4186 | 253 | unsigned char *buf, |
ansond | 0:137634ff4186 | 254 | size_t len ) |
ansond | 0:137634ff4186 | 255 | { |
ansond | 0:137634ff4186 | 256 | int ret; |
ansond | 0:137634ff4186 | 257 | ssl_session session; |
ansond | 0:137634ff4186 | 258 | unsigned char *key_name = buf; |
ansond | 0:137634ff4186 | 259 | unsigned char *iv = buf + 16; |
ansond | 0:137634ff4186 | 260 | unsigned char *enc_len_p = iv + 16; |
ansond | 0:137634ff4186 | 261 | unsigned char *ticket = enc_len_p + 2; |
ansond | 0:137634ff4186 | 262 | unsigned char *mac; |
ansond | 0:137634ff4186 | 263 | unsigned char computed_mac[32]; |
ansond | 0:137634ff4186 | 264 | size_t enc_len, clear_len, i; |
ansond | 0:137634ff4186 | 265 | unsigned char pad_len, diff; |
ansond | 0:137634ff4186 | 266 | |
ansond | 0:137634ff4186 | 267 | SSL_DEBUG_BUF( 3, "session ticket structure", buf, len ); |
ansond | 0:137634ff4186 | 268 | |
ansond | 0:137634ff4186 | 269 | if( len < 34 || ssl->ticket_keys == NULL ) |
ansond | 0:137634ff4186 | 270 | return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); |
ansond | 0:137634ff4186 | 271 | |
ansond | 0:137634ff4186 | 272 | enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1]; |
ansond | 0:137634ff4186 | 273 | mac = ticket + enc_len; |
ansond | 0:137634ff4186 | 274 | |
ansond | 0:137634ff4186 | 275 | if( len != enc_len + 66 ) |
ansond | 0:137634ff4186 | 276 | return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); |
ansond | 0:137634ff4186 | 277 | |
ansond | 0:137634ff4186 | 278 | /* Check name, in constant time though it's not a big secret */ |
ansond | 0:137634ff4186 | 279 | diff = 0; |
ansond | 0:137634ff4186 | 280 | for( i = 0; i < 16; i++ ) |
ansond | 0:137634ff4186 | 281 | diff |= key_name[i] ^ ssl->ticket_keys->key_name[i]; |
ansond | 0:137634ff4186 | 282 | /* don't return yet, check the MAC anyway */ |
ansond | 0:137634ff4186 | 283 | |
ansond | 0:137634ff4186 | 284 | /* Check mac, with constant-time buffer comparison */ |
ansond | 0:137634ff4186 | 285 | sha256_hmac( ssl->ticket_keys->mac_key, 16, buf, len - 32, |
ansond | 0:137634ff4186 | 286 | computed_mac, 0 ); |
ansond | 0:137634ff4186 | 287 | |
ansond | 0:137634ff4186 | 288 | for( i = 0; i < 32; i++ ) |
ansond | 0:137634ff4186 | 289 | diff |= mac[i] ^ computed_mac[i]; |
ansond | 0:137634ff4186 | 290 | |
ansond | 0:137634ff4186 | 291 | /* Now return if ticket is not authentic, since we want to avoid |
ansond | 0:137634ff4186 | 292 | * decrypting arbitrary attacker-chosen data */ |
ansond | 0:137634ff4186 | 293 | if( diff != 0 ) |
ansond | 0:137634ff4186 | 294 | return( POLARSSL_ERR_SSL_INVALID_MAC ); |
ansond | 0:137634ff4186 | 295 | |
ansond | 0:137634ff4186 | 296 | /* Decrypt */ |
ansond | 0:137634ff4186 | 297 | if( ( ret = aes_crypt_cbc( &ssl->ticket_keys->dec, AES_DECRYPT, |
ansond | 0:137634ff4186 | 298 | enc_len, iv, ticket, ticket ) ) != 0 ) |
ansond | 0:137634ff4186 | 299 | { |
ansond | 0:137634ff4186 | 300 | return( ret ); |
ansond | 0:137634ff4186 | 301 | } |
ansond | 0:137634ff4186 | 302 | |
ansond | 0:137634ff4186 | 303 | /* Check PKCS padding */ |
ansond | 0:137634ff4186 | 304 | pad_len = ticket[enc_len - 1]; |
ansond | 0:137634ff4186 | 305 | |
ansond | 0:137634ff4186 | 306 | ret = 0; |
ansond | 0:137634ff4186 | 307 | for( i = 2; i < pad_len; i++ ) |
ansond | 0:137634ff4186 | 308 | if( ticket[enc_len - i] != pad_len ) |
ansond | 0:137634ff4186 | 309 | ret = POLARSSL_ERR_SSL_BAD_INPUT_DATA; |
ansond | 0:137634ff4186 | 310 | if( ret != 0 ) |
ansond | 0:137634ff4186 | 311 | return( ret ); |
ansond | 0:137634ff4186 | 312 | |
ansond | 0:137634ff4186 | 313 | clear_len = enc_len - pad_len; |
ansond | 0:137634ff4186 | 314 | |
ansond | 0:137634ff4186 | 315 | SSL_DEBUG_BUF( 3, "session ticket cleartext", ticket, clear_len ); |
ansond | 0:137634ff4186 | 316 | |
ansond | 0:137634ff4186 | 317 | /* Actually load session */ |
ansond | 0:137634ff4186 | 318 | if( ( ret = ssl_load_session( &session, ticket, clear_len ) ) != 0 ) |
ansond | 0:137634ff4186 | 319 | { |
ansond | 0:137634ff4186 | 320 | SSL_DEBUG_MSG( 1, ( "failed to parse ticket content" ) ); |
ansond | 0:137634ff4186 | 321 | ssl_session_free( &session ); |
ansond | 0:137634ff4186 | 322 | return( ret ); |
ansond | 0:137634ff4186 | 323 | } |
ansond | 0:137634ff4186 | 324 | |
ansond | 0:137634ff4186 | 325 | #if defined(POLARSSL_HAVE_TIME) |
ansond | 0:137634ff4186 | 326 | /* Check if still valid */ |
ansond | 0:137634ff4186 | 327 | if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime ) |
ansond | 0:137634ff4186 | 328 | { |
ansond | 0:137634ff4186 | 329 | SSL_DEBUG_MSG( 1, ( "session ticket expired" ) ); |
ansond | 0:137634ff4186 | 330 | ssl_session_free( &session ); |
ansond | 0:137634ff4186 | 331 | return( POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED ); |
ansond | 0:137634ff4186 | 332 | } |
ansond | 0:137634ff4186 | 333 | #endif |
ansond | 0:137634ff4186 | 334 | |
ansond | 0:137634ff4186 | 335 | /* |
ansond | 0:137634ff4186 | 336 | * Keep the session ID sent by the client, since we MUST send it back to |
ansond | 0:137634ff4186 | 337 | * inform him we're accepting the ticket (RFC 5077 section 3.4) |
ansond | 0:137634ff4186 | 338 | */ |
ansond | 0:137634ff4186 | 339 | session.length = ssl->session_negotiate->length; |
ansond | 0:137634ff4186 | 340 | memcpy( &session.id, ssl->session_negotiate->id, session.length ); |
ansond | 0:137634ff4186 | 341 | |
ansond | 0:137634ff4186 | 342 | ssl_session_free( ssl->session_negotiate ); |
ansond | 0:137634ff4186 | 343 | memcpy( ssl->session_negotiate, &session, sizeof( ssl_session ) ); |
ansond | 0:137634ff4186 | 344 | |
ansond | 0:137634ff4186 | 345 | /* Zeroize instead of free as we copied the content */ |
ansond | 0:137634ff4186 | 346 | polarssl_zeroize( &session, sizeof( ssl_session ) ); |
ansond | 0:137634ff4186 | 347 | |
ansond | 0:137634ff4186 | 348 | return( 0 ); |
ansond | 0:137634ff4186 | 349 | } |
ansond | 0:137634ff4186 | 350 | #endif /* POLARSSL_SSL_SESSION_TICKETS */ |
ansond | 0:137634ff4186 | 351 | |
ansond | 0:137634ff4186 | 352 | #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) |
ansond | 0:137634ff4186 | 353 | /* |
ansond | 0:137634ff4186 | 354 | * Wrapper around f_sni, allowing use of ssl_set_own_cert() but |
ansond | 0:137634ff4186 | 355 | * making it act on ssl->hanshake->sni_key_cert instead. |
ansond | 0:137634ff4186 | 356 | */ |
ansond | 0:137634ff4186 | 357 | static int ssl_sni_wrapper( ssl_context *ssl, |
ansond | 0:137634ff4186 | 358 | const unsigned char* name, size_t len ) |
ansond | 0:137634ff4186 | 359 | { |
ansond | 0:137634ff4186 | 360 | int ret; |
ansond | 0:137634ff4186 | 361 | ssl_key_cert *key_cert_ori = ssl->key_cert; |
ansond | 0:137634ff4186 | 362 | |
ansond | 0:137634ff4186 | 363 | ssl->key_cert = NULL; |
ansond | 0:137634ff4186 | 364 | ret = ssl->f_sni( ssl->p_sni, ssl, name, len ); |
ansond | 0:137634ff4186 | 365 | ssl->handshake->sni_key_cert = ssl->key_cert; |
ansond | 0:137634ff4186 | 366 | |
ansond | 0:137634ff4186 | 367 | ssl->key_cert = key_cert_ori; |
ansond | 0:137634ff4186 | 368 | |
ansond | 0:137634ff4186 | 369 | return( ret ); |
ansond | 0:137634ff4186 | 370 | } |
ansond | 0:137634ff4186 | 371 | |
ansond | 0:137634ff4186 | 372 | static int ssl_parse_servername_ext( ssl_context *ssl, |
ansond | 0:137634ff4186 | 373 | const unsigned char *buf, |
ansond | 0:137634ff4186 | 374 | size_t len ) |
ansond | 0:137634ff4186 | 375 | { |
ansond | 0:137634ff4186 | 376 | int ret; |
ansond | 0:137634ff4186 | 377 | size_t servername_list_size, hostname_len; |
ansond | 0:137634ff4186 | 378 | const unsigned char *p; |
ansond | 0:137634ff4186 | 379 | |
ansond | 0:137634ff4186 | 380 | SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) ); |
ansond | 0:137634ff4186 | 381 | |
ansond | 0:137634ff4186 | 382 | servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); |
ansond | 0:137634ff4186 | 383 | if( servername_list_size + 2 != len ) |
ansond | 0:137634ff4186 | 384 | { |
ansond | 0:137634ff4186 | 385 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 386 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 387 | } |
ansond | 0:137634ff4186 | 388 | |
ansond | 0:137634ff4186 | 389 | p = buf + 2; |
ansond | 0:137634ff4186 | 390 | while( servername_list_size > 0 ) |
ansond | 0:137634ff4186 | 391 | { |
ansond | 0:137634ff4186 | 392 | hostname_len = ( ( p[1] << 8 ) | p[2] ); |
ansond | 0:137634ff4186 | 393 | if( hostname_len + 3 > servername_list_size ) |
ansond | 0:137634ff4186 | 394 | { |
ansond | 0:137634ff4186 | 395 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 396 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 397 | } |
ansond | 0:137634ff4186 | 398 | |
ansond | 0:137634ff4186 | 399 | if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME ) |
ansond | 0:137634ff4186 | 400 | { |
ansond | 0:137634ff4186 | 401 | ret = ssl_sni_wrapper( ssl, p + 3, hostname_len ); |
ansond | 0:137634ff4186 | 402 | if( ret != 0 ) |
ansond | 0:137634ff4186 | 403 | { |
ansond | 0:137634ff4186 | 404 | SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret ); |
ansond | 0:137634ff4186 | 405 | ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL, |
ansond | 0:137634ff4186 | 406 | SSL_ALERT_MSG_UNRECOGNIZED_NAME ); |
ansond | 0:137634ff4186 | 407 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 408 | } |
ansond | 0:137634ff4186 | 409 | return( 0 ); |
ansond | 0:137634ff4186 | 410 | } |
ansond | 0:137634ff4186 | 411 | |
ansond | 0:137634ff4186 | 412 | servername_list_size -= hostname_len + 3; |
ansond | 0:137634ff4186 | 413 | p += hostname_len + 3; |
ansond | 0:137634ff4186 | 414 | } |
ansond | 0:137634ff4186 | 415 | |
ansond | 0:137634ff4186 | 416 | if( servername_list_size != 0 ) |
ansond | 0:137634ff4186 | 417 | { |
ansond | 0:137634ff4186 | 418 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 419 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 420 | } |
ansond | 0:137634ff4186 | 421 | |
ansond | 0:137634ff4186 | 422 | return( 0 ); |
ansond | 0:137634ff4186 | 423 | } |
ansond | 0:137634ff4186 | 424 | #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */ |
ansond | 0:137634ff4186 | 425 | |
ansond | 0:137634ff4186 | 426 | static int ssl_parse_renegotiation_info( ssl_context *ssl, |
ansond | 0:137634ff4186 | 427 | const unsigned char *buf, |
ansond | 0:137634ff4186 | 428 | size_t len ) |
ansond | 0:137634ff4186 | 429 | { |
ansond | 0:137634ff4186 | 430 | int ret; |
ansond | 0:137634ff4186 | 431 | |
ansond | 0:137634ff4186 | 432 | #if defined(POLARSSL_SSL_RENEGOTIATION) |
ansond | 0:137634ff4186 | 433 | if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) |
ansond | 0:137634ff4186 | 434 | { |
ansond | 0:137634ff4186 | 435 | /* Check verify-data in constant-time. The length OTOH is no secret */ |
ansond | 0:137634ff4186 | 436 | if( len != 1 + ssl->verify_data_len || |
ansond | 0:137634ff4186 | 437 | buf[0] != ssl->verify_data_len || |
ansond | 0:137634ff4186 | 438 | safer_memcmp( buf + 1, ssl->peer_verify_data, |
ansond | 0:137634ff4186 | 439 | ssl->verify_data_len ) != 0 ) |
ansond | 0:137634ff4186 | 440 | { |
ansond | 0:137634ff4186 | 441 | SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); |
ansond | 0:137634ff4186 | 442 | |
ansond | 0:137634ff4186 | 443 | if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) |
ansond | 0:137634ff4186 | 444 | return( ret ); |
ansond | 0:137634ff4186 | 445 | |
ansond | 0:137634ff4186 | 446 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 447 | } |
ansond | 0:137634ff4186 | 448 | } |
ansond | 0:137634ff4186 | 449 | else |
ansond | 0:137634ff4186 | 450 | #endif /* POLARSSL_SSL_RENEGOTIATION */ |
ansond | 0:137634ff4186 | 451 | { |
ansond | 0:137634ff4186 | 452 | if( len != 1 || buf[0] != 0x0 ) |
ansond | 0:137634ff4186 | 453 | { |
ansond | 0:137634ff4186 | 454 | SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); |
ansond | 0:137634ff4186 | 455 | |
ansond | 0:137634ff4186 | 456 | if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) |
ansond | 0:137634ff4186 | 457 | return( ret ); |
ansond | 0:137634ff4186 | 458 | |
ansond | 0:137634ff4186 | 459 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 460 | } |
ansond | 0:137634ff4186 | 461 | |
ansond | 0:137634ff4186 | 462 | ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION; |
ansond | 0:137634ff4186 | 463 | } |
ansond | 0:137634ff4186 | 464 | |
ansond | 0:137634ff4186 | 465 | return( 0 ); |
ansond | 0:137634ff4186 | 466 | } |
ansond | 0:137634ff4186 | 467 | |
ansond | 0:137634ff4186 | 468 | #if defined(POLARSSL_SSL_PROTO_TLS1_2) && \ |
ansond | 0:137634ff4186 | 469 | defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED) |
ansond | 0:137634ff4186 | 470 | static int ssl_parse_signature_algorithms_ext( ssl_context *ssl, |
ansond | 0:137634ff4186 | 471 | const unsigned char *buf, |
ansond | 0:137634ff4186 | 472 | size_t len ) |
ansond | 0:137634ff4186 | 473 | { |
ansond | 0:137634ff4186 | 474 | size_t sig_alg_list_size; |
ansond | 0:137634ff4186 | 475 | const unsigned char *p; |
ansond | 0:137634ff4186 | 476 | const unsigned char *end = buf + len; |
ansond | 0:137634ff4186 | 477 | const int *md_cur; |
ansond | 0:137634ff4186 | 478 | |
ansond | 0:137634ff4186 | 479 | |
ansond | 0:137634ff4186 | 480 | sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); |
ansond | 0:137634ff4186 | 481 | if( sig_alg_list_size + 2 != len || |
ansond | 0:137634ff4186 | 482 | sig_alg_list_size % 2 != 0 ) |
ansond | 0:137634ff4186 | 483 | { |
ansond | 0:137634ff4186 | 484 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 485 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 486 | } |
ansond | 0:137634ff4186 | 487 | |
ansond | 0:137634ff4186 | 488 | /* |
ansond | 0:137634ff4186 | 489 | * For now, ignore the SignatureAlgorithm part and rely on offered |
ansond | 0:137634ff4186 | 490 | * ciphersuites only for that part. To be fixed later. |
ansond | 0:137634ff4186 | 491 | * |
ansond | 0:137634ff4186 | 492 | * So, just look at the HashAlgorithm part. |
ansond | 0:137634ff4186 | 493 | */ |
ansond | 0:137634ff4186 | 494 | for( md_cur = md_list(); *md_cur != POLARSSL_MD_NONE; md_cur++ ) { |
ansond | 0:137634ff4186 | 495 | for( p = buf + 2; p < end; p += 2 ) { |
ansond | 0:137634ff4186 | 496 | if( *md_cur == (int) ssl_md_alg_from_hash( p[0] ) ) { |
ansond | 0:137634ff4186 | 497 | ssl->handshake->sig_alg = p[0]; |
ansond | 0:137634ff4186 | 498 | goto have_sig_alg; |
ansond | 0:137634ff4186 | 499 | } |
ansond | 0:137634ff4186 | 500 | } |
ansond | 0:137634ff4186 | 501 | } |
ansond | 0:137634ff4186 | 502 | |
ansond | 0:137634ff4186 | 503 | /* Some key echanges do not need signatures at all */ |
ansond | 0:137634ff4186 | 504 | SSL_DEBUG_MSG( 3, ( "no signature_algorithm in common" ) ); |
ansond | 0:137634ff4186 | 505 | return( 0 ); |
ansond | 0:137634ff4186 | 506 | |
ansond | 0:137634ff4186 | 507 | have_sig_alg: |
ansond | 0:137634ff4186 | 508 | SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d", |
ansond | 0:137634ff4186 | 509 | ssl->handshake->sig_alg ) ); |
ansond | 0:137634ff4186 | 510 | |
ansond | 0:137634ff4186 | 511 | return( 0 ); |
ansond | 0:137634ff4186 | 512 | } |
ansond | 0:137634ff4186 | 513 | #endif /* POLARSSL_SSL_PROTO_TLS1_2 && |
ansond | 0:137634ff4186 | 514 | POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */ |
ansond | 0:137634ff4186 | 515 | |
ansond | 0:137634ff4186 | 516 | #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) |
ansond | 0:137634ff4186 | 517 | static int ssl_parse_supported_elliptic_curves( ssl_context *ssl, |
ansond | 0:137634ff4186 | 518 | const unsigned char *buf, |
ansond | 0:137634ff4186 | 519 | size_t len ) |
ansond | 0:137634ff4186 | 520 | { |
ansond | 0:137634ff4186 | 521 | size_t list_size, our_size; |
ansond | 0:137634ff4186 | 522 | const unsigned char *p; |
ansond | 0:137634ff4186 | 523 | const ecp_curve_info *curve_info, **curves; |
ansond | 0:137634ff4186 | 524 | |
ansond | 0:137634ff4186 | 525 | list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); |
ansond | 0:137634ff4186 | 526 | if( list_size + 2 != len || |
ansond | 0:137634ff4186 | 527 | list_size % 2 != 0 ) |
ansond | 0:137634ff4186 | 528 | { |
ansond | 0:137634ff4186 | 529 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 530 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 531 | } |
ansond | 0:137634ff4186 | 532 | |
ansond | 0:137634ff4186 | 533 | /* Should never happen unless client duplicates the extension */ |
ansond | 0:137634ff4186 | 534 | if( ssl->handshake->curves != NULL ) |
ansond | 0:137634ff4186 | 535 | { |
ansond | 0:137634ff4186 | 536 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 537 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 538 | } |
ansond | 0:137634ff4186 | 539 | |
ansond | 0:137634ff4186 | 540 | /* Don't allow our peer to make us allocate too much memory, |
ansond | 0:137634ff4186 | 541 | * and leave room for a final 0 */ |
ansond | 0:137634ff4186 | 542 | our_size = list_size / 2 + 1; |
ansond | 0:137634ff4186 | 543 | if( our_size > POLARSSL_ECP_DP_MAX ) |
ansond | 0:137634ff4186 | 544 | our_size = POLARSSL_ECP_DP_MAX; |
ansond | 0:137634ff4186 | 545 | |
ansond | 0:137634ff4186 | 546 | if( ( curves = polarssl_malloc( our_size * sizeof( *curves ) ) ) == NULL ) |
ansond | 0:137634ff4186 | 547 | return( POLARSSL_ERR_SSL_MALLOC_FAILED ); |
ansond | 0:137634ff4186 | 548 | |
ansond | 0:137634ff4186 | 549 | /* explicit void pointer cast for buggy MS compiler */ |
ansond | 0:137634ff4186 | 550 | memset( (void *) curves, 0, our_size * sizeof( *curves ) ); |
ansond | 0:137634ff4186 | 551 | ssl->handshake->curves = curves; |
ansond | 0:137634ff4186 | 552 | |
ansond | 0:137634ff4186 | 553 | p = buf + 2; |
ansond | 0:137634ff4186 | 554 | while( list_size > 0 && our_size > 1 ) |
ansond | 0:137634ff4186 | 555 | { |
ansond | 0:137634ff4186 | 556 | curve_info = ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] ); |
ansond | 0:137634ff4186 | 557 | |
ansond | 0:137634ff4186 | 558 | if( curve_info != NULL ) |
ansond | 0:137634ff4186 | 559 | { |
ansond | 0:137634ff4186 | 560 | *curves++ = curve_info; |
ansond | 0:137634ff4186 | 561 | our_size--; |
ansond | 0:137634ff4186 | 562 | } |
ansond | 0:137634ff4186 | 563 | |
ansond | 0:137634ff4186 | 564 | list_size -= 2; |
ansond | 0:137634ff4186 | 565 | p += 2; |
ansond | 0:137634ff4186 | 566 | } |
ansond | 0:137634ff4186 | 567 | |
ansond | 0:137634ff4186 | 568 | return( 0 ); |
ansond | 0:137634ff4186 | 569 | } |
ansond | 0:137634ff4186 | 570 | |
ansond | 0:137634ff4186 | 571 | static int ssl_parse_supported_point_formats( ssl_context *ssl, |
ansond | 0:137634ff4186 | 572 | const unsigned char *buf, |
ansond | 0:137634ff4186 | 573 | size_t len ) |
ansond | 0:137634ff4186 | 574 | { |
ansond | 0:137634ff4186 | 575 | size_t list_size; |
ansond | 0:137634ff4186 | 576 | const unsigned char *p; |
ansond | 0:137634ff4186 | 577 | |
ansond | 0:137634ff4186 | 578 | list_size = buf[0]; |
ansond | 0:137634ff4186 | 579 | if( list_size + 1 != len ) |
ansond | 0:137634ff4186 | 580 | { |
ansond | 0:137634ff4186 | 581 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 582 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 583 | } |
ansond | 0:137634ff4186 | 584 | |
ansond | 0:137634ff4186 | 585 | p = buf + 2; |
ansond | 0:137634ff4186 | 586 | while( list_size > 0 ) |
ansond | 0:137634ff4186 | 587 | { |
ansond | 0:137634ff4186 | 588 | if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED || |
ansond | 0:137634ff4186 | 589 | p[0] == POLARSSL_ECP_PF_COMPRESSED ) |
ansond | 0:137634ff4186 | 590 | { |
ansond | 0:137634ff4186 | 591 | ssl->handshake->ecdh_ctx.point_format = p[0]; |
ansond | 0:137634ff4186 | 592 | SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); |
ansond | 0:137634ff4186 | 593 | return( 0 ); |
ansond | 0:137634ff4186 | 594 | } |
ansond | 0:137634ff4186 | 595 | |
ansond | 0:137634ff4186 | 596 | list_size--; |
ansond | 0:137634ff4186 | 597 | p++; |
ansond | 0:137634ff4186 | 598 | } |
ansond | 0:137634ff4186 | 599 | |
ansond | 0:137634ff4186 | 600 | return( 0 ); |
ansond | 0:137634ff4186 | 601 | } |
ansond | 0:137634ff4186 | 602 | #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */ |
ansond | 0:137634ff4186 | 603 | |
ansond | 0:137634ff4186 | 604 | #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) |
ansond | 0:137634ff4186 | 605 | static int ssl_parse_max_fragment_length_ext( ssl_context *ssl, |
ansond | 0:137634ff4186 | 606 | const unsigned char *buf, |
ansond | 0:137634ff4186 | 607 | size_t len ) |
ansond | 0:137634ff4186 | 608 | { |
ansond | 0:137634ff4186 | 609 | if( len != 1 || buf[0] >= SSL_MAX_FRAG_LEN_INVALID ) |
ansond | 0:137634ff4186 | 610 | { |
ansond | 0:137634ff4186 | 611 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 612 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 613 | } |
ansond | 0:137634ff4186 | 614 | |
ansond | 0:137634ff4186 | 615 | ssl->session_negotiate->mfl_code = buf[0]; |
ansond | 0:137634ff4186 | 616 | |
ansond | 0:137634ff4186 | 617 | return( 0 ); |
ansond | 0:137634ff4186 | 618 | } |
ansond | 0:137634ff4186 | 619 | #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */ |
ansond | 0:137634ff4186 | 620 | |
ansond | 0:137634ff4186 | 621 | #if defined(POLARSSL_SSL_TRUNCATED_HMAC) |
ansond | 0:137634ff4186 | 622 | static int ssl_parse_truncated_hmac_ext( ssl_context *ssl, |
ansond | 0:137634ff4186 | 623 | const unsigned char *buf, |
ansond | 0:137634ff4186 | 624 | size_t len ) |
ansond | 0:137634ff4186 | 625 | { |
ansond | 0:137634ff4186 | 626 | if( len != 0 ) |
ansond | 0:137634ff4186 | 627 | { |
ansond | 0:137634ff4186 | 628 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 629 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 630 | } |
ansond | 0:137634ff4186 | 631 | |
ansond | 0:137634ff4186 | 632 | ((void) buf); |
ansond | 0:137634ff4186 | 633 | |
ansond | 0:137634ff4186 | 634 | if( ssl->trunc_hmac == SSL_TRUNC_HMAC_ENABLED ) |
ansond | 0:137634ff4186 | 635 | ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED; |
ansond | 0:137634ff4186 | 636 | |
ansond | 0:137634ff4186 | 637 | return( 0 ); |
ansond | 0:137634ff4186 | 638 | } |
ansond | 0:137634ff4186 | 639 | #endif /* POLARSSL_SSL_TRUNCATED_HMAC */ |
ansond | 0:137634ff4186 | 640 | |
ansond | 0:137634ff4186 | 641 | #if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC) |
ansond | 0:137634ff4186 | 642 | static int ssl_parse_encrypt_then_mac_ext( ssl_context *ssl, |
ansond | 0:137634ff4186 | 643 | const unsigned char *buf, |
ansond | 0:137634ff4186 | 644 | size_t len ) |
ansond | 0:137634ff4186 | 645 | { |
ansond | 0:137634ff4186 | 646 | if( len != 0 ) |
ansond | 0:137634ff4186 | 647 | { |
ansond | 0:137634ff4186 | 648 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 649 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 650 | } |
ansond | 0:137634ff4186 | 651 | |
ansond | 0:137634ff4186 | 652 | ((void) buf); |
ansond | 0:137634ff4186 | 653 | |
ansond | 0:137634ff4186 | 654 | if( ssl->encrypt_then_mac == SSL_ETM_ENABLED && |
ansond | 0:137634ff4186 | 655 | ssl->minor_ver != SSL_MINOR_VERSION_0 ) |
ansond | 0:137634ff4186 | 656 | { |
ansond | 0:137634ff4186 | 657 | ssl->session_negotiate->encrypt_then_mac = SSL_ETM_ENABLED; |
ansond | 0:137634ff4186 | 658 | } |
ansond | 0:137634ff4186 | 659 | |
ansond | 0:137634ff4186 | 660 | return( 0 ); |
ansond | 0:137634ff4186 | 661 | } |
ansond | 0:137634ff4186 | 662 | #endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */ |
ansond | 0:137634ff4186 | 663 | |
ansond | 0:137634ff4186 | 664 | #if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET) |
ansond | 0:137634ff4186 | 665 | static int ssl_parse_extended_ms_ext( ssl_context *ssl, |
ansond | 0:137634ff4186 | 666 | const unsigned char *buf, |
ansond | 0:137634ff4186 | 667 | size_t len ) |
ansond | 0:137634ff4186 | 668 | { |
ansond | 0:137634ff4186 | 669 | if( len != 0 ) |
ansond | 0:137634ff4186 | 670 | { |
ansond | 0:137634ff4186 | 671 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 672 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 673 | } |
ansond | 0:137634ff4186 | 674 | |
ansond | 0:137634ff4186 | 675 | ((void) buf); |
ansond | 0:137634ff4186 | 676 | |
ansond | 0:137634ff4186 | 677 | if( ssl->extended_ms == SSL_EXTENDED_MS_ENABLED && |
ansond | 0:137634ff4186 | 678 | ssl->minor_ver != SSL_MINOR_VERSION_0 ) |
ansond | 0:137634ff4186 | 679 | { |
ansond | 0:137634ff4186 | 680 | ssl->handshake->extended_ms = SSL_EXTENDED_MS_ENABLED; |
ansond | 0:137634ff4186 | 681 | } |
ansond | 0:137634ff4186 | 682 | |
ansond | 0:137634ff4186 | 683 | return( 0 ); |
ansond | 0:137634ff4186 | 684 | } |
ansond | 0:137634ff4186 | 685 | #endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */ |
ansond | 0:137634ff4186 | 686 | |
ansond | 0:137634ff4186 | 687 | #if defined(POLARSSL_SSL_SESSION_TICKETS) |
ansond | 0:137634ff4186 | 688 | static int ssl_parse_session_ticket_ext( ssl_context *ssl, |
ansond | 0:137634ff4186 | 689 | unsigned char *buf, |
ansond | 0:137634ff4186 | 690 | size_t len ) |
ansond | 0:137634ff4186 | 691 | { |
ansond | 0:137634ff4186 | 692 | int ret; |
ansond | 0:137634ff4186 | 693 | |
ansond | 0:137634ff4186 | 694 | if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED ) |
ansond | 0:137634ff4186 | 695 | return( 0 ); |
ansond | 0:137634ff4186 | 696 | |
ansond | 0:137634ff4186 | 697 | /* Remember the client asked us to send a new ticket */ |
ansond | 0:137634ff4186 | 698 | ssl->handshake->new_session_ticket = 1; |
ansond | 0:137634ff4186 | 699 | |
ansond | 0:137634ff4186 | 700 | SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) ); |
ansond | 0:137634ff4186 | 701 | |
ansond | 0:137634ff4186 | 702 | if( len == 0 ) |
ansond | 0:137634ff4186 | 703 | return( 0 ); |
ansond | 0:137634ff4186 | 704 | |
ansond | 0:137634ff4186 | 705 | #if defined(POLARSSL_SSL_RENEGOTIATION) |
ansond | 0:137634ff4186 | 706 | if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) |
ansond | 0:137634ff4186 | 707 | { |
ansond | 0:137634ff4186 | 708 | SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) ); |
ansond | 0:137634ff4186 | 709 | return( 0 ); |
ansond | 0:137634ff4186 | 710 | } |
ansond | 0:137634ff4186 | 711 | #endif /* POLARSSL_SSL_RENEGOTIATION */ |
ansond | 0:137634ff4186 | 712 | |
ansond | 0:137634ff4186 | 713 | /* |
ansond | 0:137634ff4186 | 714 | * Failures are ok: just ignore the ticket and proceed. |
ansond | 0:137634ff4186 | 715 | */ |
ansond | 0:137634ff4186 | 716 | if( ( ret = ssl_parse_ticket( ssl, buf, len ) ) != 0 ) |
ansond | 0:137634ff4186 | 717 | { |
ansond | 0:137634ff4186 | 718 | SSL_DEBUG_RET( 1, "ssl_parse_ticket", ret ); |
ansond | 0:137634ff4186 | 719 | return( 0 ); |
ansond | 0:137634ff4186 | 720 | } |
ansond | 0:137634ff4186 | 721 | |
ansond | 0:137634ff4186 | 722 | SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) ); |
ansond | 0:137634ff4186 | 723 | |
ansond | 0:137634ff4186 | 724 | ssl->handshake->resume = 1; |
ansond | 0:137634ff4186 | 725 | |
ansond | 0:137634ff4186 | 726 | /* Don't send a new ticket after all, this one is OK */ |
ansond | 0:137634ff4186 | 727 | ssl->handshake->new_session_ticket = 0; |
ansond | 0:137634ff4186 | 728 | |
ansond | 0:137634ff4186 | 729 | return( 0 ); |
ansond | 0:137634ff4186 | 730 | } |
ansond | 0:137634ff4186 | 731 | #endif /* POLARSSL_SSL_SESSION_TICKETS */ |
ansond | 0:137634ff4186 | 732 | |
ansond | 0:137634ff4186 | 733 | #if defined(POLARSSL_SSL_ALPN) |
ansond | 0:137634ff4186 | 734 | static int ssl_parse_alpn_ext( ssl_context *ssl, |
ansond | 0:137634ff4186 | 735 | const unsigned char *buf, size_t len ) |
ansond | 0:137634ff4186 | 736 | { |
ansond | 0:137634ff4186 | 737 | size_t list_len, cur_len, ours_len; |
ansond | 0:137634ff4186 | 738 | const unsigned char *theirs, *start, *end; |
ansond | 0:137634ff4186 | 739 | const char **ours; |
ansond | 0:137634ff4186 | 740 | |
ansond | 0:137634ff4186 | 741 | /* If ALPN not configured, just ignore the extension */ |
ansond | 0:137634ff4186 | 742 | if( ssl->alpn_list == NULL ) |
ansond | 0:137634ff4186 | 743 | return( 0 ); |
ansond | 0:137634ff4186 | 744 | |
ansond | 0:137634ff4186 | 745 | /* |
ansond | 0:137634ff4186 | 746 | * opaque ProtocolName<1..2^8-1>; |
ansond | 0:137634ff4186 | 747 | * |
ansond | 0:137634ff4186 | 748 | * struct { |
ansond | 0:137634ff4186 | 749 | * ProtocolName protocol_name_list<2..2^16-1> |
ansond | 0:137634ff4186 | 750 | * } ProtocolNameList; |
ansond | 0:137634ff4186 | 751 | */ |
ansond | 0:137634ff4186 | 752 | |
ansond | 0:137634ff4186 | 753 | /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ |
ansond | 0:137634ff4186 | 754 | if( len < 4 ) |
ansond | 0:137634ff4186 | 755 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 756 | |
ansond | 0:137634ff4186 | 757 | list_len = ( buf[0] << 8 ) | buf[1]; |
ansond | 0:137634ff4186 | 758 | if( list_len != len - 2 ) |
ansond | 0:137634ff4186 | 759 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 760 | |
ansond | 0:137634ff4186 | 761 | /* |
ansond | 0:137634ff4186 | 762 | * Use our order of preference |
ansond | 0:137634ff4186 | 763 | */ |
ansond | 0:137634ff4186 | 764 | start = buf + 2; |
ansond | 0:137634ff4186 | 765 | end = buf + len; |
ansond | 0:137634ff4186 | 766 | for( ours = ssl->alpn_list; *ours != NULL; ours++ ) |
ansond | 0:137634ff4186 | 767 | { |
ansond | 0:137634ff4186 | 768 | ours_len = strlen( *ours ); |
ansond | 0:137634ff4186 | 769 | for( theirs = start; theirs != end; theirs += cur_len ) |
ansond | 0:137634ff4186 | 770 | { |
ansond | 0:137634ff4186 | 771 | /* If the list is well formed, we should get equality first */ |
ansond | 0:137634ff4186 | 772 | if( theirs > end ) |
ansond | 0:137634ff4186 | 773 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 774 | |
ansond | 0:137634ff4186 | 775 | cur_len = *theirs++; |
ansond | 0:137634ff4186 | 776 | |
ansond | 0:137634ff4186 | 777 | /* Empty strings MUST NOT be included */ |
ansond | 0:137634ff4186 | 778 | if( cur_len == 0 ) |
ansond | 0:137634ff4186 | 779 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 780 | |
ansond | 0:137634ff4186 | 781 | if( cur_len == ours_len && |
ansond | 0:137634ff4186 | 782 | memcmp( theirs, *ours, cur_len ) == 0 ) |
ansond | 0:137634ff4186 | 783 | { |
ansond | 0:137634ff4186 | 784 | ssl->alpn_chosen = *ours; |
ansond | 0:137634ff4186 | 785 | return( 0 ); |
ansond | 0:137634ff4186 | 786 | } |
ansond | 0:137634ff4186 | 787 | } |
ansond | 0:137634ff4186 | 788 | } |
ansond | 0:137634ff4186 | 789 | |
ansond | 0:137634ff4186 | 790 | /* If we get there, no match was found */ |
ansond | 0:137634ff4186 | 791 | ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL, |
ansond | 0:137634ff4186 | 792 | SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL ); |
ansond | 0:137634ff4186 | 793 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 794 | } |
ansond | 0:137634ff4186 | 795 | #endif /* POLARSSL_SSL_ALPN */ |
ansond | 0:137634ff4186 | 796 | |
ansond | 0:137634ff4186 | 797 | /* |
ansond | 0:137634ff4186 | 798 | * Auxiliary functions for ServerHello parsing and related actions |
ansond | 0:137634ff4186 | 799 | */ |
ansond | 0:137634ff4186 | 800 | |
ansond | 0:137634ff4186 | 801 | #if defined(POLARSSL_X509_CRT_PARSE_C) |
ansond | 0:137634ff4186 | 802 | /* |
ansond | 0:137634ff4186 | 803 | * Return 0 if the given key uses one of the acceptable curves, -1 otherwise |
ansond | 0:137634ff4186 | 804 | */ |
ansond | 0:137634ff4186 | 805 | #if defined(POLARSSL_ECDSA_C) |
ansond | 0:137634ff4186 | 806 | static int ssl_check_key_curve( pk_context *pk, |
ansond | 0:137634ff4186 | 807 | const ecp_curve_info **curves ) |
ansond | 0:137634ff4186 | 808 | { |
ansond | 0:137634ff4186 | 809 | const ecp_curve_info **crv = curves; |
ansond | 0:137634ff4186 | 810 | ecp_group_id grp_id = pk_ec( *pk )->grp.id; |
ansond | 0:137634ff4186 | 811 | |
ansond | 0:137634ff4186 | 812 | while( *crv != NULL ) |
ansond | 0:137634ff4186 | 813 | { |
ansond | 0:137634ff4186 | 814 | if( (*crv)->grp_id == grp_id ) |
ansond | 0:137634ff4186 | 815 | return( 0 ); |
ansond | 0:137634ff4186 | 816 | crv++; |
ansond | 0:137634ff4186 | 817 | } |
ansond | 0:137634ff4186 | 818 | |
ansond | 0:137634ff4186 | 819 | return( -1 ); |
ansond | 0:137634ff4186 | 820 | } |
ansond | 0:137634ff4186 | 821 | #endif /* POLARSSL_ECDSA_C */ |
ansond | 0:137634ff4186 | 822 | |
ansond | 0:137634ff4186 | 823 | /* |
ansond | 0:137634ff4186 | 824 | * Try picking a certificate for this ciphersuite, |
ansond | 0:137634ff4186 | 825 | * return 0 on success and -1 on failure. |
ansond | 0:137634ff4186 | 826 | */ |
ansond | 0:137634ff4186 | 827 | static int ssl_pick_cert( ssl_context *ssl, |
ansond | 0:137634ff4186 | 828 | const ssl_ciphersuite_t * ciphersuite_info ) |
ansond | 0:137634ff4186 | 829 | { |
ansond | 0:137634ff4186 | 830 | ssl_key_cert *cur, *list, *fallback = NULL; |
ansond | 0:137634ff4186 | 831 | pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); |
ansond | 0:137634ff4186 | 832 | int flags; |
ansond | 0:137634ff4186 | 833 | |
ansond | 0:137634ff4186 | 834 | #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) |
ansond | 0:137634ff4186 | 835 | if( ssl->handshake->sni_key_cert != NULL ) |
ansond | 0:137634ff4186 | 836 | list = ssl->handshake->sni_key_cert; |
ansond | 0:137634ff4186 | 837 | else |
ansond | 0:137634ff4186 | 838 | #endif |
ansond | 0:137634ff4186 | 839 | list = ssl->handshake->key_cert; |
ansond | 0:137634ff4186 | 840 | |
ansond | 0:137634ff4186 | 841 | if( pk_alg == POLARSSL_PK_NONE ) |
ansond | 0:137634ff4186 | 842 | return( 0 ); |
ansond | 0:137634ff4186 | 843 | |
ansond | 0:137634ff4186 | 844 | SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) ); |
ansond | 0:137634ff4186 | 845 | |
ansond | 0:137634ff4186 | 846 | for( cur = list; cur != NULL; cur = cur->next ) |
ansond | 0:137634ff4186 | 847 | { |
ansond | 0:137634ff4186 | 848 | SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate", |
ansond | 0:137634ff4186 | 849 | cur->cert ); |
ansond | 0:137634ff4186 | 850 | |
ansond | 0:137634ff4186 | 851 | if( ! pk_can_do( cur->key, pk_alg ) ) |
ansond | 0:137634ff4186 | 852 | { |
ansond | 0:137634ff4186 | 853 | SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) ); |
ansond | 0:137634ff4186 | 854 | continue; |
ansond | 0:137634ff4186 | 855 | } |
ansond | 0:137634ff4186 | 856 | |
ansond | 0:137634ff4186 | 857 | /* |
ansond | 0:137634ff4186 | 858 | * This avoids sending the client a cert it'll reject based on |
ansond | 0:137634ff4186 | 859 | * keyUsage or other extensions. |
ansond | 0:137634ff4186 | 860 | * |
ansond | 0:137634ff4186 | 861 | * It also allows the user to provision different certificates for |
ansond | 0:137634ff4186 | 862 | * different uses based on keyUsage, eg if they want to avoid signing |
ansond | 0:137634ff4186 | 863 | * and decrypting with the same RSA key. |
ansond | 0:137634ff4186 | 864 | */ |
ansond | 0:137634ff4186 | 865 | if( ssl_check_cert_usage( cur->cert, ciphersuite_info, |
ansond | 0:137634ff4186 | 866 | SSL_IS_SERVER, &flags ) != 0 ) |
ansond | 0:137634ff4186 | 867 | { |
ansond | 0:137634ff4186 | 868 | SSL_DEBUG_MSG( 3, ( "certificate mismatch: " |
ansond | 0:137634ff4186 | 869 | "(extended) key usage extension" ) ); |
ansond | 0:137634ff4186 | 870 | continue; |
ansond | 0:137634ff4186 | 871 | } |
ansond | 0:137634ff4186 | 872 | |
ansond | 0:137634ff4186 | 873 | #if defined(POLARSSL_ECDSA_C) |
ansond | 0:137634ff4186 | 874 | if( pk_alg == POLARSSL_PK_ECDSA && |
ansond | 0:137634ff4186 | 875 | ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 ) |
ansond | 0:137634ff4186 | 876 | { |
ansond | 0:137634ff4186 | 877 | SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) ); |
ansond | 0:137634ff4186 | 878 | continue; |
ansond | 0:137634ff4186 | 879 | } |
ansond | 0:137634ff4186 | 880 | #endif |
ansond | 0:137634ff4186 | 881 | |
ansond | 0:137634ff4186 | 882 | /* |
ansond | 0:137634ff4186 | 883 | * Try to select a SHA-1 certificate for pre-1.2 clients, but still |
ansond | 0:137634ff4186 | 884 | * present them a SHA-higher cert rather than failing if it's the only |
ansond | 0:137634ff4186 | 885 | * one we got that satisfies the other conditions. |
ansond | 0:137634ff4186 | 886 | */ |
ansond | 0:137634ff4186 | 887 | if( ssl->minor_ver < SSL_MINOR_VERSION_3 && |
ansond | 0:137634ff4186 | 888 | cur->cert->sig_md != POLARSSL_MD_SHA1 ) |
ansond | 0:137634ff4186 | 889 | { |
ansond | 0:137634ff4186 | 890 | if( fallback == NULL ) |
ansond | 0:137634ff4186 | 891 | fallback = cur; |
ansond | 0:137634ff4186 | 892 | { |
ansond | 0:137634ff4186 | 893 | SSL_DEBUG_MSG( 3, ( "certificate not preferred: " |
ansond | 0:137634ff4186 | 894 | "sha-2 with pre-TLS 1.2 client" ) ); |
ansond | 0:137634ff4186 | 895 | continue; |
ansond | 0:137634ff4186 | 896 | } |
ansond | 0:137634ff4186 | 897 | } |
ansond | 0:137634ff4186 | 898 | |
ansond | 0:137634ff4186 | 899 | /* If we get there, we got a winner */ |
ansond | 0:137634ff4186 | 900 | break; |
ansond | 0:137634ff4186 | 901 | } |
ansond | 0:137634ff4186 | 902 | |
ansond | 0:137634ff4186 | 903 | if( cur == NULL ) |
ansond | 0:137634ff4186 | 904 | cur = fallback; |
ansond | 0:137634ff4186 | 905 | |
ansond | 0:137634ff4186 | 906 | |
ansond | 0:137634ff4186 | 907 | /* Do not update ssl->handshake->key_cert unless the is a match */ |
ansond | 0:137634ff4186 | 908 | if( cur != NULL ) |
ansond | 0:137634ff4186 | 909 | { |
ansond | 0:137634ff4186 | 910 | ssl->handshake->key_cert = cur; |
ansond | 0:137634ff4186 | 911 | SSL_DEBUG_CRT( 3, "selected certificate chain, certificate", |
ansond | 0:137634ff4186 | 912 | ssl->handshake->key_cert->cert ); |
ansond | 0:137634ff4186 | 913 | return( 0 ); |
ansond | 0:137634ff4186 | 914 | } |
ansond | 0:137634ff4186 | 915 | |
ansond | 0:137634ff4186 | 916 | return( -1 ); |
ansond | 0:137634ff4186 | 917 | } |
ansond | 0:137634ff4186 | 918 | #endif /* POLARSSL_X509_CRT_PARSE_C */ |
ansond | 0:137634ff4186 | 919 | |
ansond | 0:137634ff4186 | 920 | /* |
ansond | 0:137634ff4186 | 921 | * Check if a given ciphersuite is suitable for use with our config/keys/etc |
ansond | 0:137634ff4186 | 922 | * Sets ciphersuite_info only if the suite matches. |
ansond | 0:137634ff4186 | 923 | */ |
ansond | 0:137634ff4186 | 924 | static int ssl_ciphersuite_match( ssl_context *ssl, int suite_id, |
ansond | 0:137634ff4186 | 925 | const ssl_ciphersuite_t **ciphersuite_info ) |
ansond | 0:137634ff4186 | 926 | { |
ansond | 0:137634ff4186 | 927 | const ssl_ciphersuite_t *suite_info; |
ansond | 0:137634ff4186 | 928 | |
ansond | 0:137634ff4186 | 929 | suite_info = ssl_ciphersuite_from_id( suite_id ); |
ansond | 0:137634ff4186 | 930 | if( suite_info == NULL ) |
ansond | 0:137634ff4186 | 931 | { |
ansond | 0:137634ff4186 | 932 | SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
ansond | 0:137634ff4186 | 933 | return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); |
ansond | 0:137634ff4186 | 934 | } |
ansond | 0:137634ff4186 | 935 | |
ansond | 0:137634ff4186 | 936 | SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) ); |
ansond | 0:137634ff4186 | 937 | |
ansond | 0:137634ff4186 | 938 | if( suite_info->min_minor_ver > ssl->minor_ver || |
ansond | 0:137634ff4186 | 939 | suite_info->max_minor_ver < ssl->minor_ver ) |
ansond | 0:137634ff4186 | 940 | { |
ansond | 0:137634ff4186 | 941 | SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) ); |
ansond | 0:137634ff4186 | 942 | return( 0 ); |
ansond | 0:137634ff4186 | 943 | } |
ansond | 0:137634ff4186 | 944 | |
ansond | 0:137634ff4186 | 945 | if( ssl->arc4_disabled == SSL_ARC4_DISABLED && |
ansond | 0:137634ff4186 | 946 | suite_info->cipher == POLARSSL_CIPHER_ARC4_128 ) |
ansond | 0:137634ff4186 | 947 | { |
ansond | 0:137634ff4186 | 948 | SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) ); |
ansond | 0:137634ff4186 | 949 | return( 0 ); |
ansond | 0:137634ff4186 | 950 | } |
ansond | 0:137634ff4186 | 951 | |
ansond | 0:137634ff4186 | 952 | #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) |
ansond | 0:137634ff4186 | 953 | if( ssl_ciphersuite_uses_ec( suite_info ) && |
ansond | 0:137634ff4186 | 954 | ( ssl->handshake->curves == NULL || |
ansond | 0:137634ff4186 | 955 | ssl->handshake->curves[0] == NULL ) ) |
ansond | 0:137634ff4186 | 956 | { |
ansond | 0:137634ff4186 | 957 | SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " |
ansond | 0:137634ff4186 | 958 | "no common elliptic curve" ) ); |
ansond | 0:137634ff4186 | 959 | return( 0 ); |
ansond | 0:137634ff4186 | 960 | } |
ansond | 0:137634ff4186 | 961 | #endif |
ansond | 0:137634ff4186 | 962 | |
ansond | 0:137634ff4186 | 963 | #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) |
ansond | 0:137634ff4186 | 964 | /* If the ciphersuite requires a pre-shared key and we don't |
ansond | 0:137634ff4186 | 965 | * have one, skip it now rather than failing later */ |
ansond | 0:137634ff4186 | 966 | if( ssl_ciphersuite_uses_psk( suite_info ) && |
ansond | 0:137634ff4186 | 967 | ssl->f_psk == NULL && |
ansond | 0:137634ff4186 | 968 | ( ssl->psk == NULL || ssl->psk_identity == NULL || |
ansond | 0:137634ff4186 | 969 | ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) ) |
ansond | 0:137634ff4186 | 970 | { |
ansond | 0:137634ff4186 | 971 | SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) ); |
ansond | 0:137634ff4186 | 972 | return( 0 ); |
ansond | 0:137634ff4186 | 973 | } |
ansond | 0:137634ff4186 | 974 | #endif |
ansond | 0:137634ff4186 | 975 | |
ansond | 0:137634ff4186 | 976 | #if defined(POLARSSL_X509_CRT_PARSE_C) |
ansond | 0:137634ff4186 | 977 | /* |
ansond | 0:137634ff4186 | 978 | * Final check: if ciphersuite requires us to have a |
ansond | 0:137634ff4186 | 979 | * certificate/key of a particular type: |
ansond | 0:137634ff4186 | 980 | * - select the appropriate certificate if we have one, or |
ansond | 0:137634ff4186 | 981 | * - try the next ciphersuite if we don't |
ansond | 0:137634ff4186 | 982 | * This must be done last since we modify the key_cert list. |
ansond | 0:137634ff4186 | 983 | */ |
ansond | 0:137634ff4186 | 984 | if( ssl_pick_cert( ssl, suite_info ) != 0 ) |
ansond | 0:137634ff4186 | 985 | { |
ansond | 0:137634ff4186 | 986 | SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " |
ansond | 0:137634ff4186 | 987 | "no suitable certificate" ) ); |
ansond | 0:137634ff4186 | 988 | return( 0 ); |
ansond | 0:137634ff4186 | 989 | } |
ansond | 0:137634ff4186 | 990 | #endif |
ansond | 0:137634ff4186 | 991 | |
ansond | 0:137634ff4186 | 992 | *ciphersuite_info = suite_info; |
ansond | 0:137634ff4186 | 993 | return( 0 ); |
ansond | 0:137634ff4186 | 994 | } |
ansond | 0:137634ff4186 | 995 | |
ansond | 0:137634ff4186 | 996 | #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) |
ansond | 0:137634ff4186 | 997 | static int ssl_parse_client_hello_v2( ssl_context *ssl ) |
ansond | 0:137634ff4186 | 998 | { |
ansond | 0:137634ff4186 | 999 | int ret, got_common_suite; |
ansond | 0:137634ff4186 | 1000 | unsigned int i, j; |
ansond | 0:137634ff4186 | 1001 | size_t n; |
ansond | 0:137634ff4186 | 1002 | unsigned int ciph_len, sess_len, chal_len; |
ansond | 0:137634ff4186 | 1003 | unsigned char *buf, *p; |
ansond | 0:137634ff4186 | 1004 | const int *ciphersuites; |
ansond | 0:137634ff4186 | 1005 | const ssl_ciphersuite_t *ciphersuite_info; |
ansond | 0:137634ff4186 | 1006 | |
ansond | 0:137634ff4186 | 1007 | SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) ); |
ansond | 0:137634ff4186 | 1008 | |
ansond | 0:137634ff4186 | 1009 | #if defined(POLARSSL_SSL_RENEGOTIATION) |
ansond | 0:137634ff4186 | 1010 | if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) |
ansond | 0:137634ff4186 | 1011 | { |
ansond | 0:137634ff4186 | 1012 | SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) ); |
ansond | 0:137634ff4186 | 1013 | |
ansond | 0:137634ff4186 | 1014 | if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) |
ansond | 0:137634ff4186 | 1015 | return( ret ); |
ansond | 0:137634ff4186 | 1016 | |
ansond | 0:137634ff4186 | 1017 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1018 | } |
ansond | 0:137634ff4186 | 1019 | #endif /* POLARSSL_SSL_RENEGOTIATION */ |
ansond | 0:137634ff4186 | 1020 | |
ansond | 0:137634ff4186 | 1021 | buf = ssl->in_hdr; |
ansond | 0:137634ff4186 | 1022 | |
ansond | 0:137634ff4186 | 1023 | SSL_DEBUG_BUF( 4, "record header", buf, 5 ); |
ansond | 0:137634ff4186 | 1024 | |
ansond | 0:137634ff4186 | 1025 | SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d", |
ansond | 0:137634ff4186 | 1026 | buf[2] ) ); |
ansond | 0:137634ff4186 | 1027 | SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d", |
ansond | 0:137634ff4186 | 1028 | ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) ); |
ansond | 0:137634ff4186 | 1029 | SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]", |
ansond | 0:137634ff4186 | 1030 | buf[3], buf[4] ) ); |
ansond | 0:137634ff4186 | 1031 | |
ansond | 0:137634ff4186 | 1032 | /* |
ansond | 0:137634ff4186 | 1033 | * SSLv2 Client Hello |
ansond | 0:137634ff4186 | 1034 | * |
ansond | 0:137634ff4186 | 1035 | * Record layer: |
ansond | 0:137634ff4186 | 1036 | * 0 . 1 message length |
ansond | 0:137634ff4186 | 1037 | * |
ansond | 0:137634ff4186 | 1038 | * SSL layer: |
ansond | 0:137634ff4186 | 1039 | * 2 . 2 message type |
ansond | 0:137634ff4186 | 1040 | * 3 . 4 protocol version |
ansond | 0:137634ff4186 | 1041 | */ |
ansond | 0:137634ff4186 | 1042 | if( buf[2] != SSL_HS_CLIENT_HELLO || |
ansond | 0:137634ff4186 | 1043 | buf[3] != SSL_MAJOR_VERSION_3 ) |
ansond | 0:137634ff4186 | 1044 | { |
ansond | 0:137634ff4186 | 1045 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 1046 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1047 | } |
ansond | 0:137634ff4186 | 1048 | |
ansond | 0:137634ff4186 | 1049 | n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF; |
ansond | 0:137634ff4186 | 1050 | |
ansond | 0:137634ff4186 | 1051 | if( n < 17 || n > 512 ) |
ansond | 0:137634ff4186 | 1052 | { |
ansond | 0:137634ff4186 | 1053 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 1054 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1055 | } |
ansond | 0:137634ff4186 | 1056 | |
ansond | 0:137634ff4186 | 1057 | ssl->major_ver = SSL_MAJOR_VERSION_3; |
ansond | 0:137634ff4186 | 1058 | ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver ) |
ansond | 0:137634ff4186 | 1059 | ? buf[4] : ssl->max_minor_ver; |
ansond | 0:137634ff4186 | 1060 | |
ansond | 0:137634ff4186 | 1061 | if( ssl->minor_ver < ssl->min_minor_ver ) |
ansond | 0:137634ff4186 | 1062 | { |
ansond | 0:137634ff4186 | 1063 | SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" |
ansond | 0:137634ff4186 | 1064 | " [%d:%d] < [%d:%d]", |
ansond | 0:137634ff4186 | 1065 | ssl->major_ver, ssl->minor_ver, |
ansond | 0:137634ff4186 | 1066 | ssl->min_major_ver, ssl->min_minor_ver ) ); |
ansond | 0:137634ff4186 | 1067 | |
ansond | 0:137634ff4186 | 1068 | ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL, |
ansond | 0:137634ff4186 | 1069 | SSL_ALERT_MSG_PROTOCOL_VERSION ); |
ansond | 0:137634ff4186 | 1070 | return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); |
ansond | 0:137634ff4186 | 1071 | } |
ansond | 0:137634ff4186 | 1072 | |
ansond | 0:137634ff4186 | 1073 | ssl->handshake->max_major_ver = buf[3]; |
ansond | 0:137634ff4186 | 1074 | ssl->handshake->max_minor_ver = buf[4]; |
ansond | 0:137634ff4186 | 1075 | |
ansond | 0:137634ff4186 | 1076 | if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 ) |
ansond | 0:137634ff4186 | 1077 | { |
ansond | 0:137634ff4186 | 1078 | SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); |
ansond | 0:137634ff4186 | 1079 | return( ret ); |
ansond | 0:137634ff4186 | 1080 | } |
ansond | 0:137634ff4186 | 1081 | |
ansond | 0:137634ff4186 | 1082 | ssl->handshake->update_checksum( ssl, buf + 2, n ); |
ansond | 0:137634ff4186 | 1083 | |
ansond | 0:137634ff4186 | 1084 | buf = ssl->in_msg; |
ansond | 0:137634ff4186 | 1085 | n = ssl->in_left - 5; |
ansond | 0:137634ff4186 | 1086 | |
ansond | 0:137634ff4186 | 1087 | /* |
ansond | 0:137634ff4186 | 1088 | * 0 . 1 ciphersuitelist length |
ansond | 0:137634ff4186 | 1089 | * 2 . 3 session id length |
ansond | 0:137634ff4186 | 1090 | * 4 . 5 challenge length |
ansond | 0:137634ff4186 | 1091 | * 6 . .. ciphersuitelist |
ansond | 0:137634ff4186 | 1092 | * .. . .. session id |
ansond | 0:137634ff4186 | 1093 | * .. . .. challenge |
ansond | 0:137634ff4186 | 1094 | */ |
ansond | 0:137634ff4186 | 1095 | SSL_DEBUG_BUF( 4, "record contents", buf, n ); |
ansond | 0:137634ff4186 | 1096 | |
ansond | 0:137634ff4186 | 1097 | ciph_len = ( buf[0] << 8 ) | buf[1]; |
ansond | 0:137634ff4186 | 1098 | sess_len = ( buf[2] << 8 ) | buf[3]; |
ansond | 0:137634ff4186 | 1099 | chal_len = ( buf[4] << 8 ) | buf[5]; |
ansond | 0:137634ff4186 | 1100 | |
ansond | 0:137634ff4186 | 1101 | SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d", |
ansond | 0:137634ff4186 | 1102 | ciph_len, sess_len, chal_len ) ); |
ansond | 0:137634ff4186 | 1103 | |
ansond | 0:137634ff4186 | 1104 | /* |
ansond | 0:137634ff4186 | 1105 | * Make sure each parameter length is valid |
ansond | 0:137634ff4186 | 1106 | */ |
ansond | 0:137634ff4186 | 1107 | if( ciph_len < 3 || ( ciph_len % 3 ) != 0 ) |
ansond | 0:137634ff4186 | 1108 | { |
ansond | 0:137634ff4186 | 1109 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 1110 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1111 | } |
ansond | 0:137634ff4186 | 1112 | |
ansond | 0:137634ff4186 | 1113 | if( sess_len > 32 ) |
ansond | 0:137634ff4186 | 1114 | { |
ansond | 0:137634ff4186 | 1115 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 1116 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1117 | } |
ansond | 0:137634ff4186 | 1118 | |
ansond | 0:137634ff4186 | 1119 | if( chal_len < 8 || chal_len > 32 ) |
ansond | 0:137634ff4186 | 1120 | { |
ansond | 0:137634ff4186 | 1121 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 1122 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1123 | } |
ansond | 0:137634ff4186 | 1124 | |
ansond | 0:137634ff4186 | 1125 | if( n != 6 + ciph_len + sess_len + chal_len ) |
ansond | 0:137634ff4186 | 1126 | { |
ansond | 0:137634ff4186 | 1127 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 1128 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1129 | } |
ansond | 0:137634ff4186 | 1130 | |
ansond | 0:137634ff4186 | 1131 | SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", |
ansond | 0:137634ff4186 | 1132 | buf + 6, ciph_len ); |
ansond | 0:137634ff4186 | 1133 | SSL_DEBUG_BUF( 3, "client hello, session id", |
ansond | 0:137634ff4186 | 1134 | buf + 6 + ciph_len, sess_len ); |
ansond | 0:137634ff4186 | 1135 | SSL_DEBUG_BUF( 3, "client hello, challenge", |
ansond | 0:137634ff4186 | 1136 | buf + 6 + ciph_len + sess_len, chal_len ); |
ansond | 0:137634ff4186 | 1137 | |
ansond | 0:137634ff4186 | 1138 | p = buf + 6 + ciph_len; |
ansond | 0:137634ff4186 | 1139 | ssl->session_negotiate->length = sess_len; |
ansond | 0:137634ff4186 | 1140 | memset( ssl->session_negotiate->id, 0, |
ansond | 0:137634ff4186 | 1141 | sizeof( ssl->session_negotiate->id ) ); |
ansond | 0:137634ff4186 | 1142 | memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length ); |
ansond | 0:137634ff4186 | 1143 | |
ansond | 0:137634ff4186 | 1144 | p += sess_len; |
ansond | 0:137634ff4186 | 1145 | memset( ssl->handshake->randbytes, 0, 64 ); |
ansond | 0:137634ff4186 | 1146 | memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len ); |
ansond | 0:137634ff4186 | 1147 | |
ansond | 0:137634ff4186 | 1148 | /* |
ansond | 0:137634ff4186 | 1149 | * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV |
ansond | 0:137634ff4186 | 1150 | */ |
ansond | 0:137634ff4186 | 1151 | for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) |
ansond | 0:137634ff4186 | 1152 | { |
ansond | 0:137634ff4186 | 1153 | if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO ) |
ansond | 0:137634ff4186 | 1154 | { |
ansond | 0:137634ff4186 | 1155 | SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); |
ansond | 0:137634ff4186 | 1156 | #if defined(POLARSSL_SSL_RENEGOTIATION) |
ansond | 0:137634ff4186 | 1157 | if( ssl->renegotiation == SSL_RENEGOTIATION ) |
ansond | 0:137634ff4186 | 1158 | { |
ansond | 0:137634ff4186 | 1159 | SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV " |
ansond | 0:137634ff4186 | 1160 | "during renegotiation" ) ); |
ansond | 0:137634ff4186 | 1161 | |
ansond | 0:137634ff4186 | 1162 | if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) |
ansond | 0:137634ff4186 | 1163 | return( ret ); |
ansond | 0:137634ff4186 | 1164 | |
ansond | 0:137634ff4186 | 1165 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1166 | } |
ansond | 0:137634ff4186 | 1167 | #endif /* POLARSSL_SSL_RENEGOTIATION */ |
ansond | 0:137634ff4186 | 1168 | ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION; |
ansond | 0:137634ff4186 | 1169 | break; |
ansond | 0:137634ff4186 | 1170 | } |
ansond | 0:137634ff4186 | 1171 | } |
ansond | 0:137634ff4186 | 1172 | |
ansond | 0:137634ff4186 | 1173 | #if defined(POLARSSL_SSL_FALLBACK_SCSV) |
ansond | 0:137634ff4186 | 1174 | for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) |
ansond | 0:137634ff4186 | 1175 | { |
ansond | 0:137634ff4186 | 1176 | if( p[0] == 0 && |
ansond | 0:137634ff4186 | 1177 | p[1] == (unsigned char)( ( SSL_FALLBACK_SCSV >> 8 ) & 0xff ) && |
ansond | 0:137634ff4186 | 1178 | p[2] == (unsigned char)( ( SSL_FALLBACK_SCSV ) & 0xff ) ) |
ansond | 0:137634ff4186 | 1179 | { |
ansond | 0:137634ff4186 | 1180 | SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) ); |
ansond | 0:137634ff4186 | 1181 | |
ansond | 0:137634ff4186 | 1182 | if( ssl->minor_ver < ssl->max_minor_ver ) |
ansond | 0:137634ff4186 | 1183 | { |
ansond | 0:137634ff4186 | 1184 | SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); |
ansond | 0:137634ff4186 | 1185 | |
ansond | 0:137634ff4186 | 1186 | ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL, |
ansond | 0:137634ff4186 | 1187 | SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); |
ansond | 0:137634ff4186 | 1188 | |
ansond | 0:137634ff4186 | 1189 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1190 | } |
ansond | 0:137634ff4186 | 1191 | |
ansond | 0:137634ff4186 | 1192 | break; |
ansond | 0:137634ff4186 | 1193 | } |
ansond | 0:137634ff4186 | 1194 | } |
ansond | 0:137634ff4186 | 1195 | #endif /* POLARSSL_SSL_FALLBACK_SCSV */ |
ansond | 0:137634ff4186 | 1196 | |
ansond | 0:137634ff4186 | 1197 | got_common_suite = 0; |
ansond | 0:137634ff4186 | 1198 | ciphersuites = ssl->ciphersuite_list[ssl->minor_ver]; |
ansond | 0:137634ff4186 | 1199 | ciphersuite_info = NULL; |
ansond | 0:137634ff4186 | 1200 | #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE) |
ansond | 0:137634ff4186 | 1201 | for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) |
ansond | 0:137634ff4186 | 1202 | { |
ansond | 0:137634ff4186 | 1203 | for( i = 0; ciphersuites[i] != 0; i++ ) |
ansond | 0:137634ff4186 | 1204 | #else |
ansond | 0:137634ff4186 | 1205 | for( i = 0; ciphersuites[i] != 0; i++ ) |
ansond | 0:137634ff4186 | 1206 | { |
ansond | 0:137634ff4186 | 1207 | for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) |
ansond | 0:137634ff4186 | 1208 | #endif |
ansond | 0:137634ff4186 | 1209 | { |
ansond | 0:137634ff4186 | 1210 | if( p[0] != 0 || |
ansond | 0:137634ff4186 | 1211 | p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || |
ansond | 0:137634ff4186 | 1212 | p[2] != ( ( ciphersuites[i] ) & 0xFF ) ) |
ansond | 0:137634ff4186 | 1213 | continue; |
ansond | 0:137634ff4186 | 1214 | |
ansond | 0:137634ff4186 | 1215 | got_common_suite = 1; |
ansond | 0:137634ff4186 | 1216 | |
ansond | 0:137634ff4186 | 1217 | if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], |
ansond | 0:137634ff4186 | 1218 | &ciphersuite_info ) ) != 0 ) |
ansond | 0:137634ff4186 | 1219 | return( ret ); |
ansond | 0:137634ff4186 | 1220 | |
ansond | 0:137634ff4186 | 1221 | if( ciphersuite_info != NULL ) |
ansond | 0:137634ff4186 | 1222 | goto have_ciphersuite_v2; |
ansond | 0:137634ff4186 | 1223 | } |
ansond | 0:137634ff4186 | 1224 | } |
ansond | 0:137634ff4186 | 1225 | |
ansond | 0:137634ff4186 | 1226 | if( got_common_suite ) |
ansond | 0:137634ff4186 | 1227 | { |
ansond | 0:137634ff4186 | 1228 | SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " |
ansond | 0:137634ff4186 | 1229 | "but none of them usable" ) ); |
ansond | 0:137634ff4186 | 1230 | return( POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE ); |
ansond | 0:137634ff4186 | 1231 | } |
ansond | 0:137634ff4186 | 1232 | else |
ansond | 0:137634ff4186 | 1233 | { |
ansond | 0:137634ff4186 | 1234 | SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); |
ansond | 0:137634ff4186 | 1235 | return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN ); |
ansond | 0:137634ff4186 | 1236 | } |
ansond | 0:137634ff4186 | 1237 | |
ansond | 0:137634ff4186 | 1238 | have_ciphersuite_v2: |
ansond | 0:137634ff4186 | 1239 | SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); |
ansond | 0:137634ff4186 | 1240 | |
ansond | 0:137634ff4186 | 1241 | ssl->session_negotiate->ciphersuite = ciphersuites[i]; |
ansond | 0:137634ff4186 | 1242 | ssl->transform_negotiate->ciphersuite_info = ciphersuite_info; |
ansond | 0:137634ff4186 | 1243 | ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); |
ansond | 0:137634ff4186 | 1244 | |
ansond | 0:137634ff4186 | 1245 | /* |
ansond | 0:137634ff4186 | 1246 | * SSLv2 Client Hello relevant renegotiation security checks |
ansond | 0:137634ff4186 | 1247 | */ |
ansond | 0:137634ff4186 | 1248 | if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION && |
ansond | 0:137634ff4186 | 1249 | ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE ) |
ansond | 0:137634ff4186 | 1250 | { |
ansond | 0:137634ff4186 | 1251 | SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); |
ansond | 0:137634ff4186 | 1252 | |
ansond | 0:137634ff4186 | 1253 | if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) |
ansond | 0:137634ff4186 | 1254 | return( ret ); |
ansond | 0:137634ff4186 | 1255 | |
ansond | 0:137634ff4186 | 1256 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1257 | } |
ansond | 0:137634ff4186 | 1258 | |
ansond | 0:137634ff4186 | 1259 | ssl->in_left = 0; |
ansond | 0:137634ff4186 | 1260 | ssl->state++; |
ansond | 0:137634ff4186 | 1261 | |
ansond | 0:137634ff4186 | 1262 | SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) ); |
ansond | 0:137634ff4186 | 1263 | |
ansond | 0:137634ff4186 | 1264 | return( 0 ); |
ansond | 0:137634ff4186 | 1265 | } |
ansond | 0:137634ff4186 | 1266 | #endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */ |
ansond | 0:137634ff4186 | 1267 | |
ansond | 0:137634ff4186 | 1268 | static int ssl_parse_client_hello( ssl_context *ssl ) |
ansond | 0:137634ff4186 | 1269 | { |
ansond | 0:137634ff4186 | 1270 | int ret, got_common_suite; |
ansond | 0:137634ff4186 | 1271 | unsigned int i, j; |
ansond | 0:137634ff4186 | 1272 | size_t n; |
ansond | 0:137634ff4186 | 1273 | unsigned int ciph_len, sess_len; |
ansond | 0:137634ff4186 | 1274 | unsigned int comp_len; |
ansond | 0:137634ff4186 | 1275 | unsigned int ext_len = 0; |
ansond | 0:137634ff4186 | 1276 | unsigned char *buf, *p, *ext; |
ansond | 0:137634ff4186 | 1277 | #if defined(POLARSSL_SSL_RENEGOTIATION) |
ansond | 0:137634ff4186 | 1278 | int renegotiation_info_seen = 0; |
ansond | 0:137634ff4186 | 1279 | #endif |
ansond | 0:137634ff4186 | 1280 | int handshake_failure = 0; |
ansond | 0:137634ff4186 | 1281 | const int *ciphersuites; |
ansond | 0:137634ff4186 | 1282 | const ssl_ciphersuite_t *ciphersuite_info; |
ansond | 0:137634ff4186 | 1283 | |
ansond | 0:137634ff4186 | 1284 | SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); |
ansond | 0:137634ff4186 | 1285 | |
ansond | 0:137634ff4186 | 1286 | #if defined(POLARSSL_SSL_RENEGOTIATION) |
ansond | 0:137634ff4186 | 1287 | if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) |
ansond | 0:137634ff4186 | 1288 | #endif |
ansond | 0:137634ff4186 | 1289 | { |
ansond | 0:137634ff4186 | 1290 | if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 ) |
ansond | 0:137634ff4186 | 1291 | { |
ansond | 0:137634ff4186 | 1292 | SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); |
ansond | 0:137634ff4186 | 1293 | return( ret ); |
ansond | 0:137634ff4186 | 1294 | } |
ansond | 0:137634ff4186 | 1295 | } |
ansond | 0:137634ff4186 | 1296 | |
ansond | 0:137634ff4186 | 1297 | buf = ssl->in_hdr; |
ansond | 0:137634ff4186 | 1298 | |
ansond | 0:137634ff4186 | 1299 | #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) |
ansond | 0:137634ff4186 | 1300 | if( ( buf[0] & 0x80 ) != 0 ) |
ansond | 0:137634ff4186 | 1301 | return ssl_parse_client_hello_v2( ssl ); |
ansond | 0:137634ff4186 | 1302 | #endif |
ansond | 0:137634ff4186 | 1303 | |
ansond | 0:137634ff4186 | 1304 | SSL_DEBUG_BUF( 4, "record header", buf, 5 ); |
ansond | 0:137634ff4186 | 1305 | |
ansond | 0:137634ff4186 | 1306 | SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d", |
ansond | 0:137634ff4186 | 1307 | buf[0] ) ); |
ansond | 0:137634ff4186 | 1308 | SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d", |
ansond | 0:137634ff4186 | 1309 | ( buf[3] << 8 ) | buf[4] ) ); |
ansond | 0:137634ff4186 | 1310 | SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]", |
ansond | 0:137634ff4186 | 1311 | buf[1], buf[2] ) ); |
ansond | 0:137634ff4186 | 1312 | |
ansond | 0:137634ff4186 | 1313 | /* |
ansond | 0:137634ff4186 | 1314 | * SSLv3/TLS Client Hello |
ansond | 0:137634ff4186 | 1315 | * |
ansond | 0:137634ff4186 | 1316 | * Record layer: |
ansond | 0:137634ff4186 | 1317 | * 0 . 0 message type |
ansond | 0:137634ff4186 | 1318 | * 1 . 2 protocol version |
ansond | 0:137634ff4186 | 1319 | * 3 . 4 message length |
ansond | 0:137634ff4186 | 1320 | */ |
ansond | 0:137634ff4186 | 1321 | |
ansond | 0:137634ff4186 | 1322 | /* According to RFC 5246 Appendix E.1, the version here is typically |
ansond | 0:137634ff4186 | 1323 | * "{03,00}, the lowest version number supported by the client, [or] the |
ansond | 0:137634ff4186 | 1324 | * value of ClientHello.client_version", so the only meaningful check here |
ansond | 0:137634ff4186 | 1325 | * is the major version shouldn't be less than 3 */ |
ansond | 0:137634ff4186 | 1326 | if( buf[0] != SSL_MSG_HANDSHAKE || |
ansond | 0:137634ff4186 | 1327 | buf[1] < SSL_MAJOR_VERSION_3 ) |
ansond | 0:137634ff4186 | 1328 | { |
ansond | 0:137634ff4186 | 1329 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 1330 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1331 | } |
ansond | 0:137634ff4186 | 1332 | |
ansond | 0:137634ff4186 | 1333 | n = ( buf[3] << 8 ) | buf[4]; |
ansond | 0:137634ff4186 | 1334 | |
ansond | 0:137634ff4186 | 1335 | if( n < 45 || n > SSL_MAX_CONTENT_LEN ) |
ansond | 0:137634ff4186 | 1336 | { |
ansond | 0:137634ff4186 | 1337 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 1338 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1339 | } |
ansond | 0:137634ff4186 | 1340 | |
ansond | 0:137634ff4186 | 1341 | #if defined(POLARSSL_SSL_RENEGOTIATION) |
ansond | 0:137634ff4186 | 1342 | if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) |
ansond | 0:137634ff4186 | 1343 | #endif |
ansond | 0:137634ff4186 | 1344 | { |
ansond | 0:137634ff4186 | 1345 | if( ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 ) |
ansond | 0:137634ff4186 | 1346 | { |
ansond | 0:137634ff4186 | 1347 | SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); |
ansond | 0:137634ff4186 | 1348 | return( ret ); |
ansond | 0:137634ff4186 | 1349 | } |
ansond | 0:137634ff4186 | 1350 | } |
ansond | 0:137634ff4186 | 1351 | |
ansond | 0:137634ff4186 | 1352 | buf = ssl->in_msg; |
ansond | 0:137634ff4186 | 1353 | #if defined(POLARSSL_SSL_RENEGOTIATION) |
ansond | 0:137634ff4186 | 1354 | if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) |
ansond | 0:137634ff4186 | 1355 | n = ssl->in_msglen; |
ansond | 0:137634ff4186 | 1356 | else |
ansond | 0:137634ff4186 | 1357 | #endif |
ansond | 0:137634ff4186 | 1358 | n = ssl->in_left - 5; |
ansond | 0:137634ff4186 | 1359 | |
ansond | 0:137634ff4186 | 1360 | ssl->handshake->update_checksum( ssl, buf, n ); |
ansond | 0:137634ff4186 | 1361 | |
ansond | 0:137634ff4186 | 1362 | /* |
ansond | 0:137634ff4186 | 1363 | * SSL layer: |
ansond | 0:137634ff4186 | 1364 | * 0 . 0 handshake type |
ansond | 0:137634ff4186 | 1365 | * 1 . 3 handshake length |
ansond | 0:137634ff4186 | 1366 | * 4 . 5 protocol version |
ansond | 0:137634ff4186 | 1367 | * 6 . 9 UNIX time() |
ansond | 0:137634ff4186 | 1368 | * 10 . 37 random bytes |
ansond | 0:137634ff4186 | 1369 | * 38 . 38 session id length |
ansond | 0:137634ff4186 | 1370 | * 39 . 38+x session id |
ansond | 0:137634ff4186 | 1371 | * 39+x . 40+x ciphersuitelist length |
ansond | 0:137634ff4186 | 1372 | * 41+x . 40+y ciphersuitelist |
ansond | 0:137634ff4186 | 1373 | * 41+y . 41+y compression alg length |
ansond | 0:137634ff4186 | 1374 | * 42+y . 41+z compression algs |
ansond | 0:137634ff4186 | 1375 | * .. . .. extensions |
ansond | 0:137634ff4186 | 1376 | */ |
ansond | 0:137634ff4186 | 1377 | SSL_DEBUG_BUF( 4, "record contents", buf, n ); |
ansond | 0:137634ff4186 | 1378 | |
ansond | 0:137634ff4186 | 1379 | SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", |
ansond | 0:137634ff4186 | 1380 | buf[0] ) ); |
ansond | 0:137634ff4186 | 1381 | SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d", |
ansond | 0:137634ff4186 | 1382 | ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) ); |
ansond | 0:137634ff4186 | 1383 | SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]", |
ansond | 0:137634ff4186 | 1384 | buf[4], buf[5] ) ); |
ansond | 0:137634ff4186 | 1385 | |
ansond | 0:137634ff4186 | 1386 | /* |
ansond | 0:137634ff4186 | 1387 | * Check the handshake type and protocol version |
ansond | 0:137634ff4186 | 1388 | */ |
ansond | 0:137634ff4186 | 1389 | if( buf[0] != SSL_HS_CLIENT_HELLO ) |
ansond | 0:137634ff4186 | 1390 | { |
ansond | 0:137634ff4186 | 1391 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 1392 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1393 | } |
ansond | 0:137634ff4186 | 1394 | |
ansond | 0:137634ff4186 | 1395 | ssl->major_ver = buf[4]; |
ansond | 0:137634ff4186 | 1396 | ssl->minor_ver = buf[5]; |
ansond | 0:137634ff4186 | 1397 | |
ansond | 0:137634ff4186 | 1398 | ssl->handshake->max_major_ver = ssl->major_ver; |
ansond | 0:137634ff4186 | 1399 | ssl->handshake->max_minor_ver = ssl->minor_ver; |
ansond | 0:137634ff4186 | 1400 | |
ansond | 0:137634ff4186 | 1401 | if( ssl->major_ver < ssl->min_major_ver || |
ansond | 0:137634ff4186 | 1402 | ssl->minor_ver < ssl->min_minor_ver ) |
ansond | 0:137634ff4186 | 1403 | { |
ansond | 0:137634ff4186 | 1404 | SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" |
ansond | 0:137634ff4186 | 1405 | " [%d:%d] < [%d:%d]", |
ansond | 0:137634ff4186 | 1406 | ssl->major_ver, ssl->minor_ver, |
ansond | 0:137634ff4186 | 1407 | ssl->min_major_ver, ssl->min_minor_ver ) ); |
ansond | 0:137634ff4186 | 1408 | |
ansond | 0:137634ff4186 | 1409 | ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL, |
ansond | 0:137634ff4186 | 1410 | SSL_ALERT_MSG_PROTOCOL_VERSION ); |
ansond | 0:137634ff4186 | 1411 | |
ansond | 0:137634ff4186 | 1412 | return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); |
ansond | 0:137634ff4186 | 1413 | } |
ansond | 0:137634ff4186 | 1414 | |
ansond | 0:137634ff4186 | 1415 | if( ssl->major_ver > ssl->max_major_ver ) |
ansond | 0:137634ff4186 | 1416 | { |
ansond | 0:137634ff4186 | 1417 | ssl->major_ver = ssl->max_major_ver; |
ansond | 0:137634ff4186 | 1418 | ssl->minor_ver = ssl->max_minor_ver; |
ansond | 0:137634ff4186 | 1419 | } |
ansond | 0:137634ff4186 | 1420 | else if( ssl->minor_ver > ssl->max_minor_ver ) |
ansond | 0:137634ff4186 | 1421 | ssl->minor_ver = ssl->max_minor_ver; |
ansond | 0:137634ff4186 | 1422 | |
ansond | 0:137634ff4186 | 1423 | memcpy( ssl->handshake->randbytes, buf + 6, 32 ); |
ansond | 0:137634ff4186 | 1424 | |
ansond | 0:137634ff4186 | 1425 | /* |
ansond | 0:137634ff4186 | 1426 | * Check the handshake message length |
ansond | 0:137634ff4186 | 1427 | */ |
ansond | 0:137634ff4186 | 1428 | if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) ) |
ansond | 0:137634ff4186 | 1429 | { |
ansond | 0:137634ff4186 | 1430 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 1431 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1432 | } |
ansond | 0:137634ff4186 | 1433 | |
ansond | 0:137634ff4186 | 1434 | /* |
ansond | 0:137634ff4186 | 1435 | * Check the session length |
ansond | 0:137634ff4186 | 1436 | */ |
ansond | 0:137634ff4186 | 1437 | sess_len = buf[38]; |
ansond | 0:137634ff4186 | 1438 | |
ansond | 0:137634ff4186 | 1439 | if( sess_len > 32 || sess_len > n - 42 ) |
ansond | 0:137634ff4186 | 1440 | { |
ansond | 0:137634ff4186 | 1441 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 1442 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1443 | } |
ansond | 0:137634ff4186 | 1444 | |
ansond | 0:137634ff4186 | 1445 | ssl->session_negotiate->length = sess_len; |
ansond | 0:137634ff4186 | 1446 | memset( ssl->session_negotiate->id, 0, |
ansond | 0:137634ff4186 | 1447 | sizeof( ssl->session_negotiate->id ) ); |
ansond | 0:137634ff4186 | 1448 | memcpy( ssl->session_negotiate->id, buf + 39, |
ansond | 0:137634ff4186 | 1449 | ssl->session_negotiate->length ); |
ansond | 0:137634ff4186 | 1450 | |
ansond | 0:137634ff4186 | 1451 | /* |
ansond | 0:137634ff4186 | 1452 | * Check the ciphersuitelist length |
ansond | 0:137634ff4186 | 1453 | */ |
ansond | 0:137634ff4186 | 1454 | ciph_len = ( buf[39 + sess_len] << 8 ) |
ansond | 0:137634ff4186 | 1455 | | ( buf[40 + sess_len] ); |
ansond | 0:137634ff4186 | 1456 | |
ansond | 0:137634ff4186 | 1457 | if( ciph_len < 2 || ( ciph_len % 2 ) != 0 || ciph_len > n - 42 - sess_len ) |
ansond | 0:137634ff4186 | 1458 | { |
ansond | 0:137634ff4186 | 1459 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 1460 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1461 | } |
ansond | 0:137634ff4186 | 1462 | |
ansond | 0:137634ff4186 | 1463 | /* |
ansond | 0:137634ff4186 | 1464 | * Check the compression algorithms length |
ansond | 0:137634ff4186 | 1465 | */ |
ansond | 0:137634ff4186 | 1466 | comp_len = buf[41 + sess_len + ciph_len]; |
ansond | 0:137634ff4186 | 1467 | |
ansond | 0:137634ff4186 | 1468 | if( comp_len < 1 || comp_len > 16 || |
ansond | 0:137634ff4186 | 1469 | comp_len > n - 42 - sess_len - ciph_len ) |
ansond | 0:137634ff4186 | 1470 | { |
ansond | 0:137634ff4186 | 1471 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 1472 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1473 | } |
ansond | 0:137634ff4186 | 1474 | |
ansond | 0:137634ff4186 | 1475 | /* |
ansond | 0:137634ff4186 | 1476 | * Check the extension length |
ansond | 0:137634ff4186 | 1477 | */ |
ansond | 0:137634ff4186 | 1478 | if( n > 42 + sess_len + ciph_len + comp_len ) |
ansond | 0:137634ff4186 | 1479 | { |
ansond | 0:137634ff4186 | 1480 | ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 ) |
ansond | 0:137634ff4186 | 1481 | | ( buf[43 + sess_len + ciph_len + comp_len] ); |
ansond | 0:137634ff4186 | 1482 | |
ansond | 0:137634ff4186 | 1483 | if( ( ext_len > 0 && ext_len < 4 ) || |
ansond | 0:137634ff4186 | 1484 | n != 44 + sess_len + ciph_len + comp_len + ext_len ) |
ansond | 0:137634ff4186 | 1485 | { |
ansond | 0:137634ff4186 | 1486 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 1487 | SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len); |
ansond | 0:137634ff4186 | 1488 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1489 | } |
ansond | 0:137634ff4186 | 1490 | } |
ansond | 0:137634ff4186 | 1491 | |
ansond | 0:137634ff4186 | 1492 | ssl->session_negotiate->compression = SSL_COMPRESS_NULL; |
ansond | 0:137634ff4186 | 1493 | #if defined(POLARSSL_ZLIB_SUPPORT) |
ansond | 0:137634ff4186 | 1494 | for( i = 0; i < comp_len; ++i ) |
ansond | 0:137634ff4186 | 1495 | { |
ansond | 0:137634ff4186 | 1496 | if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE ) |
ansond | 0:137634ff4186 | 1497 | { |
ansond | 0:137634ff4186 | 1498 | ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE; |
ansond | 0:137634ff4186 | 1499 | break; |
ansond | 0:137634ff4186 | 1500 | } |
ansond | 0:137634ff4186 | 1501 | } |
ansond | 0:137634ff4186 | 1502 | #endif |
ansond | 0:137634ff4186 | 1503 | |
ansond | 0:137634ff4186 | 1504 | SSL_DEBUG_BUF( 3, "client hello, random bytes", |
ansond | 0:137634ff4186 | 1505 | buf + 6, 32 ); |
ansond | 0:137634ff4186 | 1506 | SSL_DEBUG_BUF( 3, "client hello, session id", |
ansond | 0:137634ff4186 | 1507 | buf + 38, sess_len ); |
ansond | 0:137634ff4186 | 1508 | SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", |
ansond | 0:137634ff4186 | 1509 | buf + 41 + sess_len, ciph_len ); |
ansond | 0:137634ff4186 | 1510 | SSL_DEBUG_BUF( 3, "client hello, compression", |
ansond | 0:137634ff4186 | 1511 | buf + 42 + sess_len + ciph_len, comp_len ); |
ansond | 0:137634ff4186 | 1512 | |
ansond | 0:137634ff4186 | 1513 | /* |
ansond | 0:137634ff4186 | 1514 | * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV |
ansond | 0:137634ff4186 | 1515 | */ |
ansond | 0:137634ff4186 | 1516 | for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 ) |
ansond | 0:137634ff4186 | 1517 | { |
ansond | 0:137634ff4186 | 1518 | if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO ) |
ansond | 0:137634ff4186 | 1519 | { |
ansond | 0:137634ff4186 | 1520 | SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); |
ansond | 0:137634ff4186 | 1521 | #if defined(POLARSSL_SSL_RENEGOTIATION) |
ansond | 0:137634ff4186 | 1522 | if( ssl->renegotiation == SSL_RENEGOTIATION ) |
ansond | 0:137634ff4186 | 1523 | { |
ansond | 0:137634ff4186 | 1524 | SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) ); |
ansond | 0:137634ff4186 | 1525 | |
ansond | 0:137634ff4186 | 1526 | if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) |
ansond | 0:137634ff4186 | 1527 | return( ret ); |
ansond | 0:137634ff4186 | 1528 | |
ansond | 0:137634ff4186 | 1529 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1530 | } |
ansond | 0:137634ff4186 | 1531 | renegotiation_info_seen = 1; |
ansond | 0:137634ff4186 | 1532 | #endif /* POLARSSL_SSL_RENEGOTIATION */ |
ansond | 0:137634ff4186 | 1533 | ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION; |
ansond | 0:137634ff4186 | 1534 | break; |
ansond | 0:137634ff4186 | 1535 | } |
ansond | 0:137634ff4186 | 1536 | } |
ansond | 0:137634ff4186 | 1537 | |
ansond | 0:137634ff4186 | 1538 | #if defined(POLARSSL_SSL_FALLBACK_SCSV) |
ansond | 0:137634ff4186 | 1539 | for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 ) |
ansond | 0:137634ff4186 | 1540 | { |
ansond | 0:137634ff4186 | 1541 | if( p[0] == (unsigned char)( ( SSL_FALLBACK_SCSV >> 8 ) & 0xff ) && |
ansond | 0:137634ff4186 | 1542 | p[1] == (unsigned char)( ( SSL_FALLBACK_SCSV ) & 0xff ) ) |
ansond | 0:137634ff4186 | 1543 | { |
ansond | 0:137634ff4186 | 1544 | SSL_DEBUG_MSG( 0, ( "received FALLBACK_SCSV" ) ); |
ansond | 0:137634ff4186 | 1545 | |
ansond | 0:137634ff4186 | 1546 | if( ssl->minor_ver < ssl->max_minor_ver ) |
ansond | 0:137634ff4186 | 1547 | { |
ansond | 0:137634ff4186 | 1548 | SSL_DEBUG_MSG( 0, ( "inapropriate fallback" ) ); |
ansond | 0:137634ff4186 | 1549 | |
ansond | 0:137634ff4186 | 1550 | ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL, |
ansond | 0:137634ff4186 | 1551 | SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); |
ansond | 0:137634ff4186 | 1552 | |
ansond | 0:137634ff4186 | 1553 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1554 | } |
ansond | 0:137634ff4186 | 1555 | |
ansond | 0:137634ff4186 | 1556 | break; |
ansond | 0:137634ff4186 | 1557 | } |
ansond | 0:137634ff4186 | 1558 | } |
ansond | 0:137634ff4186 | 1559 | #endif /* POLARSSL_SSL_FALLBACK_SCSV */ |
ansond | 0:137634ff4186 | 1560 | |
ansond | 0:137634ff4186 | 1561 | ext = buf + 44 + sess_len + ciph_len + comp_len; |
ansond | 0:137634ff4186 | 1562 | |
ansond | 0:137634ff4186 | 1563 | while( ext_len ) |
ansond | 0:137634ff4186 | 1564 | { |
ansond | 0:137634ff4186 | 1565 | unsigned int ext_id = ( ( ext[0] << 8 ) |
ansond | 0:137634ff4186 | 1566 | | ( ext[1] ) ); |
ansond | 0:137634ff4186 | 1567 | unsigned int ext_size = ( ( ext[2] << 8 ) |
ansond | 0:137634ff4186 | 1568 | | ( ext[3] ) ); |
ansond | 0:137634ff4186 | 1569 | |
ansond | 0:137634ff4186 | 1570 | if( ext_size + 4 > ext_len ) |
ansond | 0:137634ff4186 | 1571 | { |
ansond | 0:137634ff4186 | 1572 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 1573 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1574 | } |
ansond | 0:137634ff4186 | 1575 | switch( ext_id ) |
ansond | 0:137634ff4186 | 1576 | { |
ansond | 0:137634ff4186 | 1577 | #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) |
ansond | 0:137634ff4186 | 1578 | case TLS_EXT_SERVERNAME: |
ansond | 0:137634ff4186 | 1579 | SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) ); |
ansond | 0:137634ff4186 | 1580 | if( ssl->f_sni == NULL ) |
ansond | 0:137634ff4186 | 1581 | break; |
ansond | 0:137634ff4186 | 1582 | |
ansond | 0:137634ff4186 | 1583 | ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size ); |
ansond | 0:137634ff4186 | 1584 | if( ret != 0 ) |
ansond | 0:137634ff4186 | 1585 | return( ret ); |
ansond | 0:137634ff4186 | 1586 | break; |
ansond | 0:137634ff4186 | 1587 | #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */ |
ansond | 0:137634ff4186 | 1588 | |
ansond | 0:137634ff4186 | 1589 | case TLS_EXT_RENEGOTIATION_INFO: |
ansond | 0:137634ff4186 | 1590 | SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); |
ansond | 0:137634ff4186 | 1591 | #if defined(POLARSSL_SSL_RENEGOTIATION) |
ansond | 0:137634ff4186 | 1592 | renegotiation_info_seen = 1; |
ansond | 0:137634ff4186 | 1593 | #endif |
ansond | 0:137634ff4186 | 1594 | |
ansond | 0:137634ff4186 | 1595 | ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ); |
ansond | 0:137634ff4186 | 1596 | if( ret != 0 ) |
ansond | 0:137634ff4186 | 1597 | return( ret ); |
ansond | 0:137634ff4186 | 1598 | break; |
ansond | 0:137634ff4186 | 1599 | |
ansond | 0:137634ff4186 | 1600 | #if defined(POLARSSL_SSL_PROTO_TLS1_2) && \ |
ansond | 0:137634ff4186 | 1601 | defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED) |
ansond | 0:137634ff4186 | 1602 | case TLS_EXT_SIG_ALG: |
ansond | 0:137634ff4186 | 1603 | SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); |
ansond | 0:137634ff4186 | 1604 | #if defined(POLARSSL_SSL_RENEGOTIATION) |
ansond | 0:137634ff4186 | 1605 | if( ssl->renegotiation == SSL_RENEGOTIATION ) |
ansond | 0:137634ff4186 | 1606 | break; |
ansond | 0:137634ff4186 | 1607 | #endif |
ansond | 0:137634ff4186 | 1608 | |
ansond | 0:137634ff4186 | 1609 | ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size ); |
ansond | 0:137634ff4186 | 1610 | if( ret != 0 ) |
ansond | 0:137634ff4186 | 1611 | return( ret ); |
ansond | 0:137634ff4186 | 1612 | break; |
ansond | 0:137634ff4186 | 1613 | #endif /* POLARSSL_SSL_PROTO_TLS1_2 && |
ansond | 0:137634ff4186 | 1614 | POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */ |
ansond | 0:137634ff4186 | 1615 | |
ansond | 0:137634ff4186 | 1616 | #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) |
ansond | 0:137634ff4186 | 1617 | case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES: |
ansond | 0:137634ff4186 | 1618 | SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) ); |
ansond | 0:137634ff4186 | 1619 | |
ansond | 0:137634ff4186 | 1620 | ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size ); |
ansond | 0:137634ff4186 | 1621 | if( ret != 0 ) |
ansond | 0:137634ff4186 | 1622 | return( ret ); |
ansond | 0:137634ff4186 | 1623 | break; |
ansond | 0:137634ff4186 | 1624 | |
ansond | 0:137634ff4186 | 1625 | case TLS_EXT_SUPPORTED_POINT_FORMATS: |
ansond | 0:137634ff4186 | 1626 | SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) ); |
ansond | 0:137634ff4186 | 1627 | ssl->handshake->cli_exts |= TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT; |
ansond | 0:137634ff4186 | 1628 | |
ansond | 0:137634ff4186 | 1629 | ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size ); |
ansond | 0:137634ff4186 | 1630 | if( ret != 0 ) |
ansond | 0:137634ff4186 | 1631 | return( ret ); |
ansond | 0:137634ff4186 | 1632 | break; |
ansond | 0:137634ff4186 | 1633 | #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */ |
ansond | 0:137634ff4186 | 1634 | |
ansond | 0:137634ff4186 | 1635 | #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) |
ansond | 0:137634ff4186 | 1636 | case TLS_EXT_MAX_FRAGMENT_LENGTH: |
ansond | 0:137634ff4186 | 1637 | SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) ); |
ansond | 0:137634ff4186 | 1638 | |
ansond | 0:137634ff4186 | 1639 | ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size ); |
ansond | 0:137634ff4186 | 1640 | if( ret != 0 ) |
ansond | 0:137634ff4186 | 1641 | return( ret ); |
ansond | 0:137634ff4186 | 1642 | break; |
ansond | 0:137634ff4186 | 1643 | #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */ |
ansond | 0:137634ff4186 | 1644 | |
ansond | 0:137634ff4186 | 1645 | #if defined(POLARSSL_SSL_TRUNCATED_HMAC) |
ansond | 0:137634ff4186 | 1646 | case TLS_EXT_TRUNCATED_HMAC: |
ansond | 0:137634ff4186 | 1647 | SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) ); |
ansond | 0:137634ff4186 | 1648 | |
ansond | 0:137634ff4186 | 1649 | ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size ); |
ansond | 0:137634ff4186 | 1650 | if( ret != 0 ) |
ansond | 0:137634ff4186 | 1651 | return( ret ); |
ansond | 0:137634ff4186 | 1652 | break; |
ansond | 0:137634ff4186 | 1653 | #endif /* POLARSSL_SSL_TRUNCATED_HMAC */ |
ansond | 0:137634ff4186 | 1654 | |
ansond | 0:137634ff4186 | 1655 | #if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC) |
ansond | 0:137634ff4186 | 1656 | case TLS_EXT_ENCRYPT_THEN_MAC: |
ansond | 0:137634ff4186 | 1657 | SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) ); |
ansond | 0:137634ff4186 | 1658 | |
ansond | 0:137634ff4186 | 1659 | ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size ); |
ansond | 0:137634ff4186 | 1660 | if( ret != 0 ) |
ansond | 0:137634ff4186 | 1661 | return( ret ); |
ansond | 0:137634ff4186 | 1662 | break; |
ansond | 0:137634ff4186 | 1663 | #endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */ |
ansond | 0:137634ff4186 | 1664 | |
ansond | 0:137634ff4186 | 1665 | #if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET) |
ansond | 0:137634ff4186 | 1666 | case TLS_EXT_EXTENDED_MASTER_SECRET: |
ansond | 0:137634ff4186 | 1667 | SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) ); |
ansond | 0:137634ff4186 | 1668 | |
ansond | 0:137634ff4186 | 1669 | ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size ); |
ansond | 0:137634ff4186 | 1670 | if( ret != 0 ) |
ansond | 0:137634ff4186 | 1671 | return( ret ); |
ansond | 0:137634ff4186 | 1672 | break; |
ansond | 0:137634ff4186 | 1673 | #endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */ |
ansond | 0:137634ff4186 | 1674 | |
ansond | 0:137634ff4186 | 1675 | #if defined(POLARSSL_SSL_SESSION_TICKETS) |
ansond | 0:137634ff4186 | 1676 | case TLS_EXT_SESSION_TICKET: |
ansond | 0:137634ff4186 | 1677 | SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) ); |
ansond | 0:137634ff4186 | 1678 | |
ansond | 0:137634ff4186 | 1679 | ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size ); |
ansond | 0:137634ff4186 | 1680 | if( ret != 0 ) |
ansond | 0:137634ff4186 | 1681 | return( ret ); |
ansond | 0:137634ff4186 | 1682 | break; |
ansond | 0:137634ff4186 | 1683 | #endif /* POLARSSL_SSL_SESSION_TICKETS */ |
ansond | 0:137634ff4186 | 1684 | |
ansond | 0:137634ff4186 | 1685 | #if defined(POLARSSL_SSL_ALPN) |
ansond | 0:137634ff4186 | 1686 | case TLS_EXT_ALPN: |
ansond | 0:137634ff4186 | 1687 | SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); |
ansond | 0:137634ff4186 | 1688 | |
ansond | 0:137634ff4186 | 1689 | ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ); |
ansond | 0:137634ff4186 | 1690 | if( ret != 0 ) |
ansond | 0:137634ff4186 | 1691 | return( ret ); |
ansond | 0:137634ff4186 | 1692 | break; |
ansond | 0:137634ff4186 | 1693 | #endif /* POLARSSL_SSL_SESSION_TICKETS */ |
ansond | 0:137634ff4186 | 1694 | |
ansond | 0:137634ff4186 | 1695 | default: |
ansond | 0:137634ff4186 | 1696 | SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", |
ansond | 0:137634ff4186 | 1697 | ext_id ) ); |
ansond | 0:137634ff4186 | 1698 | } |
ansond | 0:137634ff4186 | 1699 | |
ansond | 0:137634ff4186 | 1700 | ext_len -= 4 + ext_size; |
ansond | 0:137634ff4186 | 1701 | ext += 4 + ext_size; |
ansond | 0:137634ff4186 | 1702 | |
ansond | 0:137634ff4186 | 1703 | if( ext_len > 0 && ext_len < 4 ) |
ansond | 0:137634ff4186 | 1704 | { |
ansond | 0:137634ff4186 | 1705 | SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
ansond | 0:137634ff4186 | 1706 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1707 | } |
ansond | 0:137634ff4186 | 1708 | } |
ansond | 0:137634ff4186 | 1709 | |
ansond | 0:137634ff4186 | 1710 | /* |
ansond | 0:137634ff4186 | 1711 | * Renegotiation security checks |
ansond | 0:137634ff4186 | 1712 | */ |
ansond | 0:137634ff4186 | 1713 | if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION && |
ansond | 0:137634ff4186 | 1714 | ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE ) |
ansond | 0:137634ff4186 | 1715 | { |
ansond | 0:137634ff4186 | 1716 | SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); |
ansond | 0:137634ff4186 | 1717 | handshake_failure = 1; |
ansond | 0:137634ff4186 | 1718 | } |
ansond | 0:137634ff4186 | 1719 | #if defined(POLARSSL_SSL_RENEGOTIATION) |
ansond | 0:137634ff4186 | 1720 | else if( ssl->renegotiation == SSL_RENEGOTIATION && |
ansond | 0:137634ff4186 | 1721 | ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION && |
ansond | 0:137634ff4186 | 1722 | renegotiation_info_seen == 0 ) |
ansond | 0:137634ff4186 | 1723 | { |
ansond | 0:137634ff4186 | 1724 | SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); |
ansond | 0:137634ff4186 | 1725 | handshake_failure = 1; |
ansond | 0:137634ff4186 | 1726 | } |
ansond | 0:137634ff4186 | 1727 | else if( ssl->renegotiation == SSL_RENEGOTIATION && |
ansond | 0:137634ff4186 | 1728 | ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION && |
ansond | 0:137634ff4186 | 1729 | ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION ) |
ansond | 0:137634ff4186 | 1730 | { |
ansond | 0:137634ff4186 | 1731 | SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); |
ansond | 0:137634ff4186 | 1732 | handshake_failure = 1; |
ansond | 0:137634ff4186 | 1733 | } |
ansond | 0:137634ff4186 | 1734 | else if( ssl->renegotiation == SSL_RENEGOTIATION && |
ansond | 0:137634ff4186 | 1735 | ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION && |
ansond | 0:137634ff4186 | 1736 | renegotiation_info_seen == 1 ) |
ansond | 0:137634ff4186 | 1737 | { |
ansond | 0:137634ff4186 | 1738 | SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); |
ansond | 0:137634ff4186 | 1739 | handshake_failure = 1; |
ansond | 0:137634ff4186 | 1740 | } |
ansond | 0:137634ff4186 | 1741 | #endif /* POLARSSL_SSL_RENEGOTIATION */ |
ansond | 0:137634ff4186 | 1742 | |
ansond | 0:137634ff4186 | 1743 | if( handshake_failure == 1 ) |
ansond | 0:137634ff4186 | 1744 | { |
ansond | 0:137634ff4186 | 1745 | if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) |
ansond | 0:137634ff4186 | 1746 | return( ret ); |
ansond | 0:137634ff4186 | 1747 | |
ansond | 0:137634ff4186 | 1748 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); |
ansond | 0:137634ff4186 | 1749 | } |
ansond | 0:137634ff4186 | 1750 | |
ansond | 0:137634ff4186 | 1751 | /* |
ansond | 0:137634ff4186 | 1752 | * Search for a matching ciphersuite |
ansond | 0:137634ff4186 | 1753 | * (At the end because we need information from the EC-based extensions |
ansond | 0:137634ff4186 | 1754 | * and certificate from the SNI callback triggered by the SNI extension.) |
ansond | 0:137634ff4186 | 1755 | */ |
ansond | 0:137634ff4186 | 1756 | got_common_suite = 0; |
ansond | 0:137634ff4186 | 1757 | ciphersuites = ssl->ciphersuite_list[ssl->minor_ver]; |
ansond | 0:137634ff4186 | 1758 | ciphersuite_info = NULL; |
ansond | 0:137634ff4186 | 1759 | #if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE) |
ansond | 0:137634ff4186 | 1760 | for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 ) |
ansond | 0:137634ff4186 | 1761 | { |
ansond | 0:137634ff4186 | 1762 | for( i = 0; ciphersuites[i] != 0; i++ ) |
ansond | 0:137634ff4186 | 1763 | #else |
ansond | 0:137634ff4186 | 1764 | for( i = 0; ciphersuites[i] != 0; i++ ) |
ansond | 0:137634ff4186 | 1765 | { |
ansond | 0:137634ff4186 | 1766 | for( j = 0, p = buf + 41 + sess_len; j < ciph_len; j += 2, p += 2 ) |
ansond | 0:137634ff4186 | 1767 | #endif |
ansond | 0:137634ff4186 | 1768 | { |
ansond | 0:137634ff4186 | 1769 | if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || |
ansond | 0:137634ff4186 | 1770 | p[1] != ( ( ciphersuites[i] ) & 0xFF ) ) |
ansond | 0:137634ff4186 | 1771 | continue; |
ansond | 0:137634ff4186 | 1772 | |
ansond | 0:137634ff4186 | 1773 | got_common_suite = 1; |
ansond | 0:137634ff4186 | 1774 | |
ansond | 0:137634ff4186 | 1775 | if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], |
ansond | 0:137634ff4186 | 1776 | &ciphersuite_info ) ) != 0 ) |
ansond | 0:137634ff4186 | 1777 | return( ret ); |
ansond | 0:137634ff4186 | 1778 | |
ansond | 0:137634ff4186 | 1779 | if( ciphersuite_info != NULL ) |
ansond | 0:137634ff4186 | 1780 | goto have_ciphersuite; |
ansond | 0:137634ff4186 | 1781 | } |
ansond | 0:137634ff4186 | 1782 | } |
ansond | 0:137634ff4186 | 1783 | |
ansond | 0:137634ff4186 | 1784 | if( got_common_suite ) |
ansond | 0:137634ff4186 | 1785 | { |
ansond | 0:137634ff4186 | 1786 | SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " |
ansond | 0:137634ff4186 | 1787 | "but none of them usable" ) ); |
ansond | 0:137634ff4186 | 1788 | ssl_send_fatal_handshake_failure( ssl ); |
ansond | 0:137634ff4186 | 1789 | return( POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE ); |
ansond | 0:137634ff4186 | 1790 | } |
ansond | 0:137634ff4186 | 1791 | else |
ansond | 0:137634ff4186 | 1792 | { |
ansond | 0:137634ff4186 | 1793 | SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); |
ansond | 0:137634ff4186 | 1794 | ssl_send_fatal_handshake_failure( ssl ); |
ansond | 0:137634ff4186 | 1795 | return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN ); |
ansond | 0:137634ff4186 | 1796 | } |
ansond | 0:137634ff4186 | 1797 | |
ansond | 0:137634ff4186 | 1798 | have_ciphersuite: |
ansond | 0:137634ff4186 | 1799 | SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); |
ansond | 0:137634ff4186 | 1800 | |
ansond | 0:137634ff4186 | 1801 | ssl->session_negotiate->ciphersuite = ciphersuites[i]; |
ansond | 0:137634ff4186 | 1802 | ssl->transform_negotiate->ciphersuite_info = ciphersuite_info; |
ansond | 0:137634ff4186 | 1803 | ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); |
ansond | 0:137634ff4186 | 1804 | |
ansond | 0:137634ff4186 | 1805 | ssl->in_left = 0; |
ansond | 0:137634ff4186 | 1806 | ssl->state++; |
ansond | 0:137634ff4186 | 1807 | |
ansond | 0:137634ff4186 | 1808 | SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) ); |
ansond | 0:137634ff4186 | 1809 | |
ansond | 0:137634ff4186 | 1810 | return( 0 ); |
ansond | 0:137634ff4186 | 1811 | } |
ansond | 0:137634ff4186 | 1812 | |
ansond | 0:137634ff4186 | 1813 | #if defined(POLARSSL_SSL_TRUNCATED_HMAC) |
ansond | 0:137634ff4186 | 1814 | static void ssl_write_truncated_hmac_ext( ssl_context *ssl, |
ansond | 0:137634ff4186 | 1815 | unsigned char *buf, |
ansond | 0:137634ff4186 | 1816 | size_t *olen ) |
ansond | 0:137634ff4186 | 1817 | { |
ansond | 0:137634ff4186 | 1818 | unsigned char *p = buf; |
ansond | 0:137634ff4186 | 1819 | |
ansond | 0:137634ff4186 | 1820 | if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED ) |
ansond | 0:137634ff4186 | 1821 | { |
ansond | 0:137634ff4186 | 1822 | *olen = 0; |
ansond | 0:137634ff4186 | 1823 | return; |
ansond | 0:137634ff4186 | 1824 | } |
ansond | 0:137634ff4186 | 1825 | |
ansond | 0:137634ff4186 | 1826 | SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) ); |
ansond | 0:137634ff4186 | 1827 | |
ansond | 0:137634ff4186 | 1828 | *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); |
ansond | 0:137634ff4186 | 1829 | *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); |
ansond | 0:137634ff4186 | 1830 | |
ansond | 0:137634ff4186 | 1831 | *p++ = 0x00; |
ansond | 0:137634ff4186 | 1832 | *p++ = 0x00; |
ansond | 0:137634ff4186 | 1833 | |
ansond | 0:137634ff4186 | 1834 | *olen = 4; |
ansond | 0:137634ff4186 | 1835 | } |
ansond | 0:137634ff4186 | 1836 | #endif /* POLARSSL_SSL_TRUNCATED_HMAC */ |
ansond | 0:137634ff4186 | 1837 | |
ansond | 0:137634ff4186 | 1838 | #if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC) |
ansond | 0:137634ff4186 | 1839 | static void ssl_write_encrypt_then_mac_ext( ssl_context *ssl, |
ansond | 0:137634ff4186 | 1840 | unsigned char *buf, |
ansond | 0:137634ff4186 | 1841 | size_t *olen ) |
ansond | 0:137634ff4186 | 1842 | { |
ansond | 0:137634ff4186 | 1843 | unsigned char *p = buf; |
ansond | 0:137634ff4186 | 1844 | const ssl_ciphersuite_t *suite = NULL; |
ansond | 0:137634ff4186 | 1845 | const cipher_info_t *cipher = NULL; |
ansond | 0:137634ff4186 | 1846 | |
ansond | 0:137634ff4186 | 1847 | if( ssl->session_negotiate->encrypt_then_mac == SSL_EXTENDED_MS_DISABLED || |
ansond | 0:137634ff4186 | 1848 | ssl->minor_ver == SSL_MINOR_VERSION_0 ) |
ansond | 0:137634ff4186 | 1849 | { |
ansond | 0:137634ff4186 | 1850 | *olen = 0; |
ansond | 0:137634ff4186 | 1851 | return; |
ansond | 0:137634ff4186 | 1852 | } |
ansond | 0:137634ff4186 | 1853 | |
ansond | 0:137634ff4186 | 1854 | /* |
ansond | 0:137634ff4186 | 1855 | * RFC 7366: "If a server receives an encrypt-then-MAC request extension |
ansond | 0:137634ff4186 | 1856 | * from a client and then selects a stream or Authenticated Encryption |
ansond | 0:137634ff4186 | 1857 | * with Associated Data (AEAD) ciphersuite, it MUST NOT send an |
ansond | 0:137634ff4186 | 1858 | * encrypt-then-MAC response extension back to the client." |
ansond | 0:137634ff4186 | 1859 | */ |
ansond | 0:137634ff4186 | 1860 | if( ( suite = ssl_ciphersuite_from_id( |
ansond | 0:137634ff4186 | 1861 | ssl->session_negotiate->ciphersuite ) ) == NULL || |
ansond | 0:137634ff4186 | 1862 | ( cipher = cipher_info_from_type( suite->cipher ) ) == NULL || |
ansond | 0:137634ff4186 | 1863 | cipher->mode != POLARSSL_MODE_CBC ) |
ansond | 0:137634ff4186 | 1864 | { |
ansond | 0:137634ff4186 | 1865 | *olen = 0; |
ansond | 0:137634ff4186 | 1866 | return; |
ansond | 0:137634ff4186 | 1867 | } |
ansond | 0:137634ff4186 | 1868 | |
ansond | 0:137634ff4186 | 1869 | SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) ); |
ansond | 0:137634ff4186 | 1870 | |
ansond | 0:137634ff4186 | 1871 | *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); |
ansond | 0:137634ff4186 | 1872 | *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); |
ansond | 0:137634ff4186 | 1873 | |
ansond | 0:137634ff4186 | 1874 | *p++ = 0x00; |
ansond | 0:137634ff4186 | 1875 | *p++ = 0x00; |
ansond | 0:137634ff4186 | 1876 | |
ansond | 0:137634ff4186 | 1877 | *olen = 4; |
ansond | 0:137634ff4186 | 1878 | } |
ansond | 0:137634ff4186 | 1879 | #endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */ |
ansond | 0:137634ff4186 | 1880 | |
ansond | 0:137634ff4186 | 1881 | #if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET) |
ansond | 0:137634ff4186 | 1882 | static void ssl_write_extended_ms_ext( ssl_context *ssl, |
ansond | 0:137634ff4186 | 1883 | unsigned char *buf, |
ansond | 0:137634ff4186 | 1884 | size_t *olen ) |
ansond | 0:137634ff4186 | 1885 | { |
ansond | 0:137634ff4186 | 1886 | unsigned char *p = buf; |
ansond | 0:137634ff4186 | 1887 | |
ansond | 0:137634ff4186 | 1888 | if( ssl->handshake->extended_ms == SSL_EXTENDED_MS_DISABLED || |
ansond | 0:137634ff4186 | 1889 | ssl->minor_ver == SSL_MINOR_VERSION_0 ) |
ansond | 0:137634ff4186 | 1890 | { |
ansond | 0:137634ff4186 | 1891 | *olen = 0; |
ansond | 0:137634ff4186 | 1892 | return; |
ansond | 0:137634ff4186 | 1893 | } |
ansond | 0:137634ff4186 | 1894 | |
ansond | 0:137634ff4186 | 1895 | SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret " |
ansond | 0:137634ff4186 | 1896 | "extension" ) ); |
ansond | 0:137634ff4186 | 1897 | |
ansond | 0:137634ff4186 | 1898 | *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); |
ansond | 0:137634ff4186 | 1899 | *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); |
ansond | 0:137634ff4186 | 1900 | |
ansond | 0:137634ff4186 | 1901 | *p++ = 0x00; |
ansond | 0:137634ff4186 | 1902 | *p++ = 0x00; |
ansond | 0:137634ff4186 | 1903 | |
ansond | 0:137634ff4186 | 1904 | *olen = 4; |
ansond | 0:137634ff4186 | 1905 | } |
ansond | 0:137634ff4186 | 1906 | #endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */ |
ansond | 0:137634ff4186 | 1907 | |
ansond | 0:137634ff4186 | 1908 | #if defined(POLARSSL_SSL_SESSION_TICKETS) |
ansond | 0:137634ff4186 | 1909 | static void ssl_write_session_ticket_ext( ssl_context *ssl, |
ansond | 0:137634ff4186 | 1910 | unsigned char *buf, |
ansond | 0:137634ff4186 | 1911 | size_t *olen ) |
ansond | 0:137634ff4186 | 1912 | { |
ansond | 0:137634ff4186 | 1913 | unsigned char *p = buf; |
ansond | 0:137634ff4186 | 1914 | |
ansond | 0:137634ff4186 | 1915 | if( ssl->handshake->new_session_ticket == 0 ) |
ansond | 0:137634ff4186 | 1916 | { |
ansond | 0:137634ff4186 | 1917 | *olen = 0; |
ansond | 0:137634ff4186 | 1918 | return; |
ansond | 0:137634ff4186 | 1919 | } |
ansond | 0:137634ff4186 | 1920 | |
ansond | 0:137634ff4186 | 1921 | SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) ); |
ansond | 0:137634ff4186 | 1922 | |
ansond | 0:137634ff4186 | 1923 | *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); |
ansond | 0:137634ff4186 | 1924 | *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET ) & 0xFF ); |
ansond | 0:137634ff4186 | 1925 | |
ansond | 0:137634ff4186 | 1926 | *p++ = 0x00; |
ansond | 0:137634ff4186 | 1927 | *p++ = 0x00; |
ansond | 0:137634ff4186 | 1928 | |
ansond | 0:137634ff4186 | 1929 | *olen = 4; |
ansond | 0:137634ff4186 | 1930 | } |
ansond | 0:137634ff4186 | 1931 | #endif /* POLARSSL_SSL_SESSION_TICKETS */ |
ansond | 0:137634ff4186 | 1932 | |
ansond | 0:137634ff4186 | 1933 | static void ssl_write_renegotiation_ext( ssl_context *ssl, |
ansond | 0:137634ff4186 | 1934 | unsigned char *buf, |
ansond | 0:137634ff4186 | 1935 | size_t *olen ) |
ansond | 0:137634ff4186 | 1936 | { |
ansond | 0:137634ff4186 | 1937 | unsigned char *p = buf; |
ansond | 0:137634ff4186 | 1938 | |
ansond | 0:137634ff4186 | 1939 | if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION ) |
ansond | 0:137634ff4186 | 1940 | { |
ansond | 0:137634ff4186 | 1941 | *olen = 0; |
ansond | 0:137634ff4186 | 1942 | return; |
ansond | 0:137634ff4186 | 1943 | } |
ansond | 0:137634ff4186 | 1944 | |
ansond | 0:137634ff4186 | 1945 | SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) ); |
ansond | 0:137634ff4186 | 1946 | |
ansond | 0:137634ff4186 | 1947 | *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); |
ansond | 0:137634ff4186 | 1948 | *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); |
ansond | 0:137634ff4186 | 1949 | |
ansond | 0:137634ff4186 | 1950 | #if defined(POLARSSL_SSL_RENEGOTIATION) |
ansond | 0:137634ff4186 | 1951 | if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) |
ansond | 0:137634ff4186 | 1952 | { |
ansond | 0:137634ff4186 | 1953 | *p++ = 0x00; |
ansond | 0:137634ff4186 | 1954 | *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF; |
ansond | 0:137634ff4186 | 1955 | *p++ = ssl->verify_data_len * 2 & 0xFF; |
ansond | 0:137634ff4186 | 1956 | |
ansond | 0:137634ff4186 | 1957 | memcpy( p, ssl->peer_verify_data, ssl->verify_data_len ); |
ansond | 0:137634ff4186 | 1958 | p += ssl->verify_data_len; |
ansond | 0:137634ff4186 | 1959 | memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); |
ansond | 0:137634ff4186 | 1960 | p += ssl->verify_data_len; |
ansond | 0:137634ff4186 | 1961 | |
ansond | 0:137634ff4186 | 1962 | *olen = 5 + ssl->verify_data_len * 2; |
ansond | 0:137634ff4186 | 1963 | } |
ansond | 0:137634ff4186 | 1964 | else |
ansond | 0:137634ff4186 | 1965 | #endif /* POLARSSL_SSL_RENEGOTIATION */ |
ansond | 0:137634ff4186 | 1966 | { |
ansond | 0:137634ff4186 | 1967 | *p++ = 0x00; |
ansond | 0:137634ff4186 | 1968 | *p++ = 0x01; |
ansond | 0:137634ff4186 | 1969 | *p++ = 0x00; |
ansond | 0:137634ff4186 | 1970 | |
ansond | 0:137634ff4186 | 1971 | *olen = 5; |
ansond | 0:137634ff4186 | 1972 | } |
ansond | 0:137634ff4186 | 1973 | } |
ansond | 0:137634ff4186 | 1974 | |
ansond | 0:137634ff4186 | 1975 | #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) |
ansond | 0:137634ff4186 | 1976 | static void ssl_write_max_fragment_length_ext( ssl_context *ssl, |
ansond | 0:137634ff4186 | 1977 | unsigned char *buf, |
ansond | 0:137634ff4186 | 1978 | size_t *olen ) |
ansond | 0:137634ff4186 | 1979 | { |
ansond | 0:137634ff4186 | 1980 | unsigned char *p = buf; |
ansond | 0:137634ff4186 | 1981 | |
ansond | 0:137634ff4186 | 1982 | if( ssl->session_negotiate->mfl_code == SSL_MAX_FRAG_LEN_NONE ) |
ansond | 0:137634ff4186 | 1983 | { |
ansond | 0:137634ff4186 | 1984 | *olen = 0; |
ansond | 0:137634ff4186 | 1985 | return; |
ansond | 0:137634ff4186 | 1986 | } |
ansond | 0:137634ff4186 | 1987 | |
ansond | 0:137634ff4186 | 1988 | SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) ); |
ansond | 0:137634ff4186 | 1989 | |
ansond | 0:137634ff4186 | 1990 | *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); |
ansond | 0:137634ff4186 | 1991 | *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); |
ansond | 0:137634ff4186 | 1992 | |
ansond | 0:137634ff4186 | 1993 | *p++ = 0x00; |
ansond | 0:137634ff4186 | 1994 | *p++ = 1; |
ansond | 0:137634ff4186 | 1995 | |
ansond | 0:137634ff4186 | 1996 | *p++ = ssl->session_negotiate->mfl_code; |
ansond | 0:137634ff4186 | 1997 | |
ansond | 0:137634ff4186 | 1998 | *olen = 5; |
ansond | 0:137634ff4186 | 1999 | } |
ansond | 0:137634ff4186 | 2000 | #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */ |
ansond | 0:137634ff4186 | 2001 | |
ansond | 0:137634ff4186 | 2002 | #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) |
ansond | 0:137634ff4186 | 2003 | static void ssl_write_supported_point_formats_ext( ssl_context *ssl, |
ansond | 0:137634ff4186 | 2004 | unsigned char *buf, |
ansond | 0:137634ff4186 | 2005 | size_t *olen ) |
ansond | 0:137634ff4186 | 2006 | { |
ansond | 0:137634ff4186 | 2007 | unsigned char *p = buf; |
ansond | 0:137634ff4186 | 2008 | ((void) ssl); |
ansond | 0:137634ff4186 | 2009 | |
ansond | 0:137634ff4186 | 2010 | if( ( ssl->handshake->cli_exts & |
ansond | 0:137634ff4186 | 2011 | TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 ) |
ansond | 0:137634ff4186 | 2012 | { |
ansond | 0:137634ff4186 | 2013 | *olen = 0; |
ansond | 0:137634ff4186 | 2014 | return; |
ansond | 0:137634ff4186 | 2015 | } |
ansond | 0:137634ff4186 | 2016 | |
ansond | 0:137634ff4186 | 2017 | SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) ); |
ansond | 0:137634ff4186 | 2018 | |
ansond | 0:137634ff4186 | 2019 | *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); |
ansond | 0:137634ff4186 | 2020 | *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); |
ansond | 0:137634ff4186 | 2021 | |
ansond | 0:137634ff4186 | 2022 | *p++ = 0x00; |
ansond | 0:137634ff4186 | 2023 | *p++ = 2; |
ansond | 0:137634ff4186 | 2024 | |
ansond | 0:137634ff4186 | 2025 | *p++ = 1; |
ansond | 0:137634ff4186 | 2026 | *p++ = POLARSSL_ECP_PF_UNCOMPRESSED; |
ansond | 0:137634ff4186 | 2027 | |
ansond | 0:137634ff4186 | 2028 | *olen = 6; |
ansond | 0:137634ff4186 | 2029 | } |
ansond | 0:137634ff4186 | 2030 | #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */ |
ansond | 0:137634ff4186 | 2031 | |
ansond | 0:137634ff4186 | 2032 | #if defined(POLARSSL_SSL_ALPN ) |
ansond | 0:137634ff4186 | 2033 | static void ssl_write_alpn_ext( ssl_context *ssl, |
ansond | 0:137634ff4186 | 2034 | unsigned char *buf, size_t *olen ) |
ansond | 0:137634ff4186 | 2035 | { |
ansond | 0:137634ff4186 | 2036 | if( ssl->alpn_chosen == NULL ) |
ansond | 0:137634ff4186 | 2037 | { |
ansond | 0:137634ff4186 | 2038 | *olen = 0; |
ansond | 0:137634ff4186 | 2039 | return; |
ansond | 0:137634ff4186 | 2040 | } |
ansond | 0:137634ff4186 | 2041 | |
ansond | 0:137634ff4186 | 2042 | SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) ); |
ansond | 0:137634ff4186 | 2043 | |
ansond | 0:137634ff4186 | 2044 | /* |
ansond | 0:137634ff4186 | 2045 | * 0 . 1 ext identifier |
ansond | 0:137634ff4186 | 2046 | * 2 . 3 ext length |
ansond | 0:137634ff4186 | 2047 | * 4 . 5 protocol list length |
ansond | 0:137634ff4186 | 2048 | * 6 . 6 protocol name length |
ansond | 0:137634ff4186 | 2049 | * 7 . 7+n protocol name |
ansond | 0:137634ff4186 | 2050 | */ |
ansond | 0:137634ff4186 | 2051 | buf[0] = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF ); |
ansond | 0:137634ff4186 | 2052 | buf[1] = (unsigned char)( ( TLS_EXT_ALPN ) & 0xFF ); |
ansond | 0:137634ff4186 | 2053 | |
ansond | 0:137634ff4186 | 2054 | *olen = 7 + strlen( ssl->alpn_chosen ); |
ansond | 0:137634ff4186 | 2055 | |
ansond | 0:137634ff4186 | 2056 | buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); |
ansond | 0:137634ff4186 | 2057 | buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); |
ansond | 0:137634ff4186 | 2058 | |
ansond | 0:137634ff4186 | 2059 | buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); |
ansond | 0:137634ff4186 | 2060 | buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); |
ansond | 0:137634ff4186 | 2061 | |
ansond | 0:137634ff4186 | 2062 | buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF ); |
ansond | 0:137634ff4186 | 2063 | |
ansond | 0:137634ff4186 | 2064 | memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 ); |
ansond | 0:137634ff4186 | 2065 | } |
ansond | 0:137634ff4186 | 2066 | #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */ |
ansond | 0:137634ff4186 | 2067 | |
ansond | 0:137634ff4186 | 2068 | static int ssl_write_server_hello( ssl_context *ssl ) |
ansond | 0:137634ff4186 | 2069 | { |
ansond | 0:137634ff4186 | 2070 | #if defined(POLARSSL_HAVE_TIME) |
ansond | 0:137634ff4186 | 2071 | time_t t; |
ansond | 0:137634ff4186 | 2072 | #endif |
ansond | 0:137634ff4186 | 2073 | int ret; |
ansond | 0:137634ff4186 | 2074 | size_t olen, ext_len = 0, n; |
ansond | 0:137634ff4186 | 2075 | unsigned char *buf, *p; |
ansond | 0:137634ff4186 | 2076 | |
ansond | 0:137634ff4186 | 2077 | SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); |
ansond | 0:137634ff4186 | 2078 | |
ansond | 0:137634ff4186 | 2079 | if( ssl->f_rng == NULL ) |
ansond | 0:137634ff4186 | 2080 | { |
ansond | 0:137634ff4186 | 2081 | SSL_DEBUG_MSG( 1, ( "no RNG provided") ); |
ansond | 0:137634ff4186 | 2082 | return( POLARSSL_ERR_SSL_NO_RNG ); |
ansond | 0:137634ff4186 | 2083 | } |
ansond | 0:137634ff4186 | 2084 | |
ansond | 0:137634ff4186 | 2085 | /* |
ansond | 0:137634ff4186 | 2086 | * 0 . 0 handshake type |
ansond | 0:137634ff4186 | 2087 | * 1 . 3 handshake length |
ansond | 0:137634ff4186 | 2088 | * 4 . 5 protocol version |
ansond | 0:137634ff4186 | 2089 | * 6 . 9 UNIX time() |
ansond | 0:137634ff4186 | 2090 | * 10 . 37 random bytes |
ansond | 0:137634ff4186 | 2091 | */ |
ansond | 0:137634ff4186 | 2092 | buf = ssl->out_msg; |
ansond | 0:137634ff4186 | 2093 | p = buf + 4; |
ansond | 0:137634ff4186 | 2094 | |
ansond | 0:137634ff4186 | 2095 | *p++ = (unsigned char) ssl->major_ver; |
ansond | 0:137634ff4186 | 2096 | *p++ = (unsigned char) ssl->minor_ver; |
ansond | 0:137634ff4186 | 2097 | |
ansond | 0:137634ff4186 | 2098 | SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]", |
ansond | 0:137634ff4186 | 2099 | buf[4], buf[5] ) ); |
ansond | 0:137634ff4186 | 2100 | |
ansond | 0:137634ff4186 | 2101 | #if defined(POLARSSL_HAVE_TIME) |
ansond | 0:137634ff4186 | 2102 | t = time( NULL ); |
ansond | 0:137634ff4186 | 2103 | *p++ = (unsigned char)( t >> 24 ); |
ansond | 0:137634ff4186 | 2104 | *p++ = (unsigned char)( t >> 16 ); |
ansond | 0:137634ff4186 | 2105 | *p++ = (unsigned char)( t >> 8 ); |
ansond | 0:137634ff4186 | 2106 | *p++ = (unsigned char)( t ); |
ansond | 0:137634ff4186 | 2107 | |
ansond | 0:137634ff4186 | 2108 | SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); |
ansond | 0:137634ff4186 | 2109 | #else |
ansond | 0:137634ff4186 | 2110 | if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 ) |
ansond | 0:137634ff4186 | 2111 | return( ret ); |
ansond | 0:137634ff4186 | 2112 | |
ansond | 0:137634ff4186 | 2113 | p += 4; |
ansond | 0:137634ff4186 | 2114 | #endif /* POLARSSL_HAVE_TIME */ |
ansond | 0:137634ff4186 | 2115 | |
ansond | 0:137634ff4186 | 2116 | if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 ) |
ansond | 0:137634ff4186 | 2117 | return( ret ); |
ansond | 0:137634ff4186 | 2118 | |
ansond | 0:137634ff4186 | 2119 | p += 28; |
ansond | 0:137634ff4186 | 2120 | |
ansond | 0:137634ff4186 | 2121 | memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 ); |
ansond | 0:137634ff4186 | 2122 | |
ansond | 0:137634ff4186 | 2123 | SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 ); |
ansond | 0:137634ff4186 | 2124 | |
ansond | 0:137634ff4186 | 2125 | /* |
ansond | 0:137634ff4186 | 2126 | * Resume is 0 by default, see ssl_handshake_init(). |
ansond | 0:137634ff4186 | 2127 | * It may be already set to 1 by ssl_parse_session_ticket_ext(). |
ansond | 0:137634ff4186 | 2128 | * If not, try looking up session ID in our cache. |
ansond | 0:137634ff4186 | 2129 | */ |
ansond | 0:137634ff4186 | 2130 | if( ssl->handshake->resume == 0 && |
ansond | 0:137634ff4186 | 2131 | #if defined(POLARSSL_SSL_RENEGOTIATION) |
ansond | 0:137634ff4186 | 2132 | ssl->renegotiation == SSL_INITIAL_HANDSHAKE && |
ansond | 0:137634ff4186 | 2133 | #endif |
ansond | 0:137634ff4186 | 2134 | ssl->session_negotiate->length != 0 && |
ansond | 0:137634ff4186 | 2135 | ssl->f_get_cache != NULL && |
ansond | 0:137634ff4186 | 2136 | ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 ) |
ansond | 0:137634ff4186 | 2137 | { |
ansond | 0:137634ff4186 | 2138 | SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) ); |
ansond | 0:137634ff4186 | 2139 | ssl->handshake->resume = 1; |
ansond | 0:137634ff4186 | 2140 | } |
ansond | 0:137634ff4186 | 2141 | |
ansond | 0:137634ff4186 | 2142 | if( ssl->handshake->resume == 0 ) |
ansond | 0:137634ff4186 | 2143 | { |
ansond | 0:137634ff4186 | 2144 | /* |
ansond | 0:137634ff4186 | 2145 | * New session, create a new session id, |
ansond | 0:137634ff4186 | 2146 | * unless we're about to issue a session ticket |
ansond | 0:137634ff4186 | 2147 | */ |
ansond | 0:137634ff4186 | 2148 | ssl->state++; |
ansond | 0:137634ff4186 | 2149 | |
ansond | 0:137634ff4186 | 2150 | #if defined(POLARSSL_HAVE_TIME) |
ansond | 0:137634ff4186 | 2151 | ssl->session_negotiate->start = time( NULL ); |
ansond | 0:137634ff4186 | 2152 | #endif |
ansond | 0:137634ff4186 | 2153 | |
ansond | 0:137634ff4186 | 2154 | #if defined(POLARSSL_SSL_SESSION_TICKETS) |
ansond | 0:137634ff4186 | 2155 | if( ssl->handshake->new_session_ticket != 0 ) |
ansond | 0:137634ff4186 | 2156 | { |
ansond | 0:137634ff4186 | 2157 | ssl->session_negotiate->length = n = 0; |
ansond | 0:137634ff4186 | 2158 | memset( ssl->session_negotiate->id, 0, 32 ); |
ansond | 0:137634ff4186 | 2159 | } |
ansond | 0:137634ff4186 | 2160 | else |
ansond | 0:137634ff4186 | 2161 | #endif /* POLARSSL_SSL_SESSION_TICKETS */ |
ansond | 0:137634ff4186 | 2162 | { |
ansond | 0:137634ff4186 | 2163 | ssl->session_negotiate->length = n = 32; |
ansond | 0:137634ff4186 | 2164 | if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, |
ansond | 0:137634ff4186 | 2165 | n ) ) != 0 ) |
ansond | 0:137634ff4186 | 2166 | return( ret ); |
ansond | 0:137634ff4186 | 2167 | } |
ansond | 0:137634ff4186 | 2168 | } |
ansond | 0:137634ff4186 | 2169 | else |
ansond | 0:137634ff4186 | 2170 | { |
ansond | 0:137634ff4186 | 2171 | /* |
ansond | 0:137634ff4186 | 2172 | * Resuming a session |
ansond | 0:137634ff4186 | 2173 | */ |
ansond | 0:137634ff4186 | 2174 | n = ssl->session_negotiate->length; |
ansond | 0:137634ff4186 | 2175 | ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC; |
ansond | 0:137634ff4186 | 2176 | |
ansond | 0:137634ff4186 | 2177 | if( ( ret = ssl_derive_keys( ssl ) ) != 0 ) |
ansond | 0:137634ff4186 | 2178 | { |
ansond | 0:137634ff4186 | 2179 | SSL_DEBUG_RET( 1, "ssl_derive_keys", ret ); |
ansond | 0:137634ff4186 | 2180 | return( ret ); |
ansond | 0:137634ff4186 | 2181 | } |
ansond | 0:137634ff4186 | 2182 | } |
ansond | 0:137634ff4186 | 2183 | |
ansond | 0:137634ff4186 | 2184 | /* |
ansond | 0:137634ff4186 | 2185 | * 38 . 38 session id length |
ansond | 0:137634ff4186 | 2186 | * 39 . 38+n session id |
ansond | 0:137634ff4186 | 2187 | * 39+n . 40+n chosen ciphersuite |
ansond | 0:137634ff4186 | 2188 | * 41+n . 41+n chosen compression alg. |
ansond | 0:137634ff4186 | 2189 | * 42+n . 43+n extensions length |
ansond | 0:137634ff4186 | 2190 | * 44+n . 43+n+m extensions |
ansond | 0:137634ff4186 | 2191 | */ |
ansond | 0:137634ff4186 | 2192 | *p++ = (unsigned char) ssl->session_negotiate->length; |
ansond | 0:137634ff4186 | 2193 | memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length ); |
ansond | 0:137634ff4186 | 2194 | p += ssl->session_negotiate->length; |
ansond | 0:137634ff4186 | 2195 | |
ansond | 0:137634ff4186 | 2196 | SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); |
ansond | 0:137634ff4186 | 2197 | SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n ); |
ansond | 0:137634ff4186 | 2198 | SSL_DEBUG_MSG( 3, ( "%s session has been resumed", |
ansond | 0:137634ff4186 | 2199 | ssl->handshake->resume ? "a" : "no" ) ); |
ansond | 0:137634ff4186 | 2200 | |
ansond | 0:137634ff4186 | 2201 | *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 ); |
ansond | 0:137634ff4186 | 2202 | *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite ); |
ansond | 0:137634ff4186 | 2203 | *p++ = (unsigned char)( ssl->session_negotiate->compression ); |
ansond | 0:137634ff4186 | 2204 | |
ansond | 0:137634ff4186 | 2205 | SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", |
ansond | 0:137634ff4186 | 2206 | ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) ); |
ansond | 0:137634ff4186 | 2207 | SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X", |
ansond | 0:137634ff4186 | 2208 | ssl->session_negotiate->compression ) ); |
ansond | 0:137634ff4186 | 2209 | |
ansond | 0:137634ff4186 | 2210 | /* |
ansond | 0:137634ff4186 | 2211 | * First write extensions, then the total length |
ansond | 0:137634ff4186 | 2212 | */ |
ansond | 0:137634ff4186 | 2213 | ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); |
ansond | 0:137634ff4186 | 2214 | ext_len += olen; |
ansond | 0:137634ff4186 | 2215 | |
ansond | 0:137634ff4186 | 2216 | #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) |
ansond | 0:137634ff4186 | 2217 | ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); |
ansond | 0:137634ff4186 | 2218 | ext_len += olen; |
ansond | 0:137634ff4186 | 2219 | #endif |
ansond | 0:137634ff4186 | 2220 | |
ansond | 0:137634ff4186 | 2221 | #if defined(POLARSSL_SSL_TRUNCATED_HMAC) |
ansond | 0:137634ff4186 | 2222 | ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); |
ansond | 0:137634ff4186 | 2223 | ext_len += olen; |
ansond | 0:137634ff4186 | 2224 | #endif |
ansond | 0:137634ff4186 | 2225 | |
ansond | 0:137634ff4186 | 2226 | #if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC) |
ansond | 0:137634ff4186 | 2227 | ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); |
ansond | 0:137634ff4186 | 2228 | ext_len += olen; |
ansond | 0:137634ff4186 | 2229 | #endif |
ansond | 0:137634ff4186 | 2230 | |
ansond | 0:137634ff4186 | 2231 | #if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET) |
ansond | 0:137634ff4186 | 2232 | ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); |
ansond | 0:137634ff4186 | 2233 | ext_len += olen; |
ansond | 0:137634ff4186 | 2234 | #endif |
ansond | 0:137634ff4186 | 2235 | |
ansond | 0:137634ff4186 | 2236 | #if defined(POLARSSL_SSL_SESSION_TICKETS) |
ansond | 0:137634ff4186 | 2237 | ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); |
ansond | 0:137634ff4186 | 2238 | ext_len += olen; |
ansond | 0:137634ff4186 | 2239 | #endif |
ansond | 0:137634ff4186 | 2240 | |
ansond | 0:137634ff4186 | 2241 | #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) |
ansond | 0:137634ff4186 | 2242 | ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); |
ansond | 0:137634ff4186 | 2243 | ext_len += olen; |
ansond | 0:137634ff4186 | 2244 | #endif |
ansond | 0:137634ff4186 | 2245 | |
ansond | 0:137634ff4186 | 2246 | #if defined(POLARSSL_SSL_ALPN) |
ansond | 0:137634ff4186 | 2247 | ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); |
ansond | 0:137634ff4186 | 2248 | ext_len += olen; |
ansond | 0:137634ff4186 | 2249 | #endif |
ansond | 0:137634ff4186 | 2250 | |
ansond | 0:137634ff4186 | 2251 | SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) ); |
ansond | 0:137634ff4186 | 2252 | |
ansond | 0:137634ff4186 | 2253 | if( ext_len > 0 ) |
ansond | 0:137634ff4186 | 2254 | { |
ansond | 0:137634ff4186 | 2255 | *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); |
ansond | 0:137634ff4186 | 2256 | *p++ = (unsigned char)( ( ext_len ) & 0xFF ); |
ansond | 0:137634ff4186 | 2257 | p += ext_len; |
ansond | 0:137634ff4186 | 2258 | } |
ansond | 0:137634ff4186 | 2259 | |
ansond | 0:137634ff4186 | 2260 | ssl->out_msglen = p - buf; |
ansond | 0:137634ff4186 | 2261 | ssl->out_msgtype = SSL_MSG_HANDSHAKE; |
ansond | 0:137634ff4186 | 2262 | ssl->out_msg[0] = SSL_HS_SERVER_HELLO; |
ansond | 0:137634ff4186 | 2263 | |
ansond | 0:137634ff4186 | 2264 | ret = ssl_write_record( ssl ); |
ansond | 0:137634ff4186 | 2265 | |
ansond | 0:137634ff4186 | 2266 | SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); |
ansond | 0:137634ff4186 | 2267 | |
ansond | 0:137634ff4186 | 2268 | return( ret ); |
ansond | 0:137634ff4186 | 2269 | } |
ansond | 0:137634ff4186 | 2270 | |
ansond | 0:137634ff4186 | 2271 | #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \ |
ansond | 0:137634ff4186 | 2272 | !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ |
ansond | 0:137634ff4186 | 2273 | !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ |
ansond | 0:137634ff4186 | 2274 | !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
ansond | 0:137634ff4186 | 2275 | static int ssl_write_certificate_request( ssl_context *ssl ) |
ansond | 0:137634ff4186 | 2276 | { |
ansond | 0:137634ff4186 | 2277 | const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; |
ansond | 0:137634ff4186 | 2278 | |
ansond | 0:137634ff4186 | 2279 | SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); |
ansond | 0:137634ff4186 | 2280 | |
ansond | 0:137634ff4186 | 2281 | if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || |
ansond | 0:137634ff4186 | 2282 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || |
ansond | 0:137634ff4186 | 2283 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK || |
ansond | 0:137634ff4186 | 2284 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) |
ansond | 0:137634ff4186 | 2285 | { |
ansond | 0:137634ff4186 | 2286 | SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); |
ansond | 0:137634ff4186 | 2287 | ssl->state++; |
ansond | 0:137634ff4186 | 2288 | return( 0 ); |
ansond | 0:137634ff4186 | 2289 | } |
ansond | 0:137634ff4186 | 2290 | |
ansond | 0:137634ff4186 | 2291 | SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
ansond | 0:137634ff4186 | 2292 | return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); |
ansond | 0:137634ff4186 | 2293 | } |
ansond | 0:137634ff4186 | 2294 | #else |
ansond | 0:137634ff4186 | 2295 | static int ssl_write_certificate_request( ssl_context *ssl ) |
ansond | 0:137634ff4186 | 2296 | { |
ansond | 0:137634ff4186 | 2297 | int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; |
ansond | 0:137634ff4186 | 2298 | const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; |
ansond | 0:137634ff4186 | 2299 | size_t dn_size, total_dn_size; /* excluding length bytes */ |
ansond | 0:137634ff4186 | 2300 | size_t ct_len, sa_len; /* including length bytes */ |
ansond | 0:137634ff4186 | 2301 | unsigned char *buf, *p; |
ansond | 0:137634ff4186 | 2302 | const x509_crt *crt; |
ansond | 0:137634ff4186 | 2303 | |
ansond | 0:137634ff4186 | 2304 | SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); |
ansond | 0:137634ff4186 | 2305 | |
ansond | 0:137634ff4186 | 2306 | ssl->state++; |
ansond | 0:137634ff4186 | 2307 | |
ansond | 0:137634ff4186 | 2308 | if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || |
ansond | 0:137634ff4186 | 2309 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || |
ansond | 0:137634ff4186 | 2310 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK || |
ansond | 0:137634ff4186 | 2311 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK || |
ansond | 0:137634ff4186 | 2312 | ssl->authmode == SSL_VERIFY_NONE ) |
ansond | 0:137634ff4186 | 2313 | { |
ansond | 0:137634ff4186 | 2314 | SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); |
ansond | 0:137634ff4186 | 2315 | return( 0 ); |
ansond | 0:137634ff4186 | 2316 | } |
ansond | 0:137634ff4186 | 2317 | |
ansond | 0:137634ff4186 | 2318 | /* |
ansond | 0:137634ff4186 | 2319 | * 0 . 0 handshake type |
ansond | 0:137634ff4186 | 2320 | * 1 . 3 handshake length |
ansond | 0:137634ff4186 | 2321 | * 4 . 4 cert type count |
ansond | 0:137634ff4186 | 2322 | * 5 .. m-1 cert types |
ansond | 0:137634ff4186 | 2323 | * m .. m+1 sig alg length (TLS 1.2 only) |
ansond | 0:137634ff4186 | 2324 | * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only) |
ansond | 0:137634ff4186 | 2325 | * n .. n+1 length of all DNs |
ansond | 0:137634ff4186 | 2326 | * n+2 .. n+3 length of DN 1 |
ansond | 0:137634ff4186 | 2327 | * n+4 .. ... Distinguished Name #1 |
ansond | 0:137634ff4186 | 2328 | * ... .. ... length of DN 2, etc. |
ansond | 0:137634ff4186 | 2329 | */ |
ansond | 0:137634ff4186 | 2330 | buf = ssl->out_msg; |
ansond | 0:137634ff4186 | 2331 | p = buf + 4; |
ansond | 0:137634ff4186 | 2332 | |
ansond | 0:137634ff4186 | 2333 | /* |
ansond | 0:137634ff4186 | 2334 | * Supported certificate types |
ansond | 0:137634ff4186 | 2335 | * |
ansond | 0:137634ff4186 | 2336 | * ClientCertificateType certificate_types<1..2^8-1>; |
ansond | 0:137634ff4186 | 2337 | * enum { (255) } ClientCertificateType; |
ansond | 0:137634ff4186 | 2338 | */ |
ansond | 0:137634ff4186 | 2339 | ct_len = 0; |
ansond | 0:137634ff4186 | 2340 | |
ansond | 0:137634ff4186 | 2341 | #if defined(POLARSSL_RSA_C) |
ansond | 0:137634ff4186 | 2342 | p[1 + ct_len++] = SSL_CERT_TYPE_RSA_SIGN; |
ansond | 0:137634ff4186 | 2343 | #endif |
ansond | 0:137634ff4186 | 2344 | #if defined(POLARSSL_ECDSA_C) |
ansond | 0:137634ff4186 | 2345 | p[1 + ct_len++] = SSL_CERT_TYPE_ECDSA_SIGN; |
ansond | 0:137634ff4186 | 2346 | #endif |
ansond | 0:137634ff4186 | 2347 | |
ansond | 0:137634ff4186 | 2348 | p[0] = (unsigned char) ct_len++; |
ansond | 0:137634ff4186 | 2349 | p += ct_len; |
ansond | 0:137634ff4186 | 2350 | |
ansond | 0:137634ff4186 | 2351 | sa_len = 0; |
ansond | 0:137634ff4186 | 2352 | #if defined(POLARSSL_SSL_PROTO_TLS1_2) |
ansond | 0:137634ff4186 | 2353 | /* |
ansond | 0:137634ff4186 | 2354 | * Add signature_algorithms for verify (TLS 1.2) |
ansond | 0:137634ff4186 | 2355 | * |
ansond | 0:137634ff4186 | 2356 | * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>; |
ansond | 0:137634ff4186 | 2357 | * |
ansond | 0:137634ff4186 | 2358 | * struct { |
ansond | 0:137634ff4186 | 2359 | * HashAlgorithm hash; |
ansond | 0:137634ff4186 | 2360 | * SignatureAlgorithm signature; |
ansond | 0:137634ff4186 | 2361 | * } SignatureAndHashAlgorithm; |
ansond | 0:137634ff4186 | 2362 | * |
ansond | 0:137634ff4186 | 2363 | * enum { (255) } HashAlgorithm; |
ansond | 0:137634ff4186 | 2364 | * enum { (255) } SignatureAlgorithm; |
ansond | 0:137634ff4186 | 2365 | */ |
ansond | 0:137634ff4186 | 2366 | if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) |
ansond | 0:137634ff4186 | 2367 | { |
ansond | 0:137634ff4186 | 2368 | /* |
ansond | 0:137634ff4186 | 2369 | * Only use current running hash algorithm that is already required |
ansond | 0:137634ff4186 | 2370 | * for requested ciphersuite. |
ansond | 0:137634ff4186 | 2371 | */ |
ansond | 0:137634ff4186 | 2372 | ssl->handshake->verify_sig_alg = SSL_HASH_SHA256; |
ansond | 0:137634ff4186 | 2373 | |
ansond | 0:137634ff4186 | 2374 | if( ssl->transform_negotiate->ciphersuite_info->mac == |
ansond | 0:137634ff4186 | 2375 | POLARSSL_MD_SHA384 ) |
ansond | 0:137634ff4186 | 2376 | { |
ansond | 0:137634ff4186 | 2377 | ssl->handshake->verify_sig_alg = SSL_HASH_SHA384; |
ansond | 0:137634ff4186 | 2378 | } |
ansond | 0:137634ff4186 | 2379 | |
ansond | 0:137634ff4186 | 2380 | /* |
ansond | 0:137634ff4186 | 2381 | * Supported signature algorithms |
ansond | 0:137634ff4186 | 2382 | */ |
ansond | 0:137634ff4186 | 2383 | #if defined(POLARSSL_RSA_C) |
ansond | 0:137634ff4186 | 2384 | p[2 + sa_len++] = ssl->handshake->verify_sig_alg; |
ansond | 0:137634ff4186 | 2385 | p[2 + sa_len++] = SSL_SIG_RSA; |
ansond | 0:137634ff4186 | 2386 | #endif |
ansond | 0:137634ff4186 | 2387 | #if defined(POLARSSL_ECDSA_C) |
ansond | 0:137634ff4186 | 2388 | p[2 + sa_len++] = ssl->handshake->verify_sig_alg; |
ansond | 0:137634ff4186 | 2389 | p[2 + sa_len++] = SSL_SIG_ECDSA; |
ansond | 0:137634ff4186 | 2390 | #endif |
ansond | 0:137634ff4186 | 2391 | |
ansond | 0:137634ff4186 | 2392 | p[0] = (unsigned char)( sa_len >> 8 ); |
ansond | 0:137634ff4186 | 2393 | p[1] = (unsigned char)( sa_len ); |
ansond | 0:137634ff4186 | 2394 | sa_len += 2; |
ansond | 0:137634ff4186 | 2395 | p += sa_len; |
ansond | 0:137634ff4186 | 2396 | } |
ansond | 0:137634ff4186 | 2397 | #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ |
ansond | 0:137634ff4186 | 2398 | |
ansond | 0:137634ff4186 | 2399 | /* |
ansond | 0:137634ff4186 | 2400 | * DistinguishedName certificate_authorities<0..2^16-1>; |
ansond | 0:137634ff4186 | 2401 | * opaque DistinguishedName<1..2^16-1>; |
ansond | 0:137634ff4186 | 2402 | */ |
ansond | 0:137634ff4186 | 2403 | p += 2; |
ansond | 0:137634ff4186 | 2404 | crt = ssl->ca_chain; |
ansond | 0:137634ff4186 | 2405 | |
ansond | 0:137634ff4186 | 2406 | total_dn_size = 0; |
ansond | 0:137634ff4186 | 2407 | while( crt != NULL && crt->version != 0 ) |
ansond | 0:137634ff4186 | 2408 | { |
ansond | 0:137634ff4186 | 2409 | if( p - buf > 4096 ) |
ansond | 0:137634ff4186 | 2410 | break; |
ansond | 0:137634ff4186 | 2411 | |
ansond | 0:137634ff4186 | 2412 | dn_size = crt->subject_raw.len; |
ansond | 0:137634ff4186 | 2413 | *p++ = (unsigned char)( dn_size >> 8 ); |
ansond | 0:137634ff4186 | 2414 | *p++ = (unsigned char)( dn_size ); |
ansond | 0:137634ff4186 | 2415 | memcpy( p, crt->subject_raw.p, dn_size ); |
ansond | 0:137634ff4186 | 2416 | p += dn_size; |
ansond | 0:137634ff4186 | 2417 | |
ansond | 0:137634ff4186 | 2418 | SSL_DEBUG_BUF( 3, "requested DN", p, dn_size ); |
ansond | 0:137634ff4186 | 2419 | |
ansond | 0:137634ff4186 | 2420 | total_dn_size += 2 + dn_size; |
ansond | 0:137634ff4186 | 2421 | crt = crt->next; |
ansond | 0:137634ff4186 | 2422 | } |
ansond | 0:137634ff4186 | 2423 | |
ansond | 0:137634ff4186 | 2424 | ssl->out_msglen = p - buf; |
ansond | 0:137634ff4186 | 2425 | ssl->out_msgtype = SSL_MSG_HANDSHAKE; |
ansond | 0:137634ff4186 | 2426 | ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST; |
ansond | 0:137634ff4186 | 2427 | ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 ); |
ansond | 0:137634ff4186 | 2428 | ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size ); |
ansond | 0:137634ff4186 | 2429 | |
ansond | 0:137634ff4186 | 2430 | ret = ssl_write_record( ssl ); |
ansond | 0:137634ff4186 | 2431 | |
ansond | 0:137634ff4186 | 2432 | SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) ); |
ansond | 0:137634ff4186 | 2433 | |
ansond | 0:137634ff4186 | 2434 | return( ret ); |
ansond | 0:137634ff4186 | 2435 | } |
ansond | 0:137634ff4186 | 2436 | #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED && |
ansond | 0:137634ff4186 | 2437 | !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED && |
ansond | 0:137634ff4186 | 2438 | !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED && |
ansond | 0:137634ff4186 | 2439 | !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ |
ansond | 0:137634ff4186 | 2440 | |
ansond | 0:137634ff4186 | 2441 | #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
ansond | 0:137634ff4186 | 2442 | defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
ansond | 0:137634ff4186 | 2443 | static int ssl_get_ecdh_params_from_cert( ssl_context *ssl ) |
ansond | 0:137634ff4186 | 2444 | { |
ansond | 0:137634ff4186 | 2445 | int ret; |
ansond | 0:137634ff4186 | 2446 | |
ansond | 0:137634ff4186 | 2447 | if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_ECKEY ) ) |
ansond | 0:137634ff4186 | 2448 | { |
ansond | 0:137634ff4186 | 2449 | SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); |
ansond | 0:137634ff4186 | 2450 | return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH ); |
ansond | 0:137634ff4186 | 2451 | } |
ansond | 0:137634ff4186 | 2452 | |
ansond | 0:137634ff4186 | 2453 | if( ( ret = ecdh_get_params( &ssl->handshake->ecdh_ctx, |
ansond | 0:137634ff4186 | 2454 | pk_ec( *ssl_own_key( ssl ) ), |
ansond | 0:137634ff4186 | 2455 | POLARSSL_ECDH_OURS ) ) != 0 ) |
ansond | 0:137634ff4186 | 2456 | { |
ansond | 0:137634ff4186 | 2457 | SSL_DEBUG_RET( 1, ( "ecdh_get_params" ), ret ); |
ansond | 0:137634ff4186 | 2458 | return( ret ); |
ansond | 0:137634ff4186 | 2459 | } |
ansond | 0:137634ff4186 | 2460 | |
ansond | 0:137634ff4186 | 2461 | return( 0 ); |
ansond | 0:137634ff4186 | 2462 | } |
ansond | 0:137634ff4186 | 2463 | #endif /* POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || |
ansond | 0:137634ff4186 | 2464 | POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
ansond | 0:137634ff4186 | 2465 | |
ansond | 0:137634ff4186 | 2466 | static int ssl_write_server_key_exchange( ssl_context *ssl ) |
ansond | 0:137634ff4186 | 2467 | { |
ansond | 0:137634ff4186 | 2468 | int ret; |
ansond | 0:137634ff4186 | 2469 | size_t n = 0; |
ansond | 0:137634ff4186 | 2470 | const ssl_ciphersuite_t *ciphersuite_info = |
ansond | 0:137634ff4186 | 2471 | ssl->transform_negotiate->ciphersuite_info; |
ansond | 0:137634ff4186 | 2472 | |
ansond | 0:137634ff4186 | 2473 | #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
ansond | 0:137634ff4186 | 2474 | defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ |
ansond | 0:137634ff4186 | 2475 | defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
ansond | 0:137634ff4186 | 2476 | defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ |
ansond | 0:137634ff4186 | 2477 | defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
ansond | 0:137634ff4186 | 2478 | unsigned char *p = ssl->out_msg + 4; |
ansond | 0:137634ff4186 | 2479 | unsigned char *dig_signed = p; |
ansond | 0:137634ff4186 | 2480 | size_t dig_signed_len = 0, len; |
ansond | 0:137634ff4186 | 2481 | ((void) dig_signed); |
ansond | 0:137634ff4186 | 2482 | ((void) dig_signed_len); |
ansond | 0:137634ff4186 | 2483 | #endif |
ansond | 0:137634ff4186 | 2484 | |
ansond | 0:137634ff4186 | 2485 | SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) ); |
ansond | 0:137634ff4186 | 2486 | |
ansond | 0:137634ff4186 | 2487 | #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \ |
ansond | 0:137634ff4186 | 2488 | defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \ |
ansond | 0:137634ff4186 | 2489 | defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) |
ansond | 0:137634ff4186 | 2490 | if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA || |
ansond | 0:137634ff4186 | 2491 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || |
ansond | 0:137634ff4186 | 2492 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) |
ansond | 0:137634ff4186 | 2493 | { |
ansond | 0:137634ff4186 | 2494 | SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); |
ansond | 0:137634ff4186 | 2495 | ssl->state++; |
ansond | 0:137634ff4186 | 2496 | return( 0 ); |
ansond | 0:137634ff4186 | 2497 | } |
ansond | 0:137634ff4186 | 2498 | #endif |
ansond | 0:137634ff4186 | 2499 | |
ansond | 0:137634ff4186 | 2500 | #if defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
ansond | 0:137634ff4186 | 2501 | defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
ansond | 0:137634ff4186 | 2502 | if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA || |
ansond | 0:137634ff4186 | 2503 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA ) |
ansond | 0:137634ff4186 | 2504 | { |
ansond | 0:137634ff4186 | 2505 | ssl_get_ecdh_params_from_cert( ssl ); |
ansond | 0:137634ff4186 | 2506 | |
ansond | 0:137634ff4186 | 2507 | SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); |
ansond | 0:137634ff4186 | 2508 | ssl->state++; |
ansond | 0:137634ff4186 | 2509 | return( 0 ); |
ansond | 0:137634ff4186 | 2510 | } |
ansond | 0:137634ff4186 | 2511 | #endif |
ansond | 0:137634ff4186 | 2512 | |
ansond | 0:137634ff4186 | 2513 | #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ |
ansond | 0:137634ff4186 | 2514 | defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
ansond | 0:137634ff4186 | 2515 | if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK || |
ansond | 0:137634ff4186 | 2516 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) |
ansond | 0:137634ff4186 | 2517 | { |
ansond | 0:137634ff4186 | 2518 | /* TODO: Support identity hints */ |
ansond | 0:137634ff4186 | 2519 | *(p++) = 0x00; |
ansond | 0:137634ff4186 | 2520 | *(p++) = 0x00; |
ansond | 0:137634ff4186 | 2521 | |
ansond | 0:137634ff4186 | 2522 | n += 2; |
ansond | 0:137634ff4186 | 2523 | } |
ansond | 0:137634ff4186 | 2524 | #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED || |
ansond | 0:137634ff4186 | 2525 | POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
ansond | 0:137634ff4186 | 2526 | |
ansond | 0:137634ff4186 | 2527 | #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
ansond | 0:137634ff4186 | 2528 | defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) |
ansond | 0:137634ff4186 | 2529 | if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA || |
ansond | 0:137634ff4186 | 2530 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ) |
ansond | 0:137634ff4186 | 2531 | { |
ansond | 0:137634ff4186 | 2532 | /* |
ansond | 0:137634ff4186 | 2533 | * Ephemeral DH parameters: |
ansond | 0:137634ff4186 | 2534 | * |
ansond | 0:137634ff4186 | 2535 | * struct { |
ansond | 0:137634ff4186 | 2536 | * opaque dh_p<1..2^16-1>; |
ansond | 0:137634ff4186 | 2537 | * opaque dh_g<1..2^16-1>; |
ansond | 0:137634ff4186 | 2538 | * opaque dh_Ys<1..2^16-1>; |
ansond | 0:137634ff4186 | 2539 | * } ServerDHParams; |
ansond | 0:137634ff4186 | 2540 | */ |
ansond | 0:137634ff4186 | 2541 | if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 || |
ansond | 0:137634ff4186 | 2542 | ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 ) |
ansond | 0:137634ff4186 | 2543 | { |
ansond | 0:137634ff4186 | 2544 | SSL_DEBUG_RET( 1, "mpi_copy", ret ); |
ansond | 0:137634ff4186 | 2545 | return( ret ); |
ansond | 0:137634ff4186 | 2546 | } |
ansond | 0:137634ff4186 | 2547 | |
ansond | 0:137634ff4186 | 2548 | if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx, |
ansond | 0:137634ff4186 | 2549 | (int) mpi_size( &ssl->handshake->dhm_ctx.P ), |
ansond | 0:137634ff4186 | 2550 | p, &len, ssl->f_rng, ssl->p_rng ) ) != 0 ) |
ansond | 0:137634ff4186 | 2551 | { |
ansond | 0:137634ff4186 | 2552 | SSL_DEBUG_RET( 1, "dhm_make_params", ret ); |
ansond | 0:137634ff4186 | 2553 | return( ret ); |
ansond | 0:137634ff4186 | 2554 | } |
ansond | 0:137634ff4186 | 2555 | |
ansond | 0:137634ff4186 | 2556 | dig_signed = p; |
ansond | 0:137634ff4186 | 2557 | dig_signed_len = len; |
ansond | 0:137634ff4186 | 2558 | |
ansond | 0:137634ff4186 | 2559 | p += len; |
ansond | 0:137634ff4186 | 2560 | n += len; |
ansond | 0:137634ff4186 | 2561 | |
ansond | 0:137634ff4186 | 2562 | SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); |
ansond | 0:137634ff4186 | 2563 | SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); |
ansond | 0:137634ff4186 | 2564 | SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); |
ansond | 0:137634ff4186 | 2565 | SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); |
ansond | 0:137634ff4186 | 2566 | } |
ansond | 0:137634ff4186 | 2567 | #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED || |
ansond | 0:137634ff4186 | 2568 | POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
ansond | 0:137634ff4186 | 2569 | |
ansond | 0:137634ff4186 | 2570 | #if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED) |
ansond | 0:137634ff4186 | 2571 | if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA || |
ansond | 0:137634ff4186 | 2572 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA || |
ansond | 0:137634ff4186 | 2573 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) |
ansond | 0:137634ff4186 | 2574 | { |
ansond | 0:137634ff4186 | 2575 | /* |
ansond | 0:137634ff4186 | 2576 | * Ephemeral ECDH parameters: |
ansond | 0:137634ff4186 | 2577 | * |
ansond | 0:137634ff4186 | 2578 | * struct { |
ansond | 0:137634ff4186 | 2579 | * ECParameters curve_params; |
ansond | 0:137634ff4186 | 2580 | * ECPoint public; |
ansond | 0:137634ff4186 | 2581 | * } ServerECDHParams; |
ansond | 0:137634ff4186 | 2582 | */ |
ansond | 0:137634ff4186 | 2583 | const ecp_curve_info **curve = NULL; |
ansond | 0:137634ff4186 | 2584 | #if defined(POLARSSL_SSL_SET_CURVES) |
ansond | 0:137634ff4186 | 2585 | const ecp_group_id *gid; |
ansond | 0:137634ff4186 | 2586 | |
ansond | 0:137634ff4186 | 2587 | /* Match our preference list against the offered curves */ |
ansond | 0:137634ff4186 | 2588 | for( gid = ssl->curve_list; *gid != POLARSSL_ECP_DP_NONE; gid++ ) |
ansond | 0:137634ff4186 | 2589 | for( curve = ssl->handshake->curves; *curve != NULL; curve++ ) |
ansond | 0:137634ff4186 | 2590 | if( (*curve)->grp_id == *gid ) |
ansond | 0:137634ff4186 | 2591 | goto curve_matching_done; |
ansond | 0:137634ff4186 | 2592 | |
ansond | 0:137634ff4186 | 2593 | curve_matching_done: |
ansond | 0:137634ff4186 | 2594 | #else |
ansond | 0:137634ff4186 | 2595 | curve = ssl->handshake->curves; |
ansond | 0:137634ff4186 | 2596 | #endif |
ansond | 0:137634ff4186 | 2597 | |
ansond | 0:137634ff4186 | 2598 | if( *curve == NULL ) |
ansond | 0:137634ff4186 | 2599 | { |
ansond | 0:137634ff4186 | 2600 | SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) ); |
ansond | 0:137634ff4186 | 2601 | return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN ); |
ansond | 0:137634ff4186 | 2602 | } |
ansond | 0:137634ff4186 | 2603 | |
ansond | 0:137634ff4186 | 2604 | SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) ); |
ansond | 0:137634ff4186 | 2605 | |
ansond | 0:137634ff4186 | 2606 | if( ( ret = ecp_use_known_dp( &ssl->handshake->ecdh_ctx.grp, |
ansond | 0:137634ff4186 | 2607 | (*curve)->grp_id ) ) != 0 ) |
ansond | 0:137634ff4186 | 2608 | { |
ansond | 0:137634ff4186 | 2609 | SSL_DEBUG_RET( 1, "ecp_use_known_dp", ret ); |
ansond | 0:137634ff4186 | 2610 | return( ret ); |
ansond | 0:137634ff4186 | 2611 | } |
ansond | 0:137634ff4186 | 2612 | |
ansond | 0:137634ff4186 | 2613 | if( ( ret = ecdh_make_params( &ssl->handshake->ecdh_ctx, &len, |
ansond | 0:137634ff4186 | 2614 | p, SSL_MAX_CONTENT_LEN - n, |
ansond | 0:137634ff4186 | 2615 | ssl->f_rng, ssl->p_rng ) ) != 0 ) |
ansond | 0:137634ff4186 | 2616 | { |
ansond | 0:137634ff4186 | 2617 | SSL_DEBUG_RET( 1, "ecdh_make_params", ret ); |
ansond | 0:137634ff4186 | 2618 | return( ret ); |
ansond | 0:137634ff4186 | 2619 | } |
ansond | 0:137634ff4186 | 2620 | |
ansond | 0:137634ff4186 | 2621 | dig_signed = p; |
ansond | 0:137634ff4186 | 2622 | dig_signed_len = len; |
ansond | 0:137634ff4186 | 2623 | |
ansond | 0:137634ff4186 | 2624 | p += len; |
ansond | 0:137634ff4186 | 2625 | n += len; |
ansond | 0:137634ff4186 | 2626 | |
ansond | 0:137634ff4186 | 2627 | SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q ); |
ansond | 0:137634ff4186 | 2628 | } |
ansond | 0:137634ff4186 | 2629 | #endif /* POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED */ |
ansond | 0:137634ff4186 | 2630 | |
ansond | 0:137634ff4186 | 2631 | #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
ansond | 0:137634ff4186 | 2632 | defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
ansond | 0:137634ff4186 | 2633 | defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
ansond | 0:137634ff4186 | 2634 | if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA || |
ansond | 0:137634ff4186 | 2635 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA || |
ansond | 0:137634ff4186 | 2636 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ) |
ansond | 0:137634ff4186 | 2637 | { |
ansond | 0:137634ff4186 | 2638 | size_t signature_len = 0; |
ansond | 0:137634ff4186 | 2639 | unsigned int hashlen = 0; |
ansond | 0:137634ff4186 | 2640 | unsigned char hash[64]; |
ansond | 0:137634ff4186 | 2641 | md_type_t md_alg = POLARSSL_MD_NONE; |
ansond | 0:137634ff4186 | 2642 | |
ansond | 0:137634ff4186 | 2643 | /* |
ansond | 0:137634ff4186 | 2644 | * Choose hash algorithm. NONE means MD5 + SHA1 here. |
ansond | 0:137634ff4186 | 2645 | */ |
ansond | 0:137634ff4186 | 2646 | #if defined(POLARSSL_SSL_PROTO_TLS1_2) |
ansond | 0:137634ff4186 | 2647 | if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) |
ansond | 0:137634ff4186 | 2648 | { |
ansond | 0:137634ff4186 | 2649 | md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg ); |
ansond | 0:137634ff4186 | 2650 | |
ansond | 0:137634ff4186 | 2651 | if( md_alg == POLARSSL_MD_NONE ) |
ansond | 0:137634ff4186 | 2652 | { |
ansond | 0:137634ff4186 | 2653 | SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
ansond | 0:137634ff4186 | 2654 | return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); |
ansond | 0:137634ff4186 | 2655 | } |
ansond | 0:137634ff4186 | 2656 | } |
ansond | 0:137634ff4186 | 2657 | else |
ansond | 0:137634ff4186 | 2658 | #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ |
ansond | 0:137634ff4186 | 2659 | #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \ |
ansond | 0:137634ff4186 | 2660 | defined(POLARSSL_SSL_PROTO_TLS1_1) |
ansond | 0:137634ff4186 | 2661 | if( ciphersuite_info->key_exchange == |
ansond | 0:137634ff4186 | 2662 | POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA ) |
ansond | 0:137634ff4186 | 2663 | { |
ansond | 0:137634ff4186 | 2664 | md_alg = POLARSSL_MD_SHA1; |
ansond | 0:137634ff4186 | 2665 | } |
ansond | 0:137634ff4186 | 2666 | else |
ansond | 0:137634ff4186 | 2667 | #endif |
ansond | 0:137634ff4186 | 2668 | { |
ansond | 0:137634ff4186 | 2669 | md_alg = POLARSSL_MD_NONE; |
ansond | 0:137634ff4186 | 2670 | } |
ansond | 0:137634ff4186 | 2671 | |
ansond | 0:137634ff4186 | 2672 | /* |
ansond | 0:137634ff4186 | 2673 | * Compute the hash to be signed |
ansond | 0:137634ff4186 | 2674 | */ |
ansond | 0:137634ff4186 | 2675 | #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \ |
ansond | 0:137634ff4186 | 2676 | defined(POLARSSL_SSL_PROTO_TLS1_1) |
ansond | 0:137634ff4186 | 2677 | if( md_alg == POLARSSL_MD_NONE ) |
ansond | 0:137634ff4186 | 2678 | { |
ansond | 0:137634ff4186 | 2679 | md5_context md5; |
ansond | 0:137634ff4186 | 2680 | sha1_context sha1; |
ansond | 0:137634ff4186 | 2681 | |
ansond | 0:137634ff4186 | 2682 | md5_init( &md5 ); |
ansond | 0:137634ff4186 | 2683 | sha1_init( &sha1 ); |
ansond | 0:137634ff4186 | 2684 | |
ansond | 0:137634ff4186 | 2685 | /* |
ansond | 0:137634ff4186 | 2686 | * digitally-signed struct { |
ansond | 0:137634ff4186 | 2687 | * opaque md5_hash[16]; |
ansond | 0:137634ff4186 | 2688 | * opaque sha_hash[20]; |
ansond | 0:137634ff4186 | 2689 | * }; |
ansond | 0:137634ff4186 | 2690 | * |
ansond | 0:137634ff4186 | 2691 | * md5_hash |
ansond | 0:137634ff4186 | 2692 | * MD5(ClientHello.random + ServerHello.random |
ansond | 0:137634ff4186 | 2693 | * + ServerParams); |
ansond | 0:137634ff4186 | 2694 | * sha_hash |
ansond | 0:137634ff4186 | 2695 | * SHA(ClientHello.random + ServerHello.random |
ansond | 0:137634ff4186 | 2696 | * + ServerParams); |
ansond | 0:137634ff4186 | 2697 | */ |
ansond | 0:137634ff4186 | 2698 | md5_starts( &md5 ); |
ansond | 0:137634ff4186 | 2699 | md5_update( &md5, ssl->handshake->randbytes, 64 ); |
ansond | 0:137634ff4186 | 2700 | md5_update( &md5, dig_signed, dig_signed_len ); |
ansond | 0:137634ff4186 | 2701 | md5_finish( &md5, hash ); |
ansond | 0:137634ff4186 | 2702 | |
ansond | 0:137634ff4186 | 2703 | sha1_starts( &sha1 ); |
ansond | 0:137634ff4186 | 2704 | sha1_update( &sha1, ssl->handshake->randbytes, 64 ); |
ansond | 0:137634ff4186 | 2705 | sha1_update( &sha1, dig_signed, dig_signed_len ); |
ansond | 0:137634ff4186 | 2706 | sha1_finish( &sha1, hash + 16 ); |
ansond | 0:137634ff4186 | 2707 | |
ansond | 0:137634ff4186 | 2708 | hashlen = 36; |
ansond | 0:137634ff4186 | 2709 | |
ansond | 0:137634ff4186 | 2710 | md5_free( &md5 ); |
ansond | 0:137634ff4186 | 2711 | sha1_free( &sha1 ); |
ansond | 0:137634ff4186 | 2712 | } |
ansond | 0:137634ff4186 | 2713 | else |
ansond | 0:137634ff4186 | 2714 | #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \ |
ansond | 0:137634ff4186 | 2715 | POLARSSL_SSL_PROTO_TLS1_1 */ |
ansond | 0:137634ff4186 | 2716 | #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \ |
ansond | 0:137634ff4186 | 2717 | defined(POLARSSL_SSL_PROTO_TLS1_2) |
ansond | 0:137634ff4186 | 2718 | if( md_alg != POLARSSL_MD_NONE ) |
ansond | 0:137634ff4186 | 2719 | { |
ansond | 0:137634ff4186 | 2720 | md_context_t ctx; |
ansond | 0:137634ff4186 | 2721 | const md_info_t *md_info = md_info_from_type( md_alg ); |
ansond | 0:137634ff4186 | 2722 | |
ansond | 0:137634ff4186 | 2723 | md_init( &ctx ); |
ansond | 0:137634ff4186 | 2724 | |
ansond | 0:137634ff4186 | 2725 | /* Info from md_alg will be used instead */ |
ansond | 0:137634ff4186 | 2726 | hashlen = 0; |
ansond | 0:137634ff4186 | 2727 | |
ansond | 0:137634ff4186 | 2728 | /* |
ansond | 0:137634ff4186 | 2729 | * digitally-signed struct { |
ansond | 0:137634ff4186 | 2730 | * opaque client_random[32]; |
ansond | 0:137634ff4186 | 2731 | * opaque server_random[32]; |
ansond | 0:137634ff4186 | 2732 | * ServerDHParams params; |
ansond | 0:137634ff4186 | 2733 | * }; |
ansond | 0:137634ff4186 | 2734 | */ |
ansond | 0:137634ff4186 | 2735 | if( ( ret = md_init_ctx( &ctx, md_info ) ) != 0 ) |
ansond | 0:137634ff4186 | 2736 | { |
ansond | 0:137634ff4186 | 2737 | SSL_DEBUG_RET( 1, "md_init_ctx", ret ); |
ansond | 0:137634ff4186 | 2738 | return( ret ); |
ansond | 0:137634ff4186 | 2739 | } |
ansond | 0:137634ff4186 | 2740 | |
ansond | 0:137634ff4186 | 2741 | md_starts( &ctx ); |
ansond | 0:137634ff4186 | 2742 | md_update( &ctx, ssl->handshake->randbytes, 64 ); |
ansond | 0:137634ff4186 | 2743 | md_update( &ctx, dig_signed, dig_signed_len ); |
ansond | 0:137634ff4186 | 2744 | md_finish( &ctx, hash ); |
ansond | 0:137634ff4186 | 2745 | md_free( &ctx ); |
ansond | 0:137634ff4186 | 2746 | } |
ansond | 0:137634ff4186 | 2747 | else |
ansond | 0:137634ff4186 | 2748 | #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \ |
ansond | 0:137634ff4186 | 2749 | POLARSSL_SSL_PROTO_TLS1_2 */ |
ansond | 0:137634ff4186 | 2750 | { |
ansond | 0:137634ff4186 | 2751 | SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
ansond | 0:137634ff4186 | 2752 | return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); |
ansond | 0:137634ff4186 | 2753 | } |
ansond | 0:137634ff4186 | 2754 | |
ansond | 0:137634ff4186 | 2755 | SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : |
ansond | 0:137634ff4186 | 2756 | (unsigned int) ( md_info_from_type( md_alg ) )->size ); |
ansond | 0:137634ff4186 | 2757 | |
ansond | 0:137634ff4186 | 2758 | /* |
ansond | 0:137634ff4186 | 2759 | * Make the signature |
ansond | 0:137634ff4186 | 2760 | */ |
ansond | 0:137634ff4186 | 2761 | if( ssl_own_key( ssl ) == NULL ) |
ansond | 0:137634ff4186 | 2762 | { |
ansond | 0:137634ff4186 | 2763 | SSL_DEBUG_MSG( 1, ( "got no private key" ) ); |
ansond | 0:137634ff4186 | 2764 | return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED ); |
ansond | 0:137634ff4186 | 2765 | } |
ansond | 0:137634ff4186 | 2766 | |
ansond | 0:137634ff4186 | 2767 | #if defined(POLARSSL_SSL_PROTO_TLS1_2) |
ansond | 0:137634ff4186 | 2768 | if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) |
ansond | 0:137634ff4186 | 2769 | { |
ansond | 0:137634ff4186 | 2770 | *(p++) = ssl->handshake->sig_alg; |
ansond | 0:137634ff4186 | 2771 | *(p++) = ssl_sig_from_pk( ssl_own_key( ssl ) ); |
ansond | 0:137634ff4186 | 2772 | |
ansond | 0:137634ff4186 | 2773 | n += 2; |
ansond | 0:137634ff4186 | 2774 | } |
ansond | 0:137634ff4186 | 2775 | #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ |
ansond | 0:137634ff4186 | 2776 | |
ansond | 0:137634ff4186 | 2777 | if( ( ret = pk_sign( ssl_own_key( ssl ), md_alg, hash, hashlen, |
ansond | 0:137634ff4186 | 2778 | p + 2 , &signature_len, |
ansond | 0:137634ff4186 | 2779 | ssl->f_rng, ssl->p_rng ) ) != 0 ) |
ansond | 0:137634ff4186 | 2780 | { |
ansond | 0:137634ff4186 | 2781 | SSL_DEBUG_RET( 1, "pk_sign", ret ); |
ansond | 0:137634ff4186 | 2782 | return( ret ); |
ansond | 0:137634ff4186 | 2783 | } |
ansond | 0:137634ff4186 | 2784 | |
ansond | 0:137634ff4186 | 2785 | *(p++) = (unsigned char)( signature_len >> 8 ); |
ansond | 0:137634ff4186 | 2786 | *(p++) = (unsigned char)( signature_len ); |
ansond | 0:137634ff4186 | 2787 | n += 2; |
ansond | 0:137634ff4186 | 2788 | |
ansond | 0:137634ff4186 | 2789 | SSL_DEBUG_BUF( 3, "my signature", p, signature_len ); |
ansond | 0:137634ff4186 | 2790 | |
ansond | 0:137634ff4186 | 2791 | p += signature_len; |
ansond | 0:137634ff4186 | 2792 | n += signature_len; |
ansond | 0:137634ff4186 | 2793 | } |
ansond | 0:137634ff4186 | 2794 | #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || |
ansond | 0:137634ff4186 | 2795 | POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
ansond | 0:137634ff4186 | 2796 | POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ |
ansond | 0:137634ff4186 | 2797 | |
ansond | 0:137634ff4186 | 2798 | ssl->out_msglen = 4 + n; |
ansond | 0:137634ff4186 | 2799 | ssl->out_msgtype = SSL_MSG_HANDSHAKE; |
ansond | 0:137634ff4186 | 2800 | ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE; |
ansond | 0:137634ff4186 | 2801 | |
ansond | 0:137634ff4186 | 2802 | ssl->state++; |
ansond | 0:137634ff4186 | 2803 | |
ansond | 0:137634ff4186 | 2804 | if( ( ret = ssl_write_record( ssl ) ) != 0 ) |
ansond | 0:137634ff4186 | 2805 | { |
ansond | 0:137634ff4186 | 2806 | SSL_DEBUG_RET( 1, "ssl_write_record", ret ); |
ansond | 0:137634ff4186 | 2807 | return( ret ); |
ansond | 0:137634ff4186 | 2808 | } |
ansond | 0:137634ff4186 | 2809 | |
ansond | 0:137634ff4186 | 2810 | SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) ); |
ansond | 0:137634ff4186 | 2811 | |
ansond | 0:137634ff4186 | 2812 | return( 0 ); |
ansond | 0:137634ff4186 | 2813 | } |
ansond | 0:137634ff4186 | 2814 | |
ansond | 0:137634ff4186 | 2815 | static int ssl_write_server_hello_done( ssl_context *ssl ) |
ansond | 0:137634ff4186 | 2816 | { |
ansond | 0:137634ff4186 | 2817 | int ret; |
ansond | 0:137634ff4186 | 2818 | |
ansond | 0:137634ff4186 | 2819 | SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) ); |
ansond | 0:137634ff4186 | 2820 | |
ansond | 0:137634ff4186 | 2821 | ssl->out_msglen = 4; |
ansond | 0:137634ff4186 | 2822 | ssl->out_msgtype = SSL_MSG_HANDSHAKE; |
ansond | 0:137634ff4186 | 2823 | ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE; |
ansond | 0:137634ff4186 | 2824 | |
ansond | 0:137634ff4186 | 2825 | ssl->state++; |
ansond | 0:137634ff4186 | 2826 | |
ansond | 0:137634ff4186 | 2827 | if( ( ret = ssl_write_record( ssl ) ) != 0 ) |
ansond | 0:137634ff4186 | 2828 | { |
ansond | 0:137634ff4186 | 2829 | SSL_DEBUG_RET( 1, "ssl_write_record", ret ); |
ansond | 0:137634ff4186 | 2830 | return( ret ); |
ansond | 0:137634ff4186 | 2831 | } |
ansond | 0:137634ff4186 | 2832 | |
ansond | 0:137634ff4186 | 2833 | SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) ); |
ansond | 0:137634ff4186 | 2834 | |
ansond | 0:137634ff4186 | 2835 | return( 0 ); |
ansond | 0:137634ff4186 | 2836 | } |
ansond | 0:137634ff4186 | 2837 | |
ansond | 0:137634ff4186 | 2838 | #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
ansond | 0:137634ff4186 | 2839 | defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) |
ansond | 0:137634ff4186 | 2840 | static int ssl_parse_client_dh_public( ssl_context *ssl, unsigned char **p, |
ansond | 0:137634ff4186 | 2841 | const unsigned char *end ) |
ansond | 0:137634ff4186 | 2842 | { |
ansond | 0:137634ff4186 | 2843 | int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; |
ansond | 0:137634ff4186 | 2844 | size_t n; |
ansond | 0:137634ff4186 | 2845 | |
ansond | 0:137634ff4186 | 2846 | /* |
ansond | 0:137634ff4186 | 2847 | * Receive G^Y mod P, premaster = (G^Y)^X mod P |
ansond | 0:137634ff4186 | 2848 | */ |
ansond | 0:137634ff4186 | 2849 | if( *p + 2 > end ) |
ansond | 0:137634ff4186 | 2850 | { |
ansond | 0:137634ff4186 | 2851 | SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
ansond | 0:137634ff4186 | 2852 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
ansond | 0:137634ff4186 | 2853 | } |
ansond | 0:137634ff4186 | 2854 | |
ansond | 0:137634ff4186 | 2855 | n = ( (*p)[0] << 8 ) | (*p)[1]; |
ansond | 0:137634ff4186 | 2856 | *p += 2; |
ansond | 0:137634ff4186 | 2857 | |
ansond | 0:137634ff4186 | 2858 | if( *p + n > end ) |
ansond | 0:137634ff4186 | 2859 | { |
ansond | 0:137634ff4186 | 2860 | SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
ansond | 0:137634ff4186 | 2861 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
ansond | 0:137634ff4186 | 2862 | } |
ansond | 0:137634ff4186 | 2863 | |
ansond | 0:137634ff4186 | 2864 | if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 ) |
ansond | 0:137634ff4186 | 2865 | { |
ansond | 0:137634ff4186 | 2866 | SSL_DEBUG_RET( 1, "dhm_read_public", ret ); |
ansond | 0:137634ff4186 | 2867 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); |
ansond | 0:137634ff4186 | 2868 | } |
ansond | 0:137634ff4186 | 2869 | |
ansond | 0:137634ff4186 | 2870 | *p += n; |
ansond | 0:137634ff4186 | 2871 | |
ansond | 0:137634ff4186 | 2872 | SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); |
ansond | 0:137634ff4186 | 2873 | |
ansond | 0:137634ff4186 | 2874 | return( ret ); |
ansond | 0:137634ff4186 | 2875 | } |
ansond | 0:137634ff4186 | 2876 | #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED || |
ansond | 0:137634ff4186 | 2877 | POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
ansond | 0:137634ff4186 | 2878 | |
ansond | 0:137634ff4186 | 2879 | #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \ |
ansond | 0:137634ff4186 | 2880 | defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) |
ansond | 0:137634ff4186 | 2881 | static int ssl_parse_encrypted_pms( ssl_context *ssl, |
ansond | 0:137634ff4186 | 2882 | const unsigned char *p, |
ansond | 0:137634ff4186 | 2883 | const unsigned char *end, |
ansond | 0:137634ff4186 | 2884 | size_t pms_offset ) |
ansond | 0:137634ff4186 | 2885 | { |
ansond | 0:137634ff4186 | 2886 | int ret; |
ansond | 0:137634ff4186 | 2887 | size_t len = pk_get_len( ssl_own_key( ssl ) ); |
ansond | 0:137634ff4186 | 2888 | unsigned char *pms = ssl->handshake->premaster + pms_offset; |
ansond | 0:137634ff4186 | 2889 | unsigned char fake_pms[48], peer_pms[48]; |
ansond | 0:137634ff4186 | 2890 | unsigned char mask; |
ansond | 0:137634ff4186 | 2891 | size_t i, diff, peer_pmslen; |
ansond | 0:137634ff4186 | 2892 | |
ansond | 0:137634ff4186 | 2893 | if( ! pk_can_do( ssl_own_key( ssl ), POLARSSL_PK_RSA ) ) |
ansond | 0:137634ff4186 | 2894 | { |
ansond | 0:137634ff4186 | 2895 | SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) ); |
ansond | 0:137634ff4186 | 2896 | return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED ); |
ansond | 0:137634ff4186 | 2897 | } |
ansond | 0:137634ff4186 | 2898 | |
ansond | 0:137634ff4186 | 2899 | /* |
ansond | 0:137634ff4186 | 2900 | * Decrypt the premaster using own private RSA key |
ansond | 0:137634ff4186 | 2901 | */ |
ansond | 0:137634ff4186 | 2902 | #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \ |
ansond | 0:137634ff4186 | 2903 | defined(POLARSSL_SSL_PROTO_TLS1_2) |
ansond | 0:137634ff4186 | 2904 | if( ssl->minor_ver != SSL_MINOR_VERSION_0 ) |
ansond | 0:137634ff4186 | 2905 | { |
ansond | 0:137634ff4186 | 2906 | if( *p++ != ( ( len >> 8 ) & 0xFF ) || |
ansond | 0:137634ff4186 | 2907 | *p++ != ( ( len ) & 0xFF ) ) |
ansond | 0:137634ff4186 | 2908 | { |
ansond | 0:137634ff4186 | 2909 | SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
ansond | 0:137634ff4186 | 2910 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
ansond | 0:137634ff4186 | 2911 | } |
ansond | 0:137634ff4186 | 2912 | } |
ansond | 0:137634ff4186 | 2913 | #endif |
ansond | 0:137634ff4186 | 2914 | |
ansond | 0:137634ff4186 | 2915 | if( p + len != end ) |
ansond | 0:137634ff4186 | 2916 | { |
ansond | 0:137634ff4186 | 2917 | SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
ansond | 0:137634ff4186 | 2918 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
ansond | 0:137634ff4186 | 2919 | } |
ansond | 0:137634ff4186 | 2920 | |
ansond | 0:137634ff4186 | 2921 | /* |
ansond | 0:137634ff4186 | 2922 | * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding |
ansond | 0:137634ff4186 | 2923 | * must not cause the connection to end immediately; instead, send a |
ansond | 0:137634ff4186 | 2924 | * bad_record_mac later in the handshake. |
ansond | 0:137634ff4186 | 2925 | * Also, avoid data-dependant branches here to protect against |
ansond | 0:137634ff4186 | 2926 | * timing-based variants. |
ansond | 0:137634ff4186 | 2927 | */ |
ansond | 0:137634ff4186 | 2928 | ret = ssl->f_rng( ssl->p_rng, fake_pms, sizeof( fake_pms ) ); |
ansond | 0:137634ff4186 | 2929 | if( ret != 0 ) |
ansond | 0:137634ff4186 | 2930 | return( ret ); |
ansond | 0:137634ff4186 | 2931 | |
ansond | 0:137634ff4186 | 2932 | ret = pk_decrypt( ssl_own_key( ssl ), p, len, |
ansond | 0:137634ff4186 | 2933 | peer_pms, &peer_pmslen, |
ansond | 0:137634ff4186 | 2934 | sizeof( peer_pms ), |
ansond | 0:137634ff4186 | 2935 | ssl->f_rng, ssl->p_rng ); |
ansond | 0:137634ff4186 | 2936 | |
ansond | 0:137634ff4186 | 2937 | diff = (size_t) ret; |
ansond | 0:137634ff4186 | 2938 | diff |= peer_pmslen ^ 48; |
ansond | 0:137634ff4186 | 2939 | diff |= peer_pms[0] ^ ssl->handshake->max_major_ver; |
ansond | 0:137634ff4186 | 2940 | diff |= peer_pms[1] ^ ssl->handshake->max_minor_ver; |
ansond | 0:137634ff4186 | 2941 | |
ansond | 0:137634ff4186 | 2942 | #if defined(POLARSSL_SSL_DEBUG_ALL) |
ansond | 0:137634ff4186 | 2943 | if( diff != 0 ) |
ansond | 0:137634ff4186 | 2944 | SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
ansond | 0:137634ff4186 | 2945 | #endif |
ansond | 0:137634ff4186 | 2946 | |
ansond | 0:137634ff4186 | 2947 | if( sizeof( ssl->handshake->premaster ) < pms_offset || |
ansond | 0:137634ff4186 | 2948 | sizeof( ssl->handshake->premaster ) - pms_offset < 48 ) |
ansond | 0:137634ff4186 | 2949 | { |
ansond | 0:137634ff4186 | 2950 | SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
ansond | 0:137634ff4186 | 2951 | return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); |
ansond | 0:137634ff4186 | 2952 | } |
ansond | 0:137634ff4186 | 2953 | ssl->handshake->pmslen = 48; |
ansond | 0:137634ff4186 | 2954 | |
ansond | 0:137634ff4186 | 2955 | mask = ( diff | - diff ) >> ( sizeof( size_t ) * 8 - 1 ); |
ansond | 0:137634ff4186 | 2956 | mask = (unsigned char)( - ( ret != 0 ) ); /* mask = diff ? 0xff : 0x00 */ |
ansond | 0:137634ff4186 | 2957 | for( i = 0; i < ssl->handshake->pmslen; i++ ) |
ansond | 0:137634ff4186 | 2958 | pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] ); |
ansond | 0:137634ff4186 | 2959 | |
ansond | 0:137634ff4186 | 2960 | return( 0 ); |
ansond | 0:137634ff4186 | 2961 | } |
ansond | 0:137634ff4186 | 2962 | #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED || |
ansond | 0:137634ff4186 | 2963 | POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
ansond | 0:137634ff4186 | 2964 | |
ansond | 0:137634ff4186 | 2965 | #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) |
ansond | 0:137634ff4186 | 2966 | static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p, |
ansond | 0:137634ff4186 | 2967 | const unsigned char *end ) |
ansond | 0:137634ff4186 | 2968 | { |
ansond | 0:137634ff4186 | 2969 | int ret = 0; |
ansond | 0:137634ff4186 | 2970 | size_t n; |
ansond | 0:137634ff4186 | 2971 | |
ansond | 0:137634ff4186 | 2972 | if( ssl->f_psk == NULL && |
ansond | 0:137634ff4186 | 2973 | ( ssl->psk == NULL || ssl->psk_identity == NULL || |
ansond | 0:137634ff4186 | 2974 | ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) ) |
ansond | 0:137634ff4186 | 2975 | { |
ansond | 0:137634ff4186 | 2976 | SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) ); |
ansond | 0:137634ff4186 | 2977 | return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED ); |
ansond | 0:137634ff4186 | 2978 | } |
ansond | 0:137634ff4186 | 2979 | |
ansond | 0:137634ff4186 | 2980 | /* |
ansond | 0:137634ff4186 | 2981 | * Receive client pre-shared key identity name |
ansond | 0:137634ff4186 | 2982 | */ |
ansond | 0:137634ff4186 | 2983 | if( *p + 2 > end ) |
ansond | 0:137634ff4186 | 2984 | { |
ansond | 0:137634ff4186 | 2985 | SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
ansond | 0:137634ff4186 | 2986 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
ansond | 0:137634ff4186 | 2987 | } |
ansond | 0:137634ff4186 | 2988 | |
ansond | 0:137634ff4186 | 2989 | n = ( (*p)[0] << 8 ) | (*p)[1]; |
ansond | 0:137634ff4186 | 2990 | *p += 2; |
ansond | 0:137634ff4186 | 2991 | |
ansond | 0:137634ff4186 | 2992 | if( n < 1 || n > 65535 || *p + n > end ) |
ansond | 0:137634ff4186 | 2993 | { |
ansond | 0:137634ff4186 | 2994 | SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
ansond | 0:137634ff4186 | 2995 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
ansond | 0:137634ff4186 | 2996 | } |
ansond | 0:137634ff4186 | 2997 | |
ansond | 0:137634ff4186 | 2998 | if( ssl->f_psk != NULL ) |
ansond | 0:137634ff4186 | 2999 | { |
ansond | 0:137634ff4186 | 3000 | if( ssl->f_psk( ssl->p_psk, ssl, *p, n ) != 0 ) |
ansond | 0:137634ff4186 | 3001 | ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY; |
ansond | 0:137634ff4186 | 3002 | } |
ansond | 0:137634ff4186 | 3003 | else |
ansond | 0:137634ff4186 | 3004 | { |
ansond | 0:137634ff4186 | 3005 | /* Identity is not a big secret since clients send it in the clear, |
ansond | 0:137634ff4186 | 3006 | * but treat it carefully anyway, just in case */ |
ansond | 0:137634ff4186 | 3007 | if( n != ssl->psk_identity_len || |
ansond | 0:137634ff4186 | 3008 | safer_memcmp( ssl->psk_identity, *p, n ) != 0 ) |
ansond | 0:137634ff4186 | 3009 | { |
ansond | 0:137634ff4186 | 3010 | ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY; |
ansond | 0:137634ff4186 | 3011 | } |
ansond | 0:137634ff4186 | 3012 | } |
ansond | 0:137634ff4186 | 3013 | |
ansond | 0:137634ff4186 | 3014 | if( ret == POLARSSL_ERR_SSL_UNKNOWN_IDENTITY ) |
ansond | 0:137634ff4186 | 3015 | { |
ansond | 0:137634ff4186 | 3016 | SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n ); |
ansond | 0:137634ff4186 | 3017 | if( ( ret = ssl_send_alert_message( ssl, |
ansond | 0:137634ff4186 | 3018 | SSL_ALERT_LEVEL_FATAL, |
ansond | 0:137634ff4186 | 3019 | SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 ) |
ansond | 0:137634ff4186 | 3020 | { |
ansond | 0:137634ff4186 | 3021 | return( ret ); |
ansond | 0:137634ff4186 | 3022 | } |
ansond | 0:137634ff4186 | 3023 | |
ansond | 0:137634ff4186 | 3024 | return( POLARSSL_ERR_SSL_UNKNOWN_IDENTITY ); |
ansond | 0:137634ff4186 | 3025 | } |
ansond | 0:137634ff4186 | 3026 | |
ansond | 0:137634ff4186 | 3027 | *p += n; |
ansond | 0:137634ff4186 | 3028 | |
ansond | 0:137634ff4186 | 3029 | return( 0 ); |
ansond | 0:137634ff4186 | 3030 | } |
ansond | 0:137634ff4186 | 3031 | #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */ |
ansond | 0:137634ff4186 | 3032 | |
ansond | 0:137634ff4186 | 3033 | static int ssl_parse_client_key_exchange( ssl_context *ssl ) |
ansond | 0:137634ff4186 | 3034 | { |
ansond | 0:137634ff4186 | 3035 | int ret; |
ansond | 0:137634ff4186 | 3036 | const ssl_ciphersuite_t *ciphersuite_info; |
ansond | 0:137634ff4186 | 3037 | |
ansond | 0:137634ff4186 | 3038 | ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; |
ansond | 0:137634ff4186 | 3039 | |
ansond | 0:137634ff4186 | 3040 | SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) ); |
ansond | 0:137634ff4186 | 3041 | |
ansond | 0:137634ff4186 | 3042 | if( ( ret = ssl_read_record( ssl ) ) != 0 ) |
ansond | 0:137634ff4186 | 3043 | { |
ansond | 0:137634ff4186 | 3044 | SSL_DEBUG_RET( 1, "ssl_read_record", ret ); |
ansond | 0:137634ff4186 | 3045 | return( ret ); |
ansond | 0:137634ff4186 | 3046 | } |
ansond | 0:137634ff4186 | 3047 | |
ansond | 0:137634ff4186 | 3048 | if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) |
ansond | 0:137634ff4186 | 3049 | { |
ansond | 0:137634ff4186 | 3050 | SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
ansond | 0:137634ff4186 | 3051 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
ansond | 0:137634ff4186 | 3052 | } |
ansond | 0:137634ff4186 | 3053 | |
ansond | 0:137634ff4186 | 3054 | if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE ) |
ansond | 0:137634ff4186 | 3055 | { |
ansond | 0:137634ff4186 | 3056 | SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
ansond | 0:137634ff4186 | 3057 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
ansond | 0:137634ff4186 | 3058 | } |
ansond | 0:137634ff4186 | 3059 | |
ansond | 0:137634ff4186 | 3060 | #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) |
ansond | 0:137634ff4186 | 3061 | if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ) |
ansond | 0:137634ff4186 | 3062 | { |
ansond | 0:137634ff4186 | 3063 | unsigned char *p = ssl->in_msg + 4; |
ansond | 0:137634ff4186 | 3064 | unsigned char *end = ssl->in_msg + ssl->in_hslen; |
ansond | 0:137634ff4186 | 3065 | |
ansond | 0:137634ff4186 | 3066 | if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) |
ansond | 0:137634ff4186 | 3067 | { |
ansond | 0:137634ff4186 | 3068 | SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); |
ansond | 0:137634ff4186 | 3069 | return( ret ); |
ansond | 0:137634ff4186 | 3070 | } |
ansond | 0:137634ff4186 | 3071 | |
ansond | 0:137634ff4186 | 3072 | if( p != end ) |
ansond | 0:137634ff4186 | 3073 | { |
ansond | 0:137634ff4186 | 3074 | SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); |
ansond | 0:137634ff4186 | 3075 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
ansond | 0:137634ff4186 | 3076 | } |
ansond | 0:137634ff4186 | 3077 | |
ansond | 0:137634ff4186 | 3078 | ssl->handshake->pmslen = POLARSSL_PREMASTER_SIZE; |
ansond | 0:137634ff4186 | 3079 | |
ansond | 0:137634ff4186 | 3080 | if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx, |
ansond | 0:137634ff4186 | 3081 | ssl->handshake->premaster, |
ansond | 0:137634ff4186 | 3082 | &ssl->handshake->pmslen, |
ansond | 0:137634ff4186 | 3083 | ssl->f_rng, ssl->p_rng ) ) != 0 ) |
ansond | 0:137634ff4186 | 3084 | { |
ansond | 0:137634ff4186 | 3085 | SSL_DEBUG_RET( 1, "dhm_calc_secret", ret ); |
ansond | 0:137634ff4186 | 3086 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); |
ansond | 0:137634ff4186 | 3087 | } |
ansond | 0:137634ff4186 | 3088 | |
ansond | 0:137634ff4186 | 3089 | SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); |
ansond | 0:137634ff4186 | 3090 | } |
ansond | 0:137634ff4186 | 3091 | else |
ansond | 0:137634ff4186 | 3092 | #endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */ |
ansond | 0:137634ff4186 | 3093 | #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
ansond | 0:137634ff4186 | 3094 | defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ |
ansond | 0:137634ff4186 | 3095 | defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
ansond | 0:137634ff4186 | 3096 | defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
ansond | 0:137634ff4186 | 3097 | if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA || |
ansond | 0:137634ff4186 | 3098 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA || |
ansond | 0:137634ff4186 | 3099 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_RSA || |
ansond | 0:137634ff4186 | 3100 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDH_ECDSA ) |
ansond | 0:137634ff4186 | 3101 | { |
ansond | 0:137634ff4186 | 3102 | if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx, |
ansond | 0:137634ff4186 | 3103 | ssl->in_msg + 4, ssl->in_hslen - 4 ) ) != 0 ) |
ansond | 0:137634ff4186 | 3104 | { |
ansond | 0:137634ff4186 | 3105 | SSL_DEBUG_RET( 1, "ecdh_read_public", ret ); |
ansond | 0:137634ff4186 | 3106 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); |
ansond | 0:137634ff4186 | 3107 | } |
ansond | 0:137634ff4186 | 3108 | |
ansond | 0:137634ff4186 | 3109 | SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp ); |
ansond | 0:137634ff4186 | 3110 | |
ansond | 0:137634ff4186 | 3111 | if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx, |
ansond | 0:137634ff4186 | 3112 | &ssl->handshake->pmslen, |
ansond | 0:137634ff4186 | 3113 | ssl->handshake->premaster, |
ansond | 0:137634ff4186 | 3114 | POLARSSL_MPI_MAX_SIZE, |
ansond | 0:137634ff4186 | 3115 | ssl->f_rng, ssl->p_rng ) ) != 0 ) |
ansond | 0:137634ff4186 | 3116 | { |
ansond | 0:137634ff4186 | 3117 | SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret ); |
ansond | 0:137634ff4186 | 3118 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); |
ansond | 0:137634ff4186 | 3119 | } |
ansond | 0:137634ff4186 | 3120 | |
ansond | 0:137634ff4186 | 3121 | SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z ); |
ansond | 0:137634ff4186 | 3122 | } |
ansond | 0:137634ff4186 | 3123 | else |
ansond | 0:137634ff4186 | 3124 | #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
ansond | 0:137634ff4186 | 3125 | POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || |
ansond | 0:137634ff4186 | 3126 | POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED || |
ansond | 0:137634ff4186 | 3127 | POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
ansond | 0:137634ff4186 | 3128 | #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) |
ansond | 0:137634ff4186 | 3129 | if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ) |
ansond | 0:137634ff4186 | 3130 | { |
ansond | 0:137634ff4186 | 3131 | unsigned char *p = ssl->in_msg + 4; |
ansond | 0:137634ff4186 | 3132 | unsigned char *end = ssl->in_msg + ssl->in_hslen; |
ansond | 0:137634ff4186 | 3133 | |
ansond | 0:137634ff4186 | 3134 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) |
ansond | 0:137634ff4186 | 3135 | { |
ansond | 0:137634ff4186 | 3136 | SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); |
ansond | 0:137634ff4186 | 3137 | return( ret ); |
ansond | 0:137634ff4186 | 3138 | } |
ansond | 0:137634ff4186 | 3139 | |
ansond | 0:137634ff4186 | 3140 | if( p != end ) |
ansond | 0:137634ff4186 | 3141 | { |
ansond | 0:137634ff4186 | 3142 | SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); |
ansond | 0:137634ff4186 | 3143 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
ansond | 0:137634ff4186 | 3144 | } |
ansond | 0:137634ff4186 | 3145 | |
ansond | 0:137634ff4186 | 3146 | if( ( ret = ssl_psk_derive_premaster( ssl, |
ansond | 0:137634ff4186 | 3147 | ciphersuite_info->key_exchange ) ) != 0 ) |
ansond | 0:137634ff4186 | 3148 | { |
ansond | 0:137634ff4186 | 3149 | SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret ); |
ansond | 0:137634ff4186 | 3150 | return( ret ); |
ansond | 0:137634ff4186 | 3151 | } |
ansond | 0:137634ff4186 | 3152 | } |
ansond | 0:137634ff4186 | 3153 | else |
ansond | 0:137634ff4186 | 3154 | #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */ |
ansond | 0:137634ff4186 | 3155 | #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) |
ansond | 0:137634ff4186 | 3156 | if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) |
ansond | 0:137634ff4186 | 3157 | { |
ansond | 0:137634ff4186 | 3158 | unsigned char *p = ssl->in_msg + 4; |
ansond | 0:137634ff4186 | 3159 | unsigned char *end = ssl->in_msg + ssl->in_hslen; |
ansond | 0:137634ff4186 | 3160 | |
ansond | 0:137634ff4186 | 3161 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) |
ansond | 0:137634ff4186 | 3162 | { |
ansond | 0:137634ff4186 | 3163 | SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); |
ansond | 0:137634ff4186 | 3164 | return( ret ); |
ansond | 0:137634ff4186 | 3165 | } |
ansond | 0:137634ff4186 | 3166 | |
ansond | 0:137634ff4186 | 3167 | if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 ) |
ansond | 0:137634ff4186 | 3168 | { |
ansond | 0:137634ff4186 | 3169 | SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret ); |
ansond | 0:137634ff4186 | 3170 | return( ret ); |
ansond | 0:137634ff4186 | 3171 | } |
ansond | 0:137634ff4186 | 3172 | |
ansond | 0:137634ff4186 | 3173 | if( ( ret = ssl_psk_derive_premaster( ssl, |
ansond | 0:137634ff4186 | 3174 | ciphersuite_info->key_exchange ) ) != 0 ) |
ansond | 0:137634ff4186 | 3175 | { |
ansond | 0:137634ff4186 | 3176 | SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret ); |
ansond | 0:137634ff4186 | 3177 | return( ret ); |
ansond | 0:137634ff4186 | 3178 | } |
ansond | 0:137634ff4186 | 3179 | } |
ansond | 0:137634ff4186 | 3180 | else |
ansond | 0:137634ff4186 | 3181 | #endif /* POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
ansond | 0:137634ff4186 | 3182 | #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) |
ansond | 0:137634ff4186 | 3183 | if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ) |
ansond | 0:137634ff4186 | 3184 | { |
ansond | 0:137634ff4186 | 3185 | unsigned char *p = ssl->in_msg + 4; |
ansond | 0:137634ff4186 | 3186 | unsigned char *end = ssl->in_msg + ssl->in_hslen; |
ansond | 0:137634ff4186 | 3187 | |
ansond | 0:137634ff4186 | 3188 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) |
ansond | 0:137634ff4186 | 3189 | { |
ansond | 0:137634ff4186 | 3190 | SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); |
ansond | 0:137634ff4186 | 3191 | return( ret ); |
ansond | 0:137634ff4186 | 3192 | } |
ansond | 0:137634ff4186 | 3193 | if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) |
ansond | 0:137634ff4186 | 3194 | { |
ansond | 0:137634ff4186 | 3195 | SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); |
ansond | 0:137634ff4186 | 3196 | return( ret ); |
ansond | 0:137634ff4186 | 3197 | } |
ansond | 0:137634ff4186 | 3198 | |
ansond | 0:137634ff4186 | 3199 | if( p != end ) |
ansond | 0:137634ff4186 | 3200 | { |
ansond | 0:137634ff4186 | 3201 | SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); |
ansond | 0:137634ff4186 | 3202 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); |
ansond | 0:137634ff4186 | 3203 | } |
ansond | 0:137634ff4186 | 3204 | |
ansond | 0:137634ff4186 | 3205 | if( ( ret = ssl_psk_derive_premaster( ssl, |
ansond | 0:137634ff4186 | 3206 | ciphersuite_info->key_exchange ) ) != 0 ) |
ansond | 0:137634ff4186 | 3207 | { |
ansond | 0:137634ff4186 | 3208 | SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret ); |
ansond | 0:137634ff4186 | 3209 | return( ret ); |
ansond | 0:137634ff4186 | 3210 | } |
ansond | 0:137634ff4186 | 3211 | } |
ansond | 0:137634ff4186 | 3212 | else |
ansond | 0:137634ff4186 | 3213 | #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
ansond | 0:137634ff4186 | 3214 | #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
ansond | 0:137634ff4186 | 3215 | if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ) |
ansond | 0:137634ff4186 | 3216 | { |
ansond | 0:137634ff4186 | 3217 | unsigned char *p = ssl->in_msg + 4; |
ansond | 0:137634ff4186 | 3218 | unsigned char *end = ssl->in_msg + ssl->in_hslen; |
ansond | 0:137634ff4186 | 3219 | |
ansond | 0:137634ff4186 | 3220 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) |
ansond | 0:137634ff4186 | 3221 | { |
ansond | 0:137634ff4186 | 3222 | SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); |
ansond | 0:137634ff4186 | 3223 | return( ret ); |
ansond | 0:137634ff4186 | 3224 | } |
ansond | 0:137634ff4186 | 3225 | |
ansond | 0:137634ff4186 | 3226 | if( ( ret = ecdh_read_public( &ssl->handshake->ecdh_ctx, |
ansond | 0:137634ff4186 | 3227 | p, end - p ) ) != 0 ) |
ansond | 0:137634ff4186 | 3228 | { |
ansond | 0:137634ff4186 | 3229 | SSL_DEBUG_RET( 1, "ecdh_read_public", ret ); |
ansond | 0:137634ff4186 | 3230 | return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); |
ansond | 0:137634ff4186 | 3231 | } |
ansond | 0:137634ff4186 | 3232 | |
ansond | 0:137634ff4186 | 3233 | SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp ); |
ansond | 0:137634ff4186 | 3234 | |
ansond | 0:137634ff4186 | 3235 | if( ( ret = ssl_psk_derive_premaster( ssl, |
ansond | 0:137634ff4186 | 3236 | ciphersuite_info->key_exchange ) ) != 0 ) |
ansond | 0:137634ff4186 | 3237 | { |
ansond | 0:137634ff4186 | 3238 | SSL_DEBUG_RET( 1, "ssl_psk_derive_premaster", ret ); |
ansond | 0:137634ff4186 | 3239 | return( ret ); |
ansond | 0:137634ff4186 | 3240 | } |
ansond | 0:137634ff4186 | 3241 | } |
ansond | 0:137634ff4186 | 3242 | else |
ansond | 0:137634ff4186 | 3243 | #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
ansond | 0:137634ff4186 | 3244 | #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) |
ansond | 0:137634ff4186 | 3245 | if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA ) |
ansond | 0:137634ff4186 | 3246 | { |
ansond | 0:137634ff4186 | 3247 | if( ( ret = ssl_parse_encrypted_pms( ssl, |
ansond | 0:137634ff4186 | 3248 | ssl->in_msg + 4, |
ansond | 0:137634ff4186 | 3249 | ssl->in_msg + ssl->in_hslen, |
ansond | 0:137634ff4186 | 3250 | 0 ) ) != 0 ) |
ansond | 0:137634ff4186 | 3251 | { |
ansond | 0:137634ff4186 | 3252 | SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret ); |
ansond | 0:137634ff4186 | 3253 | return( ret ); |
ansond | 0:137634ff4186 | 3254 | } |
ansond | 0:137634ff4186 | 3255 | } |
ansond | 0:137634ff4186 | 3256 | else |
ansond | 0:137634ff4186 | 3257 | #endif /* POLARSSL_KEY_EXCHANGE_RSA_ENABLED */ |
ansond | 0:137634ff4186 | 3258 | { |
ansond | 0:137634ff4186 | 3259 | SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
ansond | 0:137634ff4186 | 3260 | return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); |
ansond | 0:137634ff4186 | 3261 | } |
ansond | 0:137634ff4186 | 3262 | |
ansond | 0:137634ff4186 | 3263 | if( ( ret = ssl_derive_keys( ssl ) ) != 0 ) |
ansond | 0:137634ff4186 | 3264 | { |
ansond | 0:137634ff4186 | 3265 | SSL_DEBUG_RET( 1, "ssl_derive_keys", ret ); |
ansond | 0:137634ff4186 | 3266 | return( ret ); |
ansond | 0:137634ff4186 | 3267 | } |
ansond | 0:137634ff4186 | 3268 | |
ansond | 0:137634ff4186 | 3269 | ssl->state++; |
ansond | 0:137634ff4186 | 3270 | |
ansond | 0:137634ff4186 | 3271 | SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) ); |
ansond | 0:137634ff4186 | 3272 | |
ansond | 0:137634ff4186 | 3273 | return( 0 ); |
ansond | 0:137634ff4186 | 3274 | } |
ansond | 0:137634ff4186 | 3275 | |
ansond | 0:137634ff4186 | 3276 | #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \ |
ansond | 0:137634ff4186 | 3277 | !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ |
ansond | 0:137634ff4186 | 3278 | !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ |
ansond | 0:137634ff4186 | 3279 | !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
ansond | 0:137634ff4186 | 3280 | static int ssl_parse_certificate_verify( ssl_context *ssl ) |
ansond | 0:137634ff4186 | 3281 | { |
ansond | 0:137634ff4186 | 3282 | const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; |
ansond | 0:137634ff4186 | 3283 | |
ansond | 0:137634ff4186 | 3284 | SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); |
ansond | 0:137634ff4186 | 3285 | |
ansond | 0:137634ff4186 | 3286 | if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || |
ansond | 0:137634ff4186 | 3287 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || |
ansond | 0:137634ff4186 | 3288 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK || |
ansond | 0:137634ff4186 | 3289 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ) |
ansond | 0:137634ff4186 | 3290 | { |
ansond | 0:137634ff4186 | 3291 | SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); |
ansond | 0:137634ff4186 | 3292 | ssl->state++; |
ansond | 0:137634ff4186 | 3293 | return( 0 ); |
ansond | 0:137634ff4186 | 3294 | } |
ansond | 0:137634ff4186 | 3295 | |
ansond | 0:137634ff4186 | 3296 | SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
ansond | 0:137634ff4186 | 3297 | return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); |
ansond | 0:137634ff4186 | 3298 | } |
ansond | 0:137634ff4186 | 3299 | #else |
ansond | 0:137634ff4186 | 3300 | static int ssl_parse_certificate_verify( ssl_context *ssl ) |
ansond | 0:137634ff4186 | 3301 | { |
ansond | 0:137634ff4186 | 3302 | int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; |
ansond | 0:137634ff4186 | 3303 | size_t sa_len, sig_len; |
ansond | 0:137634ff4186 | 3304 | unsigned char hash[48]; |
ansond | 0:137634ff4186 | 3305 | unsigned char *hash_start = hash; |
ansond | 0:137634ff4186 | 3306 | size_t hashlen; |
ansond | 0:137634ff4186 | 3307 | #if defined(POLARSSL_SSL_PROTO_TLS1_2) |
ansond | 0:137634ff4186 | 3308 | pk_type_t pk_alg; |
ansond | 0:137634ff4186 | 3309 | #endif |
ansond | 0:137634ff4186 | 3310 | md_type_t md_alg; |
ansond | 0:137634ff4186 | 3311 | const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; |
ansond | 0:137634ff4186 | 3312 | |
ansond | 0:137634ff4186 | 3313 | SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); |
ansond | 0:137634ff4186 | 3314 | |
ansond | 0:137634ff4186 | 3315 | if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK || |
ansond | 0:137634ff4186 | 3316 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK || |
ansond | 0:137634ff4186 | 3317 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK || |
ansond | 0:137634ff4186 | 3318 | ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ) |
ansond | 0:137634ff4186 | 3319 | { |
ansond | 0:137634ff4186 | 3320 | SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); |
ansond | 0:137634ff4186 | 3321 | ssl->state++; |
ansond | 0:137634ff4186 | 3322 | return( 0 ); |
ansond | 0:137634ff4186 | 3323 | } |
ansond | 0:137634ff4186 | 3324 | |
ansond | 0:137634ff4186 | 3325 | if( ssl->session_negotiate->peer_cert == NULL ) |
ansond | 0:137634ff4186 | 3326 | { |
ansond | 0:137634ff4186 | 3327 | SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); |
ansond | 0:137634ff4186 | 3328 | ssl->state++; |
ansond | 0:137634ff4186 | 3329 | return( 0 ); |
ansond | 0:137634ff4186 | 3330 | } |
ansond | 0:137634ff4186 | 3331 | |
ansond | 0:137634ff4186 | 3332 | ssl->handshake->calc_verify( ssl, hash ); |
ansond | 0:137634ff4186 | 3333 | |
ansond | 0:137634ff4186 | 3334 | if( ( ret = ssl_read_record( ssl ) ) != 0 ) |
ansond | 0:137634ff4186 | 3335 | { |
ansond | 0:137634ff4186 | 3336 | SSL_DEBUG_RET( 1, "ssl_read_record", ret ); |
ansond | 0:137634ff4186 | 3337 | return( ret ); |
ansond | 0:137634ff4186 | 3338 | } |
ansond | 0:137634ff4186 | 3339 | |
ansond | 0:137634ff4186 | 3340 | ssl->state++; |
ansond | 0:137634ff4186 | 3341 | |
ansond | 0:137634ff4186 | 3342 | if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) |
ansond | 0:137634ff4186 | 3343 | { |
ansond | 0:137634ff4186 | 3344 | SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); |
ansond | 0:137634ff4186 | 3345 | return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); |
ansond | 0:137634ff4186 | 3346 | } |
ansond | 0:137634ff4186 | 3347 | |
ansond | 0:137634ff4186 | 3348 | if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY ) |
ansond | 0:137634ff4186 | 3349 | { |
ansond | 0:137634ff4186 | 3350 | SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); |
ansond | 0:137634ff4186 | 3351 | return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); |
ansond | 0:137634ff4186 | 3352 | } |
ansond | 0:137634ff4186 | 3353 | |
ansond | 0:137634ff4186 | 3354 | /* |
ansond | 0:137634ff4186 | 3355 | * 0 . 0 handshake type |
ansond | 0:137634ff4186 | 3356 | * 1 . 3 handshake length |
ansond | 0:137634ff4186 | 3357 | * 4 . 5 sig alg (TLS 1.2 only) |
ansond | 0:137634ff4186 | 3358 | * 4+n . 5+n signature length (n = sa_len) |
ansond | 0:137634ff4186 | 3359 | * 6+n . 6+n+m signature (m = sig_len) |
ansond | 0:137634ff4186 | 3360 | */ |
ansond | 0:137634ff4186 | 3361 | |
ansond | 0:137634ff4186 | 3362 | #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \ |
ansond | 0:137634ff4186 | 3363 | defined(POLARSSL_SSL_PROTO_TLS1_1) |
ansond | 0:137634ff4186 | 3364 | if( ssl->minor_ver != SSL_MINOR_VERSION_3 ) |
ansond | 0:137634ff4186 | 3365 | { |
ansond | 0:137634ff4186 | 3366 | sa_len = 0; |
ansond | 0:137634ff4186 | 3367 | |
ansond | 0:137634ff4186 | 3368 | md_alg = POLARSSL_MD_NONE; |
ansond | 0:137634ff4186 | 3369 | hashlen = 36; |
ansond | 0:137634ff4186 | 3370 | |
ansond | 0:137634ff4186 | 3371 | /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */ |
ansond | 0:137634ff4186 | 3372 | if( pk_can_do( &ssl->session_negotiate->peer_cert->pk, |
ansond | 0:137634ff4186 | 3373 | POLARSSL_PK_ECDSA ) ) |
ansond | 0:137634ff4186 | 3374 | { |
ansond | 0:137634ff4186 | 3375 | hash_start += 16; |
ansond | 0:137634ff4186 | 3376 | hashlen -= 16; |
ansond | 0:137634ff4186 | 3377 | md_alg = POLARSSL_MD_SHA1; |
ansond | 0:137634ff4186 | 3378 | } |
ansond | 0:137634ff4186 | 3379 | } |
ansond | 0:137634ff4186 | 3380 | else |
ansond | 0:137634ff4186 | 3381 | #endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || |
ansond | 0:137634ff4186 | 3382 | POLARSSL_SSL_PROTO_TLS1_1 */ |
ansond | 0:137634ff4186 | 3383 | #if defined(POLARSSL_SSL_PROTO_TLS1_2) |
ansond | 0:137634ff4186 | 3384 | if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) |
ansond | 0:137634ff4186 | 3385 | { |
ansond | 0:137634ff4186 | 3386 | sa_len = 2; |
ansond | 0:137634ff4186 | 3387 | |
ansond | 0:137634ff4186 | 3388 | /* |
ansond | 0:137634ff4186 | 3389 | * Hash |
ansond | 0:137634ff4186 | 3390 | */ |
ansond | 0:137634ff4186 | 3391 | if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg ) |
ansond | 0:137634ff4186 | 3392 | { |
ansond | 0:137634ff4186 | 3393 | SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" |
ansond | 0:137634ff4186 | 3394 | " for verify message" ) ); |
ansond | 0:137634ff4186 | 3395 | return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); |
ansond | 0:137634ff4186 | 3396 | } |
ansond | 0:137634ff4186 | 3397 | |
ansond | 0:137634ff4186 | 3398 | md_alg = ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg ); |
ansond | 0:137634ff4186 | 3399 | |
ansond | 0:137634ff4186 | 3400 | /* Info from md_alg will be used instead */ |
ansond | 0:137634ff4186 | 3401 | hashlen = 0; |
ansond | 0:137634ff4186 | 3402 | |
ansond | 0:137634ff4186 | 3403 | /* |
ansond | 0:137634ff4186 | 3404 | * Signature |
ansond | 0:137634ff4186 | 3405 | */ |
ansond | 0:137634ff4186 | 3406 | if( ( pk_alg = ssl_pk_alg_from_sig( ssl->in_msg[5] ) ) |
ansond | 0:137634ff4186 | 3407 | == POLARSSL_PK_NONE ) |
ansond | 0:137634ff4186 | 3408 | { |
ansond | 0:137634ff4186 | 3409 | SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" |
ansond | 0:137634ff4186 | 3410 | " for verify message" ) ); |
ansond | 0:137634ff4186 | 3411 | return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); |
ansond | 0:137634ff4186 | 3412 | } |
ansond | 0:137634ff4186 | 3413 | |
ansond | 0:137634ff4186 | 3414 | /* |
ansond | 0:137634ff4186 | 3415 | * Check the certificate's key type matches the signature alg |
ansond | 0:137634ff4186 | 3416 | */ |
ansond | 0:137634ff4186 | 3417 | if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) |
ansond | 0:137634ff4186 | 3418 | { |
ansond | 0:137634ff4186 | 3419 | SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) ); |
ansond | 0:137634ff4186 | 3420 | return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); |
ansond | 0:137634ff4186 | 3421 | } |
ansond | 0:137634ff4186 | 3422 | } |
ansond | 0:137634ff4186 | 3423 | else |
ansond | 0:137634ff4186 | 3424 | #endif /* POLARSSL_SSL_PROTO_TLS1_2 */ |
ansond | 0:137634ff4186 | 3425 | { |
ansond | 0:137634ff4186 | 3426 | SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
ansond | 0:137634ff4186 | 3427 | return( POLARSSL_ERR_SSL_INTERNAL_ERROR ); |
ansond | 0:137634ff4186 | 3428 | } |
ansond | 0:137634ff4186 | 3429 | |
ansond | 0:137634ff4186 | 3430 | sig_len = ( ssl->in_msg[4 + sa_len] << 8 ) | ssl->in_msg[5 + sa_len]; |
ansond | 0:137634ff4186 | 3431 | |
ansond | 0:137634ff4186 | 3432 | if( sa_len + sig_len + 6 != ssl->in_hslen ) |
ansond | 0:137634ff4186 | 3433 | { |
ansond | 0:137634ff4186 | 3434 | SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); |
ansond | 0:137634ff4186 | 3435 | return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); |
ansond | 0:137634ff4186 | 3436 | } |
ansond | 0:137634ff4186 | 3437 | |
ansond | 0:137634ff4186 | 3438 | if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk, |
ansond | 0:137634ff4186 | 3439 | md_alg, hash_start, hashlen, |
ansond | 0:137634ff4186 | 3440 | ssl->in_msg + 6 + sa_len, sig_len ) ) != 0 ) |
ansond | 0:137634ff4186 | 3441 | { |
ansond | 0:137634ff4186 | 3442 | SSL_DEBUG_RET( 1, "pk_verify", ret ); |
ansond | 0:137634ff4186 | 3443 | return( ret ); |
ansond | 0:137634ff4186 | 3444 | } |
ansond | 0:137634ff4186 | 3445 | |
ansond | 0:137634ff4186 | 3446 | SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) ); |
ansond | 0:137634ff4186 | 3447 | |
ansond | 0:137634ff4186 | 3448 | return( ret ); |
ansond | 0:137634ff4186 | 3449 | } |
ansond | 0:137634ff4186 | 3450 | #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED && |
ansond | 0:137634ff4186 | 3451 | !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED && |
ansond | 0:137634ff4186 | 3452 | !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */ |
ansond | 0:137634ff4186 | 3453 | |
ansond | 0:137634ff4186 | 3454 | #if defined(POLARSSL_SSL_SESSION_TICKETS) |
ansond | 0:137634ff4186 | 3455 | static int ssl_write_new_session_ticket( ssl_context *ssl ) |
ansond | 0:137634ff4186 | 3456 | { |
ansond | 0:137634ff4186 | 3457 | int ret; |
ansond | 0:137634ff4186 | 3458 | size_t tlen; |
ansond | 0:137634ff4186 | 3459 | uint32_t lifetime = (uint32_t) ssl->ticket_lifetime; |
ansond | 0:137634ff4186 | 3460 | |
ansond | 0:137634ff4186 | 3461 | SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) ); |
ansond | 0:137634ff4186 | 3462 | |
ansond | 0:137634ff4186 | 3463 | ssl->out_msgtype = SSL_MSG_HANDSHAKE; |
ansond | 0:137634ff4186 | 3464 | ssl->out_msg[0] = SSL_HS_NEW_SESSION_TICKET; |
ansond | 0:137634ff4186 | 3465 | |
ansond | 0:137634ff4186 | 3466 | /* |
ansond | 0:137634ff4186 | 3467 | * struct { |
ansond | 0:137634ff4186 | 3468 | * uint32 ticket_lifetime_hint; |
ansond | 0:137634ff4186 | 3469 | * opaque ticket<0..2^16-1>; |
ansond | 0:137634ff4186 | 3470 | * } NewSessionTicket; |
ansond | 0:137634ff4186 | 3471 | * |
ansond | 0:137634ff4186 | 3472 | * 4 . 7 ticket_lifetime_hint (0 = unspecified) |
ansond | 0:137634ff4186 | 3473 | * 8 . 9 ticket_len (n) |
ansond | 0:137634ff4186 | 3474 | * 10 . 9+n ticket content |
ansond | 0:137634ff4186 | 3475 | */ |
ansond | 0:137634ff4186 | 3476 | |
ansond | 0:137634ff4186 | 3477 | ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF; |
ansond | 0:137634ff4186 | 3478 | ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF; |
ansond | 0:137634ff4186 | 3479 | ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF; |
ansond | 0:137634ff4186 | 3480 | ssl->out_msg[7] = ( lifetime ) & 0xFF; |
ansond | 0:137634ff4186 | 3481 | |
ansond | 0:137634ff4186 | 3482 | if( ( ret = ssl_write_ticket( ssl, &tlen ) ) != 0 ) |
ansond | 0:137634ff4186 | 3483 | { |
ansond | 0:137634ff4186 | 3484 | SSL_DEBUG_RET( 1, "ssl_write_ticket", ret ); |
ansond | 0:137634ff4186 | 3485 | tlen = 0; |
ansond | 0:137634ff4186 | 3486 | } |
ansond | 0:137634ff4186 | 3487 | |
ansond | 0:137634ff4186 | 3488 | ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF ); |
ansond | 0:137634ff4186 | 3489 | ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF ); |
ansond | 0:137634ff4186 | 3490 | |
ansond | 0:137634ff4186 | 3491 | ssl->out_msglen = 10 + tlen; |
ansond | 0:137634ff4186 | 3492 | |
ansond | 0:137634ff4186 | 3493 | /* |
ansond | 0:137634ff4186 | 3494 | * Morally equivalent to updating ssl->state, but NewSessionTicket and |
ansond | 0:137634ff4186 | 3495 | * ChangeCipherSpec share the same state. |
ansond | 0:137634ff4186 | 3496 | */ |
ansond | 0:137634ff4186 | 3497 | ssl->handshake->new_session_ticket = 0; |
ansond | 0:137634ff4186 | 3498 | |
ansond | 0:137634ff4186 | 3499 | if( ( ret = ssl_write_record( ssl ) ) != 0 ) |
ansond | 0:137634ff4186 | 3500 | { |
ansond | 0:137634ff4186 | 3501 | SSL_DEBUG_RET( 1, "ssl_write_record", ret ); |
ansond | 0:137634ff4186 | 3502 | return( ret ); |
ansond | 0:137634ff4186 | 3503 | } |
ansond | 0:137634ff4186 | 3504 | |
ansond | 0:137634ff4186 | 3505 | SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) ); |
ansond | 0:137634ff4186 | 3506 | |
ansond | 0:137634ff4186 | 3507 | return( 0 ); |
ansond | 0:137634ff4186 | 3508 | } |
ansond | 0:137634ff4186 | 3509 | #endif /* POLARSSL_SSL_SESSION_TICKETS */ |
ansond | 0:137634ff4186 | 3510 | |
ansond | 0:137634ff4186 | 3511 | /* |
ansond | 0:137634ff4186 | 3512 | * SSL handshake -- server side -- single step |
ansond | 0:137634ff4186 | 3513 | */ |
ansond | 0:137634ff4186 | 3514 | int ssl_handshake_server_step( ssl_context *ssl ) |
ansond | 0:137634ff4186 | 3515 | { |
ansond | 0:137634ff4186 | 3516 | int ret = 0; |
ansond | 0:137634ff4186 | 3517 | |
ansond | 0:137634ff4186 | 3518 | if( ssl->state == SSL_HANDSHAKE_OVER ) |
ansond | 0:137634ff4186 | 3519 | return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); |
ansond | 0:137634ff4186 | 3520 | |
ansond | 0:137634ff4186 | 3521 | SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) ); |
ansond | 0:137634ff4186 | 3522 | |
ansond | 0:137634ff4186 | 3523 | if( ( ret = ssl_flush_output( ssl ) ) != 0 ) |
ansond | 0:137634ff4186 | 3524 | return( ret ); |
ansond | 0:137634ff4186 | 3525 | |
ansond | 0:137634ff4186 | 3526 | switch( ssl->state ) |
ansond | 0:137634ff4186 | 3527 | { |
ansond | 0:137634ff4186 | 3528 | case SSL_HELLO_REQUEST: |
ansond | 0:137634ff4186 | 3529 | ssl->state = SSL_CLIENT_HELLO; |
ansond | 0:137634ff4186 | 3530 | break; |
ansond | 0:137634ff4186 | 3531 | |
ansond | 0:137634ff4186 | 3532 | /* |
ansond | 0:137634ff4186 | 3533 | * <== ClientHello |
ansond | 0:137634ff4186 | 3534 | */ |
ansond | 0:137634ff4186 | 3535 | case SSL_CLIENT_HELLO: |
ansond | 0:137634ff4186 | 3536 | ret = ssl_parse_client_hello( ssl ); |
ansond | 0:137634ff4186 | 3537 | break; |
ansond | 0:137634ff4186 | 3538 | |
ansond | 0:137634ff4186 | 3539 | /* |
ansond | 0:137634ff4186 | 3540 | * ==> ServerHello |
ansond | 0:137634ff4186 | 3541 | * Certificate |
ansond | 0:137634ff4186 | 3542 | * ( ServerKeyExchange ) |
ansond | 0:137634ff4186 | 3543 | * ( CertificateRequest ) |
ansond | 0:137634ff4186 | 3544 | * ServerHelloDone |
ansond | 0:137634ff4186 | 3545 | */ |
ansond | 0:137634ff4186 | 3546 | case SSL_SERVER_HELLO: |
ansond | 0:137634ff4186 | 3547 | ret = ssl_write_server_hello( ssl ); |
ansond | 0:137634ff4186 | 3548 | break; |
ansond | 0:137634ff4186 | 3549 | |
ansond | 0:137634ff4186 | 3550 | case SSL_SERVER_CERTIFICATE: |
ansond | 0:137634ff4186 | 3551 | ret = ssl_write_certificate( ssl ); |
ansond | 0:137634ff4186 | 3552 | break; |
ansond | 0:137634ff4186 | 3553 | |
ansond | 0:137634ff4186 | 3554 | case SSL_SERVER_KEY_EXCHANGE: |
ansond | 0:137634ff4186 | 3555 | ret = ssl_write_server_key_exchange( ssl ); |
ansond | 0:137634ff4186 | 3556 | break; |
ansond | 0:137634ff4186 | 3557 | |
ansond | 0:137634ff4186 | 3558 | case SSL_CERTIFICATE_REQUEST: |
ansond | 0:137634ff4186 | 3559 | ret = ssl_write_certificate_request( ssl ); |
ansond | 0:137634ff4186 | 3560 | break; |
ansond | 0:137634ff4186 | 3561 | |
ansond | 0:137634ff4186 | 3562 | case SSL_SERVER_HELLO_DONE: |
ansond | 0:137634ff4186 | 3563 | ret = ssl_write_server_hello_done( ssl ); |
ansond | 0:137634ff4186 | 3564 | break; |
ansond | 0:137634ff4186 | 3565 | |
ansond | 0:137634ff4186 | 3566 | /* |
ansond | 0:137634ff4186 | 3567 | * <== ( Certificate/Alert ) |
ansond | 0:137634ff4186 | 3568 | * ClientKeyExchange |
ansond | 0:137634ff4186 | 3569 | * ( CertificateVerify ) |
ansond | 0:137634ff4186 | 3570 | * ChangeCipherSpec |
ansond | 0:137634ff4186 | 3571 | * Finished |
ansond | 0:137634ff4186 | 3572 | */ |
ansond | 0:137634ff4186 | 3573 | case SSL_CLIENT_CERTIFICATE: |
ansond | 0:137634ff4186 | 3574 | ret = ssl_parse_certificate( ssl ); |
ansond | 0:137634ff4186 | 3575 | break; |
ansond | 0:137634ff4186 | 3576 | |
ansond | 0:137634ff4186 | 3577 | case SSL_CLIENT_KEY_EXCHANGE: |
ansond | 0:137634ff4186 | 3578 | ret = ssl_parse_client_key_exchange( ssl ); |
ansond | 0:137634ff4186 | 3579 | break; |
ansond | 0:137634ff4186 | 3580 | |
ansond | 0:137634ff4186 | 3581 | case SSL_CERTIFICATE_VERIFY: |
ansond | 0:137634ff4186 | 3582 | ret = ssl_parse_certificate_verify( ssl ); |
ansond | 0:137634ff4186 | 3583 | break; |
ansond | 0:137634ff4186 | 3584 | |
ansond | 0:137634ff4186 | 3585 | case SSL_CLIENT_CHANGE_CIPHER_SPEC: |
ansond | 0:137634ff4186 | 3586 | ret = ssl_parse_change_cipher_spec( ssl ); |
ansond | 0:137634ff4186 | 3587 | break; |
ansond | 0:137634ff4186 | 3588 | |
ansond | 0:137634ff4186 | 3589 | case SSL_CLIENT_FINISHED: |
ansond | 0:137634ff4186 | 3590 | ret = ssl_parse_finished( ssl ); |
ansond | 0:137634ff4186 | 3591 | break; |
ansond | 0:137634ff4186 | 3592 | |
ansond | 0:137634ff4186 | 3593 | /* |
ansond | 0:137634ff4186 | 3594 | * ==> ( NewSessionTicket ) |
ansond | 0:137634ff4186 | 3595 | * ChangeCipherSpec |
ansond | 0:137634ff4186 | 3596 | * Finished |
ansond | 0:137634ff4186 | 3597 | */ |
ansond | 0:137634ff4186 | 3598 | case SSL_SERVER_CHANGE_CIPHER_SPEC: |
ansond | 0:137634ff4186 | 3599 | #if defined(POLARSSL_SSL_SESSION_TICKETS) |
ansond | 0:137634ff4186 | 3600 | if( ssl->handshake->new_session_ticket != 0 ) |
ansond | 0:137634ff4186 | 3601 | ret = ssl_write_new_session_ticket( ssl ); |
ansond | 0:137634ff4186 | 3602 | else |
ansond | 0:137634ff4186 | 3603 | #endif |
ansond | 0:137634ff4186 | 3604 | ret = ssl_write_change_cipher_spec( ssl ); |
ansond | 0:137634ff4186 | 3605 | break; |
ansond | 0:137634ff4186 | 3606 | |
ansond | 0:137634ff4186 | 3607 | case SSL_SERVER_FINISHED: |
ansond | 0:137634ff4186 | 3608 | ret = ssl_write_finished( ssl ); |
ansond | 0:137634ff4186 | 3609 | break; |
ansond | 0:137634ff4186 | 3610 | |
ansond | 0:137634ff4186 | 3611 | case SSL_FLUSH_BUFFERS: |
ansond | 0:137634ff4186 | 3612 | SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); |
ansond | 0:137634ff4186 | 3613 | ssl->state = SSL_HANDSHAKE_WRAPUP; |
ansond | 0:137634ff4186 | 3614 | break; |
ansond | 0:137634ff4186 | 3615 | |
ansond | 0:137634ff4186 | 3616 | case SSL_HANDSHAKE_WRAPUP: |
ansond | 0:137634ff4186 | 3617 | ssl_handshake_wrapup( ssl ); |
ansond | 0:137634ff4186 | 3618 | break; |
ansond | 0:137634ff4186 | 3619 | |
ansond | 0:137634ff4186 | 3620 | default: |
ansond | 0:137634ff4186 | 3621 | SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); |
ansond | 0:137634ff4186 | 3622 | return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); |
ansond | 0:137634ff4186 | 3623 | } |
ansond | 0:137634ff4186 | 3624 | |
ansond | 0:137634ff4186 | 3625 | return( ret ); |
ansond | 0:137634ff4186 | 3626 | } |
ansond | 0:137634ff4186 | 3627 | #endif /* POLARSSL_SSL_SRV_C */ |
ansond | 0:137634ff4186 | 3628 |