TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 80855881ecdf1fde1fe1407200a38b838f0d4eed / . / library / ssl_cli.c
blob: d226e653281f7d6cb98dc7c311034d0b94335eb2 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 client-side functions
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]22#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]23#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]24#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]25#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]26#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]30#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]31#include "mbedtls/platform.h"
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]32#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]33#include <stdlib.h>
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]34#define mbedtls_calloc calloc
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]35#define mbedtls_free free
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]36#endif
37
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]38#include "mbedtls/debug.h"
39#include "mbedtls/ssl.h"
40#include "mbedtls/ssl_internal.h"
41
42#include <string.h>
43
Manuel Pégourié-Gonnard93866642015-06-22 19:21:23 +0200[diff] [blame]44#include <stdint.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]45
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]46#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +0100[diff] [blame]47#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]48#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]49
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]50#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]51#include "mbedtls/platform_util.h"
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]52#endif
53
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]54#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
55static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]56 unsigned char *buf,
57 size_t *olen )
58{
59 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]60 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]61 size_t hostname_len;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]62
63 *olen = 0;
64
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]65 if( ssl->hostname == NULL )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]66 return;
67
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]68 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]69 ssl->hostname ) );
70
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]71 hostname_len = strlen( ssl->hostname );
72
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]73 if( end < p || (size_t)( end - p ) < hostname_len + 9 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]74 {
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]75 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]76 return;
77 }
78
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]79 /*
Hanno Becker1a9a51c2017-04-07 13:02:16 +0100[diff] [blame]80 * Sect. 3, RFC 6066 (TLS Extensions Definitions)
81 *
82 * In order to provide any of the server names, clients MAY include an
83 * extension of type "server_name" in the (extended) client hello. The
84 * "extension_data" field of this extension SHALL contain
85 * "ServerNameList" where:
86 *
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]87 * struct {
88 * NameType name_type;
89 * select (name_type) {
90 * case host_name: HostName;
91 * } name;
92 * } ServerName;
93 *
94 * enum {
95 * host_name(0), (255)
96 * } NameType;
97 *
98 * opaque HostName<1..2^16-1>;
99 *
100 * struct {
101 * ServerName server_name_list<1..2^16-1>
102 * } ServerNameList;
Hanno Becker1a9a51c2017-04-07 13:02:16 +0100[diff] [blame]103 *
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]104 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]105 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
106 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]107
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]108 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
109 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]110
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]111 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
112 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]113
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]114 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]115 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
116 *p++ = (unsigned char)( ( hostname_len ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]117
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]118 memcpy( p, ssl->hostname, hostname_len );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]119
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]120 *olen = hostname_len + 9;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]121}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]122#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]123
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]124#if defined(MBEDTLS_SSL_RENEGOTIATION)
125static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]126 unsigned char *buf,
127 size_t *olen )
128{
129 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]130 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]131
132 *olen = 0;
133
Hanno Becker40f8b512017-10-12 14:58:55 +0100[diff] [blame]134 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
135 * initial ClientHello, in which case also adding the renegotiation
136 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]137 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]138 return;
139
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]140 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]141
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]142 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]143 {
144 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
145 return;
146 }
147
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]148 /*
149 * Secure renegotiation
150 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]151 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
152 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]153
154 *p++ = 0x00;
155 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
156 *p++ = ssl->verify_data_len & 0xFF;
157
158 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
159
160 *olen = 5 + ssl->verify_data_len;
161}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]162#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]163
Manuel Pégourié-Gonnardd9423232014-12-02 11:57:29 +0100[diff] [blame]164/*
165 * Only if we handle at least one key exchange that needs signatures.
166 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]167#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
168 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
169static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]170 unsigned char *buf,
171 size_t *olen )
172{
173 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]174 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]175 size_t sig_alg_len = 0;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]176 const int *md;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]177#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard5bfd9682014-06-24 15:18:11 +0200[diff] [blame]178 unsigned char *sig_alg_list = buf + 6;
179#endif
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]180
181 *olen = 0;
182
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]183 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]184 return;
185
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]186 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]187
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]188 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
189 {
190#if defined(MBEDTLS_ECDSA_C)
191 sig_alg_len += 2;
192#endif
193#if defined(MBEDTLS_RSA_C)
194 sig_alg_len += 2;
195#endif
196 }
197
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]198 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]199 {
200 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
201 return;
202 }
203
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]204 /*
205 * Prepare signature_algorithms extension (TLS 1.2)
206 */
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]207 sig_alg_len = 0;
208
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]209 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
210 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]211#if defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]212 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
213 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200[diff] [blame]214#endif
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]215#if defined(MBEDTLS_RSA_C)
216 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
217 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200[diff] [blame]218#endif
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]219 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]220
221 /*
222 * enum {
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]223 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
224 * sha512(6), (255)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]225 * } HashAlgorithm;
226 *
227 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
228 * SignatureAlgorithm;
229 *
230 * struct {
231 * HashAlgorithm hash;
232 * SignatureAlgorithm signature;
233 * } SignatureAndHashAlgorithm;
234 *
235 * SignatureAndHashAlgorithm
236 * supported_signature_algorithms<2..2^16-2>;
237 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]238 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
239 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]240
241 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
242 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
243
244 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
245 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
246
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]247 *olen = 6 + sig_alg_len;
248}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]249#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
250 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]251
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]252#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]253 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]254static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]255 unsigned char *buf,
256 size_t *olen )
257{
258 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]259 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard8e205fc2014-01-23 17:27:10 +0100[diff] [blame]260 unsigned char *elliptic_curve_list = p + 6;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]261 size_t elliptic_curve_len = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]262 const mbedtls_ecp_curve_info *info;
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]263#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]264 const mbedtls_ecp_group_id *grp_id;
Paul Bakker0910f322014-02-06 13:41:18 +0100[diff] [blame]265#else
266 ((void) ssl);
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100[diff] [blame]267#endif
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]268
269 *olen = 0;
270
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]271 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]272
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]273 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100[diff] [blame]274 {
Gilles Peskinef9828522017-05-03 12:28:43 +0200[diff] [blame]275 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
Janos Follath8a317052016-04-21 23:37:09 +0100[diff] [blame]276 if( info == NULL )
277 {
278 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) );
279 return;
280 }
281
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]282 elliptic_curve_len += 2;
283 }
284
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]285 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]286 {
287 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
288 return;
289 }
290
291 elliptic_curve_len = 0;
292
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]293 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]294 {
Gilles Peskinef9828522017-05-03 12:28:43 +0200[diff] [blame]295 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100[diff] [blame]296 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
297 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200[diff] [blame]298 }
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]299
300 if( elliptic_curve_len == 0 )
301 return;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]302
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]303 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
304 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]305
306 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
307 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
308
309 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
310 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
311
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]312 *olen = 6 + elliptic_curve_len;
313}
314
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]315static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]316 unsigned char *buf,
317 size_t *olen )
318{
319 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]320 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]321
322 *olen = 0;
323
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]324 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]325
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]326 if( end < p || (size_t)( end - p ) < 6 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]327 {
328 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
329 return;
330 }
331
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]332 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
333 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]334
335 *p++ = 0x00;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]336 *p++ = 2;
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]337
338 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]339 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]340
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]341 *olen = 6;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]342}
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]343#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]344 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]345
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]346#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]347static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
348 unsigned char *buf,
349 size_t *olen )
350{
351 int ret;
352 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]353 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]354 size_t kkpp_len;
355
356 *olen = 0;
357
358 /* Skip costly extension if we can't use EC J-PAKE anyway */
359 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
360 return;
361
362 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) );
363
364 if( end - p < 4 )
365 {
366 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
367 return;
368 }
369
370 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
371 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
372
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]373 /*
374 * We may need to send ClientHello multiple times for Hello verification.
375 * We don't want to compute fresh values every time (both for performance
376 * and consistency reasons), so cache the extension content.
377 */
378 if( ssl->handshake->ecjpake_cache == NULL ||
379 ssl->handshake->ecjpake_cache_len == 0 )
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]380 {
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]381 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
382
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +0200[diff] [blame]383 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
384 p + 2, end - p - 2, &kkpp_len,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]385 mbedtls_ssl_conf_get_frng( ssl->conf ),
386 ssl->conf->p_rng );
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +0200[diff] [blame]387 if( ret != 0 )
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]388 {
389 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
390 return;
391 }
392
393 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
394 if( ssl->handshake->ecjpake_cache == NULL )
395 {
396 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
397 return;
398 }
399
400 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
401 ssl->handshake->ecjpake_cache_len = kkpp_len;
402 }
403 else
404 {
405 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
406
407 kkpp_len = ssl->handshake->ecjpake_cache_len;
408
409 if( (size_t)( end - p - 2 ) < kkpp_len )
410 {
411 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
412 return;
413 }
414
415 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]416 }
417
418 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
419 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
420
421 *olen = kkpp_len + 4;
422}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]423#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]424
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]425#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]426static void ssl_write_cid_ext( mbedtls_ssl_context *ssl,
427 unsigned char *buf,
428 size_t *olen )
429{
430 unsigned char *p = buf;
431 size_t ext_len;
432 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
433
434 /*
Hanno Becker3cdf8fe2019-05-15 10:26:32 +0100[diff] [blame]435 * Quoting draft-ietf-tls-dtls-connection-id-05
436 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]437 *
438 * struct {
439 * opaque cid<0..2^8-1>;
440 * } ConnectionId;
441 */
442
443 *olen = 0;
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]444 if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) ||
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]445 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
446 {
447 return;
448 }
449 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding CID extension" ) );
450
451 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
452 * which is at most 255, so the increment cannot overflow. */
453 if( end < p || (size_t)( end - p ) < (unsigned)( ssl->own_cid_len + 5 ) )
454 {
455 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
456 return;
457 }
458
459 /* Add extension ID + size */
460 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID >> 8 ) & 0xFF );
461 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID ) & 0xFF );
462 ext_len = (size_t) ssl->own_cid_len + 1;
463 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
464 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
465
466 *p++ = (uint8_t) ssl->own_cid_len;
467 memcpy( p, ssl->own_cid, ssl->own_cid_len );
468
469 *olen = ssl->own_cid_len + 5;
470}
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]471#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]472
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]473#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
474static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]475 unsigned char *buf,
476 size_t *olen )
477{
478 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]479 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]480
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]481 *olen = 0;
482
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]483 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]484 return;
485 }
486
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]487 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]488
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]489 if( end < p || (size_t)( end - p ) < 5 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]490 {
491 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
492 return;
493 }
494
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]495 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
496 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]497
498 *p++ = 0x00;
499 *p++ = 1;
500
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]501 *p++ = ssl->conf->mfl_code;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]502
503 *olen = 5;
504}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]505#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]506
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]507#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
508static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]509 unsigned char *buf, size_t *olen )
510{
511 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]512 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]513
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]514 *olen = 0;
515
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]516 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]517 {
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]518 return;
519 }
520
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]521 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]522
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]523 if( end < p || (size_t)( end - p ) < 4 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]524 {
525 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
526 return;
527 }
528
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]529 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
530 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]531
532 *p++ = 0x00;
533 *p++ = 0x00;
534
535 *olen = 4;
536}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]537#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]538
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]539#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
540static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]541 unsigned char *buf, size_t *olen )
542{
543 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]544 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]545
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]546 *olen = 0;
547
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]548 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
549 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]550 {
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]551 return;
552 }
553
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]554 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]555 "extension" ) );
556
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]557 if( end < p || (size_t)( end - p ) < 4 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]558 {
559 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
560 return;
561 }
562
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]563 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
564 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]565
566 *p++ = 0x00;
567 *p++ = 0x00;
568
569 *olen = 4;
570}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]571#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]572
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]573#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
574static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]575 unsigned char *buf, size_t *olen )
576{
577 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]578 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]579
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]580 *olen = 0;
581
Hanno Beckeraabbb582019-06-11 13:43:27 +0100[diff] [blame]582 if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
583 MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]584 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]585 {
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]586 return;
587 }
588
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]589 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]590 "extension" ) );
591
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]592 if( end < p || (size_t)( end - p ) < 4 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]593 {
594 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
595 return;
596 }
597
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]598 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
599 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]600
601 *p++ = 0x00;
602 *p++ = 0x00;
603
604 *olen = 4;
605}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]606#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]607
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]608#if defined(MBEDTLS_SSL_SESSION_TICKETS)
609static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]610 unsigned char *buf, size_t *olen )
611{
612 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]613 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]614 size_t tlen = ssl->session_negotiate->ticket_len;
615
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]616 *olen = 0;
617
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]618 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]619 {
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]620 return;
621 }
622
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]623 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]624
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]625 if( end < p || (size_t)( end - p ) < 4 + tlen )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]626 {
627 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
628 return;
629 }
630
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]631 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
632 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]633
634 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
635 *p++ = (unsigned char)( ( tlen ) & 0xFF );
636
637 *olen = 4;
638
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]639 if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]640 {
641 return;
642 }
643
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]644 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]645
646 memcpy( p, ssl->session_negotiate->ticket, tlen );
647
648 *olen += tlen;
649}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]650#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]651
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]652#if defined(MBEDTLS_SSL_ALPN)
653static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]654 unsigned char *buf, size_t *olen )
655{
656 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]657 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]658 size_t alpnlen = 0;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]659 const char **cur;
660
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]661 *olen = 0;
662
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]663 if( ssl->conf->alpn_list == NULL )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]664 {
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]665 return;
666 }
667
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]668 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]669
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]670 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
Simon Butcher04799a42015-09-29 00:31:09 +0100[diff] [blame]671 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]672
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]673 if( end < p || (size_t)( end - p ) < 6 + alpnlen )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]674 {
675 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
676 return;
677 }
678
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]679 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
680 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]681
682 /*
683 * opaque ProtocolName<1..2^8-1>;
684 *
685 * struct {
686 * ProtocolName protocol_name_list<2..2^16-1>
687 * } ProtocolNameList;
688 */
689
690 /* Skip writing extension and list length for now */
691 p += 4;
692
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]693 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]694 {
695 *p = (unsigned char)( strlen( *cur ) & 0xFF );
696 memcpy( p + 1, *cur, *p );
697 p += 1 + *p;
698 }
699
700 *olen = p - buf;
701
702 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
703 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
704 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
705
706 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
707 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
708 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
709}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]710#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]711
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]712/*
713 * Generate random bytes for ClientHello
714 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]715static int ssl_generate_random( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]716{
717 int ret;
718 unsigned char *p = ssl->handshake->randbytes;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]719#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]720 mbedtls_time_t t;
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]721#endif
722
Manuel Pégourié-Gonnardfb2d2232014-07-22 15:59:14 +0200[diff] [blame]723 /*
724 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
725 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]726#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]727 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
Manuel Pégourié-Gonnardfb2d2232014-07-22 15:59:14 +0200[diff] [blame]728 ssl->handshake->verify_cookie != NULL )
729 {
730 return( 0 );
731 }
732#endif
733
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]734#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]735 t = mbedtls_time( NULL );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]736 *p++ = (unsigned char)( t >> 24 );
737 *p++ = (unsigned char)( t >> 16 );
738 *p++ = (unsigned char)( t >> 8 );
739 *p++ = (unsigned char)( t );
740
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]741 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]742#else
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]743 if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
744 ( ssl->conf->p_rng, p, 4 ) ) != 0 )
745 {
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]746 return( ret );
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]747 }
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]748
749 p += 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]750#endif /* MBEDTLS_HAVE_TIME */
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]751
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]752 if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
753 ( ssl->conf->p_rng, p, 28 ) ) != 0 )
754 {
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]755 return( ret );
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]756 }
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]757
758 return( 0 );
759}
760
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]761/**
762 * \brief Validate cipher suite against config in SSL context.
763 *
764 * \param suite_info cipher suite to validate
765 * \param ssl SSL context
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]766 * \param min_minor_ver Minimal minor version to accept a cipher suite
767 * \param max_minor_ver Maximal minor version to accept a cipher suite
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]768 *
769 * \return 0 if valid, else 1
770 */
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]771static int ssl_validate_ciphersuite( mbedtls_ssl_ciphersuite_handle_t suite_info,
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]772 const mbedtls_ssl_context * ssl,
773 int min_minor_ver, int max_minor_ver )
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]774{
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]775 (void) ssl;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]776 if( suite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]777 return( 1 );
778
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]779
780 if( mbedtls_ssl_suite_get_min_minor_ver( suite_info ) > max_minor_ver ||
781 mbedtls_ssl_suite_get_max_minor_ver( suite_info ) < min_minor_ver )
782 {
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]783 return( 1 );
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]784 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]785
786#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]787 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]788 ( mbedtls_ssl_suite_get_flags( suite_info ) &
789 MBEDTLS_CIPHERSUITE_NODTLS ) != 0 )
790 {
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]791 return( 1 );
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]792 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]793#endif
794
795#if defined(MBEDTLS_ARC4_C)
796 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]797 mbedtls_ssl_suite_get_cipher( suite_info ) == MBEDTLS_CIPHER_ARC4_128 )
798 {
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]799 return( 1 );
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]800 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]801#endif
802
803#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]804 if( mbedtls_ssl_suite_get_key_exchange( suite_info ) ==
805 MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
806 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
807 {
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]808 return( 1 );
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]809 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]810#endif
811
812 return( 0 );
813}
814
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]815static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]816{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]817 int ret;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]818 size_t i, n, olen, ext_len = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]819 unsigned char *buf;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]820 unsigned char *p, *q;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]821 unsigned char offer_compress;
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]822#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
823 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
824 int uses_ec = 0;
825#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]826
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]827 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]828
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]829 if( mbedtls_ssl_conf_get_frng( ssl->conf ) == NULL )
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]830 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]831 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
832 return( MBEDTLS_ERR_SSL_NO_RNG );
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]833 }
834
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]835 if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]836 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]837 ssl->major_ver = ssl->conf->min_major_ver;
838 ssl->minor_ver = ssl->conf->min_minor_ver;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]839 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]840
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +0200[diff] [blame]841 if( ssl->conf->max_major_ver == 0 )
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]842 {
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +0200[diff] [blame]843 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
844 "consider using mbedtls_ssl_config_defaults()" ) );
845 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]846 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]847
848 /*
849 * 0 . 0 handshake type
850 * 1 . 3 handshake length
851 * 4 . 5 highest version supported
852 * 6 . 9 current UNIX time
853 * 10 . 37 random bytes
854 */
855 buf = ssl->out_msg;
856 p = buf + 4;
857
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]858 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
859 ssl->conf->transport, p );
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]860 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]861
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]862 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]863 buf[4], buf[5] ) );
864
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]865 if( ( ret = ssl_generate_random( ssl ) ) != 0 )
866 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]867 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]868 return( ret );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]869 }
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]870
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]871 memcpy( p, ssl->handshake->randbytes, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]872 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]873 p += 32;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]874
875 /*
876 * 38 . 38 session id length
877 * 39 . 39+n session id
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]878 * 39+n . 39+n DTLS only: cookie length (1 byte)
879 * 40+n . .. DTSL only: cookie
880 * .. . .. ciphersuitelist length (2 bytes)
881 * .. . .. ciphersuitelist
882 * .. . .. compression methods length (1 byte)
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]883 * .. . .. compression methods
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]884 * .. . .. extensions length (2 bytes)
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]885 * .. . .. extensions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]886 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]887
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]888 /*
889 * We'll write a session of non-zero length if resumption was requested
890 * by the user, we're not renegotiating, and the session ID is of
891 * appropriate length. Otherwise make the length 0 (for now, see next code
892 * block for behaviour with tickets).
893 */
894 if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 0 ||
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]895 mbedtls_ssl_get_renego_status( ssl ) != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]896 ssl->session_negotiate->id_len < 16 ||
897 ssl->session_negotiate->id_len > 32 )
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]898 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]899 n = 0;
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]900 }
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]901 else
902 {
903 n = ssl->session_negotiate->id_len;
904 }
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]905
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]906#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]907 /*
908 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
909 * generate and include a Session ID in the TLS ClientHello."
910 */
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]911 if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
912 ssl->session_negotiate->ticket != NULL &&
913 ssl->session_negotiate->ticket_len != 0 )
Manuel Pégourié-Gonnardd2b35ec2015-03-10 11:40:43 +0000[diff] [blame]914 {
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]915 ret = mbedtls_ssl_conf_get_frng( ssl->conf )
916 ( ssl->conf->p_rng, ssl->session_negotiate->id, 32 );
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]917
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]918 if( ret != 0 )
919 return( ret );
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]920
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]921 ssl->session_negotiate->id_len = n = 32;
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]922 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]923#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]924
925 *p++ = (unsigned char) n;
926
927 for( i = 0; i < n; i++ )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]928 *p++ = ssl->session_negotiate->id[i];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]929
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]930 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
931 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]932
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]933 /*
934 * DTLS cookie
935 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]936#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]937 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]938 {
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]939 if( ssl->handshake->verify_cookie == NULL )
940 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]941 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]942 *p++ = 0;
943 }
944 else
945 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]946 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]947 ssl->handshake->verify_cookie,
948 ssl->handshake->verify_cookie_len );
949
950 *p++ = ssl->handshake->verify_cookie_len;
951 memcpy( p, ssl->handshake->verify_cookie,
952 ssl->handshake->verify_cookie_len );
953 p += ssl->handshake->verify_cookie_len;
954 }
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]955 }
956#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]957
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]958 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]959 * Ciphersuite list
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]960 */
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]961
962 /* Skip writing ciphersuite length for now */
963 n = 0;
964 q = p;
965 p += 2;
966
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]967 MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE( ssl,
968 ssl->minor_ver,
969 ciphersuite_info )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]970 {
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]971 if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
972 ssl->conf->min_minor_ver,
973 ssl->conf->max_minor_ver ) != 0 )
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]974 {
Hanno Beckerf4d6b492019-07-02 17:13:14 +0100[diff] [blame]975 continue;
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]976 }
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]977
Manuel Pégourié-Gonnard60884a12015-09-16 11:13:41 +0200[diff] [blame]978 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]979 mbedtls_ssl_suite_get_id( ciphersuite_info ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]980
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]981#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
982 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
983 uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
984#endif
985
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]986 n++;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]987 *p++ = (unsigned char)(
988 mbedtls_ssl_suite_get_id( ciphersuite_info ) >> 8 );
989 *p++ = (unsigned char)(
990 mbedtls_ssl_suite_get_id( ciphersuite_info ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]991 }
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]992 MBEDTLS_SSL_END_FOR_EACH_CIPHERSUITE
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]993
Ron Eldor4a2fb4c2017-09-10 17:03:50 +0300[diff] [blame]994 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
Ron Eldor714785d2017-08-28 13:55:55 +0300[diff] [blame]995
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]996 /*
997 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
998 */
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]999 if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]1000 {
Ron Eldor4a2fb4c2017-09-10 17:03:50 +0300[diff] [blame]1001 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1002 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
1003 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]1004 n++;
1005 }
1006
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1007 /* Some versions of OpenSSL don't handle it correctly if not at end */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1008#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
Manuel Pégourié-Gonnard684b0592015-05-06 09:27:31 +0100[diff] [blame]1009 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1010 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1011 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
1012 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
1013 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1014 n++;
1015 }
1016#endif
1017
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1018 *q++ = (unsigned char)( n >> 7 );
1019 *q++ = (unsigned char)( n << 1 );
1020
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1021#if defined(MBEDTLS_ZLIB_SUPPORT)
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1022 offer_compress = 1;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1023#else
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1024 offer_compress = 0;
1025#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1026
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1027 /*
Johannes H4e5d23f2018-01-06 09:46:57 +0100[diff] [blame]1028 * We don't support compression with DTLS right now: if many records come
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1029 * in the same datagram, uncompressing one could overwrite the next one.
1030 * We don't want to add complexity for handling that case unless there is
1031 * an actual need for it.
1032 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1033#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]1034 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1035 offer_compress = 0;
1036#endif
1037
1038 if( offer_compress )
1039 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1040 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
1041 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
1042 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1043
1044 *p++ = 2;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1045 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
1046 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1047 }
1048 else
1049 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1050 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
1051 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
1052 MBEDTLS_SSL_COMPRESS_NULL ) );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1053
1054 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1055 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1056 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1057
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1058 // First write extensions, then the total length
1059 //
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1060#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1061 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
1062 ext_len += olen;
Paul Bakker0be444a2013-08-27 21:55:01 +0200[diff] [blame]1063#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1064
Hanno Becker40f8b512017-10-12 14:58:55 +0100[diff] [blame]1065 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
1066 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1067#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1068 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1069 ext_len += olen;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1070#endif
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1071
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1072#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1073 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1074 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
1075 ext_len += olen;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]1076#endif
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1077
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]1078#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1079 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]1080 if( uses_ec )
1081 {
1082 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
1083 ext_len += olen;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1084
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]1085 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1086 ext_len += olen;
1087 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1088#endif
1089
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]1090#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]1091 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
1092 ext_len += olen;
1093#endif
1094
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1095#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]1096 ssl_write_cid_ext( ssl, p + 2 + ext_len, &olen );
1097 ext_len += olen;
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1098#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]1099
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1100#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1101 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1102 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1103#endif
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1104
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1105#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1106 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1107 ext_len += olen;
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1108#endif
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1109
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1110#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1111 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
1112 ext_len += olen;
1113#endif
1114
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1115#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1116 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
1117 ext_len += olen;
1118#endif
1119
Simon Butcher5624ec82015-09-29 01:06:06 +0100[diff] [blame]1120#if defined(MBEDTLS_SSL_ALPN)
1121 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1122 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1123#endif
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1124
Simon Butcher5624ec82015-09-29 01:06:06 +0100[diff] [blame]1125#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1126 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1127 ext_len += olen;
1128#endif
1129
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1130 /* olen unused if all extensions are disabled */
1131 ((void) olen);
1132
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1133 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1134 ext_len ) );
1135
Paul Bakkera7036632014-04-30 10:15:38 +0200[diff] [blame]1136 if( ext_len > 0 )
1137 {
1138 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1139 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1140 p += ext_len;
1141 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1142
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1143 ssl->out_msglen = p - buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1144 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1145 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1146
1147 ssl->state++;
1148
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1149#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]1150 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1151 mbedtls_ssl_send_flight_completed( ssl );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]1152#endif
1153
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]1154 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1155 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]1156 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1157 return( ret );
1158 }
1159
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]1160#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]1161 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]1162 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
1163 {
1164 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
1165 return( ret );
1166 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]1167#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]1168
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1169 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1170
1171 return( 0 );
1172}
1173
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1174static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]1175 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1176 size_t len )
1177{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1178#if defined(MBEDTLS_SSL_RENEGOTIATION)
1179 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1180 {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]1181 /* Check verify-data in constant-time. The length OTOH is no secret */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1182 if( len != 1 + ssl->verify_data_len * 2 ||
1183 buf[0] != ssl->verify_data_len * 2 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1184 mbedtls_ssl_safer_memcmp( buf + 1,
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]1185 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1186 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]1187 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1188 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1189 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1190 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1191 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1192 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1193 }
1194 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1195 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1196#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1197 {
1198 if( len != 1 || buf[0] != 0x00 )
1199 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1200 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1201 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1202 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1203 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1204 }
1205
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1206 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1207 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1208
1209 return( 0 );
1210}
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1211
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1212#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1213static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]1214 const unsigned char *buf,
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1215 size_t len )
1216{
1217 /*
1218 * server should use the extension only if we did,
1219 * and if so the server's value should match ours (and len is always 1)
1220 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1221 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1222 len != 1 ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1223 buf[0] != ssl->conf->mfl_code )
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1224 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1225 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1226 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1227 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1228 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1229 }
1230
1231 return( 0 );
1232}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1233#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1234
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1235#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1236static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1237 const unsigned char *buf,
1238 size_t len )
1239{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1240 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1241 len != 0 )
1242 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1243 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1244 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1245 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1246 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1247 }
1248
1249 ((void) buf);
1250
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1251 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1252
1253 return( 0 );
1254}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1255#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1256
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1257#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1258static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
1259 const unsigned char *buf,
1260 size_t len )
1261{
1262 size_t peer_cid_len;
1263
1264 if( /* CID extension only makes sense in DTLS */
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]1265 MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) ||
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1266 /* The server must only send the CID extension if we have offered it. */
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1267 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1268 {
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1269 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension unexpected" ) );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1270 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1271 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1272 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1273 }
1274
1275 if( len == 0 )
1276 {
1277 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
1278 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1279 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1280 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1281 }
1282
1283 peer_cid_len = *buf++;
1284 len--;
1285
1286 if( peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX )
1287 {
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1288 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1289 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1290 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1291 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1292 }
1293
1294 if( len != peer_cid_len )
1295 {
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1296 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1297 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1298 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1299 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1300 }
1301
Hanno Beckerf885d3b2019-05-03 12:47:49 +0100[diff] [blame]1302 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1303 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
1304 memcpy( ssl->handshake->peer_cid, buf, peer_cid_len );
1305
1306 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of CID extension negotiated" ) );
1307 MBEDTLS_SSL_DEBUG_BUF( 3, "Server CID", buf, peer_cid_len );
1308
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1309 return( 0 );
1310}
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1311#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1312
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1313#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1314static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1315 const unsigned char *buf,
1316 size_t len )
1317{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1318 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1319 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1320 len != 0 )
1321 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1322 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1323 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1324 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1325 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1326 }
1327
1328 ((void) buf);
1329
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1330 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1331
1332 return( 0 );
1333}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1334#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1335
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1336#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1337static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1338 const unsigned char *buf,
1339 size_t len )
1340{
Hanno Beckeraabbb582019-06-11 13:43:27 +0100[diff] [blame]1341 if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
1342 MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1343 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1344 len != 0 )
1345 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1346 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1347 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1348 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1349 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1350 }
1351
1352 ((void) buf);
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1353 return( 0 );
1354}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1355#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1356
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1357#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1358static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1359 const unsigned char *buf,
1360 size_t len )
1361{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1362 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]1363 len != 0 )
1364 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1365 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1366 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1367 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1368 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]1369 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1370
1371 ((void) buf);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]1372
1373 ssl->handshake->new_session_ticket = 1;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1374
1375 return( 0 );
1376}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1377#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1378
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1379#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1380 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1381static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1382 const unsigned char *buf,
1383 size_t len )
1384{
1385 size_t list_size;
1386 const unsigned char *p;
1387
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]1388 if( len == 0 || (size_t)( buf[0] + 1 ) != len )
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1389 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1390 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1391 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1392 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1393 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1394 }
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]1395 list_size = buf[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1396
Manuel Pégourié-Gonnardfd35af12014-06-23 14:10:13 +0200[diff] [blame]1397 p = buf + 1;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1398 while( list_size > 0 )
1399 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1400 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1401 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1402 {
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1403#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]1404 ssl->handshake->ecdh_ctx.point_format = p[0];
Gilles Peskine064a85c2017-05-10 10:46:40 +0200[diff] [blame]1405#endif
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1406#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1407 ssl->handshake->ecjpake_ctx.point_format = p[0];
1408#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1409 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1410 return( 0 );
1411 }
1412
1413 list_size--;
1414 p++;
1415 }
1416
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1417 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1418 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1419 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1420 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1421}
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]1422#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1423 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1424
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1425#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1426static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
1427 const unsigned char *buf,
1428 size_t len )
1429{
1430 int ret;
1431
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]1432 if( mbedtls_ssl_suite_get_key_exchange(
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]1433 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) )
1434 != MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1435 {
1436 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
1437 return( 0 );
1438 }
1439
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]1440 /* If we got here, we no longer need our cached extension */
1441 mbedtls_free( ssl->handshake->ecjpake_cache );
1442 ssl->handshake->ecjpake_cache = NULL;
1443 ssl->handshake->ecjpake_cache_len = 0;
1444
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1445 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
1446 buf, len ) ) != 0 )
1447 {
1448 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1449 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1450 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1451 return( ret );
1452 }
1453
1454 return( 0 );
1455}
1456#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1457
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1458#if defined(MBEDTLS_SSL_ALPN)
1459static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1460 const unsigned char *buf, size_t len )
1461{
1462 size_t list_len, name_len;
1463 const char **p;
1464
1465 /* If we didn't send it, the server shouldn't send it */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1466 if( ssl->conf->alpn_list == NULL )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1467 {
1468 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1469 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1470 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1471 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1472 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1473
1474 /*
1475 * opaque ProtocolName<1..2^8-1>;
1476 *
1477 * struct {
1478 * ProtocolName protocol_name_list<2..2^16-1>
1479 * } ProtocolNameList;
1480 *
1481 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
1482 */
1483
1484 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
1485 if( len < 4 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1486 {
1487 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1488 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1489 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1490 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1491
1492 list_len = ( buf[0] << 8 ) | buf[1];
1493 if( list_len != len - 2 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1494 {
1495 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1496 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1497 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1498 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1499
1500 name_len = buf[2];
1501 if( name_len != list_len - 1 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1502 {
1503 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1504 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1505 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1506 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1507
1508 /* Check that the server chosen protocol was in our list and save it */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1509 for( p = ssl->conf->alpn_list; *p != NULL; p++ )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1510 {
1511 if( name_len == strlen( *p ) &&
1512 memcmp( buf + 3, *p, name_len ) == 0 )
1513 {
1514 ssl->alpn_chosen = *p;
1515 return( 0 );
1516 }
1517 }
1518
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1519 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1520 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1521 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1522 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1523}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1524#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1525
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1526/*
1527 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1528 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1529#if defined(MBEDTLS_SSL_PROTO_DTLS)
1530static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1531{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1532 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1533 int major_ver, minor_ver;
1534 unsigned char cookie_len;
1535
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1536 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1537
1538 /*
1539 * struct {
1540 * ProtocolVersion server_version;
1541 * opaque cookie<0..2^8-1>;
1542 * } HelloVerifyRequest;
1543 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1544 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1545 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1546 p += 2;
1547
Manuel Pégourié-Gonnardb35fe562014-08-09 17:00:46 +0200[diff] [blame]1548 /*
1549 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
1550 * even is lower than our min version.
1551 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1552 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
1553 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1554 major_ver > ssl->conf->max_major_ver ||
1555 minor_ver > ssl->conf->max_minor_ver )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1556 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1557 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1558
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1559 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1560 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1561
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1562 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1563 }
1564
1565 cookie_len = *p++;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1566 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1567
Andres AG5a87c932016-09-26 14:53:05 +0100[diff] [blame]1568 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
1569 {
1570 MBEDTLS_SSL_DEBUG_MSG( 1,
1571 ( "cookie length does not match incoming message size" ) );
1572 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1573 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1574 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1575 }
1576
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1577 mbedtls_free( ssl->handshake->verify_cookie );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1578
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]1579 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1580 if( ssl->handshake->verify_cookie == NULL )
1581 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]1582 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]1583 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1584 }
1585
1586 memcpy( ssl->handshake->verify_cookie, p, cookie_len );
1587 ssl->handshake->verify_cookie_len = cookie_len;
1588
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]1589 /* Start over at ClientHello */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1590 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
1591 mbedtls_ssl_reset_checksum( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1592
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1593 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1594
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1595 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1596
1597 return( 0 );
1598}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1599#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1600
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1601static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1602{
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1603 int ret, i;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1604 size_t n;
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1605 size_t ext_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1606 unsigned char *buf, *ext;
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1607 unsigned char comp;
1608#if defined(MBEDTLS_ZLIB_SUPPORT)
1609 int accept_comp;
1610#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1611#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1612 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1613#endif
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]1614#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1615 int extended_ms_seen = 0;
1616#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1617 int handshake_failure = 0;
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1618
1619 /* The ciphersuite chosen by the server. */
1620 mbedtls_ssl_ciphersuite_handle_t server_suite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1621
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1622 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1623
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]1624 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1625 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1626 /* No alert on a read error. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1627 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1628 return( ret );
1629 }
1630
Hanno Beckerf5970a02019-05-08 09:38:41 +0100[diff] [blame]1631 buf = ssl->in_msg;
1632
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1633 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1634 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1635#if defined(MBEDTLS_SSL_RENEGOTIATION)
1636 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1637 {
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1638 ssl->renego_records_seen++;
1639
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1640 if( ssl->conf->renego_max_records >= 0 &&
1641 ssl->renego_records_seen > ssl->conf->renego_max_records )
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1642 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1643 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1644 "but not honored by server" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1645 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1646 }
1647
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1648 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]1649
1650 ssl->keep_current_message = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1651 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1652 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1653#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1654
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1655 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1656 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1657 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1658 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1659 }
1660
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1661#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]1662 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1663 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1664 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1665 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1666 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
1667 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1668 return( ssl_parse_hello_verify_request( ssl ) );
1669 }
1670 else
1671 {
1672 /* We made it through the verification process */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1673 mbedtls_free( ssl->handshake->verify_cookie );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1674 ssl->handshake->verify_cookie = NULL;
1675 ssl->handshake->verify_cookie_len = 0;
1676 }
1677 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1678#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1679
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1680 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
1681 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1682 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1683 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1684 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1685 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1686 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1687 }
1688
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1689 /*
1690 * 0 . 1 server_version
1691 * 2 . 33 random (maybe including 4 bytes of Unix time)
1692 * 34 . 34 session_id length = n
1693 * 35 . 34+n session_id
1694 * 35+n . 36+n cipher_suite
1695 * 37+n . 37+n compression_method
1696 *
1697 * 38+n . 39+n extensions length (optional)
1698 * 40+n . .. extensions
1699 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1700 buf += mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1701
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1702 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
1703 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1704 ssl->conf->transport, buf + 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1705
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1706 if( ssl->major_ver < ssl->conf->min_major_ver ||
1707 ssl->minor_ver < ssl->conf->min_minor_ver ||
1708 ssl->major_ver > ssl->conf->max_major_ver ||
1709 ssl->minor_ver > ssl->conf->max_minor_ver )
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1710 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1711 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]1712 " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1713 ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]1714 ssl->major_ver, ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1715 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1716
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1717 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1718 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1719
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1720 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1721 }
1722
Andres Amaya Garcia6bce9cb2017-09-06 15:33:34 +0100[diff] [blame]1723 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
1724 ( (uint32_t) buf[2] << 24 ) |
1725 ( (uint32_t) buf[3] << 16 ) |
1726 ( (uint32_t) buf[4] << 8 ) |
1727 ( (uint32_t) buf[5] ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1728
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1729 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1730
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1731 n = buf[34];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1732
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1733 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1734
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1735 if( n > 32 )
1736 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1737 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1738 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1739 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1740 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1741 }
1742
Manuel Pégourié-Gonnarda6e5bd52015-07-23 12:14:13 +0200[diff] [blame]1743 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1744 {
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1745 ext_len = ( ( buf[38 + n] << 8 )
1746 | ( buf[39 + n] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1747
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1748 if( ( ext_len > 0 && ext_len < 4 ) ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1749 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1750 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1751 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1752 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1753 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1754 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1755 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1756 }
Manuel Pégourié-Gonnarda6e5bd52015-07-23 12:14:13 +0200[diff] [blame]1757 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1758 {
1759 ext_len = 0;
1760 }
1761 else
1762 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1763 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1764 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1765 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1766 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1767 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1768
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1769 /* ciphersuite (used later) */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1770 i = ( buf[35 + n] << 8 ) | buf[36 + n];
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1771
1772 /*
1773 * Read and check compression
1774 */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1775 comp = buf[37 + n];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1776
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1777#if defined(MBEDTLS_ZLIB_SUPPORT)
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1778 /* See comments in ssl_write_client_hello() */
Manuel Pégourié-Gonnardff4bd9f2019-06-06 10:34:48 +0200[diff] [blame]1779 accept_comp = MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1780
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1781 if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
1782 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
1783#else /* MBEDTLS_ZLIB_SUPPORT */
1784 if( comp != MBEDTLS_SSL_COMPRESS_NULL )
1785#endif/* MBEDTLS_ZLIB_SUPPORT */
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1786 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1787 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1788 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1789 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1790 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1791 }
1792
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1793 /*
1794 * Initialize update checksum functions
1795 */
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1796 server_suite_info = mbedtls_ssl_ciphersuite_from_id( i );
Hanno Becker73f4cb12019-06-27 13:51:07 +0100[diff] [blame]1797#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1798 ssl->handshake->ciphersuite_info = server_suite_info;
1799#endif
1800 if( server_suite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1801 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1802 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1803 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1804 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1805 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1806 }
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1807 mbedtls_ssl_optimize_checksum( ssl, server_suite_info );
Manuel Pégourié-Gonnard3c599f12014-03-10 13:25:07 +0100[diff] [blame]1808
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1809 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1810 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1811
1812 /*
1813 * Check if the session can be resumed
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]1814 *
1815 * We're only resuming a session if it was requested (handshake->resume
1816 * already set to 1 by mbedtls_ssl_set_session()), and further conditions
1817 * are satisfied (not renegotiating, ID and ciphersuite match, etc).
1818 *
1819 * Update handshake->resume to the value it will keep for the rest of the
1820 * handshake, and that will be used to determine the relative order
1821 * client/server last flights, as well as in handshake_wrapup().
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1822 */
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1823#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
1824 if( n == 0 ||
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]1825 mbedtls_ssl_get_renego_status( ssl ) != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Hanno Beckere02758c2019-06-26 15:31:31 +0100[diff] [blame]1826 mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate ) != i ||
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1827 ssl->session_negotiate->compression != comp ||
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1828 ssl->session_negotiate->id_len != n ||
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1829 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1830 {
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]1831 ssl->handshake->resume = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1832 }
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]1833#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */
1834
1835 if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 1 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1836 {
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]1837 /* Resume a session */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1838 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1839
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1840 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1841 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1842 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1843 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1844 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1845 return( ret );
1846 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1847 }
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1848 else
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1849 {
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]1850 /* Start a new session */
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1851 ssl->state++;
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1852#if defined(MBEDTLS_HAVE_TIME)
1853 ssl->session_negotiate->start = mbedtls_time( NULL );
1854#endif
Hanno Becker73f4cb12019-06-27 13:51:07 +0100[diff] [blame]1855#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1856 ssl->session_negotiate->ciphersuite = i;
Hanno Becker73f4cb12019-06-27 13:51:07 +0100[diff] [blame]1857#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1858 ssl->session_negotiate->compression = comp;
1859 ssl->session_negotiate->id_len = n;
1860 memcpy( ssl->session_negotiate->id, buf + 35, n );
1861 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1862
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1863 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Manuel Pégourié-Gonnard3652e992019-07-01 12:09:22 +0200[diff] [blame]1864 mbedtls_ssl_handshake_get_resume( ssl->handshake ) ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1865
Manuel Pégourié-Gonnard60884a12015-09-16 11:13:41 +0200[diff] [blame]1866 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1867 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1868
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]1869 /*
1870 * Perform cipher suite validation in same way as in ssl_write_client_hello.
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1871 */
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1872 MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE( ssl,
1873 ssl->minor_ver,
1874 ciphersuite_info )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1875 {
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1876 if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
1877 ssl->conf->min_minor_ver,
1878 ssl->conf->max_minor_ver ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1879 {
Hanno Beckerf4d6b492019-07-02 17:13:14 +0100[diff] [blame]1880 continue;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1881 }
1882
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1883 if( ciphersuite_info != server_suite_info )
Hanno Beckerf4d6b492019-07-02 17:13:14 +0100[diff] [blame]1884 continue;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1885
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1886 goto server_picked_valid_suite;
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1887 }
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1888 MBEDTLS_SSL_END_FOR_EACH_CIPHERSUITE
1889
1890 /* If we reach this code-path, the server's chosen ciphersuite
1891 * wasn't among those advertised by us. */
1892 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1893 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1894 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1895 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1896
1897server_picked_valid_suite:
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1898
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]1899 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1900 mbedtls_ssl_suite_get_name( server_suite_info ) ) );
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1901
Manuel Pégourié-Gonnardda19f4c2018-06-12 12:40:54 +0200[diff] [blame]1902#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1903 if( mbedtls_ssl_suite_get_key_exchange( server_suite_info ) ==
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]1904 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
Manuel Pégourié-Gonnardda19f4c2018-06-12 12:40:54 +0200[diff] [blame]1905 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
1906 {
1907 ssl->handshake->ecrs_enabled = 1;
1908 }
1909#endif
1910
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1911 if( comp != MBEDTLS_SSL_COMPRESS_NULL
1912#if defined(MBEDTLS_ZLIB_SUPPORT)
1913 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1914#endif
1915 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1916 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1917 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1918 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1919 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1920 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1921 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1922 ssl->session_negotiate->compression = comp;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1923
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1924 ext = buf + 40 + n;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1925
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1926 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1927
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1928 while( ext_len )
1929 {
1930 unsigned int ext_id = ( ( ext[0] << 8 )
1931 | ( ext[1] ) );
1932 unsigned int ext_size = ( ( ext[2] << 8 )
1933 | ( ext[3] ) );
1934
1935 if( ext_size + 4 > ext_len )
1936 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1937 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1938 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1939 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1940 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1941 }
1942
1943 switch( ext_id )
1944 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1945 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1946 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1947#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1948 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1949#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1950
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1951 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
1952 ext_size ) ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1953 return( ret );
1954
1955 break;
1956
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1957#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1958 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1959 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1960
1961 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
1962 ext + 4, ext_size ) ) != 0 )
1963 {
1964 return( ret );
1965 }
1966
1967 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1968#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1969
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1970#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1971 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
1972 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1973
1974 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
1975 ext + 4, ext_size ) ) != 0 )
1976 {
1977 return( ret );
1978 }
1979
1980 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1981#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1982
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1983#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1984 case MBEDTLS_TLS_EXT_CID:
1985 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) );
1986
1987 if( ( ret = ssl_parse_cid_ext( ssl,
1988 ext + 4,
1989 ext_size ) ) != 0 )
1990 {
1991 return( ret );
1992 }
1993
1994 break;
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1995#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1996
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1997#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1998 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1999 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2000
2001 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
2002 ext + 4, ext_size ) ) != 0 )
2003 {
2004 return( ret );
2005 }
2006
2007 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2008#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2009
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2010#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2011 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
2012 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2013
2014 if( ( ret = ssl_parse_extended_ms_ext( ssl,
2015 ext + 4, ext_size ) ) != 0 )
2016 {
2017 return( ret );
2018 }
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2019 extended_ms_seen = 1;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2020
2021 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2022#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2023
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2024#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2025 case MBEDTLS_TLS_EXT_SESSION_TICKET:
2026 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]2027
2028 if( ( ret = ssl_parse_session_ticket_ext( ssl,
2029 ext + 4, ext_size ) ) != 0 )
2030 {
2031 return( ret );
2032 }
2033
2034 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2035#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]2036
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]2037#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]2038 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2039 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
2040 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2041
2042 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
2043 ext + 4, ext_size ) ) != 0 )
2044 {
2045 return( ret );
2046 }
2047
2048 break;
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]2049#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
2050 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2051
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]2052#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2053 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
2054 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
2055
2056 if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
2057 ext + 4, ext_size ) ) != 0 )
2058 {
2059 return( ret );
2060 }
2061
2062 break;
2063#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2064
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2065#if defined(MBEDTLS_SSL_ALPN)
2066 case MBEDTLS_TLS_EXT_ALPN:
2067 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]2068
2069 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
2070 return( ret );
2071
2072 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2073#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]2074
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2075 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2076 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2077 ext_id ) );
2078 }
2079
2080 ext_len -= 4 + ext_size;
2081 ext += 4 + ext_size;
2082
2083 if( ext_len > 0 && ext_len < 4 )
2084 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2085 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
2086 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2087 }
2088 }
2089
2090 /*
2091 * Renegotiation security checks
2092 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2093 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Hanno Beckerb0b2b672019-06-12 16:58:10 +0100[diff] [blame]2094 mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
2095 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2096 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2097 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2098 handshake_failure = 1;
2099 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2100#if defined(MBEDTLS_SSL_RENEGOTIATION)
2101 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2102 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2103 renegotiation_info_seen == 0 )
2104 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2105 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2106 handshake_failure = 1;
2107 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2108 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2109 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Hanno Beckerb0b2b672019-06-12 16:58:10 +0100[diff] [blame]2110 mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
2111 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2112 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2113 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2114 handshake_failure = 1;
2115 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2116 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2117 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2118 renegotiation_info_seen == 1 )
2119 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2120 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2121 handshake_failure = 1;
2122 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2123#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2124
Jarno Lamsa842be162019-06-10 15:05:33 +0300[diff] [blame]2125 /*
2126 * Check if extended master secret is being enforced
2127 */
2128#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Hanno Beckeraabbb582019-06-11 13:43:27 +0100[diff] [blame]2129 if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2130 MBEDTLS_SSL_EXTENDED_MS_ENABLED )
Jarno Lamsa842be162019-06-10 15:05:33 +0300[diff] [blame]2131 {
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2132 if( extended_ms_seen )
2133 {
Hanno Becker1ab322b2019-06-11 14:50:54 +0100[diff] [blame]2134#if !defined(MBEDTLS_SSL_EXTENDED_MS_ENFORCED)
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2135 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Hanno Becker1ab322b2019-06-11 14:50:54 +0100[diff] [blame]2136#endif /* !MBEDTLS_SSL_EXTENDED_MS_ENFORCED */
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2137 }
2138 else if( mbedtls_ssl_conf_get_ems_enforced( ssl->conf ) ==
2139 MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED )
2140 {
2141 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
Jarno Lamsa842be162019-06-10 15:05:33 +0300[diff] [blame]2142 "secret, while it is enforced") );
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2143 handshake_failure = 1;
2144 }
Jarno Lamsa842be162019-06-10 15:05:33 +0300[diff] [blame]2145 }
2146#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
2147
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2148 if( handshake_failure == 1 )
2149 {
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]2150 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2151 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2152 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2153 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2154
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2155 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2156
2157 return( 0 );
2158}
2159
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2160#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2161 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2162static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2163 unsigned char *end )
2164{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2165 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2166
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2167 /*
2168 * Ephemeral DH parameters:
2169 *
2170 * struct {
2171 * opaque dh_p<1..2^16-1>;
2172 * opaque dh_g<1..2^16-1>;
2173 * opaque dh_Ys<1..2^16-1>;
2174 * } ServerDHParams;
2175 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2176 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2177 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2178 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2179 return( ret );
2180 }
2181
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +0200[diff] [blame]2182 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2183 {
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +0200[diff] [blame]2184 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
2185 ssl->handshake->dhm_ctx.len * 8,
2186 ssl->conf->dhm_min_bitlen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2187 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2188 }
2189
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2190 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2191 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2192 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2193
2194 return( ret );
2195}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2196#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2197 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2198
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2199#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2200 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2201 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2202 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2203 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2204static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2205{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2206 const mbedtls_ecp_curve_info *curve_info;
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]2207 mbedtls_ecp_group_id grp_id;
2208#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
2209 grp_id = ssl->handshake->ecdh_ctx.grp.id;
2210#else
2211 grp_id = ssl->handshake->ecdh_ctx.grp_id;
2212#endif
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2213
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]2214 curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2215 if( curve_info == NULL )
2216 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2217 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2218 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2219 }
2220
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2221 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2222
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]2223#if defined(MBEDTLS_ECP_C)
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]2224 if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2225#else
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2226 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
2227 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2228#endif
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2229 return( -1 );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2230
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]2231 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
2232 MBEDTLS_DEBUG_ECDH_QP );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2233
2234 return( 0 );
2235}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2236#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2237 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2238 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2239 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2240 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2241
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2242#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2243 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2244 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2245static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2246 unsigned char **p,
2247 unsigned char *end )
2248{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2249 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2250
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2251 /*
2252 * Ephemeral ECDH parameters:
2253 *
2254 * struct {
2255 * ECParameters curve_params;
2256 * ECPoint public;
2257 * } ServerECDHParams;
2258 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2259 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2260 (const unsigned char **) p, end ) ) != 0 )
2261 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2262 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2263#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnard1c1c20e2018-09-12 10:34:43 +0200[diff] [blame]2264 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2265 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2266#endif
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2267 return( ret );
2268 }
2269
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2270 if( ssl_check_server_ecdh_params( ssl ) != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2271 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2272 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
2273 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2274 }
2275
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2276 return( ret );
2277}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2278#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2279 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2280 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2281
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2282#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2283static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2284 unsigned char **p,
2285 unsigned char *end )
2286{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2287 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2288 size_t len;
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]2289 ((void) ssl);
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2290
2291 /*
2292 * PSK parameters:
2293 *
2294 * opaque psk_identity_hint<0..2^16-1>;
2295 */
Hanno Becker0c161d12018-10-08 13:40:50 +0100[diff] [blame]2296 if( end - (*p) < 2 )
Krzysztof Stachowiak740b2182018-03-13 11:31:14 +0100[diff] [blame]2297 {
2298 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
2299 "(psk_identity_hint length)" ) );
2300 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2301 }
Manuel Pégourié-Gonnard59b9fe22013-10-15 11:55:33 +0200[diff] [blame]2302 len = (*p)[0] << 8 | (*p)[1];
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2303 *p += 2;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2304
Hanno Becker8df10232018-10-10 15:48:39 +0100[diff] [blame]2305 if( end - (*p) < (int) len )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2306 {
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2307 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
2308 "(psk_identity_hint length)" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2309 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2310 }
2311
Manuel Pégourié-Gonnard9d624122016-02-22 11:10:14 +0100[diff] [blame]2312 /*
2313 * Note: we currently ignore the PKS identity hint, as we only allow one
2314 * PSK to be provisionned on the client. This could be changed later if
2315 * someone needs that feature.
2316 */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2317 *p += len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2318 ret = 0;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2319
2320 return( ret );
2321}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2322#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2323
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2324#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
2325 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2326/*
2327 * Generate a pre-master secret and encrypt it with the server's RSA key
2328 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2329static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2330 size_t offset, size_t *olen,
2331 size_t pms_offset )
2332{
2333 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2334 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2335 unsigned char *p = ssl->handshake->premaster + pms_offset;
Hanno Becker5882dd02019-06-06 16:25:57 +0100[diff] [blame]2336 mbedtls_pk_context *peer_pk = NULL;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2337
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2338 if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]2339 {
2340 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
2341 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2342 }
2343
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2344 /*
2345 * Generate (part of) the pre-master as
2346 * struct {
2347 * ProtocolVersion client_version;
2348 * opaque random[46];
2349 * } PreMasterSecret;
2350 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2351 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
2352 ssl->conf->transport, p );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2353
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]2354 if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
2355 ( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2356 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2357 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2358 return( ret );
2359 }
2360
2361 ssl->handshake->pmslen = 48;
2362
Hanno Becker374800a2019-02-06 16:49:54 +0000[diff] [blame]2363#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Becker5882dd02019-06-06 16:25:57 +0100[diff] [blame]2364 /* Because the peer CRT pubkey is embedded into the handshake
2365 * params currently, and there's no 'is_init' functions for PK
2366 * contexts, we need to break the abstraction and peek into
2367 * the PK context to see if it has been initialized. */
2368 if( ssl->handshake->peer_pubkey.pk_info != NULL )
2369 peer_pk = &ssl->handshake->peer_pubkey;
Hanno Becker374800a2019-02-06 16:49:54 +0000[diff] [blame]2370#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker5882dd02019-06-06 16:25:57 +0100[diff] [blame]2371 if( ssl->session_negotiate->peer_cert != NULL )
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2372 {
2373 ret = mbedtls_x509_crt_pk_acquire( ssl->session_negotiate->peer_cert,
2374 &peer_pk );
2375 if( ret != 0 )
2376 {
Hanno Becker2224ccf2019-06-28 10:52:45 +0100[diff] [blame]2377 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_x509_crt_pk_acquire", ret );
2378 return( ret );
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2379 }
2380 }
Hanno Becker5882dd02019-06-06 16:25:57 +0100[diff] [blame]2381#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2382
2383 if( peer_pk == NULL )
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2384 {
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2385 /* Should never happen */
Hanno Beckere9839c02019-02-26 11:51:06 +0000[diff] [blame]2386 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2387 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2388 }
2389
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2390 /*
2391 * Now write it out, encrypted
2392 */
Hanno Becker374800a2019-02-06 16:49:54 +0000[diff] [blame]2393 if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_RSA ) )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2394 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2395 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2396 ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2397 goto cleanup;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2398 }
2399
Hanno Becker374800a2019-02-06 16:49:54 +0000[diff] [blame]2400 if( ( ret = mbedtls_pk_encrypt( peer_pk,
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2401 p, ssl->handshake->pmslen,
2402 ssl->out_msg + offset + len_bytes, olen,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2403 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]2404 mbedtls_ssl_conf_get_frng( ssl->conf ),
2405 ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2406 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2407 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2408 goto cleanup;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2409 }
2410
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2411#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2412 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2413 if( len_bytes == 2 )
2414 {
2415 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
2416 ssl->out_msg[offset+1] = (unsigned char)( *olen );
2417 *olen += 2;
2418 }
2419#endif
2420
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2421cleanup:
2422
Hanno Becker6c83db72019-02-08 14:06:00 +0000[diff] [blame]2423#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2424 /* We don't need the peer's public key anymore. Free it. */
2425 mbedtls_pk_free( peer_pk );
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2426#else
Hanno Beckerc6d1c3e2019-03-05 13:50:56 +0000[diff] [blame]2427 mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2428#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2429
2430 return( ret );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2431}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2432#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
2433 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2434
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2435#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard5c2a7ca2015-10-23 08:48:41 +0200[diff] [blame]2436#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2437 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2438 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2439static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2440 unsigned char **p,
2441 unsigned char *end,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2442 mbedtls_md_type_t *md_alg,
2443 mbedtls_pk_type_t *pk_alg )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2444{
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]2445 ((void) ssl);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2446 *md_alg = MBEDTLS_MD_NONE;
2447 *pk_alg = MBEDTLS_PK_NONE;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2448
2449 /* Only in TLS 1.2 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2450 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2451 {
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2452 return( 0 );
2453 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2454
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2455 if( (*p) + 2 > end )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2456 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2457
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2458 /*
2459 * Get hash algorithm
2460 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2461 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2462 {
Manuel Pégourié-Gonnardd8053242015-12-08 09:53:51 +0100[diff] [blame]2463 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported "
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]2464 "HashAlgorithm %d", *(p)[0] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2465 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2466 }
2467
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2468 /*
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2469 * Get signature algorithm
2470 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2471 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2472 {
Manuel Pégourié-Gonnardd8053242015-12-08 09:53:51 +0100[diff] [blame]2473 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported "
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]2474 "SignatureAlgorithm %d", (*p)[1] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2475 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2476 }
2477
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]2478 /*
2479 * Check if the hash is acceptable
2480 */
2481 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
2482 {
Gilles Peskinecd3c8452017-05-09 14:57:45 +0200[diff] [blame]2483 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered",
2484 *(p)[0] ) );
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]2485 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2486 }
2487
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2488 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
2489 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2490 *p += 2;
2491
2492 return( 0 );
2493}
Manuel Pégourié-Gonnard5c2a7ca2015-10-23 08:48:41 +0200[diff] [blame]2494#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2495 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2496 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2497#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2498
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2499#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2500 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2501static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2502{
2503 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2504 const mbedtls_ecp_keypair *peer_key;
Hanno Becker53b6b7e2019-02-06 17:44:07 +0000[diff] [blame]2505 mbedtls_pk_context * peer_pk;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2506
Hanno Becker53b6b7e2019-02-06 17:44:07 +0000[diff] [blame]2507#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2508 peer_pk = &ssl->handshake->peer_pubkey;
2509#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2510 if( ssl->session_negotiate->peer_cert == NULL )
2511 {
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2512 /* Should never happen */
Hanno Beckerc39e23e2019-02-26 12:36:01 +0000[diff] [blame]2513 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2514 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2515 }
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2516
2517 ret = mbedtls_x509_crt_pk_acquire( ssl->session_negotiate->peer_cert,
2518 &peer_pk );
2519 if( ret != 0 )
2520 {
Hanno Becker2224ccf2019-06-28 10:52:45 +0100[diff] [blame]2521 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_x509_crt_pk_acquire", ret );
2522 return( ret );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2523 }
Hanno Becker53b6b7e2019-02-06 17:44:07 +0000[diff] [blame]2524#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2525
Hanno Becker53b6b7e2019-02-06 17:44:07 +0000[diff] [blame]2526 if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECKEY ) )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2527 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2528 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2529 ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2530 goto cleanup;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2531 }
2532
Hanno Becker53b6b7e2019-02-06 17:44:07 +0000[diff] [blame]2533 peer_key = mbedtls_pk_ec( *peer_pk );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2534
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2535 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
2536 MBEDTLS_ECDH_THEIRS ) ) != 0 )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2537 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2538 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2539 goto cleanup;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2540 }
2541
2542 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2543 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2544 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2545 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
2546 goto cleanup;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2547 }
2548
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2549cleanup:
2550
Hanno Becker6c83db72019-02-08 14:06:00 +0000[diff] [blame]2551#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2552 /* We don't need the peer's public key anymore. Free it,
2553 * so that more RAM is available for upcoming expensive
2554 * operations like ECDHE. */
2555 mbedtls_pk_free( peer_pk );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2556#else
Hanno Beckerc6d1c3e2019-03-05 13:50:56 +0000[diff] [blame]2557 mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2558#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker6c83db72019-02-08 14:06:00 +0000[diff] [blame]2559
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2560 return( ret );
2561}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2562#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2563 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2564
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2565static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2566{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2567 int ret;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2568 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]2569 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Andres Amaya Garcia53c77cc2017-06-27 16:15:06 +0100[diff] [blame]2570 unsigned char *p = NULL, *end = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2571
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2572 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2573
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2574#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2575 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
2576 MBEDTLS_KEY_EXCHANGE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2577 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2578 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2579 ssl->state++;
2580 return( 0 );
2581 }
Manuel Pégourié-Gonnardbac0e3b2013-10-15 11:54:47 +0200[diff] [blame]2582 ((void) p);
2583 ((void) end);
2584#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2585
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2586#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2587 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2588 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
2589 MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2590 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
2591 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2592 {
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2593 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
2594 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2595 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2596 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2597 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2598 return( ret );
2599 }
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2600
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2601 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2602 ssl->state++;
2603 return( 0 );
2604 }
2605 ((void) p);
2606 ((void) end);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2607#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2608 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2609
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2610#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2611 if( ssl->handshake->ecrs_enabled &&
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2612 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2613 {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2614 goto start_processing;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2615 }
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2616#endif
2617
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]2618 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2619 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2620 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2621 return( ret );
2622 }
2623
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2624 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2625 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2626 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2627 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2628 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2629 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2630 }
2631
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2632 /*
2633 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2634 * doesn't use a psk_identity_hint
2635 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2636 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2637 {
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2638 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2639 == MBEDTLS_KEY_EXCHANGE_PSK ||
2640 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2641 == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Paul Bakker188c8de2013-04-19 09:13:37 +0200[diff] [blame]2642 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2643 /* Current message is probably either
2644 * CertificateRequest or ServerHelloDone */
2645 ssl->keep_current_message = 1;
Paul Bakker188c8de2013-04-19 09:13:37 +0200[diff] [blame]2646 goto exit;
2647 }
2648
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2649 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must "
2650 "not be skipped" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2651 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2652 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2653
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2654 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2655 }
2656
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2657#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2658 if( ssl->handshake->ecrs_enabled )
2659 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
2660
2661start_processing:
2662#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2663 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2664 end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2665 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2666
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2667#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2668 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2669 == MBEDTLS_KEY_EXCHANGE_PSK ||
2670 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2671 == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2672 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2673 == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2674 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2675 == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2676 {
2677 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
2678 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2679 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2680 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2681 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2682 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2683 }
2684 } /* FALLTROUGH */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2685#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2686
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2687#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2688 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2689 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2690 == MBEDTLS_KEY_EXCHANGE_PSK ||
2691 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2692 == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2693 {
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2694 ; /* nothing more to do */
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2695 }
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2696 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2697#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2698 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2699#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2700 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2701 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2702 == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2703 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2704 == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2705 {
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2706 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2707 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2708 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2709 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2710 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2711 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2712 }
2713 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2714 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2715#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2716 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2717#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2718 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2719 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2720 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2721 == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2722 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2723 == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2724 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2725 == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2726 {
2727 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
2728 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2729 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2730 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2731 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2732 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2733 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2734 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2735 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2736#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2737 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2738 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2739#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2740 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2741 == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2742 {
2743 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
2744 p, end - p );
2745 if( ret != 0 )
2746 {
2747 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2748 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2749 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2750 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2751 }
2752 }
2753 else
2754#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2755 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2756 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2757 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2758 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2759
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2760#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
2761 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2762 {
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]2763 size_t sig_len, hashlen;
2764 unsigned char hash[64];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2765 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2766 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
2767 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]2768 size_t params_len = p - params;
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2769 void *rs_ctx = NULL;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2770
Hanno Becker69fad132019-02-06 18:26:03 +0000[diff] [blame]2771 mbedtls_pk_context * peer_pk;
2772
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2773 /*
2774 * Handle the digitally-signed structure
2775 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2776#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2777 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2778 {
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2779 if( ssl_parse_signature_algorithm( ssl, &p, end,
2780 &md_alg, &pk_alg ) != 0 )
2781 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2782 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2783 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2784 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2785 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2786 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2787
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2788 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2789 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2790 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2791 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2792 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2793 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2794 }
2795 }
Manuel Pégourié-Gonnard09edda82013-08-19 13:50:33 +0200[diff] [blame]2796 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2797#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2798#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2799 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2800 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnard09edda82013-08-19 13:50:33 +0200[diff] [blame]2801 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2802 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2803
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2804 /* Default hash for ECDSA is SHA-1 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2805 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
2806 md_alg = MBEDTLS_MD_SHA1;
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2807 }
2808 else
2809#endif
2810 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2811 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2812 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2813 }
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2814
2815 /*
2816 * Read signature
2817 */
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +0100[diff] [blame]2818
2819 if( p > end - 2 )
2820 {
2821 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2822 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2823 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2824 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2825 }
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2826 sig_len = ( p[0] << 8 ) | p[1];
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2827 p += 2;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2828
Krzysztof Stachowiak027f84c2018-03-13 11:29:24 +0100[diff] [blame]2829 if( p != end - sig_len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2830 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2831 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2832 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2833 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2834 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2835 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2836
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2837 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2838
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2839 /*
2840 * Compute the hash that has been signed
2841 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2842#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2843 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2844 if( md_alg == MBEDTLS_MD_NONE )
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]2845 {
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2846 hashlen = 36;
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]2847 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params,
2848 params_len );
2849 if( ret != 0 )
Andres Amaya Garciaf0e521e2017-06-28 12:11:42 +0100[diff] [blame]2850 return( ret );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2851 }
2852 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2853#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
2854 MBEDTLS_SSL_PROTO_TLS1_1 */
2855#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2856 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2857 if( md_alg != MBEDTLS_MD_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2858 {
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]2859 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
2860 params, params_len,
2861 md_alg );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]2862 if( ret != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2863 return( ret );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2864 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2865 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2866#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2867 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2868 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2869 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2870 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2871 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2872
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]2873 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2874
Hanno Becker69fad132019-02-06 18:26:03 +0000[diff] [blame]2875#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2876 peer_pk = &ssl->handshake->peer_pubkey;
2877#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2878 if( ssl->session_negotiate->peer_cert == NULL )
2879 {
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2880 /* Should never happen */
Hanno Beckerc39e23e2019-02-26 12:36:01 +0000[diff] [blame]2881 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2882 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2883 }
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2884
2885 ret = mbedtls_x509_crt_pk_acquire( ssl->session_negotiate->peer_cert,
2886 &peer_pk );
2887 if( ret != 0 )
2888 {
Hanno Becker2224ccf2019-06-28 10:52:45 +0100[diff] [blame]2889 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_x509_crt_pk_acquire", ret );
2890 return( ret );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2891 }
Hanno Becker69fad132019-02-06 18:26:03 +0000[diff] [blame]2892#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2893
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2894 /*
2895 * Verify signature
2896 */
Hanno Becker69fad132019-02-06 18:26:03 +0000[diff] [blame]2897 if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2898 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2899 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2900 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2901 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2902#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Beckerc6d1c3e2019-03-05 13:50:56 +0000[diff] [blame]2903 mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2904#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2905 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2906 }
2907
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2908#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2909 if( ssl->handshake->ecrs_enabled )
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]2910 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2911#endif
2912
Hanno Becker69fad132019-02-06 18:26:03 +0000[diff] [blame]2913 if( ( ret = mbedtls_pk_verify_restartable( peer_pk,
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2914 md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2915 {
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2916#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2917 if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
2918#endif
2919 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2920 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2921 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2922#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2923 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2924 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2925#endif
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2926#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Beckerc6d1c3e2019-03-05 13:50:56 +0000[diff] [blame]2927 mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2928#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2929 return( ret );
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]2930 }
Hanno Becker6c83db72019-02-08 14:06:00 +0000[diff] [blame]2931
2932#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2933 /* We don't need the peer's public key anymore. Free it,
2934 * so that more RAM is available for upcoming expensive
2935 * operations like ECDHE. */
2936 mbedtls_pk_free( peer_pk );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2937#else
Hanno Beckerc6d1c3e2019-03-05 13:50:56 +0000[diff] [blame]2938 mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2939#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2940 }
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2941#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2942
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2943exit:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2944 ssl->state++;
2945
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2946 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2947
2948 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2949}
2950
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2951#if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2952static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2953{
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2954 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]2955 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2956
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2957 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2958
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2959 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2960 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2961 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2962 ssl->state++;
2963 return( 0 );
2964 }
2965
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2966 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2967 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2968}
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2969#else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2970static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2971{
2972 int ret;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2973 unsigned char *buf;
2974 size_t n = 0;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2975 size_t cert_type_len = 0, dn_len = 0;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2976 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]2977 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2978
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2979 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2980
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2981 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2982 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2983 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2984 ssl->state++;
2985 return( 0 );
2986 }
2987
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]2988 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2989 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2990 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2991 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2992 }
2993
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2994 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2995 {
2996 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2997 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2998 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2999 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3000 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3001
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3002 ssl->state++;
3003 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3004
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3005 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3006 ssl->client_auth ? "a" : "no" ) );
3007
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3008 if( ssl->client_auth == 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3009 {
3010 /* Current message is probably the ServerHelloDone */
3011 ssl->keep_current_message = 1;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3012 goto exit;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3013 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3014
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]3015 /*
3016 * struct {
3017 * ClientCertificateType certificate_types<1..2^8-1>;
3018 * SignatureAndHashAlgorithm
3019 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
3020 * DistinguishedName certificate_authorities<0..2^16-1>;
3021 * } CertificateRequest;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3022 *
3023 * Since we only support a single certificate on clients, let's just
3024 * ignore all the information that's supposed to help us pick a
3025 * certificate.
3026 *
3027 * We could check that our certificate matches the request, and bail out
3028 * if it doesn't, but it's simpler to just send the certificate anyway,
3029 * and give the server the opportunity to decide if it should terminate
3030 * the connection when it doesn't like our certificate.
3031 *
3032 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
3033 * point we only have one hash available (see comments in
Simon Butcherc0957bd2016-03-01 13:16:57 +0000[diff] [blame]3034 * write_certificate_verify), so let's just use what we have.
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3035 *
3036 * However, we still minimally parse the message to check it is at least
3037 * superficially sane.
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]3038 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3039 buf = ssl->in_msg;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]3040
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3041 /* certificate_types */
Krzysztof Stachowiak73b183c2018-04-05 10:20:09 +0200[diff] [blame]3042 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) )
3043 {
3044 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3045 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3046 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3047 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3048 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3049 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3050 n = cert_type_len;
3051
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]3052 /*
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]3053 * In the subsequent code there are two paths that read from buf:
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]3054 * * the length of the signature algorithms field (if minor version of
3055 * SSL is 3),
3056 * * distinguished name length otherwise.
3057 * Both reach at most the index:
3058 * ...hdr_len + 2 + n,
3059 * therefore the buffer length at this point must be greater than that
3060 * regardless of the actual code path.
3061 */
3062 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3063 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3064 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3065 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3066 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3067 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3068 }
3069
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3070 /* supported_signature_algorithms */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3071#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3072 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3073 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3074 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3075 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3076#if defined(MBEDTLS_DEBUG_C)
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3077 unsigned char* sig_alg;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3078 size_t i;
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3079#endif
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3080
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3081 /*
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]3082 * The furthest access in buf is in the loop few lines below:
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3083 * sig_alg[i + 1],
3084 * where:
3085 * sig_alg = buf + ...hdr_len + 3 + n,
3086 * max(i) = sig_alg_len - 1.
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]3087 * Therefore the furthest access is:
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3088 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
3089 * which reduces to:
3090 * buf[...hdr_len + 3 + n + sig_alg_len],
3091 * which is one less than we need the buf to be.
3092 */
3093 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n + sig_alg_len )
3094 {
3095 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3096 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3097 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3098 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3099 }
3100
3101#if defined(MBEDTLS_DEBUG_C)
3102 sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3103 for( i = 0; i < sig_alg_len; i += 2 )
3104 {
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3105 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d"
3106 ",%d", sig_alg[i], sig_alg[i + 1] ) );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3107 }
3108#endif
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3109
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3110 n += 2 + sig_alg_len;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]3111 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3112#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3113
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3114 /* certificate_authorities */
3115 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3116 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3117
3118 n += dn_len;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3119 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3120 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3121 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3122 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3123 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3124 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3125 }
3126
3127exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3128 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3129
3130 return( 0 );
3131}
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3132#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3133
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3134static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3135{
3136 int ret;
3137
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3138 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3139
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3140 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3141 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3142 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3143 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3144 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3145
3146 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3147 {
3148 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
3149 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3150 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3151
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3152 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ||
3153 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3154 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3155 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3156 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3157 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3158 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3159 }
3160
3161 ssl->state++;
3162
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3163#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]3164 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3165 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3166#endif
3167
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3168 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3169
3170 return( 0 );
3171}
3172
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3173static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3174{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3175 int ret;
3176 size_t i, n;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3177 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]3178 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3179
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3180 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3181
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3182#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3183 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3184 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3185 /*
3186 * DHM key exchange -- send G^X mod P
3187 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3188 n = ssl->handshake->dhm_ctx.len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3189
3190 ssl->out_msg[4] = (unsigned char)( n >> 8 );
3191 ssl->out_msg[5] = (unsigned char)( n );
3192 i = 6;
3193
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3194 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
3195 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3196 &ssl->out_msg[i], n,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3197 mbedtls_ssl_conf_get_frng( ssl->conf ),
3198 ssl->conf->p_rng );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3199 if( ret != 0 )
3200 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3201 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3202 return( ret );
3203 }
3204
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3205 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
3206 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3207
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3208 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3209 ssl->handshake->premaster,
Manuel Pégourié-Gonnard33352052015-06-02 16:17:08 +0100[diff] [blame]3210 MBEDTLS_PREMASTER_SIZE,
Manuel Pégourié-Gonnard2d627642013-09-04 14:22:07 +0200[diff] [blame]3211 &ssl->handshake->pmslen,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3212 mbedtls_ssl_conf_get_frng( ssl->conf ),
3213 ssl->conf->p_rng ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3214 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3215 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3216 return( ret );
3217 }
3218
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3219 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3220 }
3221 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3222#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3223#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3224 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3225 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3226 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3227 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3228 == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3229 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3230 == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3231 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3232 == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3233 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3234 == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3235 {
3236 /*
3237 * ECDH key exchange -- send client public value
3238 */
3239 i = 4;
3240
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3241#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3242 if( ssl->handshake->ecrs_enabled )
3243 {
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +0200[diff] [blame]3244 if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3245 goto ecdh_calc_secret;
Manuel Pégourié-Gonnard23e41622017-05-18 12:35:37 +0200[diff] [blame]3246
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3247 mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx );
3248 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3249#endif
3250
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3251 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3252 &n,
3253 &ssl->out_msg[i], 1000,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3254 mbedtls_ssl_conf_get_frng( ssl->conf ),
3255 ssl->conf->p_rng );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3256 if( ret != 0 )
3257 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3258 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3259#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3260 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3261 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3262#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3263 return( ret );
3264 }
3265
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]3266 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3267 MBEDTLS_DEBUG_ECDH_Q );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3268
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3269#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3270 if( ssl->handshake->ecrs_enabled )
3271 {
3272 ssl->handshake->ecrs_n = n;
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +0200[diff] [blame]3273 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3274 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3275
3276ecdh_calc_secret:
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3277 if( ssl->handshake->ecrs_enabled )
3278 n = ssl->handshake->ecrs_n;
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3279#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3280 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3281 &ssl->handshake->pmslen,
3282 ssl->handshake->premaster,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3283 MBEDTLS_MPI_MAX_SIZE,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3284 mbedtls_ssl_conf_get_frng( ssl->conf ),
3285 ssl->conf->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3286 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3287 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3288#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3289 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3290 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3291#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3292 return( ret );
3293 }
3294
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]3295 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3296 MBEDTLS_DEBUG_ECDH_Z );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3297 }
3298 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3299#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3300 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3301 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3302 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3303#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3304 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3305 {
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3306 /*
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3307 * opaque psk_identity<0..2^16-1>;
3308 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3309 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL )
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3310 {
3311 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3312 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3313 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3314
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3315 i = 4;
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3316 n = ssl->conf->psk_identity_len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3317
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3318 if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3319 {
3320 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
3321 "SSL buffer too short" ) );
3322 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3323 }
3324
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3325 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
3326 ssl->out_msg[i++] = (unsigned char)( n );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3327
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3328 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len );
3329 i += ssl->conf->psk_identity_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3330
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3331#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3332 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3333 == MBEDTLS_KEY_EXCHANGE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3334 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3335 n = 0;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]3336 }
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3337 else
3338#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3339#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3340 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3341 == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3342 {
3343 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
3344 return( ret );
3345 }
3346 else
3347#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3348#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3349 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3350 == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3351 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3352 /*
3353 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3354 */
3355 n = ssl->handshake->dhm_ctx.len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3356
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3357 if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3358 {
3359 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
3360 " or SSL buffer too short" ) );
3361 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3362 }
3363
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3364 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
3365 ssl->out_msg[i++] = (unsigned char)( n );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3366
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3367 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
3368 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3369 &ssl->out_msg[i], n,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3370 mbedtls_ssl_conf_get_frng( ssl->conf ),
3371 ssl->conf->p_rng );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3372 if( ret != 0 )
3373 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3374 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3375 return( ret );
3376 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3377 }
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3378 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3379#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3380#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3381 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3382 == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3383 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3384 /*
3385 * ClientECDiffieHellmanPublic public;
3386 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3387 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3388 &ssl->out_msg[i], MBEDTLS_SSL_OUT_CONTENT_LEN - i,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3389 mbedtls_ssl_conf_get_frng( ssl->conf ),
3390 ssl->conf->p_rng );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3391 if( ret != 0 )
3392 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3393 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3394 return( ret );
3395 }
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3396
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]3397 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3398 MBEDTLS_DEBUG_ECDH_Q );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3399 }
3400 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3401#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3402 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3403 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3404 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3405 }
3406
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3407 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3408 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3409 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3410 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3411 return( ret );
3412 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3413 }
3414 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3415#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
3416#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3417 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
3418 MBEDTLS_KEY_EXCHANGE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3419 {
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3420 i = 4;
3421 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]3422 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3423 }
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3424 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3425#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3426#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3427 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
3428 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3429 {
3430 i = 4;
3431
3432 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3433 ssl->out_msg + i, MBEDTLS_SSL_OUT_CONTENT_LEN - i, &n,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3434 mbedtls_ssl_conf_get_frng( ssl->conf ),
3435 ssl->conf->p_rng );
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3436 if( ret != 0 )
3437 {
3438 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
3439 return( ret );
3440 }
3441
3442 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
3443 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3444 mbedtls_ssl_conf_get_frng( ssl->conf ),
3445 ssl->conf->p_rng );
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3446 if( ret != 0 )
3447 {
3448 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
3449 return( ret );
3450 }
3451 }
3452 else
3453#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3454 {
3455 ((void) ciphersuite_info);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3456 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3457 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3458 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3459
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3460 ssl->out_msglen = i + n;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3461 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3462 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3463
3464 ssl->state++;
3465
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3466 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3467 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3468 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3469 return( ret );
3470 }
3471
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3472 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3473
3474 return( 0 );
3475}
3476
Hanno Beckerae39b9e2019-02-07 12:32:43 +0000[diff] [blame]3477#if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3478static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3479{
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3480 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]3481 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3482 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3483
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3484 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3485
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3486 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3487 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3488 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3489 return( ret );
3490 }
3491
Hanno Beckerae39b9e2019-02-07 12:32:43 +0000[diff] [blame]3492 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3493 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3494 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3495 ssl->state++;
3496 return( 0 );
3497 }
3498
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3499 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3500 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3501}
Hanno Beckerae39b9e2019-02-07 12:32:43 +0000[diff] [blame]3502#else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3503static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3504{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3505 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3506 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]3507 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3508 size_t n = 0, offset = 0;
3509 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3510 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3511 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnarda5759752019-05-03 11:43:28 +0200[diff] [blame]3512 size_t hashlen;
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3513 void *rs_ctx = NULL;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3514
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3515 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3516
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3517#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3518 if( ssl->handshake->ecrs_enabled &&
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3519 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3520 {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3521 goto sign;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3522 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3523#endif
3524
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3525 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3526 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3527 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3528 return( ret );
3529 }
3530
Hanno Beckerae39b9e2019-02-07 12:32:43 +0000[diff] [blame]3531 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3532 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3533 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3534 ssl->state++;
3535 return( 0 );
3536 }
3537
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3538 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3539 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3540 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3541 ssl->state++;
3542 return( 0 );
3543 }
3544
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3545 if( mbedtls_ssl_own_key( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3546 {
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3547 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3548 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3549 }
3550
3551 /*
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3552 * Make a signature of the handshake digests
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3553 */
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3554#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3555 if( ssl->handshake->ecrs_enabled )
3556 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
3557
3558sign:
3559#endif
3560
Manuel Pégourié-Gonnarda5759752019-05-03 11:43:28 +0200[diff] [blame]3561 ssl->handshake->calc_verify( ssl, hash, &hashlen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3562
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3563#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3564 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3565 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3566 {
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3567 /*
3568 * digitally-signed struct {
3569 * opaque md5_hash[16];
3570 * opaque sha_hash[20];
3571 * };
3572 *
3573 * md5_hash
3574 * MD5(handshake_messages);
3575 *
3576 * sha_hash
3577 * SHA(handshake_messages);
3578 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3579 md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3580
3581 /*
3582 * For ECDSA, default hash is SHA-1 only
3583 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3584 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3585 {
3586 hash_start += 16;
3587 hashlen -= 16;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3588 md_alg = MBEDTLS_MD_SHA1;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3589 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3590 }
3591 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3592#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3593 MBEDTLS_SSL_PROTO_TLS1_1 */
3594#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3595 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3596 {
3597 /*
3598 * digitally-signed struct {
3599 * opaque handshake_messages[handshake_messages_length];
3600 * };
3601 *
3602 * Taking shortcut here. We assume that the server always allows the
3603 * PRF Hash function and has sent it in the allowed signature
3604 * algorithms list received in the Certificate Request message.
3605 *
3606 * Until we encounter a server that does not, we will take this
3607 * shortcut.
3608 *
3609 * Reason: Otherwise we should have running hashes for SHA512 and SHA224
3610 * in order to satisfy 'weird' needs from the server side.
3611 */
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]3612 if( mbedtls_ssl_suite_get_mac(
3613 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) )
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3614 == MBEDTLS_MD_SHA384 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3615 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3616 md_alg = MBEDTLS_MD_SHA384;
3617 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3618 }
3619 else
3620 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3621 md_alg = MBEDTLS_MD_SHA256;
3622 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3623 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3624 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3625
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +0200[diff] [blame]3626 /* Info from md_alg will be used instead */
3627 hashlen = 0;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3628 offset = 2;
3629 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]3630 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3631#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3632 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3633 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3634 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3635 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3636
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3637#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3638 if( ssl->handshake->ecrs_enabled )
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]3639 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3640#endif
3641
3642 if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ),
3643 md_alg, hash_start, hashlen,
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]3644 ssl->out_msg + 6 + offset, &n,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3645 mbedtls_ssl_conf_get_frng( ssl->conf ),
3646 ssl->conf->p_rng, rs_ctx ) ) != 0 )
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]3647 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3648 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3649#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3650 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3651 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3652#endif
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]3653 return( ret );
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]3654 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3655
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3656 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
3657 ssl->out_msg[5 + offset] = (unsigned char)( n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3658
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3659 ssl->out_msglen = 6 + n + offset;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3660 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3661 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3662
3663 ssl->state++;
3664
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3665 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3666 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3667 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3668 return( ret );
3669 }
3670
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3671 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3672
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3673 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3674}
Hanno Beckerae39b9e2019-02-07 12:32:43 +0000[diff] [blame]3675#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3676
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3677#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3678static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3679{
3680 int ret;
3681 uint32_t lifetime;
3682 size_t ticket_len;
3683 unsigned char *ticket;
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3684 const unsigned char *msg;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3685
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3686 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3687
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3688 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3689 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3690 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3691 return( ret );
3692 }
3693
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3694 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3695 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3696 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3697 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3698 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3699 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3700 }
3701
3702 /*
3703 * struct {
3704 * uint32 ticket_lifetime_hint;
3705 * opaque ticket<0..2^16-1>;
3706 * } NewSessionTicket;
3707 *
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3708 * 0 . 3 ticket_lifetime_hint
3709 * 4 . 5 ticket_len (n)
3710 * 6 . 5+n ticket content
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3711 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3712 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3713 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3714 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3715 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3716 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3717 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3718 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3719 }
3720
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3721 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3722
Philippe Antoineb5b25432018-05-11 11:06:29 +0200[diff] [blame]3723 lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) |
3724 ( msg[2] << 8 ) | ( msg[3] );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3725
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3726 ticket_len = ( msg[4] << 8 ) | ( msg[5] );
3727
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3728 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3729 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3730 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3731 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3732 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3733 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3734 }
3735
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3736 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3737
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3738 /* We're not waiting for a NewSessionTicket message any more */
3739 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3740 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3741
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3742 /*
3743 * Zero-length ticket means the server changed his mind and doesn't want
3744 * to send a ticket after all, so just forget it
3745 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]3746 if( ticket_len == 0 )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3747 return( 0 );
3748
Hanno Becker3d699e42019-01-30 14:46:35 +0000[diff] [blame]3749 if( ssl->session != NULL && ssl->session->ticket != NULL )
3750 {
3751 mbedtls_platform_zeroize( ssl->session->ticket,
3752 ssl->session->ticket_len );
3753 mbedtls_free( ssl->session->ticket );
3754 ssl->session->ticket = NULL;
3755 ssl->session->ticket_len = 0;
3756 }
3757
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]3758 mbedtls_platform_zeroize( ssl->session_negotiate->ticket,
3759 ssl->session_negotiate->ticket_len );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3760 mbedtls_free( ssl->session_negotiate->ticket );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3761 ssl->session_negotiate->ticket = NULL;
3762 ssl->session_negotiate->ticket_len = 0;
3763
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]3764 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3765 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]3766 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3767 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3768 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]3769 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3770 }
3771
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3772 memcpy( ticket, msg + 6, ticket_len );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3773
3774 ssl->session_negotiate->ticket = ticket;
3775 ssl->session_negotiate->ticket_len = ticket_len;
3776 ssl->session_negotiate->ticket_lifetime = lifetime;
3777
3778 /*
3779 * RFC 5077 section 3.4:
3780 * "If the client receives a session ticket from the server, then it
3781 * discards any Session ID that was sent in the ServerHello."
3782 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3783 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]3784 ssl->session_negotiate->id_len = 0;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3785
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3786 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3787
3788 return( 0 );
3789}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3790#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3791
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3792/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3793 * SSL handshake -- client side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3794 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3795int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3796{
3797 int ret = 0;
3798
Manuel Pégourié-Gonnarddba460f2015-06-24 22:59:30 +0200[diff] [blame]3799 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3800 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3801
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3802 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3803
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3804 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3805 return( ret );
3806
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3807#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]3808 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3809 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3810 {
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3811 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3812 return( ret );
3813 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]3814#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3815
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3816 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3817 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3818#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3819 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3820 ssl->handshake->new_session_ticket != 0 )
3821 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3822 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3823 }
3824#endif
3825
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3826 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3827 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3828 case MBEDTLS_SSL_HELLO_REQUEST:
3829 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3830 break;
3831
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3832 /*
3833 * ==> ClientHello
3834 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3835 case MBEDTLS_SSL_CLIENT_HELLO:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3836 ret = ssl_write_client_hello( ssl );
3837 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3838
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3839 /*
3840 * <== ServerHello
3841 * Certificate
3842 * ( ServerKeyExchange )
3843 * ( CertificateRequest )
3844 * ServerHelloDone
3845 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3846 case MBEDTLS_SSL_SERVER_HELLO:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3847 ret = ssl_parse_server_hello( ssl );
3848 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3849
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3850 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3851 ret = mbedtls_ssl_parse_certificate( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3852 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3853
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3854 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3855 ret = ssl_parse_server_key_exchange( ssl );
3856 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3857
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3858 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3859 ret = ssl_parse_certificate_request( ssl );
3860 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3861
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3862 case MBEDTLS_SSL_SERVER_HELLO_DONE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3863 ret = ssl_parse_server_hello_done( ssl );
3864 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3865
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3866 /*
3867 * ==> ( Certificate/Alert )
3868 * ClientKeyExchange
3869 * ( CertificateVerify )
3870 * ChangeCipherSpec
3871 * Finished
3872 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3873 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3874 ret = mbedtls_ssl_write_certificate( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3875 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3876
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3877 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3878 ret = ssl_write_client_key_exchange( ssl );
3879 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3880
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3881 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3882 ret = ssl_write_certificate_verify( ssl );
3883 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3884
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3885 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
3886 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3887 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3888
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3889 case MBEDTLS_SSL_CLIENT_FINISHED:
3890 ret = mbedtls_ssl_write_finished( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3891 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3892
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3893 /*
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3894 * <== ( NewSessionTicket )
3895 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3896 * Finished
3897 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3898#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3899 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3900 ret = ssl_parse_new_session_ticket( ssl );
3901 break;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]3902#endif
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3903
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3904 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3905 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3906 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3907
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3908 case MBEDTLS_SSL_SERVER_FINISHED:
3909 ret = mbedtls_ssl_parse_finished( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3910 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3911
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3912 case MBEDTLS_SSL_FLUSH_BUFFERS:
3913 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3914 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3915 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3916
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3917 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3918 mbedtls_ssl_handshake_wrapup( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3919 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3920
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3921 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3922 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3923 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3924 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3925
3926 return( ret );
3927}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3928#endif /* MBEDTLS_SSL_CLI_C */