TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 73f4cb126d003baa510fba6a95a5987f25f8455a / . / library / ssl_cli.c
blob: 8774003beb3270e684bb415144e0c86a09903624 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 client-side functions
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]22#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]23#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]24#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]25#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]26#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]30#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]31#include "mbedtls/platform.h"
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]32#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]33#include <stdlib.h>
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]34#define mbedtls_calloc calloc
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]35#define mbedtls_free free
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]36#endif
37
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]38#include "mbedtls/debug.h"
39#include "mbedtls/ssl.h"
40#include "mbedtls/ssl_internal.h"
41
42#include <string.h>
43
Manuel Pégourié-Gonnard93866642015-06-22 19:21:23 +0200[diff] [blame]44#include <stdint.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]45
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]46#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +0100[diff] [blame]47#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]48#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]49
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]50#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]51#include "mbedtls/platform_util.h"
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]52#endif
53
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]54#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
55static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]56 unsigned char *buf,
57 size_t *olen )
58{
59 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]60 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]61 size_t hostname_len;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]62
63 *olen = 0;
64
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]65 if( ssl->hostname == NULL )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]66 return;
67
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]68 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]69 ssl->hostname ) );
70
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]71 hostname_len = strlen( ssl->hostname );
72
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]73 if( end < p || (size_t)( end - p ) < hostname_len + 9 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]74 {
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]75 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]76 return;
77 }
78
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]79 /*
Hanno Becker1a9a51c2017-04-07 13:02:16 +0100[diff] [blame]80 * Sect. 3, RFC 6066 (TLS Extensions Definitions)
81 *
82 * In order to provide any of the server names, clients MAY include an
83 * extension of type "server_name" in the (extended) client hello. The
84 * "extension_data" field of this extension SHALL contain
85 * "ServerNameList" where:
86 *
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]87 * struct {
88 * NameType name_type;
89 * select (name_type) {
90 * case host_name: HostName;
91 * } name;
92 * } ServerName;
93 *
94 * enum {
95 * host_name(0), (255)
96 * } NameType;
97 *
98 * opaque HostName<1..2^16-1>;
99 *
100 * struct {
101 * ServerName server_name_list<1..2^16-1>
102 * } ServerNameList;
Hanno Becker1a9a51c2017-04-07 13:02:16 +0100[diff] [blame]103 *
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]104 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]105 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
106 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]107
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]108 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
109 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]110
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]111 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
112 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]113
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]114 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]115 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
116 *p++ = (unsigned char)( ( hostname_len ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]117
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]118 memcpy( p, ssl->hostname, hostname_len );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]119
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]120 *olen = hostname_len + 9;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]121}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]122#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]123
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]124#if defined(MBEDTLS_SSL_RENEGOTIATION)
125static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]126 unsigned char *buf,
127 size_t *olen )
128{
129 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]130 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]131
132 *olen = 0;
133
Hanno Becker40f8b512017-10-12 14:58:55 +0100[diff] [blame]134 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
135 * initial ClientHello, in which case also adding the renegotiation
136 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]137 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]138 return;
139
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]140 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]141
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]142 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]143 {
144 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
145 return;
146 }
147
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]148 /*
149 * Secure renegotiation
150 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]151 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
152 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]153
154 *p++ = 0x00;
155 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
156 *p++ = ssl->verify_data_len & 0xFF;
157
158 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
159
160 *olen = 5 + ssl->verify_data_len;
161}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]162#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]163
Manuel Pégourié-Gonnardd9423232014-12-02 11:57:29 +0100[diff] [blame]164/*
165 * Only if we handle at least one key exchange that needs signatures.
166 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]167#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
168 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
169static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]170 unsigned char *buf,
171 size_t *olen )
172{
173 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]174 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]175 size_t sig_alg_len = 0;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]176 const int *md;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]177#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard5bfd9682014-06-24 15:18:11 +0200[diff] [blame]178 unsigned char *sig_alg_list = buf + 6;
179#endif
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]180
181 *olen = 0;
182
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]183 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]184 return;
185
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]186 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]187
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]188 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
189 {
190#if defined(MBEDTLS_ECDSA_C)
191 sig_alg_len += 2;
192#endif
193#if defined(MBEDTLS_RSA_C)
194 sig_alg_len += 2;
195#endif
196 }
197
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]198 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]199 {
200 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
201 return;
202 }
203
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]204 /*
205 * Prepare signature_algorithms extension (TLS 1.2)
206 */
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]207 sig_alg_len = 0;
208
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]209 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
210 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]211#if defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]212 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
213 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200[diff] [blame]214#endif
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]215#if defined(MBEDTLS_RSA_C)
216 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
217 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200[diff] [blame]218#endif
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]219 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]220
221 /*
222 * enum {
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]223 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
224 * sha512(6), (255)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]225 * } HashAlgorithm;
226 *
227 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
228 * SignatureAlgorithm;
229 *
230 * struct {
231 * HashAlgorithm hash;
232 * SignatureAlgorithm signature;
233 * } SignatureAndHashAlgorithm;
234 *
235 * SignatureAndHashAlgorithm
236 * supported_signature_algorithms<2..2^16-2>;
237 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]238 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
239 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]240
241 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
242 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
243
244 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
245 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
246
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]247 *olen = 6 + sig_alg_len;
248}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]249#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
250 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]251
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]252#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]253 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]254static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]255 unsigned char *buf,
256 size_t *olen )
257{
258 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]259 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard8e205fc2014-01-23 17:27:10 +0100[diff] [blame]260 unsigned char *elliptic_curve_list = p + 6;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]261 size_t elliptic_curve_len = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]262 const mbedtls_ecp_curve_info *info;
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]263#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]264 const mbedtls_ecp_group_id *grp_id;
Paul Bakker0910f322014-02-06 13:41:18 +0100[diff] [blame]265#else
266 ((void) ssl);
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100[diff] [blame]267#endif
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]268
269 *olen = 0;
270
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]271 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]272
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]273#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]274 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100[diff] [blame]275#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]276 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
Gilles Peskinef9828522017-05-03 12:28:43 +0200[diff] [blame]277#endif
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100[diff] [blame]278 {
Gilles Peskinef9828522017-05-03 12:28:43 +0200[diff] [blame]279#if defined(MBEDTLS_ECP_C)
280 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100[diff] [blame]281#endif
Janos Follath8a317052016-04-21 23:37:09 +0100[diff] [blame]282 if( info == NULL )
283 {
284 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) );
285 return;
286 }
287
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]288 elliptic_curve_len += 2;
289 }
290
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]291 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]292 {
293 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
294 return;
295 }
296
297 elliptic_curve_len = 0;
298
299#if defined(MBEDTLS_ECP_C)
300 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]301#else
302 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
Gilles Peskinef9828522017-05-03 12:28:43 +0200[diff] [blame]303#endif
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]304 {
Gilles Peskinef9828522017-05-03 12:28:43 +0200[diff] [blame]305#if defined(MBEDTLS_ECP_C)
306 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]307#endif
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100[diff] [blame]308 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
309 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200[diff] [blame]310 }
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]311
312 if( elliptic_curve_len == 0 )
313 return;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]314
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]315 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
316 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]317
318 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
319 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
320
321 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
322 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
323
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]324 *olen = 6 + elliptic_curve_len;
325}
326
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]327static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]328 unsigned char *buf,
329 size_t *olen )
330{
331 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]332 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]333
334 *olen = 0;
335
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]336 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]337
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]338 if( end < p || (size_t)( end - p ) < 6 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]339 {
340 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
341 return;
342 }
343
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]344 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
345 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]346
347 *p++ = 0x00;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]348 *p++ = 2;
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]349
350 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]351 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]352
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]353 *olen = 6;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]354}
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]355#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]356 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]357
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]358#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]359static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
360 unsigned char *buf,
361 size_t *olen )
362{
363 int ret;
364 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]365 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]366 size_t kkpp_len;
367
368 *olen = 0;
369
370 /* Skip costly extension if we can't use EC J-PAKE anyway */
371 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
372 return;
373
374 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) );
375
376 if( end - p < 4 )
377 {
378 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
379 return;
380 }
381
382 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
383 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
384
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]385 /*
386 * We may need to send ClientHello multiple times for Hello verification.
387 * We don't want to compute fresh values every time (both for performance
388 * and consistency reasons), so cache the extension content.
389 */
390 if( ssl->handshake->ecjpake_cache == NULL ||
391 ssl->handshake->ecjpake_cache_len == 0 )
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]392 {
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]393 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
394
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +0200[diff] [blame]395 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
396 p + 2, end - p - 2, &kkpp_len,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]397 mbedtls_ssl_conf_get_frng( ssl->conf ),
398 ssl->conf->p_rng );
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +0200[diff] [blame]399 if( ret != 0 )
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]400 {
401 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
402 return;
403 }
404
405 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
406 if( ssl->handshake->ecjpake_cache == NULL )
407 {
408 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
409 return;
410 }
411
412 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
413 ssl->handshake->ecjpake_cache_len = kkpp_len;
414 }
415 else
416 {
417 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
418
419 kkpp_len = ssl->handshake->ecjpake_cache_len;
420
421 if( (size_t)( end - p - 2 ) < kkpp_len )
422 {
423 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
424 return;
425 }
426
427 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]428 }
429
430 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
431 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
432
433 *olen = kkpp_len + 4;
434}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]435#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]436
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]437#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]438static void ssl_write_cid_ext( mbedtls_ssl_context *ssl,
439 unsigned char *buf,
440 size_t *olen )
441{
442 unsigned char *p = buf;
443 size_t ext_len;
444 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
445
446 /*
Hanno Becker3cdf8fe2019-05-15 10:26:32 +0100[diff] [blame]447 * Quoting draft-ietf-tls-dtls-connection-id-05
448 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]449 *
450 * struct {
451 * opaque cid<0..2^8-1>;
452 * } ConnectionId;
453 */
454
455 *olen = 0;
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]456 if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) ||
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]457 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
458 {
459 return;
460 }
461 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding CID extension" ) );
462
463 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
464 * which is at most 255, so the increment cannot overflow. */
465 if( end < p || (size_t)( end - p ) < (unsigned)( ssl->own_cid_len + 5 ) )
466 {
467 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
468 return;
469 }
470
471 /* Add extension ID + size */
472 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID >> 8 ) & 0xFF );
473 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID ) & 0xFF );
474 ext_len = (size_t) ssl->own_cid_len + 1;
475 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
476 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
477
478 *p++ = (uint8_t) ssl->own_cid_len;
479 memcpy( p, ssl->own_cid, ssl->own_cid_len );
480
481 *olen = ssl->own_cid_len + 5;
482}
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]483#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]484
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]485#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
486static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]487 unsigned char *buf,
488 size_t *olen )
489{
490 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]491 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]492
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]493 *olen = 0;
494
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]495 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]496 return;
497 }
498
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]499 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]500
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]501 if( end < p || (size_t)( end - p ) < 5 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]502 {
503 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
504 return;
505 }
506
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]507 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
508 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]509
510 *p++ = 0x00;
511 *p++ = 1;
512
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]513 *p++ = ssl->conf->mfl_code;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]514
515 *olen = 5;
516}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]517#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]518
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]519#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
520static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]521 unsigned char *buf, size_t *olen )
522{
523 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]524 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]525
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]526 *olen = 0;
527
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]528 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]529 {
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]530 return;
531 }
532
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]533 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]534
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]535 if( end < p || (size_t)( end - p ) < 4 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]536 {
537 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
538 return;
539 }
540
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]541 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
542 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]543
544 *p++ = 0x00;
545 *p++ = 0x00;
546
547 *olen = 4;
548}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]549#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]550
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]551#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
552static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]553 unsigned char *buf, size_t *olen )
554{
555 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]556 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]557
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]558 *olen = 0;
559
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]560 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
561 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]562 {
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]563 return;
564 }
565
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]566 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]567 "extension" ) );
568
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]569 if( end < p || (size_t)( end - p ) < 4 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]570 {
571 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
572 return;
573 }
574
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]575 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
576 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]577
578 *p++ = 0x00;
579 *p++ = 0x00;
580
581 *olen = 4;
582}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]583#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]584
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]585#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
586static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]587 unsigned char *buf, size_t *olen )
588{
589 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]590 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]591
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]592 *olen = 0;
593
Hanno Beckeraabbb582019-06-11 13:43:27 +0100[diff] [blame]594 if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
595 MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]596 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]597 {
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]598 return;
599 }
600
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]601 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]602 "extension" ) );
603
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]604 if( end < p || (size_t)( end - p ) < 4 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]605 {
606 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
607 return;
608 }
609
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]610 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
611 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]612
613 *p++ = 0x00;
614 *p++ = 0x00;
615
616 *olen = 4;
617}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]618#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]619
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]620#if defined(MBEDTLS_SSL_SESSION_TICKETS)
621static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]622 unsigned char *buf, size_t *olen )
623{
624 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]625 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]626 size_t tlen = ssl->session_negotiate->ticket_len;
627
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]628 *olen = 0;
629
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]630 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]631 {
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]632 return;
633 }
634
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]635 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]636
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]637 if( end < p || (size_t)( end - p ) < 4 + tlen )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]638 {
639 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
640 return;
641 }
642
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]643 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
644 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]645
646 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
647 *p++ = (unsigned char)( ( tlen ) & 0xFF );
648
649 *olen = 4;
650
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]651 if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]652 {
653 return;
654 }
655
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]656 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]657
658 memcpy( p, ssl->session_negotiate->ticket, tlen );
659
660 *olen += tlen;
661}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]662#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]663
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]664#if defined(MBEDTLS_SSL_ALPN)
665static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]666 unsigned char *buf, size_t *olen )
667{
668 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]669 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]670 size_t alpnlen = 0;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]671 const char **cur;
672
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]673 *olen = 0;
674
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]675 if( ssl->conf->alpn_list == NULL )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]676 {
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]677 return;
678 }
679
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]680 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]681
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]682 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
Simon Butcher04799a42015-09-29 00:31:09 +0100[diff] [blame]683 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]684
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]685 if( end < p || (size_t)( end - p ) < 6 + alpnlen )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]686 {
687 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
688 return;
689 }
690
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]691 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
692 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]693
694 /*
695 * opaque ProtocolName<1..2^8-1>;
696 *
697 * struct {
698 * ProtocolName protocol_name_list<2..2^16-1>
699 * } ProtocolNameList;
700 */
701
702 /* Skip writing extension and list length for now */
703 p += 4;
704
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]705 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]706 {
707 *p = (unsigned char)( strlen( *cur ) & 0xFF );
708 memcpy( p + 1, *cur, *p );
709 p += 1 + *p;
710 }
711
712 *olen = p - buf;
713
714 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
715 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
716 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
717
718 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
719 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
720 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
721}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]722#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]723
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]724/*
725 * Generate random bytes for ClientHello
726 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]727static int ssl_generate_random( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]728{
729 int ret;
730 unsigned char *p = ssl->handshake->randbytes;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]731#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]732 mbedtls_time_t t;
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]733#endif
734
Manuel Pégourié-Gonnardfb2d2232014-07-22 15:59:14 +0200[diff] [blame]735 /*
736 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
737 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]738#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]739 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
Manuel Pégourié-Gonnardfb2d2232014-07-22 15:59:14 +0200[diff] [blame]740 ssl->handshake->verify_cookie != NULL )
741 {
742 return( 0 );
743 }
744#endif
745
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]746#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]747 t = mbedtls_time( NULL );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]748 *p++ = (unsigned char)( t >> 24 );
749 *p++ = (unsigned char)( t >> 16 );
750 *p++ = (unsigned char)( t >> 8 );
751 *p++ = (unsigned char)( t );
752
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]753 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]754#else
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]755 if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
756 ( ssl->conf->p_rng, p, 4 ) ) != 0 )
757 {
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]758 return( ret );
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]759 }
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]760
761 p += 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]762#endif /* MBEDTLS_HAVE_TIME */
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]763
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]764 if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
765 ( ssl->conf->p_rng, p, 28 ) ) != 0 )
766 {
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]767 return( ret );
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]768 }
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]769
770 return( 0 );
771}
772
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]773/**
774 * \brief Validate cipher suite against config in SSL context.
775 *
776 * \param suite_info cipher suite to validate
777 * \param ssl SSL context
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]778 * \param min_minor_ver Minimal minor version to accept a cipher suite
779 * \param max_minor_ver Maximal minor version to accept a cipher suite
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]780 *
781 * \return 0 if valid, else 1
782 */
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]783static int ssl_validate_ciphersuite( mbedtls_ssl_ciphersuite_handle_t suite_info,
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]784 const mbedtls_ssl_context * ssl,
785 int min_minor_ver, int max_minor_ver )
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]786{
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]787 (void) ssl;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]788 if( suite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]789 return( 1 );
790
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]791
792 if( mbedtls_ssl_suite_get_min_minor_ver( suite_info ) > max_minor_ver ||
793 mbedtls_ssl_suite_get_max_minor_ver( suite_info ) < min_minor_ver )
794 {
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]795 return( 1 );
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]796 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]797
798#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]799 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]800 ( mbedtls_ssl_suite_get_flags( suite_info ) &
801 MBEDTLS_CIPHERSUITE_NODTLS ) != 0 )
802 {
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]803 return( 1 );
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]804 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]805#endif
806
807#if defined(MBEDTLS_ARC4_C)
808 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]809 mbedtls_ssl_suite_get_cipher( suite_info ) == MBEDTLS_CIPHER_ARC4_128 )
810 {
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]811 return( 1 );
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]812 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]813#endif
814
815#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]816 if( mbedtls_ssl_suite_get_key_exchange( suite_info ) ==
817 MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
818 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
819 {
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]820 return( 1 );
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]821 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]822#endif
823
824 return( 0 );
825}
826
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]827static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]828{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]829 int ret;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]830 size_t i, n, olen, ext_len = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]831 unsigned char *buf;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]832 unsigned char *p, *q;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]833 unsigned char offer_compress;
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]834#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
835 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
836 int uses_ec = 0;
837#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]838
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]839 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]840
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]841 if( mbedtls_ssl_conf_get_frng( ssl->conf ) == NULL )
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]842 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]843 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
844 return( MBEDTLS_ERR_SSL_NO_RNG );
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]845 }
846
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]847 if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]848 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]849 ssl->major_ver = ssl->conf->min_major_ver;
850 ssl->minor_ver = ssl->conf->min_minor_ver;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]851 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]852
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +0200[diff] [blame]853 if( ssl->conf->max_major_ver == 0 )
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]854 {
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +0200[diff] [blame]855 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
856 "consider using mbedtls_ssl_config_defaults()" ) );
857 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]858 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]859
860 /*
861 * 0 . 0 handshake type
862 * 1 . 3 handshake length
863 * 4 . 5 highest version supported
864 * 6 . 9 current UNIX time
865 * 10 . 37 random bytes
866 */
867 buf = ssl->out_msg;
868 p = buf + 4;
869
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]870 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
871 ssl->conf->transport, p );
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]872 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]873
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]874 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]875 buf[4], buf[5] ) );
876
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]877 if( ( ret = ssl_generate_random( ssl ) ) != 0 )
878 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]879 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]880 return( ret );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]881 }
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]882
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]883 memcpy( p, ssl->handshake->randbytes, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]884 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]885 p += 32;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]886
887 /*
888 * 38 . 38 session id length
889 * 39 . 39+n session id
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]890 * 39+n . 39+n DTLS only: cookie length (1 byte)
891 * 40+n . .. DTSL only: cookie
892 * .. . .. ciphersuitelist length (2 bytes)
893 * .. . .. ciphersuitelist
894 * .. . .. compression methods length (1 byte)
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]895 * .. . .. compression methods
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]896 * .. . .. extensions length (2 bytes)
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]897 * .. . .. extensions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]898 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]899
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]900 /*
901 * We'll write a session of non-zero length if resumption was requested
902 * by the user, we're not renegotiating, and the session ID is of
903 * appropriate length. Otherwise make the length 0 (for now, see next code
904 * block for behaviour with tickets).
905 */
906 if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 0 ||
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]907 mbedtls_ssl_get_renego_status( ssl ) != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]908 ssl->session_negotiate->id_len < 16 ||
909 ssl->session_negotiate->id_len > 32 )
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]910 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]911 n = 0;
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]912 }
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]913 else
914 {
915 n = ssl->session_negotiate->id_len;
916 }
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]917
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]918#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]919 /*
920 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
921 * generate and include a Session ID in the TLS ClientHello."
922 */
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]923 if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
924 ssl->session_negotiate->ticket != NULL &&
925 ssl->session_negotiate->ticket_len != 0 )
Manuel Pégourié-Gonnardd2b35ec2015-03-10 11:40:43 +0000[diff] [blame]926 {
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]927 ret = mbedtls_ssl_conf_get_frng( ssl->conf )
928 ( ssl->conf->p_rng, ssl->session_negotiate->id, 32 );
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]929
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]930 if( ret != 0 )
931 return( ret );
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]932
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]933 ssl->session_negotiate->id_len = n = 32;
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]934 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]935#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]936
937 *p++ = (unsigned char) n;
938
939 for( i = 0; i < n; i++ )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]940 *p++ = ssl->session_negotiate->id[i];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]941
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]942 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
943 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]944
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]945 /*
946 * DTLS cookie
947 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]948#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]949 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]950 {
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]951 if( ssl->handshake->verify_cookie == NULL )
952 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]953 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]954 *p++ = 0;
955 }
956 else
957 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]958 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]959 ssl->handshake->verify_cookie,
960 ssl->handshake->verify_cookie_len );
961
962 *p++ = ssl->handshake->verify_cookie_len;
963 memcpy( p, ssl->handshake->verify_cookie,
964 ssl->handshake->verify_cookie_len );
965 p += ssl->handshake->verify_cookie_len;
966 }
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]967 }
968#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]969
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]970 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]971 * Ciphersuite list
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]972 */
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]973
974 /* Skip writing ciphersuite length for now */
975 n = 0;
976 q = p;
977 p += 2;
978
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]979 MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE( ssl,
980 ssl->minor_ver,
981 ciphersuite_info )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]982 {
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]983 if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
984 ssl->conf->min_minor_ver,
985 ssl->conf->max_minor_ver ) != 0 )
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]986 {
987 /* Logically, we want to continue the ciphersuite iteration
988 * here, but We can't just use `continue` because
989 * MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE()
990 * doesn't unfold to a loop in case only a single
991 * ciphersuite is enabled. */
992 goto next_suite;
993 }
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]994
Manuel Pégourié-Gonnard60884a12015-09-16 11:13:41 +0200[diff] [blame]995 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]996 mbedtls_ssl_suite_get_id( ciphersuite_info ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]997
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]998#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
999 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1000 uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
1001#endif
1002
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1003 n++;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]1004 *p++ = (unsigned char)(
1005 mbedtls_ssl_suite_get_id( ciphersuite_info ) >> 8 );
1006 *p++ = (unsigned char)(
1007 mbedtls_ssl_suite_get_id( ciphersuite_info ) );
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1008
1009 next_suite:
1010 /* Need something here to avoid
1011 * 'label at end of compound statement' error. */
1012 ((void) 0);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1013 }
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1014 MBEDTLS_SSL_END_FOR_EACH_CIPHERSUITE
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1015
Ron Eldor4a2fb4c2017-09-10 17:03:50 +0300[diff] [blame]1016 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
Ron Eldor714785d2017-08-28 13:55:55 +0300[diff] [blame]1017
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]1018 /*
1019 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1020 */
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]1021 if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]1022 {
Ron Eldor4a2fb4c2017-09-10 17:03:50 +0300[diff] [blame]1023 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1024 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
1025 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]1026 n++;
1027 }
1028
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1029 /* Some versions of OpenSSL don't handle it correctly if not at end */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1030#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
Manuel Pégourié-Gonnard684b0592015-05-06 09:27:31 +0100[diff] [blame]1031 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1032 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1033 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
1034 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
1035 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1036 n++;
1037 }
1038#endif
1039
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1040 *q++ = (unsigned char)( n >> 7 );
1041 *q++ = (unsigned char)( n << 1 );
1042
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1043#if defined(MBEDTLS_ZLIB_SUPPORT)
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1044 offer_compress = 1;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1045#else
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1046 offer_compress = 0;
1047#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1048
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1049 /*
Johannes H4e5d23f2018-01-06 09:46:57 +0100[diff] [blame]1050 * We don't support compression with DTLS right now: if many records come
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1051 * in the same datagram, uncompressing one could overwrite the next one.
1052 * We don't want to add complexity for handling that case unless there is
1053 * an actual need for it.
1054 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1055#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]1056 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1057 offer_compress = 0;
1058#endif
1059
1060 if( offer_compress )
1061 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1062 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
1063 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
1064 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1065
1066 *p++ = 2;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1067 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
1068 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1069 }
1070 else
1071 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1072 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
1073 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
1074 MBEDTLS_SSL_COMPRESS_NULL ) );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1075
1076 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1077 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1078 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1079
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1080 // First write extensions, then the total length
1081 //
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1082#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1083 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
1084 ext_len += olen;
Paul Bakker0be444a2013-08-27 21:55:01 +0200[diff] [blame]1085#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1086
Hanno Becker40f8b512017-10-12 14:58:55 +0100[diff] [blame]1087 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
1088 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1089#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1090 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1091 ext_len += olen;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1092#endif
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1093
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1094#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1095 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1096 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
1097 ext_len += olen;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]1098#endif
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1099
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]1100#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1101 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]1102 if( uses_ec )
1103 {
1104 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
1105 ext_len += olen;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1106
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]1107 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1108 ext_len += olen;
1109 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1110#endif
1111
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]1112#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]1113 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
1114 ext_len += olen;
1115#endif
1116
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1117#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]1118 ssl_write_cid_ext( ssl, p + 2 + ext_len, &olen );
1119 ext_len += olen;
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1120#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]1121
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1122#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1123 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1124 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1125#endif
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1126
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1127#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1128 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1129 ext_len += olen;
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1130#endif
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1131
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1132#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1133 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
1134 ext_len += olen;
1135#endif
1136
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1137#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1138 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
1139 ext_len += olen;
1140#endif
1141
Simon Butcher5624ec82015-09-29 01:06:06 +0100[diff] [blame]1142#if defined(MBEDTLS_SSL_ALPN)
1143 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1144 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1145#endif
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1146
Simon Butcher5624ec82015-09-29 01:06:06 +0100[diff] [blame]1147#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1148 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1149 ext_len += olen;
1150#endif
1151
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1152 /* olen unused if all extensions are disabled */
1153 ((void) olen);
1154
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1155 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1156 ext_len ) );
1157
Paul Bakkera7036632014-04-30 10:15:38 +0200[diff] [blame]1158 if( ext_len > 0 )
1159 {
1160 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1161 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1162 p += ext_len;
1163 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1164
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1165 ssl->out_msglen = p - buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1166 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1167 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1168
1169 ssl->state++;
1170
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1171#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]1172 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1173 mbedtls_ssl_send_flight_completed( ssl );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]1174#endif
1175
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]1176 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1177 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]1178 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1179 return( ret );
1180 }
1181
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]1182#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]1183 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]1184 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
1185 {
1186 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
1187 return( ret );
1188 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]1189#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]1190
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1191 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1192
1193 return( 0 );
1194}
1195
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1196static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]1197 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1198 size_t len )
1199{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1200#if defined(MBEDTLS_SSL_RENEGOTIATION)
1201 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1202 {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]1203 /* Check verify-data in constant-time. The length OTOH is no secret */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1204 if( len != 1 + ssl->verify_data_len * 2 ||
1205 buf[0] != ssl->verify_data_len * 2 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1206 mbedtls_ssl_safer_memcmp( buf + 1,
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]1207 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1208 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]1209 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1210 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1211 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1212 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1213 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1214 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1215 }
1216 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1217 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1218#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1219 {
1220 if( len != 1 || buf[0] != 0x00 )
1221 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1222 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1223 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1224 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1225 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1226 }
1227
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1228 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1229 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1230
1231 return( 0 );
1232}
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1233
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1234#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1235static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]1236 const unsigned char *buf,
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1237 size_t len )
1238{
1239 /*
1240 * server should use the extension only if we did,
1241 * and if so the server's value should match ours (and len is always 1)
1242 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1243 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1244 len != 1 ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1245 buf[0] != ssl->conf->mfl_code )
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1246 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1247 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1248 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1249 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1250 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1251 }
1252
1253 return( 0 );
1254}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1255#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1256
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1257#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1258static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1259 const unsigned char *buf,
1260 size_t len )
1261{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1262 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1263 len != 0 )
1264 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1265 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1266 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1267 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1268 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1269 }
1270
1271 ((void) buf);
1272
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1273 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1274
1275 return( 0 );
1276}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1277#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1278
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1279#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1280static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
1281 const unsigned char *buf,
1282 size_t len )
1283{
1284 size_t peer_cid_len;
1285
1286 if( /* CID extension only makes sense in DTLS */
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]1287 MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) ||
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1288 /* The server must only send the CID extension if we have offered it. */
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1289 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1290 {
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1291 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension unexpected" ) );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1292 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1293 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1294 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1295 }
1296
1297 if( len == 0 )
1298 {
1299 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
1300 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1301 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1302 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1303 }
1304
1305 peer_cid_len = *buf++;
1306 len--;
1307
1308 if( peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX )
1309 {
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1310 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1311 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1312 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1313 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1314 }
1315
1316 if( len != peer_cid_len )
1317 {
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1318 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1319 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1320 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1321 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1322 }
1323
Hanno Beckerf885d3b2019-05-03 12:47:49 +0100[diff] [blame]1324 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1325 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
1326 memcpy( ssl->handshake->peer_cid, buf, peer_cid_len );
1327
1328 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of CID extension negotiated" ) );
1329 MBEDTLS_SSL_DEBUG_BUF( 3, "Server CID", buf, peer_cid_len );
1330
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1331 return( 0 );
1332}
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1333#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1334
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1335#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1336static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1337 const unsigned char *buf,
1338 size_t len )
1339{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1340 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1341 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1342 len != 0 )
1343 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1344 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1345 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1346 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1347 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1348 }
1349
1350 ((void) buf);
1351
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1352 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1353
1354 return( 0 );
1355}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1356#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1357
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1358#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1359static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1360 const unsigned char *buf,
1361 size_t len )
1362{
Hanno Beckeraabbb582019-06-11 13:43:27 +0100[diff] [blame]1363 if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
1364 MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1365 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1366 len != 0 )
1367 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1368 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1369 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1370 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1371 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1372 }
1373
1374 ((void) buf);
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1375 return( 0 );
1376}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1377#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1378
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1379#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1380static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1381 const unsigned char *buf,
1382 size_t len )
1383{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1384 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]1385 len != 0 )
1386 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1387 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1388 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1389 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1390 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]1391 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1392
1393 ((void) buf);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]1394
1395 ssl->handshake->new_session_ticket = 1;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1396
1397 return( 0 );
1398}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1399#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1400
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1401#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1402 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1403static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1404 const unsigned char *buf,
1405 size_t len )
1406{
1407 size_t list_size;
1408 const unsigned char *p;
1409
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]1410 if( len == 0 || (size_t)( buf[0] + 1 ) != len )
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1411 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1412 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1413 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1414 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1415 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1416 }
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]1417 list_size = buf[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1418
Manuel Pégourié-Gonnardfd35af12014-06-23 14:10:13 +0200[diff] [blame]1419 p = buf + 1;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1420 while( list_size > 0 )
1421 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1422 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1423 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1424 {
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1425#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]1426 ssl->handshake->ecdh_ctx.point_format = p[0];
Gilles Peskine064a85c2017-05-10 10:46:40 +0200[diff] [blame]1427#endif
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1428#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1429 ssl->handshake->ecjpake_ctx.point_format = p[0];
1430#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1431 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1432 return( 0 );
1433 }
1434
1435 list_size--;
1436 p++;
1437 }
1438
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1439 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1440 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1441 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1442 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1443}
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]1444#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1445 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1446
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1447#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1448static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
1449 const unsigned char *buf,
1450 size_t len )
1451{
1452 int ret;
1453
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]1454 if( mbedtls_ssl_suite_get_key_exchange(
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]1455 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) )
1456 != MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1457 {
1458 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
1459 return( 0 );
1460 }
1461
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]1462 /* If we got here, we no longer need our cached extension */
1463 mbedtls_free( ssl->handshake->ecjpake_cache );
1464 ssl->handshake->ecjpake_cache = NULL;
1465 ssl->handshake->ecjpake_cache_len = 0;
1466
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1467 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
1468 buf, len ) ) != 0 )
1469 {
1470 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1471 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1472 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1473 return( ret );
1474 }
1475
1476 return( 0 );
1477}
1478#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1479
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1480#if defined(MBEDTLS_SSL_ALPN)
1481static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1482 const unsigned char *buf, size_t len )
1483{
1484 size_t list_len, name_len;
1485 const char **p;
1486
1487 /* If we didn't send it, the server shouldn't send it */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1488 if( ssl->conf->alpn_list == NULL )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1489 {
1490 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1491 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1492 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1493 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1494 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1495
1496 /*
1497 * opaque ProtocolName<1..2^8-1>;
1498 *
1499 * struct {
1500 * ProtocolName protocol_name_list<2..2^16-1>
1501 * } ProtocolNameList;
1502 *
1503 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
1504 */
1505
1506 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
1507 if( len < 4 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1508 {
1509 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1510 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1511 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1512 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1513
1514 list_len = ( buf[0] << 8 ) | buf[1];
1515 if( list_len != len - 2 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1516 {
1517 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1518 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1519 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1520 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1521
1522 name_len = buf[2];
1523 if( name_len != list_len - 1 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1524 {
1525 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1526 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1527 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1528 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1529
1530 /* Check that the server chosen protocol was in our list and save it */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1531 for( p = ssl->conf->alpn_list; *p != NULL; p++ )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1532 {
1533 if( name_len == strlen( *p ) &&
1534 memcmp( buf + 3, *p, name_len ) == 0 )
1535 {
1536 ssl->alpn_chosen = *p;
1537 return( 0 );
1538 }
1539 }
1540
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1541 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1542 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1543 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1544 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1545}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1546#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1547
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1548/*
1549 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1550 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1551#if defined(MBEDTLS_SSL_PROTO_DTLS)
1552static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1553{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1554 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1555 int major_ver, minor_ver;
1556 unsigned char cookie_len;
1557
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1558 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1559
1560 /*
1561 * struct {
1562 * ProtocolVersion server_version;
1563 * opaque cookie<0..2^8-1>;
1564 * } HelloVerifyRequest;
1565 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1566 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1567 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1568 p += 2;
1569
Manuel Pégourié-Gonnardb35fe562014-08-09 17:00:46 +0200[diff] [blame]1570 /*
1571 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
1572 * even is lower than our min version.
1573 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1574 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
1575 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1576 major_ver > ssl->conf->max_major_ver ||
1577 minor_ver > ssl->conf->max_minor_ver )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1578 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1579 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1580
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1581 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1582 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1583
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1584 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1585 }
1586
1587 cookie_len = *p++;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1588 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1589
Andres AG5a87c932016-09-26 14:53:05 +0100[diff] [blame]1590 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
1591 {
1592 MBEDTLS_SSL_DEBUG_MSG( 1,
1593 ( "cookie length does not match incoming message size" ) );
1594 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1595 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1596 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1597 }
1598
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1599 mbedtls_free( ssl->handshake->verify_cookie );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1600
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]1601 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1602 if( ssl->handshake->verify_cookie == NULL )
1603 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]1604 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]1605 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1606 }
1607
1608 memcpy( ssl->handshake->verify_cookie, p, cookie_len );
1609 ssl->handshake->verify_cookie_len = cookie_len;
1610
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]1611 /* Start over at ClientHello */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1612 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
1613 mbedtls_ssl_reset_checksum( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1614
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1615 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1616
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1617 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1618
1619 return( 0 );
1620}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1621#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1622
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1623static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1624{
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1625 int ret, i;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1626 size_t n;
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1627 size_t ext_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1628 unsigned char *buf, *ext;
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1629 unsigned char comp;
1630#if defined(MBEDTLS_ZLIB_SUPPORT)
1631 int accept_comp;
1632#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1633#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1634 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1635#endif
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]1636#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1637 int extended_ms_seen = 0;
1638#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1639 int handshake_failure = 0;
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1640
1641 /* The ciphersuite chosen by the server. */
1642 mbedtls_ssl_ciphersuite_handle_t server_suite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1643
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1644 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1645
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]1646 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1647 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1648 /* No alert on a read error. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1649 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1650 return( ret );
1651 }
1652
Hanno Beckerf5970a02019-05-08 09:38:41 +0100[diff] [blame]1653 buf = ssl->in_msg;
1654
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1655 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1656 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1657#if defined(MBEDTLS_SSL_RENEGOTIATION)
1658 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1659 {
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1660 ssl->renego_records_seen++;
1661
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1662 if( ssl->conf->renego_max_records >= 0 &&
1663 ssl->renego_records_seen > ssl->conf->renego_max_records )
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1664 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1665 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1666 "but not honored by server" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1667 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1668 }
1669
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1670 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]1671
1672 ssl->keep_current_message = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1673 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1674 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1675#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1676
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1677 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1678 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1679 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1680 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1681 }
1682
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1683#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]1684 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1685 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1686 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1687 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1688 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
1689 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1690 return( ssl_parse_hello_verify_request( ssl ) );
1691 }
1692 else
1693 {
1694 /* We made it through the verification process */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1695 mbedtls_free( ssl->handshake->verify_cookie );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1696 ssl->handshake->verify_cookie = NULL;
1697 ssl->handshake->verify_cookie_len = 0;
1698 }
1699 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1700#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1701
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1702 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
1703 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1704 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1705 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1706 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1707 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1708 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1709 }
1710
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1711 /*
1712 * 0 . 1 server_version
1713 * 2 . 33 random (maybe including 4 bytes of Unix time)
1714 * 34 . 34 session_id length = n
1715 * 35 . 34+n session_id
1716 * 35+n . 36+n cipher_suite
1717 * 37+n . 37+n compression_method
1718 *
1719 * 38+n . 39+n extensions length (optional)
1720 * 40+n . .. extensions
1721 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1722 buf += mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1723
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1724 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
1725 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1726 ssl->conf->transport, buf + 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1727
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1728 if( ssl->major_ver < ssl->conf->min_major_ver ||
1729 ssl->minor_ver < ssl->conf->min_minor_ver ||
1730 ssl->major_ver > ssl->conf->max_major_ver ||
1731 ssl->minor_ver > ssl->conf->max_minor_ver )
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1732 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1733 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]1734 " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1735 ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]1736 ssl->major_ver, ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1737 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1738
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1739 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1740 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1741
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1742 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1743 }
1744
Andres Amaya Garcia6bce9cb2017-09-06 15:33:34 +0100[diff] [blame]1745 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
1746 ( (uint32_t) buf[2] << 24 ) |
1747 ( (uint32_t) buf[3] << 16 ) |
1748 ( (uint32_t) buf[4] << 8 ) |
1749 ( (uint32_t) buf[5] ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1750
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1751 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1752
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1753 n = buf[34];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1754
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1755 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1756
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1757 if( n > 32 )
1758 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1759 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1760 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1761 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1762 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1763 }
1764
Manuel Pégourié-Gonnarda6e5bd52015-07-23 12:14:13 +0200[diff] [blame]1765 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1766 {
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1767 ext_len = ( ( buf[38 + n] << 8 )
1768 | ( buf[39 + n] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1769
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1770 if( ( ext_len > 0 && ext_len < 4 ) ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1771 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1772 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1773 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1774 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1775 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1776 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1777 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1778 }
Manuel Pégourié-Gonnarda6e5bd52015-07-23 12:14:13 +0200[diff] [blame]1779 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1780 {
1781 ext_len = 0;
1782 }
1783 else
1784 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1785 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1786 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1787 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1788 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1789 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1790
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1791 /* ciphersuite (used later) */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1792 i = ( buf[35 + n] << 8 ) | buf[36 + n];
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1793
1794 /*
1795 * Read and check compression
1796 */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1797 comp = buf[37 + n];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1798
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1799#if defined(MBEDTLS_ZLIB_SUPPORT)
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1800 /* See comments in ssl_write_client_hello() */
Manuel Pégourié-Gonnardff4bd9f2019-06-06 10:34:48 +0200[diff] [blame]1801 accept_comp = MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1802
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1803 if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
1804 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
1805#else /* MBEDTLS_ZLIB_SUPPORT */
1806 if( comp != MBEDTLS_SSL_COMPRESS_NULL )
1807#endif/* MBEDTLS_ZLIB_SUPPORT */
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1808 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1809 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1810 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1811 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1812 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1813 }
1814
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1815 /*
1816 * Initialize update checksum functions
1817 */
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1818 server_suite_info = mbedtls_ssl_ciphersuite_from_id( i );
Hanno Becker73f4cb12019-06-27 13:51:07 +0100[diff] [blame^]1819#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1820 ssl->handshake->ciphersuite_info = server_suite_info;
1821#endif
1822 if( server_suite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1823 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1824 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1825 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1826 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1827 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1828 }
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1829 mbedtls_ssl_optimize_checksum( ssl, server_suite_info );
Manuel Pégourié-Gonnard3c599f12014-03-10 13:25:07 +0100[diff] [blame]1830
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1831 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1832 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1833
1834 /*
1835 * Check if the session can be resumed
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]1836 *
1837 * We're only resuming a session if it was requested (handshake->resume
1838 * already set to 1 by mbedtls_ssl_set_session()), and further conditions
1839 * are satisfied (not renegotiating, ID and ciphersuite match, etc).
1840 *
1841 * Update handshake->resume to the value it will keep for the rest of the
1842 * handshake, and that will be used to determine the relative order
1843 * client/server last flights, as well as in handshake_wrapup().
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1844 */
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1845#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
1846 if( n == 0 ||
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]1847 mbedtls_ssl_get_renego_status( ssl ) != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Hanno Beckere02758c2019-06-26 15:31:31 +0100[diff] [blame]1848 mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate ) != i ||
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1849 ssl->session_negotiate->compression != comp ||
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1850 ssl->session_negotiate->id_len != n ||
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1851 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1852 {
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]1853 ssl->handshake->resume = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1854 }
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]1855#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */
1856
1857 if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 1 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1858 {
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]1859 /* Resume a session */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1860 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1861
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1862 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1863 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1864 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1865 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1866 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1867 return( ret );
1868 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1869 }
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1870 else
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1871 {
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]1872 /* Start a new session */
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1873 ssl->state++;
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1874#if defined(MBEDTLS_HAVE_TIME)
1875 ssl->session_negotiate->start = mbedtls_time( NULL );
1876#endif
Hanno Becker73f4cb12019-06-27 13:51:07 +0100[diff] [blame^]1877#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1878 ssl->session_negotiate->ciphersuite = i;
Hanno Becker73f4cb12019-06-27 13:51:07 +0100[diff] [blame^]1879#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1880 ssl->session_negotiate->compression = comp;
1881 ssl->session_negotiate->id_len = n;
1882 memcpy( ssl->session_negotiate->id, buf + 35, n );
1883 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1884
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1885 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Manuel Pégourié-Gonnard3652e992019-07-01 12:09:22 +0200[diff] [blame]1886 mbedtls_ssl_handshake_get_resume( ssl->handshake ) ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1887
Manuel Pégourié-Gonnard60884a12015-09-16 11:13:41 +0200[diff] [blame]1888 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1889 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1890
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]1891 /*
1892 * Perform cipher suite validation in same way as in ssl_write_client_hello.
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1893 */
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1894 MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE( ssl,
1895 ssl->minor_ver,
1896 ciphersuite_info )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1897 {
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1898 if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
1899 ssl->conf->min_minor_ver,
1900 ssl->conf->max_minor_ver ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1901 {
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1902 /* Logically, we want to continue the ciphersuite iteration
1903 * here, but We can't just use `continue` because
1904 * MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE()
1905 * doesn't unfold to a loop in case only a single
1906 * ciphersuite is enabled. */
1907 goto next_suite;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1908 }
1909
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1910 if( ciphersuite_info != server_suite_info )
1911 goto next_suite;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1912
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1913 goto server_picked_valid_suite;
1914
1915 next_suite:
1916 /* Need something here to avoid
1917 * 'label at end of compound statement' error. */
1918 ((void) 0);
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1919 }
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1920 MBEDTLS_SSL_END_FOR_EACH_CIPHERSUITE
1921
1922 /* If we reach this code-path, the server's chosen ciphersuite
1923 * wasn't among those advertised by us. */
1924 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1925 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1926 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1927 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1928
1929server_picked_valid_suite:
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1930
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]1931 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1932 mbedtls_ssl_suite_get_name( server_suite_info ) ) );
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1933
Manuel Pégourié-Gonnardda19f4c2018-06-12 12:40:54 +0200[diff] [blame]1934#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1935 if( mbedtls_ssl_suite_get_key_exchange( server_suite_info ) ==
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]1936 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
Manuel Pégourié-Gonnardda19f4c2018-06-12 12:40:54 +0200[diff] [blame]1937 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
1938 {
1939 ssl->handshake->ecrs_enabled = 1;
1940 }
1941#endif
1942
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1943 if( comp != MBEDTLS_SSL_COMPRESS_NULL
1944#if defined(MBEDTLS_ZLIB_SUPPORT)
1945 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1946#endif
1947 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1948 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1949 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1950 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1951 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1952 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1953 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1954 ssl->session_negotiate->compression = comp;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1955
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1956 ext = buf + 40 + n;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1957
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1958 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1959
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1960 while( ext_len )
1961 {
1962 unsigned int ext_id = ( ( ext[0] << 8 )
1963 | ( ext[1] ) );
1964 unsigned int ext_size = ( ( ext[2] << 8 )
1965 | ( ext[3] ) );
1966
1967 if( ext_size + 4 > ext_len )
1968 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1969 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1970 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1971 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1972 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1973 }
1974
1975 switch( ext_id )
1976 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1977 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1978 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1979#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1980 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1981#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1982
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1983 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
1984 ext_size ) ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1985 return( ret );
1986
1987 break;
1988
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1989#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1990 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1991 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1992
1993 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
1994 ext + 4, ext_size ) ) != 0 )
1995 {
1996 return( ret );
1997 }
1998
1999 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2000#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]2001
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2002#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2003 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
2004 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]2005
2006 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
2007 ext + 4, ext_size ) ) != 0 )
2008 {
2009 return( ret );
2010 }
2011
2012 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2013#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]2014
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2015#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]2016 case MBEDTLS_TLS_EXT_CID:
2017 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) );
2018
2019 if( ( ret = ssl_parse_cid_ext( ssl,
2020 ext + 4,
2021 ext_size ) ) != 0 )
2022 {
2023 return( ret );
2024 }
2025
2026 break;
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2027#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]2028
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2029#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2030 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
2031 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2032
2033 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
2034 ext + 4, ext_size ) ) != 0 )
2035 {
2036 return( ret );
2037 }
2038
2039 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2040#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2041
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2042#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2043 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
2044 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2045
2046 if( ( ret = ssl_parse_extended_ms_ext( ssl,
2047 ext + 4, ext_size ) ) != 0 )
2048 {
2049 return( ret );
2050 }
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2051 extended_ms_seen = 1;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2052
2053 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2054#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2055
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2056#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2057 case MBEDTLS_TLS_EXT_SESSION_TICKET:
2058 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]2059
2060 if( ( ret = ssl_parse_session_ticket_ext( ssl,
2061 ext + 4, ext_size ) ) != 0 )
2062 {
2063 return( ret );
2064 }
2065
2066 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2067#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]2068
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]2069#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]2070 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2071 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
2072 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2073
2074 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
2075 ext + 4, ext_size ) ) != 0 )
2076 {
2077 return( ret );
2078 }
2079
2080 break;
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]2081#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
2082 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2083
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]2084#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2085 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
2086 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
2087
2088 if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
2089 ext + 4, ext_size ) ) != 0 )
2090 {
2091 return( ret );
2092 }
2093
2094 break;
2095#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2096
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2097#if defined(MBEDTLS_SSL_ALPN)
2098 case MBEDTLS_TLS_EXT_ALPN:
2099 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]2100
2101 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
2102 return( ret );
2103
2104 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2105#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]2106
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2107 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2108 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2109 ext_id ) );
2110 }
2111
2112 ext_len -= 4 + ext_size;
2113 ext += 4 + ext_size;
2114
2115 if( ext_len > 0 && ext_len < 4 )
2116 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2117 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
2118 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2119 }
2120 }
2121
2122 /*
2123 * Renegotiation security checks
2124 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2125 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Hanno Beckerb0b2b672019-06-12 16:58:10 +0100[diff] [blame]2126 mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
2127 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2128 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2129 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2130 handshake_failure = 1;
2131 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2132#if defined(MBEDTLS_SSL_RENEGOTIATION)
2133 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2134 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2135 renegotiation_info_seen == 0 )
2136 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2137 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2138 handshake_failure = 1;
2139 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2140 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2141 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Hanno Beckerb0b2b672019-06-12 16:58:10 +0100[diff] [blame]2142 mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
2143 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2144 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2145 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2146 handshake_failure = 1;
2147 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2148 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2149 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2150 renegotiation_info_seen == 1 )
2151 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2152 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2153 handshake_failure = 1;
2154 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2155#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2156
Jarno Lamsa842be162019-06-10 15:05:33 +0300[diff] [blame]2157 /*
2158 * Check if extended master secret is being enforced
2159 */
2160#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Hanno Beckeraabbb582019-06-11 13:43:27 +0100[diff] [blame]2161 if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2162 MBEDTLS_SSL_EXTENDED_MS_ENABLED )
Jarno Lamsa842be162019-06-10 15:05:33 +0300[diff] [blame]2163 {
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2164 if( extended_ms_seen )
2165 {
Hanno Becker1ab322b2019-06-11 14:50:54 +0100[diff] [blame]2166#if !defined(MBEDTLS_SSL_EXTENDED_MS_ENFORCED)
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2167 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Hanno Becker1ab322b2019-06-11 14:50:54 +0100[diff] [blame]2168#endif /* !MBEDTLS_SSL_EXTENDED_MS_ENFORCED */
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2169 }
2170 else if( mbedtls_ssl_conf_get_ems_enforced( ssl->conf ) ==
2171 MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED )
2172 {
2173 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
Jarno Lamsa842be162019-06-10 15:05:33 +0300[diff] [blame]2174 "secret, while it is enforced") );
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2175 handshake_failure = 1;
2176 }
Jarno Lamsa842be162019-06-10 15:05:33 +0300[diff] [blame]2177 }
2178#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
2179
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2180 if( handshake_failure == 1 )
2181 {
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]2182 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2183 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2184 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2185 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2186
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2187 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2188
2189 return( 0 );
2190}
2191
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2192#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2193 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2194static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2195 unsigned char *end )
2196{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2197 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2198
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2199 /*
2200 * Ephemeral DH parameters:
2201 *
2202 * struct {
2203 * opaque dh_p<1..2^16-1>;
2204 * opaque dh_g<1..2^16-1>;
2205 * opaque dh_Ys<1..2^16-1>;
2206 * } ServerDHParams;
2207 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2208 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2209 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2210 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2211 return( ret );
2212 }
2213
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +0200[diff] [blame]2214 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2215 {
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +0200[diff] [blame]2216 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
2217 ssl->handshake->dhm_ctx.len * 8,
2218 ssl->conf->dhm_min_bitlen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2219 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2220 }
2221
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2222 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2223 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2224 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2225
2226 return( ret );
2227}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2228#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2229 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2230
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2231#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2232 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2233 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2234 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2235 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2236static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2237{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2238 const mbedtls_ecp_curve_info *curve_info;
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]2239 mbedtls_ecp_group_id grp_id;
2240#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
2241 grp_id = ssl->handshake->ecdh_ctx.grp.id;
2242#else
2243 grp_id = ssl->handshake->ecdh_ctx.grp_id;
2244#endif
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2245
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]2246 curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2247 if( curve_info == NULL )
2248 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2249 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2250 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2251 }
2252
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2253 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2254
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]2255#if defined(MBEDTLS_ECP_C)
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]2256 if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2257#else
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2258 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
2259 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2260#endif
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2261 return( -1 );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2262
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]2263 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
2264 MBEDTLS_DEBUG_ECDH_QP );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2265
2266 return( 0 );
2267}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2268#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2269 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2270 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2271 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2272 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2273
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2274#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2275 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2276 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2277static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2278 unsigned char **p,
2279 unsigned char *end )
2280{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2281 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2282
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2283 /*
2284 * Ephemeral ECDH parameters:
2285 *
2286 * struct {
2287 * ECParameters curve_params;
2288 * ECPoint public;
2289 * } ServerECDHParams;
2290 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2291 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2292 (const unsigned char **) p, end ) ) != 0 )
2293 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2294 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2295#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnard1c1c20e2018-09-12 10:34:43 +0200[diff] [blame]2296 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2297 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2298#endif
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2299 return( ret );
2300 }
2301
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2302 if( ssl_check_server_ecdh_params( ssl ) != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2303 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2304 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
2305 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2306 }
2307
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2308 return( ret );
2309}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2310#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2311 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2312 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2313
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2314#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2315static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2316 unsigned char **p,
2317 unsigned char *end )
2318{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2319 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2320 size_t len;
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]2321 ((void) ssl);
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2322
2323 /*
2324 * PSK parameters:
2325 *
2326 * opaque psk_identity_hint<0..2^16-1>;
2327 */
Hanno Becker0c161d12018-10-08 13:40:50 +0100[diff] [blame]2328 if( end - (*p) < 2 )
Krzysztof Stachowiak740b2182018-03-13 11:31:14 +0100[diff] [blame]2329 {
2330 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
2331 "(psk_identity_hint length)" ) );
2332 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2333 }
Manuel Pégourié-Gonnard59b9fe22013-10-15 11:55:33 +0200[diff] [blame]2334 len = (*p)[0] << 8 | (*p)[1];
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2335 *p += 2;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2336
Hanno Becker8df10232018-10-10 15:48:39 +0100[diff] [blame]2337 if( end - (*p) < (int) len )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2338 {
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2339 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
2340 "(psk_identity_hint length)" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2341 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2342 }
2343
Manuel Pégourié-Gonnard9d624122016-02-22 11:10:14 +0100[diff] [blame]2344 /*
2345 * Note: we currently ignore the PKS identity hint, as we only allow one
2346 * PSK to be provisionned on the client. This could be changed later if
2347 * someone needs that feature.
2348 */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2349 *p += len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2350 ret = 0;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2351
2352 return( ret );
2353}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2354#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2355
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2356#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
2357 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2358/*
2359 * Generate a pre-master secret and encrypt it with the server's RSA key
2360 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2361static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2362 size_t offset, size_t *olen,
2363 size_t pms_offset )
2364{
2365 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2366 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2367 unsigned char *p = ssl->handshake->premaster + pms_offset;
Hanno Becker5882dd02019-06-06 16:25:57 +0100[diff] [blame]2368 mbedtls_pk_context *peer_pk = NULL;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2369
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2370 if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]2371 {
2372 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
2373 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2374 }
2375
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2376 /*
2377 * Generate (part of) the pre-master as
2378 * struct {
2379 * ProtocolVersion client_version;
2380 * opaque random[46];
2381 * } PreMasterSecret;
2382 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2383 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
2384 ssl->conf->transport, p );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2385
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]2386 if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
2387 ( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2388 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2389 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2390 return( ret );
2391 }
2392
2393 ssl->handshake->pmslen = 48;
2394
Hanno Becker374800a2019-02-06 16:49:54 +0000[diff] [blame]2395#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Becker5882dd02019-06-06 16:25:57 +0100[diff] [blame]2396 /* Because the peer CRT pubkey is embedded into the handshake
2397 * params currently, and there's no 'is_init' functions for PK
2398 * contexts, we need to break the abstraction and peek into
2399 * the PK context to see if it has been initialized. */
2400 if( ssl->handshake->peer_pubkey.pk_info != NULL )
2401 peer_pk = &ssl->handshake->peer_pubkey;
Hanno Becker374800a2019-02-06 16:49:54 +0000[diff] [blame]2402#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker5882dd02019-06-06 16:25:57 +0100[diff] [blame]2403 if( ssl->session_negotiate->peer_cert != NULL )
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2404 {
2405 ret = mbedtls_x509_crt_pk_acquire( ssl->session_negotiate->peer_cert,
2406 &peer_pk );
2407 if( ret != 0 )
2408 {
Hanno Becker2224ccf2019-06-28 10:52:45 +0100[diff] [blame]2409 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_x509_crt_pk_acquire", ret );
2410 return( ret );
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2411 }
2412 }
Hanno Becker5882dd02019-06-06 16:25:57 +0100[diff] [blame]2413#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2414
2415 if( peer_pk == NULL )
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2416 {
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2417 /* Should never happen */
Hanno Beckere9839c02019-02-26 11:51:06 +0000[diff] [blame]2418 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2419 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2420 }
2421
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2422 /*
2423 * Now write it out, encrypted
2424 */
Hanno Becker374800a2019-02-06 16:49:54 +0000[diff] [blame]2425 if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_RSA ) )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2426 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2427 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2428 ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2429 goto cleanup;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2430 }
2431
Hanno Becker374800a2019-02-06 16:49:54 +0000[diff] [blame]2432 if( ( ret = mbedtls_pk_encrypt( peer_pk,
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2433 p, ssl->handshake->pmslen,
2434 ssl->out_msg + offset + len_bytes, olen,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2435 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]2436 mbedtls_ssl_conf_get_frng( ssl->conf ),
2437 ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2438 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2439 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2440 goto cleanup;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2441 }
2442
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2443#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2444 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2445 if( len_bytes == 2 )
2446 {
2447 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
2448 ssl->out_msg[offset+1] = (unsigned char)( *olen );
2449 *olen += 2;
2450 }
2451#endif
2452
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2453cleanup:
2454
Hanno Becker6c83db72019-02-08 14:06:00 +0000[diff] [blame]2455#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2456 /* We don't need the peer's public key anymore. Free it. */
2457 mbedtls_pk_free( peer_pk );
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2458#else
Hanno Beckerc6d1c3e2019-03-05 13:50:56 +0000[diff] [blame]2459 mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2460#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2461
2462 return( ret );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2463}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2464#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
2465 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2466
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2467#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard5c2a7ca2015-10-23 08:48:41 +0200[diff] [blame]2468#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2469 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2470 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2471static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2472 unsigned char **p,
2473 unsigned char *end,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2474 mbedtls_md_type_t *md_alg,
2475 mbedtls_pk_type_t *pk_alg )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2476{
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]2477 ((void) ssl);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2478 *md_alg = MBEDTLS_MD_NONE;
2479 *pk_alg = MBEDTLS_PK_NONE;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2480
2481 /* Only in TLS 1.2 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2482 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2483 {
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2484 return( 0 );
2485 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2486
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2487 if( (*p) + 2 > end )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2488 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2489
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2490 /*
2491 * Get hash algorithm
2492 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2493 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2494 {
Manuel Pégourié-Gonnardd8053242015-12-08 09:53:51 +0100[diff] [blame]2495 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported "
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]2496 "HashAlgorithm %d", *(p)[0] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2497 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2498 }
2499
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2500 /*
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2501 * Get signature algorithm
2502 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2503 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2504 {
Manuel Pégourié-Gonnardd8053242015-12-08 09:53:51 +0100[diff] [blame]2505 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported "
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]2506 "SignatureAlgorithm %d", (*p)[1] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2507 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2508 }
2509
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]2510 /*
2511 * Check if the hash is acceptable
2512 */
2513 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
2514 {
Gilles Peskinecd3c8452017-05-09 14:57:45 +0200[diff] [blame]2515 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered",
2516 *(p)[0] ) );
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]2517 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2518 }
2519
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2520 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
2521 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2522 *p += 2;
2523
2524 return( 0 );
2525}
Manuel Pégourié-Gonnard5c2a7ca2015-10-23 08:48:41 +0200[diff] [blame]2526#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2527 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2528 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2529#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2530
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2531#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2532 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2533static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2534{
2535 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2536 const mbedtls_ecp_keypair *peer_key;
Hanno Becker53b6b7e2019-02-06 17:44:07 +0000[diff] [blame]2537 mbedtls_pk_context * peer_pk;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2538
Hanno Becker53b6b7e2019-02-06 17:44:07 +0000[diff] [blame]2539#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2540 peer_pk = &ssl->handshake->peer_pubkey;
2541#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2542 if( ssl->session_negotiate->peer_cert == NULL )
2543 {
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2544 /* Should never happen */
Hanno Beckerc39e23e2019-02-26 12:36:01 +0000[diff] [blame]2545 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2546 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2547 }
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2548
2549 ret = mbedtls_x509_crt_pk_acquire( ssl->session_negotiate->peer_cert,
2550 &peer_pk );
2551 if( ret != 0 )
2552 {
Hanno Becker2224ccf2019-06-28 10:52:45 +0100[diff] [blame]2553 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_x509_crt_pk_acquire", ret );
2554 return( ret );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2555 }
Hanno Becker53b6b7e2019-02-06 17:44:07 +0000[diff] [blame]2556#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2557
Hanno Becker53b6b7e2019-02-06 17:44:07 +0000[diff] [blame]2558 if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECKEY ) )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2559 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2560 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2561 ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2562 goto cleanup;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2563 }
2564
Hanno Becker53b6b7e2019-02-06 17:44:07 +0000[diff] [blame]2565 peer_key = mbedtls_pk_ec( *peer_pk );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2566
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2567 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
2568 MBEDTLS_ECDH_THEIRS ) ) != 0 )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2569 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2570 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2571 goto cleanup;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2572 }
2573
2574 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2575 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2576 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2577 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
2578 goto cleanup;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2579 }
2580
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2581cleanup:
2582
Hanno Becker6c83db72019-02-08 14:06:00 +0000[diff] [blame]2583#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2584 /* We don't need the peer's public key anymore. Free it,
2585 * so that more RAM is available for upcoming expensive
2586 * operations like ECDHE. */
2587 mbedtls_pk_free( peer_pk );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2588#else
Hanno Beckerc6d1c3e2019-03-05 13:50:56 +0000[diff] [blame]2589 mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2590#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker6c83db72019-02-08 14:06:00 +0000[diff] [blame]2591
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2592 return( ret );
2593}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2594#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2595 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2596
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2597static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2598{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2599 int ret;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2600 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]2601 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Andres Amaya Garcia53c77cc2017-06-27 16:15:06 +0100[diff] [blame]2602 unsigned char *p = NULL, *end = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2603
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2604 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2605
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2606#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2607 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
2608 MBEDTLS_KEY_EXCHANGE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2609 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2610 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2611 ssl->state++;
2612 return( 0 );
2613 }
Manuel Pégourié-Gonnardbac0e3b2013-10-15 11:54:47 +0200[diff] [blame]2614 ((void) p);
2615 ((void) end);
2616#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2617
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2618#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2619 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2620 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
2621 MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2622 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
2623 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2624 {
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2625 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
2626 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2627 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2628 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2629 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2630 return( ret );
2631 }
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2632
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2633 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2634 ssl->state++;
2635 return( 0 );
2636 }
2637 ((void) p);
2638 ((void) end);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2639#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2640 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2641
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2642#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2643 if( ssl->handshake->ecrs_enabled &&
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2644 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2645 {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2646 goto start_processing;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2647 }
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2648#endif
2649
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]2650 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2651 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2652 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2653 return( ret );
2654 }
2655
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2656 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2657 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2658 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2659 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2660 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2661 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2662 }
2663
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2664 /*
2665 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2666 * doesn't use a psk_identity_hint
2667 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2668 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2669 {
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2670 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2671 == MBEDTLS_KEY_EXCHANGE_PSK ||
2672 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2673 == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Paul Bakker188c8de2013-04-19 09:13:37 +0200[diff] [blame]2674 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2675 /* Current message is probably either
2676 * CertificateRequest or ServerHelloDone */
2677 ssl->keep_current_message = 1;
Paul Bakker188c8de2013-04-19 09:13:37 +0200[diff] [blame]2678 goto exit;
2679 }
2680
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2681 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must "
2682 "not be skipped" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2683 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2684 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2685
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2686 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2687 }
2688
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2689#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2690 if( ssl->handshake->ecrs_enabled )
2691 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
2692
2693start_processing:
2694#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2695 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2696 end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2697 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2698
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2699#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2700 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2701 == MBEDTLS_KEY_EXCHANGE_PSK ||
2702 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2703 == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2704 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2705 == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2706 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2707 == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2708 {
2709 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
2710 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2711 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2712 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2713 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2714 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2715 }
2716 } /* FALLTROUGH */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2717#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2718
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2719#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2720 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2721 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2722 == MBEDTLS_KEY_EXCHANGE_PSK ||
2723 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2724 == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2725 {
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2726 ; /* nothing more to do */
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2727 }
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2728 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2729#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2730 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2731#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2732 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2733 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2734 == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2735 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2736 == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2737 {
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2738 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2739 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2740 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2741 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2742 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2743 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2744 }
2745 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2746 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2747#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2748 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2749#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2750 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2751 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2752 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2753 == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2754 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2755 == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2756 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2757 == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2758 {
2759 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
2760 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2761 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2762 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2763 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2764 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2765 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2766 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2767 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2768#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2769 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2770 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2771#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2772 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2773 == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2774 {
2775 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
2776 p, end - p );
2777 if( ret != 0 )
2778 {
2779 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2780 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2781 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2782 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2783 }
2784 }
2785 else
2786#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2787 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2788 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2789 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2790 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2791
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2792#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
2793 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2794 {
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]2795 size_t sig_len, hashlen;
2796 unsigned char hash[64];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2797 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2798 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
2799 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]2800 size_t params_len = p - params;
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2801 void *rs_ctx = NULL;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2802
Hanno Becker69fad132019-02-06 18:26:03 +0000[diff] [blame]2803 mbedtls_pk_context * peer_pk;
2804
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2805 /*
2806 * Handle the digitally-signed structure
2807 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2808#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2809 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2810 {
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2811 if( ssl_parse_signature_algorithm( ssl, &p, end,
2812 &md_alg, &pk_alg ) != 0 )
2813 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2814 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2815 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2816 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2817 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2818 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2819
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2820 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2821 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2822 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2823 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2824 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2825 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2826 }
2827 }
Manuel Pégourié-Gonnard09edda82013-08-19 13:50:33 +0200[diff] [blame]2828 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2829#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2830#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2831 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2832 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnard09edda82013-08-19 13:50:33 +0200[diff] [blame]2833 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2834 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2835
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2836 /* Default hash for ECDSA is SHA-1 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2837 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
2838 md_alg = MBEDTLS_MD_SHA1;
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2839 }
2840 else
2841#endif
2842 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2843 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2844 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2845 }
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2846
2847 /*
2848 * Read signature
2849 */
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +0100[diff] [blame]2850
2851 if( p > end - 2 )
2852 {
2853 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2854 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2855 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2856 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2857 }
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2858 sig_len = ( p[0] << 8 ) | p[1];
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2859 p += 2;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2860
Krzysztof Stachowiak027f84c2018-03-13 11:29:24 +0100[diff] [blame]2861 if( p != end - sig_len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2862 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2863 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2864 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2865 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2866 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2867 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2868
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2869 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2870
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2871 /*
2872 * Compute the hash that has been signed
2873 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2874#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2875 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2876 if( md_alg == MBEDTLS_MD_NONE )
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]2877 {
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2878 hashlen = 36;
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]2879 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params,
2880 params_len );
2881 if( ret != 0 )
Andres Amaya Garciaf0e521e2017-06-28 12:11:42 +0100[diff] [blame]2882 return( ret );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2883 }
2884 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2885#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
2886 MBEDTLS_SSL_PROTO_TLS1_1 */
2887#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2888 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2889 if( md_alg != MBEDTLS_MD_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2890 {
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]2891 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
2892 params, params_len,
2893 md_alg );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]2894 if( ret != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2895 return( ret );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2896 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2897 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2898#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2899 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2900 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2901 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2902 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2903 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2904
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]2905 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2906
Hanno Becker69fad132019-02-06 18:26:03 +0000[diff] [blame]2907#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2908 peer_pk = &ssl->handshake->peer_pubkey;
2909#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2910 if( ssl->session_negotiate->peer_cert == NULL )
2911 {
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2912 /* Should never happen */
Hanno Beckerc39e23e2019-02-26 12:36:01 +0000[diff] [blame]2913 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2914 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2915 }
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2916
2917 ret = mbedtls_x509_crt_pk_acquire( ssl->session_negotiate->peer_cert,
2918 &peer_pk );
2919 if( ret != 0 )
2920 {
Hanno Becker2224ccf2019-06-28 10:52:45 +0100[diff] [blame]2921 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_x509_crt_pk_acquire", ret );
2922 return( ret );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2923 }
Hanno Becker69fad132019-02-06 18:26:03 +0000[diff] [blame]2924#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2925
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2926 /*
2927 * Verify signature
2928 */
Hanno Becker69fad132019-02-06 18:26:03 +0000[diff] [blame]2929 if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2930 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2931 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2932 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2933 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2934#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Beckerc6d1c3e2019-03-05 13:50:56 +0000[diff] [blame]2935 mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2936#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2937 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2938 }
2939
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2940#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2941 if( ssl->handshake->ecrs_enabled )
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]2942 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2943#endif
2944
Hanno Becker69fad132019-02-06 18:26:03 +0000[diff] [blame]2945 if( ( ret = mbedtls_pk_verify_restartable( peer_pk,
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2946 md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2947 {
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2948#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2949 if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
2950#endif
2951 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2952 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2953 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2954#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2955 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2956 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2957#endif
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2958#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Beckerc6d1c3e2019-03-05 13:50:56 +0000[diff] [blame]2959 mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2960#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2961 return( ret );
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]2962 }
Hanno Becker6c83db72019-02-08 14:06:00 +0000[diff] [blame]2963
2964#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2965 /* We don't need the peer's public key anymore. Free it,
2966 * so that more RAM is available for upcoming expensive
2967 * operations like ECDHE. */
2968 mbedtls_pk_free( peer_pk );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2969#else
Hanno Beckerc6d1c3e2019-03-05 13:50:56 +0000[diff] [blame]2970 mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2971#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2972 }
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2973#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2974
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2975exit:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2976 ssl->state++;
2977
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2978 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2979
2980 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2981}
2982
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2983#if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2984static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2985{
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2986 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]2987 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2988
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2989 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2990
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2991 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2992 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2993 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2994 ssl->state++;
2995 return( 0 );
2996 }
2997
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2998 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2999 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]3000}
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3001#else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3002static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3003{
3004 int ret;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3005 unsigned char *buf;
3006 size_t n = 0;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]3007 size_t cert_type_len = 0, dn_len = 0;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3008 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]3009 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3010
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3011 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3012
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3013 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]3014 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3015 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]3016 ssl->state++;
3017 return( 0 );
3018 }
3019
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3020 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3021 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3022 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3023 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3024 }
3025
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3026 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3027 {
3028 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3029 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3030 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
3031 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3032 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3033
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3034 ssl->state++;
3035 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3036
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3037 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3038 ssl->client_auth ? "a" : "no" ) );
3039
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3040 if( ssl->client_auth == 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3041 {
3042 /* Current message is probably the ServerHelloDone */
3043 ssl->keep_current_message = 1;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3044 goto exit;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3045 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3046
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]3047 /*
3048 * struct {
3049 * ClientCertificateType certificate_types<1..2^8-1>;
3050 * SignatureAndHashAlgorithm
3051 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
3052 * DistinguishedName certificate_authorities<0..2^16-1>;
3053 * } CertificateRequest;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3054 *
3055 * Since we only support a single certificate on clients, let's just
3056 * ignore all the information that's supposed to help us pick a
3057 * certificate.
3058 *
3059 * We could check that our certificate matches the request, and bail out
3060 * if it doesn't, but it's simpler to just send the certificate anyway,
3061 * and give the server the opportunity to decide if it should terminate
3062 * the connection when it doesn't like our certificate.
3063 *
3064 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
3065 * point we only have one hash available (see comments in
Simon Butcherc0957bd2016-03-01 13:16:57 +0000[diff] [blame]3066 * write_certificate_verify), so let's just use what we have.
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3067 *
3068 * However, we still minimally parse the message to check it is at least
3069 * superficially sane.
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]3070 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3071 buf = ssl->in_msg;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]3072
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3073 /* certificate_types */
Krzysztof Stachowiak73b183c2018-04-05 10:20:09 +0200[diff] [blame]3074 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) )
3075 {
3076 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3077 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3078 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3079 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3080 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3081 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3082 n = cert_type_len;
3083
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]3084 /*
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]3085 * In the subsequent code there are two paths that read from buf:
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]3086 * * the length of the signature algorithms field (if minor version of
3087 * SSL is 3),
3088 * * distinguished name length otherwise.
3089 * Both reach at most the index:
3090 * ...hdr_len + 2 + n,
3091 * therefore the buffer length at this point must be greater than that
3092 * regardless of the actual code path.
3093 */
3094 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3095 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3096 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3097 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3098 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3099 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3100 }
3101
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3102 /* supported_signature_algorithms */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3103#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3104 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3105 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3106 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3107 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3108#if defined(MBEDTLS_DEBUG_C)
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3109 unsigned char* sig_alg;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3110 size_t i;
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3111#endif
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3112
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3113 /*
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]3114 * The furthest access in buf is in the loop few lines below:
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3115 * sig_alg[i + 1],
3116 * where:
3117 * sig_alg = buf + ...hdr_len + 3 + n,
3118 * max(i) = sig_alg_len - 1.
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]3119 * Therefore the furthest access is:
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3120 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
3121 * which reduces to:
3122 * buf[...hdr_len + 3 + n + sig_alg_len],
3123 * which is one less than we need the buf to be.
3124 */
3125 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n + sig_alg_len )
3126 {
3127 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3128 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3129 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3130 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3131 }
3132
3133#if defined(MBEDTLS_DEBUG_C)
3134 sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3135 for( i = 0; i < sig_alg_len; i += 2 )
3136 {
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3137 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d"
3138 ",%d", sig_alg[i], sig_alg[i + 1] ) );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3139 }
3140#endif
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3141
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3142 n += 2 + sig_alg_len;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]3143 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3144#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3145
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3146 /* certificate_authorities */
3147 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3148 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3149
3150 n += dn_len;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3151 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3152 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3153 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3154 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3155 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3156 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3157 }
3158
3159exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3160 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3161
3162 return( 0 );
3163}
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3164#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3165
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3166static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3167{
3168 int ret;
3169
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3170 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3171
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3172 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3173 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3174 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3175 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3176 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3177
3178 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3179 {
3180 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
3181 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3182 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3183
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3184 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ||
3185 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3186 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3187 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3188 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3189 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3190 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3191 }
3192
3193 ssl->state++;
3194
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3195#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]3196 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3197 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3198#endif
3199
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3200 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3201
3202 return( 0 );
3203}
3204
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3205static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3206{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3207 int ret;
3208 size_t i, n;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3209 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]3210 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3211
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3212 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3213
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3214#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3215 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3216 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3217 /*
3218 * DHM key exchange -- send G^X mod P
3219 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3220 n = ssl->handshake->dhm_ctx.len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3221
3222 ssl->out_msg[4] = (unsigned char)( n >> 8 );
3223 ssl->out_msg[5] = (unsigned char)( n );
3224 i = 6;
3225
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3226 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
3227 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3228 &ssl->out_msg[i], n,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3229 mbedtls_ssl_conf_get_frng( ssl->conf ),
3230 ssl->conf->p_rng );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3231 if( ret != 0 )
3232 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3233 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3234 return( ret );
3235 }
3236
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3237 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
3238 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3239
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3240 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3241 ssl->handshake->premaster,
Manuel Pégourié-Gonnard33352052015-06-02 16:17:08 +0100[diff] [blame]3242 MBEDTLS_PREMASTER_SIZE,
Manuel Pégourié-Gonnard2d627642013-09-04 14:22:07 +0200[diff] [blame]3243 &ssl->handshake->pmslen,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3244 mbedtls_ssl_conf_get_frng( ssl->conf ),
3245 ssl->conf->p_rng ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3246 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3247 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3248 return( ret );
3249 }
3250
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3251 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3252 }
3253 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3254#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3255#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3256 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3257 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3258 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3259 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3260 == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3261 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3262 == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3263 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3264 == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3265 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3266 == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3267 {
3268 /*
3269 * ECDH key exchange -- send client public value
3270 */
3271 i = 4;
3272
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3273#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3274 if( ssl->handshake->ecrs_enabled )
3275 {
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +0200[diff] [blame]3276 if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3277 goto ecdh_calc_secret;
Manuel Pégourié-Gonnard23e41622017-05-18 12:35:37 +0200[diff] [blame]3278
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3279 mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx );
3280 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3281#endif
3282
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3283 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3284 &n,
3285 &ssl->out_msg[i], 1000,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3286 mbedtls_ssl_conf_get_frng( ssl->conf ),
3287 ssl->conf->p_rng );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3288 if( ret != 0 )
3289 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3290 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3291#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3292 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3293 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3294#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3295 return( ret );
3296 }
3297
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]3298 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3299 MBEDTLS_DEBUG_ECDH_Q );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3300
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3301#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3302 if( ssl->handshake->ecrs_enabled )
3303 {
3304 ssl->handshake->ecrs_n = n;
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +0200[diff] [blame]3305 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3306 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3307
3308ecdh_calc_secret:
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3309 if( ssl->handshake->ecrs_enabled )
3310 n = ssl->handshake->ecrs_n;
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3311#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3312 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3313 &ssl->handshake->pmslen,
3314 ssl->handshake->premaster,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3315 MBEDTLS_MPI_MAX_SIZE,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3316 mbedtls_ssl_conf_get_frng( ssl->conf ),
3317 ssl->conf->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3318 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3319 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3320#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3321 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3322 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3323#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3324 return( ret );
3325 }
3326
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]3327 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3328 MBEDTLS_DEBUG_ECDH_Z );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3329 }
3330 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3331#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3332 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3333 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3334 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3335#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3336 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3337 {
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3338 /*
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3339 * opaque psk_identity<0..2^16-1>;
3340 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3341 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL )
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3342 {
3343 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3344 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3345 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3346
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3347 i = 4;
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3348 n = ssl->conf->psk_identity_len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3349
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3350 if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3351 {
3352 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
3353 "SSL buffer too short" ) );
3354 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3355 }
3356
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3357 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
3358 ssl->out_msg[i++] = (unsigned char)( n );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3359
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3360 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len );
3361 i += ssl->conf->psk_identity_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3362
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3363#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3364 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3365 == MBEDTLS_KEY_EXCHANGE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3366 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3367 n = 0;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]3368 }
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3369 else
3370#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3371#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3372 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3373 == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3374 {
3375 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
3376 return( ret );
3377 }
3378 else
3379#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3380#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3381 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3382 == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3383 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3384 /*
3385 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3386 */
3387 n = ssl->handshake->dhm_ctx.len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3388
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3389 if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3390 {
3391 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
3392 " or SSL buffer too short" ) );
3393 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3394 }
3395
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3396 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
3397 ssl->out_msg[i++] = (unsigned char)( n );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3398
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3399 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
3400 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3401 &ssl->out_msg[i], n,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3402 mbedtls_ssl_conf_get_frng( ssl->conf ),
3403 ssl->conf->p_rng );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3404 if( ret != 0 )
3405 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3406 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3407 return( ret );
3408 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3409 }
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3410 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3411#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3412#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3413 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3414 == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3415 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3416 /*
3417 * ClientECDiffieHellmanPublic public;
3418 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3419 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3420 &ssl->out_msg[i], MBEDTLS_SSL_OUT_CONTENT_LEN - i,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3421 mbedtls_ssl_conf_get_frng( ssl->conf ),
3422 ssl->conf->p_rng );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3423 if( ret != 0 )
3424 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3425 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3426 return( ret );
3427 }
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3428
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]3429 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3430 MBEDTLS_DEBUG_ECDH_Q );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3431 }
3432 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3433#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3434 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3435 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3436 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3437 }
3438
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3439 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3440 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3441 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3442 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3443 return( ret );
3444 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3445 }
3446 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3447#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
3448#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3449 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
3450 MBEDTLS_KEY_EXCHANGE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3451 {
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3452 i = 4;
3453 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]3454 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3455 }
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3456 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3457#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3458#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3459 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
3460 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3461 {
3462 i = 4;
3463
3464 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3465 ssl->out_msg + i, MBEDTLS_SSL_OUT_CONTENT_LEN - i, &n,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3466 mbedtls_ssl_conf_get_frng( ssl->conf ),
3467 ssl->conf->p_rng );
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3468 if( ret != 0 )
3469 {
3470 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
3471 return( ret );
3472 }
3473
3474 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
3475 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3476 mbedtls_ssl_conf_get_frng( ssl->conf ),
3477 ssl->conf->p_rng );
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3478 if( ret != 0 )
3479 {
3480 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
3481 return( ret );
3482 }
3483 }
3484 else
3485#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3486 {
3487 ((void) ciphersuite_info);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3488 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3489 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3490 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3491
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3492 ssl->out_msglen = i + n;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3493 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3494 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3495
3496 ssl->state++;
3497
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3498 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3499 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3500 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3501 return( ret );
3502 }
3503
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3504 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3505
3506 return( 0 );
3507}
3508
Hanno Beckerae39b9e2019-02-07 12:32:43 +0000[diff] [blame]3509#if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3510static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3511{
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3512 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]3513 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3514 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3515
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3516 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3517
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3518 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3519 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3520 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3521 return( ret );
3522 }
3523
Hanno Beckerae39b9e2019-02-07 12:32:43 +0000[diff] [blame]3524 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3525 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3526 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3527 ssl->state++;
3528 return( 0 );
3529 }
3530
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3531 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3532 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3533}
Hanno Beckerae39b9e2019-02-07 12:32:43 +0000[diff] [blame]3534#else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3535static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3536{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3537 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3538 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]3539 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3540 size_t n = 0, offset = 0;
3541 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3542 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3543 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnarda5759752019-05-03 11:43:28 +0200[diff] [blame]3544 size_t hashlen;
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3545 void *rs_ctx = NULL;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3546
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3547 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3548
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3549#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3550 if( ssl->handshake->ecrs_enabled &&
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3551 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3552 {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3553 goto sign;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3554 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3555#endif
3556
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3557 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3558 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3559 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3560 return( ret );
3561 }
3562
Hanno Beckerae39b9e2019-02-07 12:32:43 +0000[diff] [blame]3563 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3564 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3565 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3566 ssl->state++;
3567 return( 0 );
3568 }
3569
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3570 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3571 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3572 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3573 ssl->state++;
3574 return( 0 );
3575 }
3576
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3577 if( mbedtls_ssl_own_key( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3578 {
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3579 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3580 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3581 }
3582
3583 /*
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3584 * Make a signature of the handshake digests
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3585 */
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3586#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3587 if( ssl->handshake->ecrs_enabled )
3588 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
3589
3590sign:
3591#endif
3592
Manuel Pégourié-Gonnarda5759752019-05-03 11:43:28 +0200[diff] [blame]3593 ssl->handshake->calc_verify( ssl, hash, &hashlen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3594
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3595#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3596 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3597 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3598 {
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3599 /*
3600 * digitally-signed struct {
3601 * opaque md5_hash[16];
3602 * opaque sha_hash[20];
3603 * };
3604 *
3605 * md5_hash
3606 * MD5(handshake_messages);
3607 *
3608 * sha_hash
3609 * SHA(handshake_messages);
3610 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3611 md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3612
3613 /*
3614 * For ECDSA, default hash is SHA-1 only
3615 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3616 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3617 {
3618 hash_start += 16;
3619 hashlen -= 16;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3620 md_alg = MBEDTLS_MD_SHA1;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3621 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3622 }
3623 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3624#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3625 MBEDTLS_SSL_PROTO_TLS1_1 */
3626#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3627 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3628 {
3629 /*
3630 * digitally-signed struct {
3631 * opaque handshake_messages[handshake_messages_length];
3632 * };
3633 *
3634 * Taking shortcut here. We assume that the server always allows the
3635 * PRF Hash function and has sent it in the allowed signature
3636 * algorithms list received in the Certificate Request message.
3637 *
3638 * Until we encounter a server that does not, we will take this
3639 * shortcut.
3640 *
3641 * Reason: Otherwise we should have running hashes for SHA512 and SHA224
3642 * in order to satisfy 'weird' needs from the server side.
3643 */
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]3644 if( mbedtls_ssl_suite_get_mac(
3645 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) )
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3646 == MBEDTLS_MD_SHA384 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3647 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3648 md_alg = MBEDTLS_MD_SHA384;
3649 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3650 }
3651 else
3652 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3653 md_alg = MBEDTLS_MD_SHA256;
3654 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3655 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3656 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3657
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +0200[diff] [blame]3658 /* Info from md_alg will be used instead */
3659 hashlen = 0;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3660 offset = 2;
3661 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]3662 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3663#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3664 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3665 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3666 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3667 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3668
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3669#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3670 if( ssl->handshake->ecrs_enabled )
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]3671 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3672#endif
3673
3674 if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ),
3675 md_alg, hash_start, hashlen,
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]3676 ssl->out_msg + 6 + offset, &n,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3677 mbedtls_ssl_conf_get_frng( ssl->conf ),
3678 ssl->conf->p_rng, rs_ctx ) ) != 0 )
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]3679 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3680 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3681#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3682 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3683 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3684#endif
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]3685 return( ret );
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]3686 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3687
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3688 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
3689 ssl->out_msg[5 + offset] = (unsigned char)( n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3690
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3691 ssl->out_msglen = 6 + n + offset;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3692 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3693 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3694
3695 ssl->state++;
3696
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3697 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3698 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3699 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3700 return( ret );
3701 }
3702
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3703 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3704
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3705 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3706}
Hanno Beckerae39b9e2019-02-07 12:32:43 +0000[diff] [blame]3707#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3708
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3709#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3710static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3711{
3712 int ret;
3713 uint32_t lifetime;
3714 size_t ticket_len;
3715 unsigned char *ticket;
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3716 const unsigned char *msg;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3717
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3718 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3719
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3720 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3721 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3722 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3723 return( ret );
3724 }
3725
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3726 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3727 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3728 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3729 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3730 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3731 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3732 }
3733
3734 /*
3735 * struct {
3736 * uint32 ticket_lifetime_hint;
3737 * opaque ticket<0..2^16-1>;
3738 * } NewSessionTicket;
3739 *
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3740 * 0 . 3 ticket_lifetime_hint
3741 * 4 . 5 ticket_len (n)
3742 * 6 . 5+n ticket content
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3743 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3744 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3745 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3746 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3747 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3748 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3749 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3750 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3751 }
3752
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3753 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3754
Philippe Antoineb5b25432018-05-11 11:06:29 +0200[diff] [blame]3755 lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) |
3756 ( msg[2] << 8 ) | ( msg[3] );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3757
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3758 ticket_len = ( msg[4] << 8 ) | ( msg[5] );
3759
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3760 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3761 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3762 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3763 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3764 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3765 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3766 }
3767
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3768 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3769
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3770 /* We're not waiting for a NewSessionTicket message any more */
3771 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3772 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3773
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3774 /*
3775 * Zero-length ticket means the server changed his mind and doesn't want
3776 * to send a ticket after all, so just forget it
3777 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]3778 if( ticket_len == 0 )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3779 return( 0 );
3780
Hanno Becker3d699e42019-01-30 14:46:35 +0000[diff] [blame]3781 if( ssl->session != NULL && ssl->session->ticket != NULL )
3782 {
3783 mbedtls_platform_zeroize( ssl->session->ticket,
3784 ssl->session->ticket_len );
3785 mbedtls_free( ssl->session->ticket );
3786 ssl->session->ticket = NULL;
3787 ssl->session->ticket_len = 0;
3788 }
3789
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]3790 mbedtls_platform_zeroize( ssl->session_negotiate->ticket,
3791 ssl->session_negotiate->ticket_len );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3792 mbedtls_free( ssl->session_negotiate->ticket );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3793 ssl->session_negotiate->ticket = NULL;
3794 ssl->session_negotiate->ticket_len = 0;
3795
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]3796 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3797 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]3798 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3799 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3800 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]3801 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3802 }
3803
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3804 memcpy( ticket, msg + 6, ticket_len );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3805
3806 ssl->session_negotiate->ticket = ticket;
3807 ssl->session_negotiate->ticket_len = ticket_len;
3808 ssl->session_negotiate->ticket_lifetime = lifetime;
3809
3810 /*
3811 * RFC 5077 section 3.4:
3812 * "If the client receives a session ticket from the server, then it
3813 * discards any Session ID that was sent in the ServerHello."
3814 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3815 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]3816 ssl->session_negotiate->id_len = 0;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3817
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3818 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3819
3820 return( 0 );
3821}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3822#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3823
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3824/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3825 * SSL handshake -- client side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3826 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3827int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3828{
3829 int ret = 0;
3830
Manuel Pégourié-Gonnarddba460f2015-06-24 22:59:30 +0200[diff] [blame]3831 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3832 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3833
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3834 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3835
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3836 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3837 return( ret );
3838
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3839#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]3840 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3841 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3842 {
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3843 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3844 return( ret );
3845 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]3846#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3847
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3848 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3849 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3850#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3851 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3852 ssl->handshake->new_session_ticket != 0 )
3853 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3854 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3855 }
3856#endif
3857
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3858 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3859 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3860 case MBEDTLS_SSL_HELLO_REQUEST:
3861 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3862 break;
3863
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3864 /*
3865 * ==> ClientHello
3866 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3867 case MBEDTLS_SSL_CLIENT_HELLO:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3868 ret = ssl_write_client_hello( ssl );
3869 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3870
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3871 /*
3872 * <== ServerHello
3873 * Certificate
3874 * ( ServerKeyExchange )
3875 * ( CertificateRequest )
3876 * ServerHelloDone
3877 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3878 case MBEDTLS_SSL_SERVER_HELLO:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3879 ret = ssl_parse_server_hello( ssl );
3880 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3881
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3882 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3883 ret = mbedtls_ssl_parse_certificate( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3884 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3885
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3886 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3887 ret = ssl_parse_server_key_exchange( ssl );
3888 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3889
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3890 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3891 ret = ssl_parse_certificate_request( ssl );
3892 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3893
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3894 case MBEDTLS_SSL_SERVER_HELLO_DONE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3895 ret = ssl_parse_server_hello_done( ssl );
3896 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3897
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3898 /*
3899 * ==> ( Certificate/Alert )
3900 * ClientKeyExchange
3901 * ( CertificateVerify )
3902 * ChangeCipherSpec
3903 * Finished
3904 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3905 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3906 ret = mbedtls_ssl_write_certificate( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3907 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3908
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3909 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3910 ret = ssl_write_client_key_exchange( ssl );
3911 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3912
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3913 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3914 ret = ssl_write_certificate_verify( ssl );
3915 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3916
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3917 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
3918 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3919 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3920
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3921 case MBEDTLS_SSL_CLIENT_FINISHED:
3922 ret = mbedtls_ssl_write_finished( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3923 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3924
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3925 /*
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3926 * <== ( NewSessionTicket )
3927 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3928 * Finished
3929 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3930#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3931 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3932 ret = ssl_parse_new_session_ticket( ssl );
3933 break;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]3934#endif
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3935
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3936 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3937 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3938 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3939
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3940 case MBEDTLS_SSL_SERVER_FINISHED:
3941 ret = mbedtls_ssl_parse_finished( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3942 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3943
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3944 case MBEDTLS_SSL_FLUSH_BUFFERS:
3945 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3946 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3947 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3948
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3949 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3950 mbedtls_ssl_handshake_wrapup( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3951 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3952
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3953 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3954 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3955 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3956 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3957
3958 return( ret );
3959}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3960#endif /* MBEDTLS_SSL_CLI_C */