TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 7ea4b4d70ab5e0ac339502254597514e46e3b935 / . / library / ssl_cli.c
blob: 9f7f11b543ba651f407fca3ca5d3f51d33749102 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 client-side functions
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]22#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]23#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]24#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]25#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]26#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]30#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]31#include "mbedtls/platform.h"
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]32#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]33#include <stdlib.h>
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]34#define mbedtls_calloc calloc
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]35#define mbedtls_free free
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]36#endif
37
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]38#include "mbedtls/debug.h"
39#include "mbedtls/ssl.h"
40#include "mbedtls/ssl_internal.h"
41
42#include <string.h>
43
Manuel Pégourié-Gonnard93866642015-06-22 19:21:23 +0200[diff] [blame]44#include <stdint.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]45
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]46#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +0100[diff] [blame]47#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]48#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]49
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]50#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]51#include "mbedtls/platform_util.h"
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]52#endif
53
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]54#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
55static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]56 unsigned char *buf,
57 size_t *olen )
58{
59 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]60 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]61 size_t hostname_len;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]62
63 *olen = 0;
64
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]65 if( ssl->hostname == NULL )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]66 return;
67
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]68 MBEDTLS_SSL_DEBUG_MSG( 3,
69 ( "client hello, adding server name extension: %s",
70 ssl->hostname ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]71
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]72 hostname_len = strlen( ssl->hostname );
73
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]74 if( end < p || (size_t)( end - p ) < hostname_len + 9 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]75 {
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]76 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]77 return;
78 }
79
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]80 /*
Hanno Becker1a9a51c2017-04-07 13:02:16 +0100[diff] [blame]81 * Sect. 3, RFC 6066 (TLS Extensions Definitions)
82 *
83 * In order to provide any of the server names, clients MAY include an
84 * extension of type "server_name" in the (extended) client hello. The
85 * "extension_data" field of this extension SHALL contain
86 * "ServerNameList" where:
87 *
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]88 * struct {
89 * NameType name_type;
90 * select (name_type) {
91 * case host_name: HostName;
92 * } name;
93 * } ServerName;
94 *
95 * enum {
96 * host_name(0), (255)
97 * } NameType;
98 *
99 * opaque HostName<1..2^16-1>;
100 *
101 * struct {
102 * ServerName server_name_list<1..2^16-1>
103 * } ServerNameList;
Hanno Becker1a9a51c2017-04-07 13:02:16 +0100[diff] [blame]104 *
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]105 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]106 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
107 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]108
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]109 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
110 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]111
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]112 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
113 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]114
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]115 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]116 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
117 *p++ = (unsigned char)( ( hostname_len ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]118
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]119 memcpy( p, ssl->hostname, hostname_len );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]120
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]121 *olen = hostname_len + 9;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]122}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]123#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]124
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]125#if defined(MBEDTLS_SSL_RENEGOTIATION)
126static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]127 unsigned char *buf,
128 size_t *olen )
129{
130 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]131 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]132
133 *olen = 0;
134
Hanno Becker40f8b512017-10-12 14:58:55 +0100[diff] [blame]135 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
136 * initial ClientHello, in which case also adding the renegotiation
137 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]138 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]139 return;
140
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]141 MBEDTLS_SSL_DEBUG_MSG( 3,
142 ( "client hello, adding renegotiation extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]143
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]144 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]145 {
146 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
147 return;
148 }
149
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]150 /*
151 * Secure renegotiation
152 */
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]153 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 )
154 & 0xFF );
155 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO )
156 & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]157
158 *p++ = 0x00;
159 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
160 *p++ = ssl->verify_data_len & 0xFF;
161
162 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
163
164 *olen = 5 + ssl->verify_data_len;
165}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]166#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]167
Manuel Pégourié-Gonnardd9423232014-12-02 11:57:29 +0100[diff] [blame]168/*
169 * Only if we handle at least one key exchange that needs signatures.
170 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]171#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
172 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
173static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]174 unsigned char *buf,
175 size_t *olen )
176{
177 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]178 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]179 size_t sig_alg_len = 0;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]180 const int *md;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]181#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard5bfd9682014-06-24 15:18:11 +0200[diff] [blame]182 unsigned char *sig_alg_list = buf + 6;
183#endif
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]184
185 *olen = 0;
186
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]187 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]188 return;
189
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]190 MBEDTLS_SSL_DEBUG_MSG( 3,
191 ( "client hello, adding signature_algorithms extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]192
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]193 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
194 {
195#if defined(MBEDTLS_ECDSA_C)
196 sig_alg_len += 2;
197#endif
198#if defined(MBEDTLS_RSA_C)
199 sig_alg_len += 2;
200#endif
201 }
202
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]203 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]204 {
205 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
206 return;
207 }
208
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]209 /*
210 * Prepare signature_algorithms extension (TLS 1.2)
211 */
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]212 sig_alg_len = 0;
213
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]214 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
215 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]216#if defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]217 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
218 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200[diff] [blame]219#endif
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]220#if defined(MBEDTLS_RSA_C)
221 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
222 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200[diff] [blame]223#endif
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]224 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]225
226 /*
227 * enum {
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]228 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
229 * sha512(6), (255)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]230 * } HashAlgorithm;
231 *
232 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
233 * SignatureAlgorithm;
234 *
235 * struct {
236 * HashAlgorithm hash;
237 * SignatureAlgorithm signature;
238 * } SignatureAndHashAlgorithm;
239 *
240 * SignatureAndHashAlgorithm
241 * supported_signature_algorithms<2..2^16-2>;
242 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]243 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
244 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]245
246 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
247 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
248
249 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
250 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
251
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]252 *olen = 6 + sig_alg_len;
253}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]254#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
255 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]256
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]257#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]258 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]259static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]260 unsigned char *buf,
261 size_t *olen )
262{
263 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]264 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard8e205fc2014-01-23 17:27:10 +0100[diff] [blame]265 unsigned char *elliptic_curve_list = p + 6;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]266 size_t elliptic_curve_len = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]267 const mbedtls_ecp_curve_info *info;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]268 const mbedtls_ecp_group_id *grp_id;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]269
270 *olen = 0;
271
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]272 MBEDTLS_SSL_DEBUG_MSG( 3,
273 ( "client hello, adding supported_elliptic_curves extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]274
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]275 for( grp_id = ssl->conf->curve_list;
276 *grp_id != MBEDTLS_ECP_DP_NONE;
277 grp_id++ )
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100[diff] [blame]278 {
Gilles Peskinef9828522017-05-03 12:28:43 +0200[diff] [blame]279 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
Janos Follath8a317052016-04-21 23:37:09 +0100[diff] [blame]280 if( info == NULL )
281 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]282 MBEDTLS_SSL_DEBUG_MSG( 1,
283 ( "invalid curve in ssl configuration" ) );
Janos Follath8a317052016-04-21 23:37:09 +0100[diff] [blame]284 return;
285 }
286
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]287 elliptic_curve_len += 2;
288 }
289
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]290 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]291 {
292 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
293 return;
294 }
295
296 elliptic_curve_len = 0;
297
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]298 for( grp_id = ssl->conf->curve_list;
299 *grp_id != MBEDTLS_ECP_DP_NONE;
300 grp_id++ )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]301 {
Gilles Peskinef9828522017-05-03 12:28:43 +0200[diff] [blame]302 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100[diff] [blame]303 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
304 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200[diff] [blame]305 }
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]306
307 if( elliptic_curve_len == 0 )
308 return;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]309
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]310 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 )
311 & 0xFF );
312 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES )
313 & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]314
315 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
316 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
317
318 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
319 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
320
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]321 *olen = 6 + elliptic_curve_len;
322}
323
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]324static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]325 unsigned char *buf,
326 size_t *olen )
327{
328 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]329 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]330
331 *olen = 0;
332
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]333 MBEDTLS_SSL_DEBUG_MSG( 3,
334 ( "client hello, adding supported_point_formats extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]335
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]336 if( end < p || (size_t)( end - p ) < 6 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]337 {
338 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
339 return;
340 }
341
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]342 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 )
343 & 0xFF );
344 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS )
345 & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]346
347 *p++ = 0x00;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]348 *p++ = 2;
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]349
350 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]351 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]352
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]353 *olen = 6;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]354}
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]355#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]356 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]357
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]358#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]359static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
360 unsigned char *buf,
361 size_t *olen )
362{
363 int ret;
364 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]365 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]366 size_t kkpp_len;
367
368 *olen = 0;
369
370 /* Skip costly extension if we can't use EC J-PAKE anyway */
371 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
372 return;
373
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]374 MBEDTLS_SSL_DEBUG_MSG( 3,
375 ( "client hello, adding ecjpake_kkpp extension" ) );
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]376
377 if( end - p < 4 )
378 {
379 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
380 return;
381 }
382
383 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
384 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
385
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]386 /*
387 * We may need to send ClientHello multiple times for Hello verification.
388 * We don't want to compute fresh values every time (both for performance
389 * and consistency reasons), so cache the extension content.
390 */
391 if( ssl->handshake->ecjpake_cache == NULL ||
392 ssl->handshake->ecjpake_cache_len == 0 )
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]393 {
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]394 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
395
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +0200[diff] [blame]396 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
397 p + 2, end - p - 2, &kkpp_len,
398 ssl->conf->f_rng, ssl->conf->p_rng );
399 if( ret != 0 )
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]400 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]401 MBEDTLS_SSL_DEBUG_RET( 1 ,
402 "mbedtls_ecjpake_write_round_one", ret );
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]403 return;
404 }
405
406 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
407 if( ssl->handshake->ecjpake_cache == NULL )
408 {
409 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
410 return;
411 }
412
413 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
414 ssl->handshake->ecjpake_cache_len = kkpp_len;
415 }
416 else
417 {
418 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
419
420 kkpp_len = ssl->handshake->ecjpake_cache_len;
421
422 if( (size_t)( end - p - 2 ) < kkpp_len )
423 {
424 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
425 return;
426 }
427
428 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]429 }
430
431 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
432 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
433
434 *olen = kkpp_len + 4;
435}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]436#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]437
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]438#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
439static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]440 unsigned char *buf,
441 size_t *olen )
442{
443 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]444 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]445
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]446 *olen = 0;
447
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]448 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]449 return;
450 }
451
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]452 MBEDTLS_SSL_DEBUG_MSG( 3,
453 ( "client hello, adding max_fragment_length extension" ) );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]454
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]455 if( end < p || (size_t)( end - p ) < 5 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]456 {
457 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
458 return;
459 }
460
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]461 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 )
462 & 0xFF );
463 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH )
464 & 0xFF );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]465
466 *p++ = 0x00;
467 *p++ = 1;
468
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]469 *p++ = ssl->conf->mfl_code;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]470
471 *olen = 5;
472}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]473#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]474
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]475#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
476static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]477 unsigned char *buf, size_t *olen )
478{
479 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]480 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]481
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]482 *olen = 0;
483
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]484 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]485 {
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]486 return;
487 }
488
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]489 MBEDTLS_SSL_DEBUG_MSG( 3,
490 ( "client hello, adding truncated_hmac extension" ) );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]491
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]492 if( end < p || (size_t)( end - p ) < 4 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]493 {
494 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
495 return;
496 }
497
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]498 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
499 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]500
501 *p++ = 0x00;
502 *p++ = 0x00;
503
504 *olen = 4;
505}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]506#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]507
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]508#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
509static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]510 unsigned char *buf, size_t *olen )
511{
512 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]513 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]514
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]515 *olen = 0;
516
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]517 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
518 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]519 {
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]520 return;
521 }
522
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]523 MBEDTLS_SSL_DEBUG_MSG( 3,
524 ( "client hello, adding encrypt_then_mac extension" ) );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]525
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]526 if( end < p || (size_t)( end - p ) < 4 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]527 {
528 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
529 return;
530 }
531
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]532 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
533 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]534
535 *p++ = 0x00;
536 *p++ = 0x00;
537
538 *olen = 4;
539}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]540#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]541
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]542#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
543static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]544 unsigned char *buf, size_t *olen )
545{
546 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]547 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]548
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]549 *olen = 0;
550
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]551 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
552 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]553 {
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]554 return;
555 }
556
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]557 MBEDTLS_SSL_DEBUG_MSG( 3,
558 ( "client hello, adding extended_master_secret extension" ) );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]559
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]560 if( end < p || (size_t)( end - p ) < 4 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]561 {
562 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
563 return;
564 }
565
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]566 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 )
567 & 0xFF );
568 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET )
569 & 0xFF );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]570
571 *p++ = 0x00;
572 *p++ = 0x00;
573
574 *olen = 4;
575}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]576#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]577
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]578#if defined(MBEDTLS_SSL_SESSION_TICKETS)
579static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]580 unsigned char *buf, size_t *olen )
581{
582 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]583 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]584 size_t tlen = ssl->session_negotiate->ticket_len;
585
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]586 *olen = 0;
587
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]588 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]589 {
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]590 return;
591 }
592
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]593 MBEDTLS_SSL_DEBUG_MSG( 3,
594 ( "client hello, adding session ticket extension" ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]595
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]596 if( end < p || (size_t)( end - p ) < 4 + tlen )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]597 {
598 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
599 return;
600 }
601
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]602 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
603 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]604
605 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
606 *p++ = (unsigned char)( ( tlen ) & 0xFF );
607
608 *olen = 4;
609
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]610 if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]611 {
612 return;
613 }
614
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]615 MBEDTLS_SSL_DEBUG_MSG( 3,
616 ( "sending session ticket of length %d", tlen ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]617
618 memcpy( p, ssl->session_negotiate->ticket, tlen );
619
620 *olen += tlen;
621}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]622#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]623
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]624#if defined(MBEDTLS_SSL_ALPN)
625static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]626 unsigned char *buf, size_t *olen )
627{
628 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]629 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]630 size_t alpnlen = 0;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]631 const char **cur;
632
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]633 *olen = 0;
634
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]635 if( ssl->conf->alpn_list == NULL )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]636 {
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]637 return;
638 }
639
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]640 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]641
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]642 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
Simon Butcher04799a42015-09-29 00:31:09 +0100[diff] [blame]643 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]644
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]645 if( end < p || (size_t)( end - p ) < 6 + alpnlen )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]646 {
647 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
648 return;
649 }
650
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]651 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
652 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]653
654 /*
655 * opaque ProtocolName<1..2^8-1>;
656 *
657 * struct {
658 * ProtocolName protocol_name_list<2..2^16-1>
659 * } ProtocolNameList;
660 */
661
662 /* Skip writing extension and list length for now */
663 p += 4;
664
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]665 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]666 {
667 *p = (unsigned char)( strlen( *cur ) & 0xFF );
668 memcpy( p + 1, *cur, *p );
669 p += 1 + *p;
670 }
671
672 *olen = p - buf;
673
674 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
675 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
676 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
677
678 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
679 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
680 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
681}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]682#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]683
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]684/*
685 * Generate random bytes for ClientHello
686 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]687static int ssl_generate_random( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]688{
689 int ret;
690 unsigned char *p = ssl->handshake->randbytes;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]691#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]692 mbedtls_time_t t;
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]693#endif
694
Manuel Pégourié-Gonnardfb2d2232014-07-22 15:59:14 +0200[diff] [blame]695 /*
696 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
697 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]698#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]699 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnardfb2d2232014-07-22 15:59:14 +0200[diff] [blame]700 ssl->handshake->verify_cookie != NULL )
701 {
702 return( 0 );
703 }
704#endif
705
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]706#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]707 t = mbedtls_time( NULL );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]708 *p++ = (unsigned char)( t >> 24 );
709 *p++ = (unsigned char)( t >> 16 );
710 *p++ = (unsigned char)( t >> 8 );
711 *p++ = (unsigned char)( t );
712
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]713 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]714#else
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]715 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]716 return( ret );
717
718 p += 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]719#endif /* MBEDTLS_HAVE_TIME */
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]720
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]721 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]722 return( ret );
723
724 return( 0 );
725}
726
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]727/**
728 * \brief Validate cipher suite against config in SSL context.
729 *
730 * \param suite_info cipher suite to validate
731 * \param ssl SSL context
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]732 * \param min_minor_ver Minimal minor version to accept a cipher suite
733 * \param max_minor_ver Maximal minor version to accept a cipher suite
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]734 *
735 * \return 0 if valid, else 1
736 */
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]737static int ssl_validate_ciphersuite(
738 const mbedtls_ssl_ciphersuite_t * suite_info,
739 const mbedtls_ssl_context * ssl,
740 int min_minor_ver, int max_minor_ver )
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]741{
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]742 (void) ssl;
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]743 if( suite_info == NULL )
744 return( 1 );
745
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]746 if( suite_info->min_minor_ver > max_minor_ver ||
747 suite_info->max_minor_ver < min_minor_ver )
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]748 return( 1 );
749
750#if defined(MBEDTLS_SSL_PROTO_DTLS)
751 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
752 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
753 return( 1 );
754#endif
755
756#if defined(MBEDTLS_ARC4_C)
757 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
758 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
759 return( 1 );
760#endif
761
762#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
763 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
764 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
765 return( 1 );
766#endif
767
768 return( 0 );
769}
770
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]771static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]772{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]773 int ret;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]774 size_t i, n, olen, ext_len = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]775 unsigned char *buf;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]776 unsigned char *p, *q;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]777 unsigned char offer_compress;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]778 const int *ciphersuites;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]779 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]780#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
781 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
782 int uses_ec = 0;
783#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]784
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]785 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]786
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]787 if( ssl->conf->f_rng == NULL )
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]788 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]789 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
790 return( MBEDTLS_ERR_SSL_NO_RNG );
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]791 }
792
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]793#if defined(MBEDTLS_SSL_RENEGOTIATION)
794 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]795#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]796 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]797 ssl->major_ver = ssl->conf->min_major_ver;
798 ssl->minor_ver = ssl->conf->min_minor_ver;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]799 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]800
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +0200[diff] [blame]801 if( ssl->conf->max_major_ver == 0 )
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]802 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]803 MBEDTLS_SSL_DEBUG_MSG( 1,
804 ( "configured max major version is invalid, consider using mbedtls_ssl_config_defaults()" ) );
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +0200[diff] [blame]805 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]806 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]807
808 /*
809 * 0 . 0 handshake type
810 * 1 . 3 handshake length
811 * 4 . 5 highest version supported
812 * 6 . 9 current UNIX time
813 * 10 . 37 random bytes
814 */
815 buf = ssl->out_msg;
816 p = buf + 4;
817
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]818 mbedtls_ssl_write_version( ssl->conf->max_major_ver,
819 ssl->conf->max_minor_ver,
820 ssl->conf->transport, p );
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]821 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]822
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]823 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]824 buf[4], buf[5] ) );
825
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]826 if( ( ret = ssl_generate_random( ssl ) ) != 0 )
827 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]828 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]829 return( ret );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]830 }
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]831
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]832 memcpy( p, ssl->handshake->randbytes, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]833 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]834 p += 32;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]835
836 /*
837 * 38 . 38 session id length
838 * 39 . 39+n session id
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]839 * 39+n . 39+n DTLS only: cookie length (1 byte)
840 * 40+n . .. DTSL only: cookie
841 * .. . .. ciphersuitelist length (2 bytes)
842 * .. . .. ciphersuitelist
843 * .. . .. compression methods length (1 byte)
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]844 * .. . .. compression methods
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]845 * .. . .. extensions length (2 bytes)
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]846 * .. . .. extensions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]847 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]848 n = ssl->session_negotiate->id_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]849
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]850 if( n < 16 || n > 32 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]851#if defined(MBEDTLS_SSL_RENEGOTIATION)
852 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]853#endif
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]854 ssl->handshake->resume == 0 )
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]855 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]856 n = 0;
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]857 }
858
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]859#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]860 /*
861 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
862 * generate and include a Session ID in the TLS ClientHello."
863 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]864#if defined(MBEDTLS_SSL_RENEGOTIATION)
865 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]866#endif
Manuel Pégourié-Gonnardd2b35ec2015-03-10 11:40:43 +0000[diff] [blame]867 {
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]868 if( ssl->session_negotiate->ticket != NULL &&
869 ssl->session_negotiate->ticket_len != 0 )
870 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]871 ret = ssl->conf->f_rng( ssl->conf->p_rng,
872 ssl->session_negotiate->id, 32 );
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]873
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]874 if( ret != 0 )
875 return( ret );
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]876
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]877 ssl->session_negotiate->id_len = n = 32;
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]878 }
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]879 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]880#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]881
882 *p++ = (unsigned char) n;
883
884 for( i = 0; i < n; i++ )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]885 *p++ = ssl->session_negotiate->id[i];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]886
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]887 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
888 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]889
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]890 /*
891 * DTLS cookie
892 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]893#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]894 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]895 {
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]896 if( ssl->handshake->verify_cookie == NULL )
897 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]898 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]899 *p++ = 0;
900 }
901 else
902 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]903 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]904 ssl->handshake->verify_cookie,
905 ssl->handshake->verify_cookie_len );
906
907 *p++ = ssl->handshake->verify_cookie_len;
908 memcpy( p, ssl->handshake->verify_cookie,
909 ssl->handshake->verify_cookie_len );
910 p += ssl->handshake->verify_cookie_len;
911 }
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]912 }
913#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]914
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]915 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]916 * Ciphersuite list
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]917 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]918 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]919
920 /* Skip writing ciphersuite length for now */
921 n = 0;
922 q = p;
923 p += 2;
924
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]925 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]926 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]927 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]928
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]929 if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
930 ssl->conf->min_minor_ver,
931 ssl->conf->max_minor_ver ) != 0 )
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]932 continue;
933
Manuel Pégourié-Gonnard60884a12015-09-16 11:13:41 +0200[diff] [blame]934 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
935 ciphersuites[i] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]936
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]937#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
938 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
939 uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
940#endif
941
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]942 n++;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]943 *p++ = (unsigned char)( ciphersuites[i] >> 8 );
944 *p++ = (unsigned char)( ciphersuites[i] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]945 }
946
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]947 MBEDTLS_SSL_DEBUG_MSG( 3,
948 ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
Ron Eldor714785d2017-08-28 13:55:55 +0300[diff] [blame]949
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]950 /*
951 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
952 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]953#if defined(MBEDTLS_SSL_RENEGOTIATION)
954 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]955#endif
956 {
Ron Eldor4a2fb4c2017-09-10 17:03:50 +0300[diff] [blame]957 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]958 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
959 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]960 n++;
961 }
962
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]963 /* Some versions of OpenSSL don't handle it correctly if not at end */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]964#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
Manuel Pégourié-Gonnard684b0592015-05-06 09:27:31 +0100[diff] [blame]965 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]966 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]967 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
968 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
969 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]970 n++;
971 }
972#endif
973
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]974 *q++ = (unsigned char)( n >> 7 );
975 *q++ = (unsigned char)( n << 1 );
976
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]977#if defined(MBEDTLS_ZLIB_SUPPORT)
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]978 offer_compress = 1;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]979#else
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]980 offer_compress = 0;
981#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]982
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]983 /*
Johannes H4e5d23f2018-01-06 09:46:57 +0100[diff] [blame]984 * We don't support compression with DTLS right now: if many records come
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]985 * in the same datagram, uncompressing one could overwrite the next one.
986 * We don't want to add complexity for handling that case unless there is
987 * an actual need for it.
988 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]989#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]990 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]991 offer_compress = 0;
992#endif
993
994 if( offer_compress )
995 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]996 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
997 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]998 MBEDTLS_SSL_COMPRESS_DEFLATE,
999 MBEDTLS_SSL_COMPRESS_NULL ) );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1000
1001 *p++ = 2;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1002 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
1003 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1004 }
1005 else
1006 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1007 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
1008 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
1009 MBEDTLS_SSL_COMPRESS_NULL ) );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1010
1011 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1012 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1013 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1014
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1015 // First write extensions, then the total length
1016 //
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1017#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1018 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
1019 ext_len += olen;
Paul Bakker0be444a2013-08-27 21:55:01 +0200[diff] [blame]1020#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1021
Hanno Becker40f8b512017-10-12 14:58:55 +0100[diff] [blame]1022 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
1023 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1024#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1025 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1026 ext_len += olen;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1027#endif
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1028
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1029#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1030 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1031 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
1032 ext_len += olen;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]1033#endif
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1034
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]1035#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1036 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]1037 if( uses_ec )
1038 {
1039 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
1040 ext_len += olen;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1041
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]1042 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1043 ext_len += olen;
1044 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1045#endif
1046
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]1047#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]1048 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
1049 ext_len += olen;
1050#endif
1051
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1052#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1053 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1054 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1055#endif
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1056
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1057#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1058 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1059 ext_len += olen;
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1060#endif
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1061
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1062#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1063 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
1064 ext_len += olen;
1065#endif
1066
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1067#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1068 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
1069 ext_len += olen;
1070#endif
1071
Simon Butcher5624ec82015-09-29 01:06:06 +0100[diff] [blame]1072#if defined(MBEDTLS_SSL_ALPN)
1073 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1074 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1075#endif
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1076
Simon Butcher5624ec82015-09-29 01:06:06 +0100[diff] [blame]1077#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1078 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1079 ext_len += olen;
1080#endif
1081
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1082 /* olen unused if all extensions are disabled */
1083 ((void) olen);
1084
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1085 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1086 ext_len ) );
1087
Paul Bakkera7036632014-04-30 10:15:38 +0200[diff] [blame]1088 if( ext_len > 0 )
1089 {
1090 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1091 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1092 p += ext_len;
1093 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1094
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1095 ssl->out_msglen = p - buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1096 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1097 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1098
1099 ssl->state++;
1100
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1101#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1102 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1103 mbedtls_ssl_send_flight_completed( ssl );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]1104#endif
1105
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]1106 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1107 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]1108 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1109 return( ret );
1110 }
1111
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]1112#if defined(MBEDTLS_SSL_PROTO_DTLS)
1113 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
1114 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
1115 {
1116 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
1117 return( ret );
1118 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]1119#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]1120
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1121 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1122
1123 return( 0 );
1124}
1125
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1126static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]1127 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1128 size_t len )
1129{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1130#if defined(MBEDTLS_SSL_RENEGOTIATION)
1131 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1132 {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]1133 /* Check verify-data in constant-time. The length OTOH is no secret */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1134 if( len != 1 + ssl->verify_data_len * 2 ||
1135 buf[0] != ssl->verify_data_len * 2 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1136 mbedtls_ssl_safer_memcmp( buf + 1,
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]1137 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1138 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]1139 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1140 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1141 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1142 mbedtls_ssl_send_alert_message(
1143 ssl,
1144 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1145 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1146 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1147 }
1148 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1149 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1150#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1151 {
1152 if( len != 1 || buf[0] != 0x00 )
1153 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1154 MBEDTLS_SSL_DEBUG_MSG(
1155 1, ( "non-zero length renegotiation info" ) );
1156 mbedtls_ssl_send_alert_message(
1157 ssl,
1158 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1159 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1160 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1161 }
1162
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1163 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1164 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1165
1166 return( 0 );
1167}
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1168
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1169#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1170static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]1171 const unsigned char *buf,
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1172 size_t len )
1173{
1174 /*
1175 * server should use the extension only if we did,
1176 * and if so the server's value should match ours (and len is always 1)
1177 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1178 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1179 len != 1 ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1180 buf[0] != ssl->conf->mfl_code )
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1181 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1182 MBEDTLS_SSL_DEBUG_MSG( 1,
1183 ( "non-matching max fragment length extension" ) );
1184 mbedtls_ssl_send_alert_message(
1185 ssl,
1186 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1187 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1188 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1189 }
1190
1191 return( 0 );
1192}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1193#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1194
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1195#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1196static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1197 const unsigned char *buf,
1198 size_t len )
1199{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1200 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1201 len != 0 )
1202 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1203 MBEDTLS_SSL_DEBUG_MSG( 1,
1204 ( "non-matching truncated HMAC extension" ) );
1205 mbedtls_ssl_send_alert_message(
1206 ssl,
1207 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1208 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1209 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1210 }
1211
1212 ((void) buf);
1213
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1214 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1215
1216 return( 0 );
1217}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1218#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1219
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1220#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1221static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1222 const unsigned char *buf,
1223 size_t len )
1224{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1225 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1226 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1227 len != 0 )
1228 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1229 MBEDTLS_SSL_DEBUG_MSG( 1,
1230 ( "non-matching encrypt-then-MAC extension" ) );
1231 mbedtls_ssl_send_alert_message(
1232 ssl,
1233 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1234 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1235 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1236 }
1237
1238 ((void) buf);
1239
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1240 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1241
1242 return( 0 );
1243}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1244#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1245
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1246#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1247static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1248 const unsigned char *buf,
1249 size_t len )
1250{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1251 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1252 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1253 len != 0 )
1254 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1255 MBEDTLS_SSL_DEBUG_MSG( 1,
1256 ( "non-matching extended master secret extension" ) );
1257 mbedtls_ssl_send_alert_message(
1258 ssl,
1259 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1260 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1261 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1262 }
1263
1264 ((void) buf);
1265
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1266 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1267
1268 return( 0 );
1269}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1270#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1271
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1272#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1273static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1274 const unsigned char *buf,
1275 size_t len )
1276{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1277 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]1278 len != 0 )
1279 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1280 MBEDTLS_SSL_DEBUG_MSG( 1,
1281 ( "non-matching session ticket extension" ) );
1282 mbedtls_ssl_send_alert_message(
1283 ssl,
1284 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1285 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1286 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]1287 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1288
1289 ((void) buf);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]1290
1291 ssl->handshake->new_session_ticket = 1;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1292
1293 return( 0 );
1294}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1295#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1296
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1297#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1298 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1299static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1300 const unsigned char *buf,
1301 size_t len )
1302{
1303 size_t list_size;
1304 const unsigned char *p;
1305
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]1306 if( len == 0 || (size_t)( buf[0] + 1 ) != len )
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1307 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1308 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1309 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1310 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1311 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1312 }
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]1313 list_size = buf[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1314
Manuel Pégourié-Gonnardfd35af12014-06-23 14:10:13 +0200[diff] [blame]1315 p = buf + 1;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1316 while( list_size > 0 )
1317 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1318 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1319 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1320 {
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1321#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]1322 ssl->handshake->ecdh_ctx.point_format = p[0];
Gilles Peskine064a85c2017-05-10 10:46:40 +0200[diff] [blame]1323#endif
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1324#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1325 ssl->handshake->ecjpake_ctx.point_format = p[0];
1326#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1327 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1328 return( 0 );
1329 }
1330
1331 list_size--;
1332 p++;
1333 }
1334
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1335 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1336 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1337 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1338 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1339}
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]1340#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1341 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1342
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1343#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1344static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
1345 const unsigned char *buf,
1346 size_t len )
1347{
1348 int ret;
1349
1350 if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
1351 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
1352 {
1353 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
1354 return( 0 );
1355 }
1356
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]1357 /* If we got here, we no longer need our cached extension */
1358 mbedtls_free( ssl->handshake->ecjpake_cache );
1359 ssl->handshake->ecjpake_cache = NULL;
1360 ssl->handshake->ecjpake_cache_len = 0;
1361
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1362 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
1363 buf, len ) ) != 0 )
1364 {
1365 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1366 mbedtls_ssl_send_alert_message(
1367 ssl,
1368 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1369 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1370 return( ret );
1371 }
1372
1373 return( 0 );
1374}
1375#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1376
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1377#if defined(MBEDTLS_SSL_ALPN)
1378static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1379 const unsigned char *buf, size_t len )
1380{
1381 size_t list_len, name_len;
1382 const char **p;
1383
1384 /* If we didn't send it, the server shouldn't send it */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1385 if( ssl->conf->alpn_list == NULL )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1386 {
1387 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1388 mbedtls_ssl_send_alert_message(
1389 ssl,
1390 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1391 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1392 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1393 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1394
1395 /*
1396 * opaque ProtocolName<1..2^8-1>;
1397 *
1398 * struct {
1399 * ProtocolName protocol_name_list<2..2^16-1>
1400 * } ProtocolNameList;
1401 *
1402 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
1403 */
1404
1405 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
1406 if( len < 4 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1407 {
1408 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1409 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1410 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1411 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1412
1413 list_len = ( buf[0] << 8 ) | buf[1];
1414 if( list_len != len - 2 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1415 {
1416 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1417 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1418 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1419 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1420
1421 name_len = buf[2];
1422 if( name_len != list_len - 1 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1423 {
1424 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1425 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1426 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1427 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1428
1429 /* Check that the server chosen protocol was in our list and save it */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1430 for( p = ssl->conf->alpn_list; *p != NULL; p++ )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1431 {
1432 if( name_len == strlen( *p ) &&
1433 memcmp( buf + 3, *p, name_len ) == 0 )
1434 {
1435 ssl->alpn_chosen = *p;
1436 return( 0 );
1437 }
1438 }
1439
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1440 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1441 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1442 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1443 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1444}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1445#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1446
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1447/*
1448 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1449 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1450#if defined(MBEDTLS_SSL_PROTO_DTLS)
1451static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1452{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1453 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1454 int major_ver, minor_ver;
1455 unsigned char cookie_len;
1456
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1457 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1458
Gilles Peskined5c4a7c2019-09-27 14:02:44 +0200[diff] [blame]1459 /* Check that there is enough room for:
1460 * - 2 bytes of version
1461 * - 1 byte of cookie_len
1462 */
1463 if( mbedtls_ssl_hs_hdr_len( ssl ) + 3 > ssl->in_msglen )
1464 {
1465 MBEDTLS_SSL_DEBUG_MSG( 1,
1466 ( "incoming HelloVerifyRequest message is too short" ) );
1467 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1468 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1469 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1470 }
1471
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1472 /*
1473 * struct {
1474 * ProtocolVersion server_version;
1475 * opaque cookie<0..2^8-1>;
1476 * } HelloVerifyRequest;
1477 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1478 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1479 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1480 p += 2;
1481
Manuel Pégourié-Gonnardb35fe562014-08-09 17:00:46 +0200[diff] [blame]1482 /*
1483 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
1484 * even is lower than our min version.
1485 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1486 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
1487 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1488 major_ver > ssl->conf->max_major_ver ||
1489 minor_ver > ssl->conf->max_minor_ver )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1490 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1491 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1492
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1493 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1494 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1495
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1496 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1497 }
1498
1499 cookie_len = *p++;
Andres AG5a87c932016-09-26 14:53:05 +0100[diff] [blame]1500 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
1501 {
1502 MBEDTLS_SSL_DEBUG_MSG( 1,
1503 ( "cookie length does not match incoming message size" ) );
1504 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1505 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1506 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1507 }
Gilles Peskine01a96d62019-09-27 14:00:36 +0200[diff] [blame]1508 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
Andres AG5a87c932016-09-26 14:53:05 +0100[diff] [blame]1509
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1510 mbedtls_free( ssl->handshake->verify_cookie );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1511
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]1512 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1513 if( ssl->handshake->verify_cookie == NULL )
1514 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]1515 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]1516 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1517 }
1518
1519 memcpy( ssl->handshake->verify_cookie, p, cookie_len );
1520 ssl->handshake->verify_cookie_len = cookie_len;
1521
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]1522 /* Start over at ClientHello */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1523 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
1524 mbedtls_ssl_reset_checksum( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1525
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1526 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1527
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1528 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1529
1530 return( 0 );
1531}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1532#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1533
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1534static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1535{
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1536 int ret, i;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1537 size_t n;
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1538 size_t ext_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1539 unsigned char *buf, *ext;
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1540 unsigned char comp;
1541#if defined(MBEDTLS_ZLIB_SUPPORT)
1542 int accept_comp;
1543#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1544#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1545 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1546#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1547 int handshake_failure = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1548 const mbedtls_ssl_ciphersuite_t *suite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1549
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1550 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1551
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1552 buf = ssl->in_msg;
1553
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]1554 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1555 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1556 /* No alert on a read error. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1557 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1558 return( ret );
1559 }
1560
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1561 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1562 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1563#if defined(MBEDTLS_SSL_RENEGOTIATION)
1564 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1565 {
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1566 ssl->renego_records_seen++;
1567
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1568 if( ssl->conf->renego_max_records >= 0 &&
1569 ssl->renego_records_seen > ssl->conf->renego_max_records )
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1570 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1571 MBEDTLS_SSL_DEBUG_MSG( 1,
1572 ( "renegotiation requested, but not honored by server" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1573 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1574 }
1575
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1576 MBEDTLS_SSL_DEBUG_MSG( 1,
1577 ( "non-handshake message during renegotiation" ) );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]1578
1579 ssl->keep_current_message = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1580 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1581 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1582#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1583
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1584 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1585 mbedtls_ssl_send_alert_message(
1586 ssl,
1587 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1588 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1589 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1590 }
1591
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1592#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1593 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1594 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1595 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1596 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1597 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
1598 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1599 return( ssl_parse_hello_verify_request( ssl ) );
1600 }
1601 else
1602 {
1603 /* We made it through the verification process */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1604 mbedtls_free( ssl->handshake->verify_cookie );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1605 ssl->handshake->verify_cookie = NULL;
1606 ssl->handshake->verify_cookie_len = 0;
1607 }
1608 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1609#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1610
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1611 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
1612 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1613 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1614 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1615 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1616 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1617 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1618 }
1619
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1620 /*
1621 * 0 . 1 server_version
1622 * 2 . 33 random (maybe including 4 bytes of Unix time)
1623 * 34 . 34 session_id length = n
1624 * 35 . 34+n session_id
1625 * 35+n . 36+n cipher_suite
1626 * 37+n . 37+n compression_method
1627 *
1628 * 38+n . 39+n extensions length (optional)
1629 * 40+n . .. extensions
1630 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1631 buf += mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1632
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1633 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
1634 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1635 ssl->conf->transport, buf + 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1636
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1637 if( ssl->major_ver < ssl->conf->min_major_ver ||
1638 ssl->minor_ver < ssl->conf->min_minor_ver ||
1639 ssl->major_ver > ssl->conf->max_major_ver ||
1640 ssl->minor_ver > ssl->conf->max_minor_ver )
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1641 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1642 MBEDTLS_SSL_DEBUG_MSG( 1,
1643 ( "server version out of bounds - min: [%d:%d], server: [%d:%d], max: [%d:%d]",
1644 ssl->conf->min_major_ver,
1645 ssl->conf->min_minor_ver,
1646 ssl->major_ver, ssl->minor_ver,
1647 ssl->conf->max_major_ver,
1648 ssl->conf->max_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1649
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1650 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1651 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1652
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1653 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1654 }
1655
Andres Amaya Garcia6bce9cb2017-09-06 15:33:34 +0100[diff] [blame]1656 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
1657 ( (uint32_t) buf[2] << 24 ) |
1658 ( (uint32_t) buf[3] << 16 ) |
1659 ( (uint32_t) buf[4] << 8 ) |
1660 ( (uint32_t) buf[5] ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1661
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1662 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1663
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1664 n = buf[34];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1665
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1666 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1667
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1668 if( n > 32 )
1669 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1670 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1671 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1672 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1673 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1674 }
1675
Manuel Pégourié-Gonnarda6e5bd52015-07-23 12:14:13 +0200[diff] [blame]1676 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1677 {
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1678 ext_len = ( ( buf[38 + n] << 8 )
1679 | ( buf[39 + n] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1680
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1681 if( ( ext_len > 0 && ext_len < 4 ) ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1682 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1683 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1684 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1685 mbedtls_ssl_send_alert_message(
1686 ssl,
1687 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1688 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1689 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1690 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1691 }
Manuel Pégourié-Gonnarda6e5bd52015-07-23 12:14:13 +0200[diff] [blame]1692 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1693 {
1694 ext_len = 0;
1695 }
1696 else
1697 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1698 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1699 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1700 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1701 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1702 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1703
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1704 /* ciphersuite (used later) */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1705 i = ( buf[35 + n] << 8 ) | buf[36 + n];
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1706
1707 /*
1708 * Read and check compression
1709 */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1710 comp = buf[37 + n];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1711
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1712#if defined(MBEDTLS_ZLIB_SUPPORT)
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1713 /* See comments in ssl_write_client_hello() */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1714#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1715 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1716 accept_comp = 0;
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1717 else
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1718#endif
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1719 accept_comp = 1;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1720
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1721 if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
1722 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
1723#else /* MBEDTLS_ZLIB_SUPPORT */
1724 if( comp != MBEDTLS_SSL_COMPRESS_NULL )
1725#endif/* MBEDTLS_ZLIB_SUPPORT */
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1726 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1727 MBEDTLS_SSL_DEBUG_MSG( 1,
1728 ( "server hello, bad compression: %d", comp ) );
1729 mbedtls_ssl_send_alert_message(
1730 ssl,
1731 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1732 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1733 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1734 }
1735
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1736 /*
1737 * Initialize update checksum functions
1738 */
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1739 ssl->transform_negotiate->ciphersuite_info =
1740 mbedtls_ssl_ciphersuite_from_id( i );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1741
1742 if( ssl->transform_negotiate->ciphersuite_info == NULL )
1743 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1744 MBEDTLS_SSL_DEBUG_MSG( 1,
1745 ( "ciphersuite info for %04x not found", i ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1746 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1747 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1748 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1749 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1750
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1751 mbedtls_ssl_optimize_checksum( ssl,
1752 ssl->transform_negotiate->ciphersuite_info );
Manuel Pégourié-Gonnard3c599f12014-03-10 13:25:07 +0100[diff] [blame]1753
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1754 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1755 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1756
1757 /*
1758 * Check if the session can be resumed
1759 */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1760 if( ssl->handshake->resume == 0 || n == 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1761#if defined(MBEDTLS_SSL_RENEGOTIATION)
1762 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1763#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1764 ssl->session_negotiate->ciphersuite != i ||
1765 ssl->session_negotiate->compression != comp ||
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1766 ssl->session_negotiate->id_len != n ||
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1767 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1768 {
1769 ssl->state++;
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]1770 ssl->handshake->resume = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1771#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]1772 ssl->session_negotiate->start = mbedtls_time( NULL );
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1773#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1774 ssl->session_negotiate->ciphersuite = i;
1775 ssl->session_negotiate->compression = comp;
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1776 ssl->session_negotiate->id_len = n;
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1777 memcpy( ssl->session_negotiate->id, buf + 35, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1778 }
1779 else
1780 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1781 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1782
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1783 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1784 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1785 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1786 mbedtls_ssl_send_alert_message(
1787 ssl,
1788 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1789 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1790 return( ret );
1791 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1792 }
1793
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1794 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]1795 ssl->handshake->resume ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1796
Manuel Pégourié-Gonnard60884a12015-09-16 11:13:41 +0200[diff] [blame]1797 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1798 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
1799 buf[37 + n] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1800
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]1801 /*
1802 * Perform cipher suite validation in same way as in ssl_write_client_hello.
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1803 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1804 i = 0;
1805 while( 1 )
1806 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1807 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1808 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1809 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1810 mbedtls_ssl_send_alert_message(
1811 ssl,
1812 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1813 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1814 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1815 }
1816
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1817 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1818 ssl->session_negotiate->ciphersuite )
1819 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1820 break;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1821 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1822 }
1823
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1824 suite_info = mbedtls_ssl_ciphersuite_from_id(
1825 ssl->session_negotiate->ciphersuite );
1826 if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver,
1827 ssl->minor_ver ) != 0 )
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1828 {
1829 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1830 mbedtls_ssl_send_alert_message(
1831 ssl,
1832 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1833 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1834 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1835 }
1836
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1837 MBEDTLS_SSL_DEBUG_MSG( 3,
1838 ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1839
Manuel Pégourié-Gonnardda19f4c2018-06-12 12:40:54 +0200[diff] [blame]1840#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
1841 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
1842 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
1843 {
1844 ssl->handshake->ecrs_enabled = 1;
1845 }
1846#endif
1847
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1848 if( comp != MBEDTLS_SSL_COMPRESS_NULL
1849#if defined(MBEDTLS_ZLIB_SUPPORT)
1850 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1851#endif
1852 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1853 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1854 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1855 mbedtls_ssl_send_alert_message(
1856 ssl,
1857 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1858 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1859 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1860 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1861 ssl->session_negotiate->compression = comp;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1862
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1863 ext = buf + 40 + n;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1864
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1865 MBEDTLS_SSL_DEBUG_MSG( 2,
1866 ( "server hello, total extension length: %d", ext_len ) );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1867
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1868 while( ext_len )
1869 {
1870 unsigned int ext_id = ( ( ext[0] << 8 )
1871 | ( ext[1] ) );
1872 unsigned int ext_size = ( ( ext[2] << 8 )
1873 | ( ext[3] ) );
1874
1875 if( ext_size + 4 > ext_len )
1876 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1877 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1878 mbedtls_ssl_send_alert_message(
1879 ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1880 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1881 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1882 }
1883
1884 switch( ext_id )
1885 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1886 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1887 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1888#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1889 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1890#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1891
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1892 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
1893 ext_size ) ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1894 return( ret );
1895
1896 break;
1897
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1898#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1899 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1900 MBEDTLS_SSL_DEBUG_MSG( 3,
1901 ( "found max_fragment_length extension" ) );
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1902
1903 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
1904 ext + 4, ext_size ) ) != 0 )
1905 {
1906 return( ret );
1907 }
1908
1909 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1910#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1911
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1912#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1913 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
1914 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1915
1916 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
1917 ext + 4, ext_size ) ) != 0 )
1918 {
1919 return( ret );
1920 }
1921
1922 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1923#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1924
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1925#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1926 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1927 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1928
1929 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
1930 ext + 4, ext_size ) ) != 0 )
1931 {
1932 return( ret );
1933 }
1934
1935 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1936#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1937
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1938#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1939 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1940 MBEDTLS_SSL_DEBUG_MSG( 3,
1941 ( "found extended_master_secret extension" ) );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1942
1943 if( ( ret = ssl_parse_extended_ms_ext( ssl,
1944 ext + 4, ext_size ) ) != 0 )
1945 {
1946 return( ret );
1947 }
1948
1949 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1950#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1951
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1952#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1953 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1954 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1955
1956 if( ( ret = ssl_parse_session_ticket_ext( ssl,
1957 ext + 4, ext_size ) ) != 0 )
1958 {
1959 return( ret );
1960 }
1961
1962 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1963#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1964
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1965#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1966 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1967 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]1968 MBEDTLS_SSL_DEBUG_MSG( 3,
1969 ( "found supported_point_formats extension" ) );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1970
1971 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
1972 ext + 4, ext_size ) ) != 0 )
1973 {
1974 return( ret );
1975 }
1976
1977 break;
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1978#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1979 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1980
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1981#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1982 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1983 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
1984
1985 if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
1986 ext + 4, ext_size ) ) != 0 )
1987 {
1988 return( ret );
1989 }
1990
1991 break;
1992#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1993
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1994#if defined(MBEDTLS_SSL_ALPN)
1995 case MBEDTLS_TLS_EXT_ALPN:
1996 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1997
1998 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
1999 return( ret );
2000
2001 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2002#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]2003
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2004 default:
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2005 MBEDTLS_SSL_DEBUG_MSG( 3,
2006 ( "unknown extension found: %d (ignoring)", ext_id ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2007 }
2008
2009 ext_len -= 4 + ext_size;
2010 ext += 4 + ext_size;
2011
2012 if( ext_len > 0 && ext_len < 4 )
2013 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2014 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
2015 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2016 }
2017 }
2018
2019 /*
2020 * Renegotiation security checks
2021 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2022 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2023 ssl->conf->allow_legacy_renegotiation ==
2024 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2025 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2026 MBEDTLS_SSL_DEBUG_MSG( 1,
2027 ( "legacy renegotiation, breaking off handshake" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2028 handshake_failure = 1;
2029 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2030#if defined(MBEDTLS_SSL_RENEGOTIATION)
2031 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2032 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2033 renegotiation_info_seen == 0 )
2034 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2035 MBEDTLS_SSL_DEBUG_MSG( 1,
2036 ( "renegotiation_info extension missing (secure)" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2037 handshake_failure = 1;
2038 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2039 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2040 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2041 ssl->conf->allow_legacy_renegotiation ==
2042 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2043 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2044 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2045 handshake_failure = 1;
2046 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2047 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2048 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2049 renegotiation_info_seen == 1 )
2050 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2051 MBEDTLS_SSL_DEBUG_MSG( 1,
2052 ( "renegotiation_info extension present (legacy)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2053 handshake_failure = 1;
2054 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2055#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2056
2057 if( handshake_failure == 1 )
2058 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2059 mbedtls_ssl_send_alert_message(
2060 ssl,
2061 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2062 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2063 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2064 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2065
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2066 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2067
2068 return( 0 );
2069}
2070
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2071#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2072 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2073static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl,
2074 unsigned char **p,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2075 unsigned char *end )
2076{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2077 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2078
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2079 /*
2080 * Ephemeral DH parameters:
2081 *
2082 * struct {
2083 * opaque dh_p<1..2^16-1>;
2084 * opaque dh_g<1..2^16-1>;
2085 * opaque dh_Ys<1..2^16-1>;
2086 * } ServerDHParams;
2087 */
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2088 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx,
2089 p, end ) ) != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2090 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2091 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2092 return( ret );
2093 }
2094
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +0200[diff] [blame]2095 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2096 {
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +0200[diff] [blame]2097 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
2098 ssl->handshake->dhm_ctx.len * 8,
2099 ssl->conf->dhm_min_bitlen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2100 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2101 }
2102
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2103 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2104 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2105 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2106
2107 return( ret );
2108}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2109#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2110 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2111
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2112#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2113 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2114 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2115 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2116 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2117static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2118{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2119 const mbedtls_ecp_curve_info *curve_info;
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]2120 mbedtls_ecp_group_id grp_id;
2121#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
2122 grp_id = ssl->handshake->ecdh_ctx.grp.id;
2123#else
2124 grp_id = ssl->handshake->ecdh_ctx.grp_id;
2125#endif
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2126
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]2127 curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2128 if( curve_info == NULL )
2129 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2130 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2131 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2132 }
2133
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2134 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2135
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]2136#if defined(MBEDTLS_ECP_C)
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]2137 if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2138#else
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2139 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
2140 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2141#endif
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2142 return( -1 );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2143
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]2144 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
2145 MBEDTLS_DEBUG_ECDH_QP );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2146
2147 return( 0 );
2148}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2149#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2150 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2151 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2152 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2153 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2154
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2155#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2156 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2157 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2158static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2159 unsigned char **p,
2160 unsigned char *end )
2161{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2162 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2163
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2164 /*
2165 * Ephemeral ECDH parameters:
2166 *
2167 * struct {
2168 * ECParameters curve_params;
2169 * ECPoint public;
2170 * } ServerECDHParams;
2171 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2172 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2173 (const unsigned char **) p, end ) ) != 0 )
2174 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2175 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2176#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnard1c1c20e2018-09-12 10:34:43 +0200[diff] [blame]2177 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2178 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2179#endif
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2180 return( ret );
2181 }
2182
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2183 if( ssl_check_server_ecdh_params( ssl ) != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2184 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2185 MBEDTLS_SSL_DEBUG_MSG( 1,
2186 ( "bad server key exchange message (ECDHE curve)" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2187 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2188 }
2189
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2190 return( ret );
2191}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2192#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2193 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2194 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2195
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2196#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2197static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2198 unsigned char **p,
2199 unsigned char *end )
2200{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2201 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2202 size_t len;
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]2203 ((void) ssl);
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2204
2205 /*
2206 * PSK parameters:
2207 *
2208 * opaque psk_identity_hint<0..2^16-1>;
2209 */
Hanno Becker0c161d12018-10-08 13:40:50 +0100[diff] [blame]2210 if( end - (*p) < 2 )
Krzysztof Stachowiak740b2182018-03-13 11:31:14 +0100[diff] [blame]2211 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2212 MBEDTLS_SSL_DEBUG_MSG( 1,
2213 ( "bad server key exchange message (psk_identity_hint length)" ) );
Krzysztof Stachowiak740b2182018-03-13 11:31:14 +0100[diff] [blame]2214 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2215 }
Manuel Pégourié-Gonnard59b9fe22013-10-15 11:55:33 +0200[diff] [blame]2216 len = (*p)[0] << 8 | (*p)[1];
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2217 *p += 2;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2218
Hanno Becker8df10232018-10-10 15:48:39 +0100[diff] [blame]2219 if( end - (*p) < (int) len )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2220 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2221 MBEDTLS_SSL_DEBUG_MSG( 1,
2222 ( "bad server key exchange message (psk_identity_hint length)" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2223 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2224 }
2225
Manuel Pégourié-Gonnard9d624122016-02-22 11:10:14 +0100[diff] [blame]2226 /*
2227 * Note: we currently ignore the PKS identity hint, as we only allow one
2228 * PSK to be provisionned on the client. This could be changed later if
2229 * someone needs that feature.
2230 */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2231 *p += len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2232 ret = 0;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2233
2234 return( ret );
2235}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2236#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2237
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2238#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
2239 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2240/*
2241 * Generate a pre-master secret and encrypt it with the server's RSA key
2242 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2243static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2244 size_t offset, size_t *olen,
2245 size_t pms_offset )
2246{
2247 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2248 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2249 unsigned char *p = ssl->handshake->premaster + pms_offset;
2250
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2251 if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]2252 {
2253 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
2254 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2255 }
2256
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2257 /*
2258 * Generate (part of) the pre-master as
2259 * struct {
2260 * ProtocolVersion client_version;
2261 * opaque random[46];
2262 * } PreMasterSecret;
2263 */
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2264 mbedtls_ssl_write_version( ssl->conf->max_major_ver,
2265 ssl->conf->max_minor_ver,
2266 ssl->conf->transport, p );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2267
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]2268 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2269 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2270 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2271 return( ret );
2272 }
2273
2274 ssl->handshake->pmslen = 48;
2275
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2276 if( ssl->session_negotiate->peer_cert == NULL )
2277 {
2278 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
2279 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2280 }
2281
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2282 /*
2283 * Now write it out, encrypted
2284 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2285 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2286 MBEDTLS_PK_RSA ) )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2287 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2288 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
2289 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2290 }
2291
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2292 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2293 p, ssl->handshake->pmslen,
2294 ssl->out_msg + offset + len_bytes, olen,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2295 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]2296 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2297 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2298 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2299 return( ret );
2300 }
2301
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2302#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2303 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2304 if( len_bytes == 2 )
2305 {
2306 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
2307 ssl->out_msg[offset+1] = (unsigned char)( *olen );
2308 *olen += 2;
2309 }
2310#endif
2311
2312 return( 0 );
2313}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2314#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
2315 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2316
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2317#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard5c2a7ca2015-10-23 08:48:41 +0200[diff] [blame]2318#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2319 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2320 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2321static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2322 unsigned char **p,
2323 unsigned char *end,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2324 mbedtls_md_type_t *md_alg,
2325 mbedtls_pk_type_t *pk_alg )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2326{
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]2327 ((void) ssl);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2328 *md_alg = MBEDTLS_MD_NONE;
2329 *pk_alg = MBEDTLS_PK_NONE;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2330
2331 /* Only in TLS 1.2 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2332 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2333 {
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2334 return( 0 );
2335 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2336
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2337 if( (*p) + 2 > end )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2338 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2339
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2340 /*
2341 * Get hash algorithm
2342 */
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2343 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) )
2344 == MBEDTLS_MD_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2345 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2346 MBEDTLS_SSL_DEBUG_MSG( 1,
2347 ( "Server used unsupported HashAlgorithm %d", *(p)[0] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2348 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2349 }
2350
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2351 /*
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2352 * Get signature algorithm
2353 */
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2354 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) )
2355 == MBEDTLS_PK_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2356 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2357 MBEDTLS_SSL_DEBUG_MSG( 1,
2358 ( "server used unsupported SignatureAlgorithm %d", (*p)[1] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2359 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2360 }
2361
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]2362 /*
2363 * Check if the hash is acceptable
2364 */
2365 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
2366 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2367 MBEDTLS_SSL_DEBUG_MSG( 1,
2368 ( "server used HashAlgorithm %d that was not offered", *(p)[0] ) );
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]2369 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2370 }
2371
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2372 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d",
2373 (*p)[1] ) );
2374 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d",
2375 (*p)[0] ) );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2376 *p += 2;
2377
2378 return( 0 );
2379}
Manuel Pégourié-Gonnard5c2a7ca2015-10-23 08:48:41 +0200[diff] [blame]2380#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2381 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2382 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2383#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2384
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2385#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2386 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2387static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2388{
2389 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2390 const mbedtls_ecp_keypair *peer_key;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2391
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2392 if( ssl->session_negotiate->peer_cert == NULL )
2393 {
2394 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
2395 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2396 }
2397
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2398 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2399 MBEDTLS_PK_ECKEY ) )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2400 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2401 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2402 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2403 }
2404
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2405 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2406
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2407 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
2408 MBEDTLS_ECDH_THEIRS ) ) != 0 )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2409 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2410 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2411 return( ret );
2412 }
2413
2414 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2415 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2416 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
2417 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2418 }
2419
2420 return( ret );
2421}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2422#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2423 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2424
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2425static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2426{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2427 int ret;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2428 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2429 ssl->transform_negotiate->ciphersuite_info;
Andres Amaya Garcia53c77cc2017-06-27 16:15:06 +0100[diff] [blame]2430 unsigned char *p = NULL, *end = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2431
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2432 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2433
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2434#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
2435 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2436 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2437 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2438 ssl->state++;
2439 return( 0 );
2440 }
Manuel Pégourié-Gonnardbac0e3b2013-10-15 11:54:47 +0200[diff] [blame]2441 ((void) p);
2442 ((void) end);
2443#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2444
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2445#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2446 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2447 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2448 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2449 {
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2450 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
2451 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2452 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2453 mbedtls_ssl_send_alert_message(
2454 ssl,
2455 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2456 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2457 return( ret );
2458 }
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2459
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2460 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2461 ssl->state++;
2462 return( 0 );
2463 }
2464 ((void) p);
2465 ((void) end);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2466#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2467 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2468
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2469#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2470 if( ssl->handshake->ecrs_enabled &&
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2471 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2472 {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2473 goto start_processing;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2474 }
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2475#endif
2476
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]2477 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2478 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2479 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2480 return( ret );
2481 }
2482
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2483 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2484 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2485 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2486 mbedtls_ssl_send_alert_message(
2487 ssl,
2488 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2489 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2490 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2491 }
2492
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2493 /*
2494 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2495 * doesn't use a psk_identity_hint
2496 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2497 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2498 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2499 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2500 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Paul Bakker188c8de2013-04-19 09:13:37 +0200[diff] [blame]2501 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2502 /* Current message is probably either
2503 * CertificateRequest or ServerHelloDone */
2504 ssl->keep_current_message = 1;
Paul Bakker188c8de2013-04-19 09:13:37 +0200[diff] [blame]2505 goto exit;
2506 }
2507
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2508 MBEDTLS_SSL_DEBUG_MSG( 1,
2509 ( "server key exchange message must not be skipped" ) );
2510 mbedtls_ssl_send_alert_message(
2511 ssl,
2512 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2513 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2514
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2515 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2516 }
2517
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2518#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2519 if( ssl->handshake->ecrs_enabled )
2520 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
2521
2522start_processing:
2523#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2524 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2525 end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2526 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2527
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2528#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2529 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2530 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2531 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2532 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2533 {
2534 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
2535 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2536 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2537 mbedtls_ssl_send_alert_message(
2538 ssl,
2539 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2540 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2541 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2542 }
2543 } /* FALLTROUGH */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2544#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2545
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2546#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2547 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2548 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2549 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2550 ; /* nothing more to do */
2551 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2552#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2553 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2554#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2555 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2556 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2557 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2558 {
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2559 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2560 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2561 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2562 mbedtls_ssl_send_alert_message(
2563 ssl,
2564 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2565 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2566 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2567 }
2568 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2569 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2570#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2571 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2572#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2573 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2574 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2575 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2576 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2577 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2578 {
2579 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
2580 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2581 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2582 mbedtls_ssl_send_alert_message(
2583 ssl,
2584 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2585 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2586 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2587 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2588 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2589 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2590#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2591 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2592 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2593#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2594 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2595 {
2596 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
2597 p, end - p );
2598 if( ret != 0 )
2599 {
2600 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2601 mbedtls_ssl_send_alert_message(
2602 ssl,
2603 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2604 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2605 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2606 }
2607 }
2608 else
2609#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2610 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2611 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2612 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2613 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2614
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2615#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
2616 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2617 {
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]2618 size_t sig_len, hashlen;
2619 unsigned char hash[64];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2620 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2621 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
2622 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]2623 size_t params_len = p - params;
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2624 void *rs_ctx = NULL;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2625
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2626 /*
2627 * Handle the digitally-signed structure
2628 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2629#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2630 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2631 {
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2632 if( ssl_parse_signature_algorithm( ssl, &p, end,
2633 &md_alg, &pk_alg ) != 0 )
2634 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2635 MBEDTLS_SSL_DEBUG_MSG( 1,
2636 ( "bad server key exchange message" ) );
2637 mbedtls_ssl_send_alert_message(
2638 ssl,
2639 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2640 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2641 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2642 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2643
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2644 if( pk_alg !=
2645 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2646 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2647 MBEDTLS_SSL_DEBUG_MSG( 1,
2648 ( "bad server key exchange message" ) );
2649 mbedtls_ssl_send_alert_message(
2650 ssl,
2651 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2652 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2653 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2654 }
2655 }
Manuel Pégourié-Gonnard09edda82013-08-19 13:50:33 +0200[diff] [blame]2656 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2657#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2658#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2659 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2660 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnard09edda82013-08-19 13:50:33 +0200[diff] [blame]2661 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2662 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2663
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2664 /* Default hash for ECDSA is SHA-1 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2665 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
2666 md_alg = MBEDTLS_MD_SHA1;
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2667 }
2668 else
2669#endif
2670 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2671 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2672 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2673 }
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2674
2675 /*
2676 * Read signature
2677 */
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +0100[diff] [blame]2678
2679 if( p > end - 2 )
2680 {
2681 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2682 mbedtls_ssl_send_alert_message(
2683 ssl,
2684 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2685 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +0100[diff] [blame]2686 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2687 }
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2688 sig_len = ( p[0] << 8 ) | p[1];
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2689 p += 2;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2690
Krzysztof Stachowiak027f84c2018-03-13 11:29:24 +0100[diff] [blame]2691 if( p != end - sig_len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2692 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2693 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2694 mbedtls_ssl_send_alert_message(
2695 ssl,
2696 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2697 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2698 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2699 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2700
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2701 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2702
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2703 /*
2704 * Compute the hash that has been signed
2705 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2706#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2707 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2708 if( md_alg == MBEDTLS_MD_NONE )
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]2709 {
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2710 hashlen = 36;
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]2711 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params,
2712 params_len );
2713 if( ret != 0 )
Andres Amaya Garciaf0e521e2017-06-28 12:11:42 +0100[diff] [blame]2714 return( ret );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2715 }
2716 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2717#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
2718 MBEDTLS_SSL_PROTO_TLS1_1 */
2719#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2720 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2721 if( md_alg != MBEDTLS_MD_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2722 {
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]2723 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
2724 params, params_len,
2725 md_alg );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]2726 if( ret != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2727 return( ret );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2728 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2729 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2730#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2731 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2732 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2733 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2734 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2735 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2736
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]2737 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2738
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2739 if( ssl->session_negotiate->peer_cert == NULL )
2740 {
2741 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2742 mbedtls_ssl_send_alert_message(
2743 ssl,
2744 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2745 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2746 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2747 }
2748
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2749 /*
2750 * Verify signature
2751 */
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2752 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2753 pk_alg ) )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2754 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2755 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2756 mbedtls_ssl_send_alert_message(
2757 ssl,
2758 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2759 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2760 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2761 }
2762
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2763#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2764 if( ssl->handshake->ecrs_enabled )
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]2765 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2766#endif
2767
2768 if( ( ret = mbedtls_pk_verify_restartable(
2769 &ssl->session_negotiate->peer_cert->pk,
2770 md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2771 {
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2772#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2773 if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
2774#endif
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2775 mbedtls_ssl_send_alert_message(
2776 ssl,
2777 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2778 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2779 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2780#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2781 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2782 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2783#endif
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2784 return( ret );
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]2785 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2786 }
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2787#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2788
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2789exit:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2790 ssl->state++;
2791
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2792 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2793
2794 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2795}
2796
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2797#if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2798static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2799{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2800 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2801 ssl->transform_negotiate->ciphersuite_info;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2802
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2803 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2804
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2805 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2806 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2807 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2808 ssl->state++;
2809 return( 0 );
2810 }
2811
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2812 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2813 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2814}
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2815#else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2816static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2817{
2818 int ret;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2819 unsigned char *buf;
2820 size_t n = 0;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2821 size_t cert_type_len = 0, dn_len = 0;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2822 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2823 ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2824
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2825 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2826
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2827 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2828 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2829 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2830 ssl->state++;
2831 return( 0 );
2832 }
2833
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]2834 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2835 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2836 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2837 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2838 }
2839
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2840 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2841 {
2842 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2843 mbedtls_ssl_send_alert_message(
2844 ssl,
2845 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2846 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2847 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2848 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2849
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2850 ssl->state++;
2851 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2852
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2853 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2854 ssl->client_auth ? "a" : "no" ) );
2855
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2856 if( ssl->client_auth == 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2857 {
2858 /* Current message is probably the ServerHelloDone */
2859 ssl->keep_current_message = 1;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2860 goto exit;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2861 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2862
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]2863 /*
2864 * struct {
2865 * ClientCertificateType certificate_types<1..2^8-1>;
2866 * SignatureAndHashAlgorithm
2867 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
2868 * DistinguishedName certificate_authorities<0..2^16-1>;
2869 * } CertificateRequest;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2870 *
2871 * Since we only support a single certificate on clients, let's just
2872 * ignore all the information that's supposed to help us pick a
2873 * certificate.
2874 *
2875 * We could check that our certificate matches the request, and bail out
2876 * if it doesn't, but it's simpler to just send the certificate anyway,
2877 * and give the server the opportunity to decide if it should terminate
2878 * the connection when it doesn't like our certificate.
2879 *
2880 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
2881 * point we only have one hash available (see comments in
Simon Butcherc0957bd2016-03-01 13:16:57 +0000[diff] [blame]2882 * write_certificate_verify), so let's just use what we have.
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2883 *
2884 * However, we still minimally parse the message to check it is at least
2885 * superficially sane.
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]2886 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2887 buf = ssl->in_msg;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]2888
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2889 /* certificate_types */
Krzysztof Stachowiak73b183c2018-04-05 10:20:09 +0200[diff] [blame]2890 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) )
2891 {
2892 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2893 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2894 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2895 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2896 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2897 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2898 n = cert_type_len;
2899
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]2900 /*
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]2901 * In the subsequent code there are two paths that read from buf:
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]2902 * * the length of the signature algorithms field (if minor version of
2903 * SSL is 3),
2904 * * distinguished name length otherwise.
2905 * Both reach at most the index:
2906 * ...hdr_len + 2 + n,
2907 * therefore the buffer length at this point must be greater than that
2908 * regardless of the actual code path.
2909 */
2910 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2911 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2912 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2913 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2914 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2915 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2916 }
2917
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2918 /* supported_signature_algorithms */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2919#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2920 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2921 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2922 size_t sig_alg_len =
2923 ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
2924 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2925#if defined(MBEDTLS_DEBUG_C)
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]2926 unsigned char* sig_alg;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2927 size_t i;
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]2928#endif
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2929
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]2930 /*
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]2931 * The furthest access in buf is in the loop few lines below:
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]2932 * sig_alg[i + 1],
2933 * where:
2934 * sig_alg = buf + ...hdr_len + 3 + n,
2935 * max(i) = sig_alg_len - 1.
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]2936 * Therefore the furthest access is:
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]2937 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
2938 * which reduces to:
2939 * buf[...hdr_len + 3 + n + sig_alg_len],
2940 * which is one less than we need the buf to be.
2941 */
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2942 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl )
2943 + 3 + n + sig_alg_len )
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]2944 {
2945 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2946 mbedtls_ssl_send_alert_message(
2947 ssl,
2948 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2949 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]2950 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2951 }
2952
2953#if defined(MBEDTLS_DEBUG_C)
2954 sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2955 for( i = 0; i < sig_alg_len; i += 2 )
2956 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]2957 MBEDTLS_SSL_DEBUG_MSG( 3,
2958 ( "Supported Signature Algorithm found: %d,%d",
2959 sig_alg[i], sig_alg[i + 1] ) );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2960 }
2961#endif
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2962
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2963 n += 2 + sig_alg_len;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]2964 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2965#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2966
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2967 /* certificate_authorities */
2968 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
2969 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2970
2971 n += dn_len;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2972 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2973 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2974 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2975 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2976 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2977 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2978 }
2979
2980exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2981 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2982
2983 return( 0 );
2984}
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2985#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2986
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2987static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2988{
2989 int ret;
2990
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2991 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2992
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]2993 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2994 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2995 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2996 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2997 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2998
2999 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3000 {
3001 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
3002 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3003 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3004
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3005 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ||
3006 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3007 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3008 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3009 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3010 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3011 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3012 }
3013
3014 ssl->state++;
3015
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3016#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3017 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3018 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3019#endif
3020
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3021 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3022
3023 return( 0 );
3024}
3025
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3026static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3027{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3028 int ret;
3029 size_t i, n;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3030 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3031 ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3032
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3033 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3034
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3035#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3036 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3037 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3038 /*
3039 * DHM key exchange -- send G^X mod P
3040 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3041 n = ssl->handshake->dhm_ctx.len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3042
3043 ssl->out_msg[4] = (unsigned char)( n >> 8 );
3044 ssl->out_msg[5] = (unsigned char)( n );
3045 i = 6;
3046
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3047 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]3048 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
3049 &ssl->out_msg[i], n,
3050 ssl->conf->f_rng, ssl->conf->p_rng );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3051 if( ret != 0 )
3052 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3053 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3054 return( ret );
3055 }
3056
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3057 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
3058 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3059
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3060 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]3061 ssl->handshake->premaster,
3062 MBEDTLS_PREMASTER_SIZE,
3063 &ssl->handshake->pmslen,
3064 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3065 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3066 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3067 return( ret );
3068 }
3069
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3070 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3071 }
3072 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3073#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3074#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3075 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3076 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3077 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3078 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3079 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3080 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3081 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3082 {
3083 /*
3084 * ECDH key exchange -- send client public value
3085 */
3086 i = 4;
3087
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3088#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3089 if( ssl->handshake->ecrs_enabled )
3090 {
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +0200[diff] [blame]3091 if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3092 goto ecdh_calc_secret;
Manuel Pégourié-Gonnard23e41622017-05-18 12:35:37 +0200[diff] [blame]3093
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3094 mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx );
3095 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3096#endif
3097
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3098 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3099 &n,
3100 &ssl->out_msg[i], 1000,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]3101 ssl->conf->f_rng, ssl->conf->p_rng );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3102 if( ret != 0 )
3103 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3104 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3105#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3106 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3107 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3108#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3109 return( ret );
3110 }
3111
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]3112 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3113 MBEDTLS_DEBUG_ECDH_Q );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3114
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3115#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3116 if( ssl->handshake->ecrs_enabled )
3117 {
3118 ssl->handshake->ecrs_n = n;
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +0200[diff] [blame]3119 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3120 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3121
3122ecdh_calc_secret:
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3123 if( ssl->handshake->ecrs_enabled )
3124 n = ssl->handshake->ecrs_n;
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3125#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3126 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]3127 &ssl->handshake->pmslen,
3128 ssl->handshake->premaster,
3129 MBEDTLS_MPI_MAX_SIZE,
3130 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3131 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3132 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3133#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3134 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3135 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3136#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3137 return( ret );
3138 }
3139
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]3140 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3141 MBEDTLS_DEBUG_ECDH_Z );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3142 }
3143 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3144#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3145 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3146 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3147 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3148#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3149 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3150 {
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3151 /*
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3152 * opaque psk_identity<0..2^16-1>;
3153 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3154 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL )
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3155 {
3156 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3157 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3158 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3159
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3160 i = 4;
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3161 n = ssl->conf->psk_identity_len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3162
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3163 if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3164 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]3165 MBEDTLS_SSL_DEBUG_MSG( 1,
3166 ( "psk identity too long or SSL buffer too short" ) );
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3167 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3168 }
3169
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3170 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
3171 ssl->out_msg[i++] = (unsigned char)( n );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3172
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]3173 memcpy( ssl->out_msg + i,
3174 ssl->conf->psk_identity,
3175 ssl->conf->psk_identity_len );
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3176 i += ssl->conf->psk_identity_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3177
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3178#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3179 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3180 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3181 n = 0;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]3182 }
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3183 else
3184#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3185#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3186 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3187 {
3188 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
3189 return( ret );
3190 }
3191 else
3192#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3193#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3194 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3195 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3196 /*
3197 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3198 */
3199 n = ssl->handshake->dhm_ctx.len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3200
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3201 if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3202 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]3203 MBEDTLS_SSL_DEBUG_MSG( 1,
3204 ( "psk identity or DHM size too long or SSL buffer too short" ) );
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3205 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3206 }
3207
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3208 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
3209 ssl->out_msg[i++] = (unsigned char)( n );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3210
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3211 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
3212 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3213 &ssl->out_msg[i], n,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]3214 ssl->conf->f_rng, ssl->conf->p_rng );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3215 if( ret != 0 )
3216 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3217 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3218 return( ret );
3219 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3220 }
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3221 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3222#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3223#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3224 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3225 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3226 /*
3227 * ClientECDiffieHellmanPublic public;
3228 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3229 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3230 &ssl->out_msg[i], MBEDTLS_SSL_OUT_CONTENT_LEN - i,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]3231 ssl->conf->f_rng, ssl->conf->p_rng );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3232 if( ret != 0 )
3233 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3234 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3235 return( ret );
3236 }
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3237
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]3238 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3239 MBEDTLS_DEBUG_ECDH_Q );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3240 }
3241 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3242#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3243 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3244 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3245 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3246 }
3247
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3248 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]3249 ciphersuite_info->key_exchange ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3250 {
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]3251 MBEDTLS_SSL_DEBUG_RET(
3252 1, "mbedtls_ssl_psk_derive_premaster", ret );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3253 return( ret );
3254 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3255 }
3256 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3257#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
3258#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3259 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3260 {
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3261 i = 4;
3262 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]3263 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3264 }
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3265 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3266#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3267#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3268 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3269 {
3270 i = 4;
3271
3272 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3273 ssl->out_msg + i, MBEDTLS_SSL_OUT_CONTENT_LEN - i, &n,
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3274 ssl->conf->f_rng, ssl->conf->p_rng );
3275 if( ret != 0 )
3276 {
3277 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
3278 return( ret );
3279 }
3280
3281 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
3282 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3283 ssl->conf->f_rng, ssl->conf->p_rng );
3284 if( ret != 0 )
3285 {
3286 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
3287 return( ret );
3288 }
3289 }
3290 else
3291#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3292 {
3293 ((void) ciphersuite_info);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3294 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3295 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3296 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3297
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3298 ssl->out_msglen = i + n;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3299 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3300 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3301
3302 ssl->state++;
3303
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3304 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3305 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3306 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3307 return( ret );
3308 }
3309
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3310 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3311
3312 return( 0 );
3313}
3314
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3315#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
3316 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
Paul Bakker29f221f2016-07-22 13:49:02 +0100[diff] [blame]3317 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3318 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
Paul Bakker29f221f2016-07-22 13:49:02 +0100[diff] [blame]3319 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3320 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
3321static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3322{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3323 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3324 ssl->transform_negotiate->ciphersuite_info;
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3325 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3326
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3327 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3328
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3329 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3330 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3331 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3332 return( ret );
3333 }
3334
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3335 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3336 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3337 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
Manuel Pégourié-Gonnard25dbeb02015-09-16 17:30:03 +0200[diff] [blame]3338 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3339 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3340 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3341 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3342 ssl->state++;
3343 return( 0 );
3344 }
3345
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3346 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3347 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3348}
3349#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3350static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3351{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3352 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3353 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3354 ssl->transform_negotiate->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3355 size_t n = 0, offset = 0;
3356 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3357 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3358 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]3359 unsigned int hashlen;
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3360 void *rs_ctx = NULL;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3361
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3362 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3363
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3364#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3365 if( ssl->handshake->ecrs_enabled &&
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3366 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3367 {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3368 goto sign;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3369 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3370#endif
3371
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3372 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3373 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3374 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3375 return( ret );
3376 }
3377
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3378 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3379 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3380 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
Manuel Pégourié-Gonnard25dbeb02015-09-16 17:30:03 +0200[diff] [blame]3381 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3382 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3383 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3384 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3385 ssl->state++;
3386 return( 0 );
3387 }
3388
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3389 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3390 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3391 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3392 ssl->state++;
3393 return( 0 );
3394 }
3395
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3396 if( mbedtls_ssl_own_key( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3397 {
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3398 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3399 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3400 }
3401
3402 /*
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3403 * Make a signature of the handshake digests
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3404 */
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3405#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3406 if( ssl->handshake->ecrs_enabled )
3407 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
3408
3409sign:
3410#endif
3411
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3412 ssl->handshake->calc_verify( ssl, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3413
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3414#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3415 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3416 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3417 {
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3418 /*
3419 * digitally-signed struct {
3420 * opaque md5_hash[16];
3421 * opaque sha_hash[20];
3422 * };
3423 *
3424 * md5_hash
3425 * MD5(handshake_messages);
3426 *
3427 * sha_hash
3428 * SHA(handshake_messages);
3429 */
3430 hashlen = 36;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3431 md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3432
3433 /*
3434 * For ECDSA, default hash is SHA-1 only
3435 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3436 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3437 {
3438 hash_start += 16;
3439 hashlen -= 16;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3440 md_alg = MBEDTLS_MD_SHA1;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3441 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3442 }
3443 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3444#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3445 MBEDTLS_SSL_PROTO_TLS1_1 */
3446#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3447 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3448 {
3449 /*
3450 * digitally-signed struct {
3451 * opaque handshake_messages[handshake_messages_length];
3452 * };
3453 *
3454 * Taking shortcut here. We assume that the server always allows the
3455 * PRF Hash function and has sent it in the allowed signature
3456 * algorithms list received in the Certificate Request message.
3457 *
3458 * Until we encounter a server that does not, we will take this
3459 * shortcut.
3460 *
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]3461 * Reason: Otherwise we should have running hashes for SHA512 and
3462 * SHA224 in order to satisfy 'weird' needs from the server
3463 * side.
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3464 */
Paul Bakkerb7149bc2013-03-20 15:30:09 +0100[diff] [blame]3465 if( ssl->transform_negotiate->ciphersuite_info->mac ==
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3466 MBEDTLS_MD_SHA384 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3467 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3468 md_alg = MBEDTLS_MD_SHA384;
3469 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3470 }
3471 else
3472 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3473 md_alg = MBEDTLS_MD_SHA256;
3474 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3475 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3476 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3477
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +0200[diff] [blame]3478 /* Info from md_alg will be used instead */
3479 hashlen = 0;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3480 offset = 2;
3481 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]3482 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3483#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3484 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3485 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3486 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3487 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3488
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3489#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3490 if( ssl->handshake->ecrs_enabled )
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]3491 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3492#endif
3493
3494 if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ),
3495 md_alg, hash_start, hashlen,
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]3496 ssl->out_msg + 6 + offset, &n,
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3497 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx ) ) != 0 )
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]3498 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3499 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3500#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3501 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3502 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3503#endif
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]3504 return( ret );
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]3505 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3506
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3507 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
3508 ssl->out_msg[5 + offset] = (unsigned char)( n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3509
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3510 ssl->out_msglen = 6 + n + offset;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3511 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3512 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3513
3514 ssl->state++;
3515
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3516 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3517 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3518 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3519 return( ret );
3520 }
3521
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3522 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3523
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3524 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3525}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3526#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
3527 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
Paul Bakker29f221f2016-07-22 13:49:02 +0100[diff] [blame]3528 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
3529 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
3530 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
3531 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3532
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3533#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3534static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3535{
3536 int ret;
3537 uint32_t lifetime;
3538 size_t ticket_len;
3539 unsigned char *ticket;
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3540 const unsigned char *msg;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3541
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3542 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3543
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3544 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3545 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3546 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3547 return( ret );
3548 }
3549
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3550 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3551 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3552 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Hanno Becker35f8a542017-05-08 11:06:19 +0100[diff] [blame]3553 mbedtls_ssl_send_alert_message(
3554 ssl,
3555 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3556 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3557 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3558 }
3559
3560 /*
3561 * struct {
3562 * uint32 ticket_lifetime_hint;
3563 * opaque ticket<0..2^16-1>;
3564 * } NewSessionTicket;
3565 *
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3566 * 0 . 3 ticket_lifetime_hint
3567 * 4 . 5 ticket_len (n)
3568 * 6 . 5+n ticket content
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3569 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3570 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3571 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3572 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3573 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3574 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3575 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3576 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3577 }
3578
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3579 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3580
Philippe Antoineb5b25432018-05-11 11:06:29 +0200[diff] [blame]3581 lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) |
3582 ( msg[2] << 8 ) | ( msg[3] );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3583
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3584 ticket_len = ( msg[4] << 8 ) | ( msg[5] );
3585
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3586 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3587 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3588 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3589 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3590 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3591 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3592 }
3593
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3594 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3595
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3596 /* We're not waiting for a NewSessionTicket message any more */
3597 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3598 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3599
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3600 /*
3601 * Zero-length ticket means the server changed his mind and doesn't want
3602 * to send a ticket after all, so just forget it
3603 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]3604 if( ticket_len == 0 )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3605 return( 0 );
3606
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]3607 mbedtls_platform_zeroize( ssl->session_negotiate->ticket,
3608 ssl->session_negotiate->ticket_len );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3609 mbedtls_free( ssl->session_negotiate->ticket );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3610 ssl->session_negotiate->ticket = NULL;
3611 ssl->session_negotiate->ticket_len = 0;
3612
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]3613 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3614 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]3615 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3616 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3617 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]3618 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3619 }
3620
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3621 memcpy( ticket, msg + 6, ticket_len );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3622
3623 ssl->session_negotiate->ticket = ticket;
3624 ssl->session_negotiate->ticket_len = ticket_len;
3625 ssl->session_negotiate->ticket_lifetime = lifetime;
3626
3627 /*
3628 * RFC 5077 section 3.4:
3629 * "If the client receives a session ticket from the server, then it
3630 * discards any Session ID that was sent in the ServerHello."
3631 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3632 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]3633 ssl->session_negotiate->id_len = 0;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3634
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3635 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3636
3637 return( 0 );
3638}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3639#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3640
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3641/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3642 * SSL handshake -- client side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3643 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3644int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3645{
3646 int ret = 0;
3647
Manuel Pégourié-Gonnarddba460f2015-06-24 22:59:30 +0200[diff] [blame]3648 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3649 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3650
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3651 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3652
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3653 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3654 return( ret );
3655
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3656#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3657 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3658 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3659 {
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3660 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3661 return( ret );
3662 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]3663#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3664
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3665 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3666 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3667#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3668 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3669 ssl->handshake->new_session_ticket != 0 )
3670 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3671 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3672 }
3673#endif
3674
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3675 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3676 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3677 case MBEDTLS_SSL_HELLO_REQUEST:
3678 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3679 break;
3680
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3681 /*
3682 * ==> ClientHello
3683 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3684 case MBEDTLS_SSL_CLIENT_HELLO:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3685 ret = ssl_write_client_hello( ssl );
3686 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3687
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3688 /*
3689 * <== ServerHello
3690 * Certificate
3691 * ( ServerKeyExchange )
3692 * ( CertificateRequest )
3693 * ServerHelloDone
3694 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3695 case MBEDTLS_SSL_SERVER_HELLO:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3696 ret = ssl_parse_server_hello( ssl );
3697 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3698
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3699 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3700 ret = mbedtls_ssl_parse_certificate( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3701 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3702
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3703 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3704 ret = ssl_parse_server_key_exchange( ssl );
3705 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3706
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3707 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3708 ret = ssl_parse_certificate_request( ssl );
3709 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3710
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3711 case MBEDTLS_SSL_SERVER_HELLO_DONE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3712 ret = ssl_parse_server_hello_done( ssl );
3713 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3714
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3715 /*
3716 * ==> ( Certificate/Alert )
3717 * ClientKeyExchange
3718 * ( CertificateVerify )
3719 * ChangeCipherSpec
3720 * Finished
3721 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3722 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3723 ret = mbedtls_ssl_write_certificate( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3724 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3725
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3726 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3727 ret = ssl_write_client_key_exchange( ssl );
3728 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3729
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3730 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3731 ret = ssl_write_certificate_verify( ssl );
3732 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3733
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3734 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
3735 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3736 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3737
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3738 case MBEDTLS_SSL_CLIENT_FINISHED:
3739 ret = mbedtls_ssl_write_finished( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3740 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3741
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3742 /*
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3743 * <== ( NewSessionTicket )
3744 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3745 * Finished
3746 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3747#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3748 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3749 ret = ssl_parse_new_session_ticket( ssl );
3750 break;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]3751#endif
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3752
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3753 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3754 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3755 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3756
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3757 case MBEDTLS_SSL_SERVER_FINISHED:
3758 ret = mbedtls_ssl_parse_finished( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3759 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3760
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3761 case MBEDTLS_SSL_FLUSH_BUFFERS:
3762 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3763 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3764 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3765
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3766 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3767 mbedtls_ssl_handshake_wrapup( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3768 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3769
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3770 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3771 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3772 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3773 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3774
3775 return( ret );
3776}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3777#endif /* MBEDTLS_SSL_CLI_C */